Tuesday, November 15, 2011

Brian’s “Quick Guide” to Password Creation & Security

Passwords are a necessary aggravation.  There really are no ways to guarantee your password will stay secure, you can only do your best to balance your needs against how much hassle you’re willing to tolerate.  The following considerations don’t lead to a conclusion – they are simply facts to help you choose password security that you can live with -- comfortably.

The most common ways that passwords are stolen or “cracked”

  • Keystroke loggers.  These record every key that you press, and store it in a file.  This file is later collected by the hacker who searches it for your passwords. Keystroke loggers can be secretly installed programs, or physical devices attached between your keyboard and computer.  
  • Peeking over your shoulder.  Someone can watch you type in your password.  If they don’t get it the first time, they usually will after watching a few times.
  • Password “Crackers”.  Programs that use a special dictionary to "guess" your password by attempting trying to access your password-protected account with each new "guess".  The dictionary can be created by inputting personal information about you (birthdays, family and pet names, etc.) and it will try using combinations of this information in ways that people commonly use them.  (This method is  also called "Brute-Force cracking".) 

General countermeasures

  • Against Keystroke loggers:  Limit physical access to your PC.  Check for devices attached to the keyboard.  Use a high-quality security application that can detect Keystroke Loggers, and set it to scan your system at regular intervals.  Use the on-screen keyboard to enter your password.  (...It's an Accessibility feature that allows you to use your mouse for typing).  Change your password often.
  • Against Peeking:  Position yourself so that others can’t watch you type.  Use a long password, and practice typing it until you can do it very rapidly.  Use letters on the middle and lower rows of the keyboard and include shifted characters. Change your password often.
  • Against Password Crackers:  Don’t create passwords based on personal information.  Include numbers, shifted characters, and punctuation marks in your password.  Use random characters instead of words.  Change your password often.
  • Use A Password Management Program:  These programs remember your passwords and automatically enter them for you.  You activate the program by entering a single "Master" password.  Since these  programs don't use physical keys to enter passwords, they cannot be recorded by a Keystroke Logger.

Problems with the above countermeasures

  • Random character passwords are the hardest to crack, but also the most difficult to remember.
  • Changing your password often creates more hassle with practicing typing it quickly, making it more vulnerable to Peeking.
  • Long passwords are harder to Peek or Crack, but a hassle to type, especially if you have to enter passwords frequently.
  • Including punctuation makes passwords more secure, but many account logins will not allow them in the password.  (e.g. Facebook)
  • Password Managers require that you use one central password to start the program.  Of course, it can be "Peeked" or "Logged" or "Cracked" like any other password.  (However, it still greatly reduces opportunities to steal passwords.)  If a hacker gets your Master password, he/she then has all of them.

Tips for creating good passwords that are easier to remember

  • Choose a favorite quote.  Use the first (or second, or third) character in each word.
  • To create groups of punctuation that are still easy to remember, pick a significant number that you can remember, and type it while holding down the shift key.
  • Split words (or numbers) in half and mix them up.
  • Use “nonsense” four-word sentences with no spaces.  (e.g. horsebootsspaceriver)  It creates an image that is hard to forget, but has no significance to a password cracker.  Practice typing it a few times and you are unlikely to forget it.

About Password Managers

I use Roboform for my Password Manager.  It is very powerful, popular, and has many good features -- but I'll admit it's not as "Intuitive" as I'd like.  You also have to pay for it (but the price is very reasonable.)  There are other popular and free Password Managers.  (Google "Password Manager" for more suggestions.)  Also, many security programs include Password Managers.  (e.g. Norton Security.)


  1. When traveling I worry about my irplane "Seatmate" looking over my shoulder. How effective are those films that you put over your screen that are suppose to only allow you to read the screen if you are in directly front of it?

  2. Privacy screens are effective, although they may darken your display a bit. They won't help prevent someone from "Peeking" what you type on the keyboard, though. However, you can open the onscreen keyboard and use your mouse to enter a password. A privacy screen will protect your password, too, in this case...


All comments are moderated. Keep it nice...