Dictionaries are No Places for Passwords
If someone knew your mother's maiden name, pet's name or your Social Security number, or even a common term from your industry, would your work or personal computer be compromised? Most computer users create simple passwords and stick with them. If the news Web site or banking login site requires six characters, they'll use their name, maybe with a string of numerals at the end. They'll then write the "code" down on a piece of paper taped to the wall or stashed in their wallet.

That's just what hackers or password thieves hope they'll do, said Frank Peluso, president of Centuric LLC, a Fort Lauderdale, FL IT consulting firm. "Half the programmers know how to substitute just enough characters to break through. To them, that's pretty standard stuff," Peluso said.

Security experts advise that passwords should not be "words" at all, but a code created with a process that only the user knows. Passwords should be at least eight characters, and include a combination of letters, numbers and punctuation. As a rule, passwords or codes should not include such elements as a user's computer login name; first or last name; spouse's or children's names; or numbers derived from a Social Security card, date of birth, vehicle license plate or street number. Hackers can find much of this information online.

Peluso's strategy for creating the perfect password begins with a short phrase of two or more words, like "madcowdisease," "blueangels" or "gonefishing." It should be something memorable, but not as obvious as a term from your industry or your favorite pastime. Then create a pattern of substituting characters for letters, like "!" for "i" or "3" for "e" or "$" for "s." Peluso noted these may be commonly used, so create your own pattern.

Change the root word every 30 to 45 days. This will help stymie "shoulder surfers" who watch as you enter your password, or keystroke logging spyware designed to capture passwords, he said.
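
The rules above can be checked mechanically. The following is an added example, not part of the original article: it folds the three substitutions the article names as commonly used back to letters before comparing a password against the user's personal details and a phrase list. The function names, the phrase list and the sample personal details are constructed assumptions.

```python
import string

# The substitutions the article names as commonly used:
# "!" for "i", "3" for "e", "$" for "s".
COMMON_SUBS = str.maketrans({"!": "i", "3": "e", "$": "s"})

# Constructed sample list; a real check would load a full dictionary.
SAMPLE_PHRASES = {"madcowdisease", "blueangels", "gonefishing", "password"}


def normalize(text):
    """Lowercase and undo the common substitutions."""
    return text.lower().translate(COMMON_SUBS)


def check_password(password, personal_tokens, phrases=SAMPLE_PHRASES):
    """Return a list of rule violations; an empty list means every rule passed."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    classes = {
        "letter": any(c.isalpha() for c in password),
        "number": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    problems += [f"no {name}" for name, present in classes.items() if not present]

    # Compare after folding both sides, so "1983" still matches "198e".
    folded = normalize(password)
    for token in personal_tokens:
        if len(token) >= 3 and normalize(token) in folded:
            problems.append(f"contains personal detail '{token}'")
    for phrase in sorted(phrases):
        if normalize(phrase) in folded:
            problems.append(f"common substitutions on known phrase '{phrase}'")
    return problems


if __name__ == "__main__":
    # Constructed personal details: login name, last name, year of birth.
    details = ["alex", "rivera", "1983"]
    for candidate in ["alex12", "gon3f!$h!ng", "Kq#1983mv!x", "Tr7#quLm9&zp"]:
        print(candidate, "->", check_password(candidate, details) or "ok")
```

A password that satisfies the length and character-mix rules can still fail here, because the common substitution pattern is reversible by anyone who knows it.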

For users who prefer to write or save passwords, PINs and account codes, password managers like CodeWallet and KeePass Password Safe store codes in one location. Look for solutions that are easy to use, provide data encryption, include search functions and even rate the strength of the password itself, said Darren Miller, owner of Paralogic LLC, a Plantation, FL corporate computer security consulting firm.

Alternatively, use a multifactor device that requires several levels of authentication to gain access to sites. For example, passwords can be stored on USB flash drives with built-in biometric fingerprint scanners. After plugging the drive into the computer and dragging the thumb across the reader, stored data authenticates the user and provides access to Web sites or passwords, Peluso said. Look for a device that also encrypts the biometric signature, he added.

Jeff Zbar, the ChiefHomeOfficer.com, is a speaker, writer and expert on alternative officing. He is the author of Teleworking & Telecommuting: Strategies for Remote Workers and Their Managers (Made E-Z Products, 2002); Safe@Home: Seven Keys to Home Office Security (FirstPublish 2001) and Your Profitable Home Business (on CD-ROM from Made E-Z Products). Visit his Web site to subscribe to Home Office Success Stories, his free electronic magazine on home business and teleworking.