Published On: July 1st, 2011 / Categories: Data Security / 6.1 min read

P@55w0rd

You wouldn’t believe how many people use guessable passwords. It’s no surprise and something we all do, because passwords are a pain to choose, remember and use.

People generally develop their passwords over time in the same way.

First Ever Password
They start with something basic that relates to them such as “london” or “football”. (There was an amazing statistic on the popularity of “cantona” as a password in the 1990’s.)

First “Clever” Password
People realise they need to make their password less guessable and choose something they believe to be clever such as “password” (…because no-one would ever guess that). Adding numbers is often used too, such as “football1” or “123password”.

Long Password
Longer words are next but it’s really the same thing.

Complex Password
Realising something more needs to be done, the next step is to develop a “complex” password. This has a number of definitions but in essence is just a word containing a mix of upper & lower case letters, numbers and special characters. “HY4R)g”*&18” is such an example. It is not uncommon for IT administrators to require users to have long complex passwords these days. While this has its merits in securing against guesswork and dictionary attacks, the drawbacks are significant, including difficulty in remembering and increased time to input the characters.

Memorable Complex Password
To address some of the issues with complex passwords, a common workaround is to take a standard dictionary word and replace consonants and vowels with numbers and special characters in a predictable fashion. Some of the common rules people follow are to have the first letter Upper case, a becomes @, e becomes 3, i becomes !, o becomes 0, s becomes 5 amongst others. “P@55w0rd” is such an example but predictably is itself not uncommon.

Non Complex Non Dictionary Password
To save people having to remember the above rules and accidentally forgetting whether an o, an O or a 0 should be used, another approach is to keep everything lowercase and piece together strings of memorable words or letters. An example is “duckshopfloorcat”. This is pretty easy to remember and is unlikely to ever be guessed or broken by a dictionary attack.

Passphrases
Rather than using a string of characters, a memorable phrase is seen as today’s “Best Practice”. This is simply a collection of words with the optional addition of complex elements if desired. A line from a song is a good example, especially as we have a habit of remembering song lyrics for years and there’s a lot to choose from. If possible I would recommend keeping the complexity at a minimum, such as having letters only with the first one uppercase, and the rest lowercase (or even everything lowercase). “take a sad song and make it better” would make a good passphrase.
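The substitution rules, word concatenation and passphrase styles described in the sections above can be checked from the defender's side: a password filter that undoes the predictable substitutions and recognises concatenated dictionary words will flag “P@55w0rd” as the word “password” while still crediting a genuine passphrase. The following is an added example written for this article, not code from the original post or from the author; it assumes a tiny constructed word list (a real filter would load a full dictionary) and a hypothetical dictionary size of 20,000 words for the strength estimate.

```python
import math
import re

# Constructed mini word list standing in for a real dictionary (assumption).
COMMON_WORDS = {
    "password", "football", "london", "cantona",
    "duck", "shop", "floor", "cat",
    "take", "a", "sad", "song", "and", "make", "it", "better",
}

# Reverse of the substitution rules the post lists: a->@, e->3, i->!, o->0, s->5.
LEET_REVERSE = {"@": "a", "3": "e", "!": "i", "0": "o", "5": "s"}


def normalize(password):
    """Lowercase and undo the predictable substitutions, so 'P@55w0rd' -> 'password'."""
    return "".join(LEET_REVERSE.get(ch, ch) for ch in password.lower())


def segment_words(text, words=COMMON_WORDS):
    """Split text into the fewest dictionary words (dynamic programming), or None."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                candidate = best[start] + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(text)]


def charset_size(password):
    """Size of the alphabet an attacker would have to search for a random password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"\d", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(password):
    """Bits of guessing work if every character were chosen at random."""
    return len(password) * math.log2(charset_size(password))


def assess(password, dictionary_size=20000):
    """Return (category, estimated bits of guessing work, detail) for a password.

    The estimate is the most pessimistic model that fits the password: a word with
    substitutions, a concatenation of words, or a random string of characters.
    """
    if not password:
        return "empty", 0.0, None
    lowered = password.lower().replace(" ", "")
    # Strip leading/trailing digits first so 'football1' is not read as 'footballi'.
    core = re.sub(r"^\d+|\d+$", "", lowered)
    digits = len(lowered) - len(core)
    base = normalize(core)
    if base in COMMON_WORDS:
        # One dictionary word plus the appended digits: little work for an attacker.
        bits = math.log2(dictionary_size) + digits * math.log2(10)
        return "dictionary variant", round(bits, 1), base
    words = segment_words(base)
    if words:
        # Each word is one choice out of the dictionary; never credit more than brute force.
        bits = min(len(words) * math.log2(dictionary_size), brute_force_bits(password))
        return "word concatenation", round(bits, 1), words
    return "random", round(brute_force_bits(password), 1), None


if __name__ == "__main__":
    # The post's own examples, in the order it presents them.
    for sample in ["football1", "123password", 'HY4R)g"*&18', "P@55w0rd",
                   "duckshopfloorcat", "take a sad song and make it better"]:
        print(sample, "->", assess(sample))
```

Run as a script it prints one line per example; the important outputs are that “P@55w0rd” and “123password” both reduce to the single word “password” (about 14 bits of work), while the eight-word lyric scores higher than the eleven-character complex string even though it uses only lowercase letters and spaces.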

I’m not going to go into the various types of passwords attacks available (that’s what Search Engines are there for…) but I will discuss the often forgotten issues with passwords.

For me, the only thing more insecure than a simple dictionary based password (e.g. “football”) is an overly complex one (e.g. “HY4R)g”*&18”). The big problem with such complexity is the difficulty in remembering and mistyping. If you keep forgetting it the default result is to write it down on a piece of paper or the classic Post-It note under the keyboard. Remembering multiple complex passwords is almost impossible for us humans so we’re left in a bit of a pickle.

My Advice
I would personally recommend using a mix of non complex non dictionary passwords and passphrases. Maybe use a passphrase as your ultimate never-to-be-given-out password, and the other for everything else such as eBanking or email account access. Multiple passwords are a very good idea, and ideally I would store them all in one secure place. An encrypted Excel workbook is a great solution, with all your passwords and passphrases stored inside. If you do go with this then make sure you encrypt it with enhanced encryption (such as AES) and use a passphrase as the encrypting password. In Excel 2003: File > Save As > Tools > General Options > Advanced > Select an enhanced encryption > OK > Input passphrase > OK > Save.

If you have any password tips, thoughts or comments, please let me know,
C@r!


About the Author: Carl Gottlieb
I'm the trusted privacy advisor to leading tech companies, helping them gain maximum advantage through the right privacy strategy. My consultancy company Cognition provides a range of privacy and security services including Data Protection Officers, in-depth assessments and virtual security engineers. Get in touch if you'd like to learn more.
