COMPLIANCE COUNSELOR

Passwords: Complexity equals easy to forget


James Michael Stewart
03.26.2002


One of the key components of a good security policy is the enforcement of strong passwords. In many cases, a strong password requires the following:

Seeing these restrictions often leads one to think that users must select a password so complex that they can't remember it, such as oA16I8aCCp.

But in fact, "oA16I8aCCp" is an easy-to-remember password if you know one simple fact:

As humans, we remember activities, events, people and occurrences. We especially remember things that happen to us or near us that are exciting, dangerous or at least out of the ordinary (what counts as such is subjective to each individual).

Using this fact, I suggest that users think of an event they can easily remember, and then of a simple sentence that describes it. In most cases, this will be the sentence you would naturally use to tell someone else about the event, such as "Hey Bob, I just saw the weirdest thing during lunch," or "Amanda, I just went hang gliding in the Virgin Islands!" Now add a date to the sentence: "On July 5, I saw a weird thing during lunch."

Next, take the first letter of every word and keep any numbers whole: OJ5Isawtdl

You can elect to drop common words such as "a," "in" or "the." You can also choose to alternate capitalization. When possible, swap a letter (or an entire word) for a number that looks or sounds similar, such as three for e/E, one for i/I/l/L, or even eight for "ate." You could even put a number sign ("#") before any number that comes from your initial sentence.

In my first example, oA16I8aCCp is created from the sentence "on April 16, I ate a Chucky Cheese pizza".

With this simple method, you can train your users to create very complex passwords that meet all complexity requirements, without forcing them to go to extreme lengths to remember a random password or driving them to write it down.

If users still have trouble remembering their passwords with this method because they forget their initial sentence, you can suggest that they write down a short phrase that reminds them of the sentence, as long as that phrase does not contain any significant word from the initial sentence. Ideas might include "bright-green eye shadow is strange," "I crashed into an ice-cream cart," or "I love pepperoni and extra cheese."

One final idea on complex passwords. If you have a two- or three-digit number (less than 255) that is either easy to remember or comes up during the sentence-to-password conversion, you can enter it as a high-order ASCII character instead of as plain keyboard digits. Press and hold the ALT key while typing the numerals. If you have only two numerals, type a zero ("0") first. This places a single high-order ASCII character into your password; it counts as only one character even though you pressed four digits to create it. The best part about ALT-generated characters in a password is that most brute-force password-cracking tools do not include these characters in a standard attempt to recover passwords; they usually default to (or are programmatically limited to) the keyboard-based characters.
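The following Python is an added illustration, not part of the original tip. It carries the conversion rules above (first letters, numbers kept, optional common-word dropping, letter and word swaps, "#" before numbers) through both of the article's example sentences, and it also shows the two points from the last paragraph: what an ALT+0nnn keystroke yields on a Windows system using the cp1252 ANSI code page (an assumption of this example), and a check for whether a password contains anything outside the keyboard-only character set that the tip says crackers default to. The `meets_policy` rule, the common-word list and the substitution tables beyond the ones the tip names are constructed for this example, since the page's own list of requirements did not survive.

```python
import re
import string

# Constructed list for this example; the tip itself names only "a", "in" and "the".
COMMON_WORDS = {"a", "an", "in", "the", "of", "to"}

# Word-for-number swaps: "eight for 'ate'" comes from the tip, the rest are constructed.
WORD_TO_NUMBER = {"ate": "8", "for": "4", "four": "4", "two": "2", "too": "2",
                  "one": "1", "won": "1"}

# Letter-for-number swaps from the tip: three for e/E, one for i/I/l/L.
LETTER_TO_NUMBER = {"e": "3", "E": "3", "i": "1", "I": "1", "l": "1", "L": "1"}

# Characters a keyboard-only brute-force attempt would cover (the tip's premise).
KEYBOARD_CHARS = set(string.ascii_letters + string.digits + string.punctuation + " ")


def sentence_to_password(sentence, drop_common=False, swap_words=True,
                         swap_letters=False, number_sign=False):
    """Apply the tip's rules: first letter of every word, numbers kept whole.

    The flags are the variations the tip suggests: dropping common words,
    swapping whole words or leading letters for look-alike numbers, and
    putting '#' in front of any number taken from the sentence.
    """
    parts = []
    # Tokens are runs of letters (apostrophes allowed after the first) or runs of digits.
    for token in re.findall(r"[A-Za-z][A-Za-z']*|\d+", sentence):
        if token.isdigit():
            parts.append(("#" if number_sign else "") + token)
            continue
        word = token.lower()
        if drop_common and word in COMMON_WORDS:
            continue
        if swap_words and word in WORD_TO_NUMBER:
            parts.append(WORD_TO_NUMBER[word])
            continue
        first = token[0]
        if swap_letters and first in LETTER_TO_NUMBER:
            first = LETTER_TO_NUMBER[first]
        parts.append(first)
    return "".join(parts)


def meets_policy(password, min_length=8):
    """Constructed complexity rule (the tip's own list is not on the page):
    at least min_length characters and three of the four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # symbols, including non-keyboard ones
    )
    return len(password) >= min_length and sum(classes) >= 3


def alt_code_char(code):
    """Character produced by ALT+0nnn on Windows with the cp1252 ANSI code page
    (assumption of this example: a Western-language system). Returns None for
    the few codes that cp1252 leaves undefined."""
    if not 128 <= code <= 255:
        raise ValueError("ALT+0nnn gives a non-keyboard character only for 128-255")
    try:
        return bytes([code]).decode("cp1252")
    except UnicodeDecodeError:
        return None


def uses_non_keyboard_char(password):
    """True if any character lies outside the printable keyboard set, i.e.
    outside what a keyboard-only brute-force run would try."""
    return any(c not in KEYBOARD_CHARS for c in password)


if __name__ == "__main__":
    for sentence in ("On July 5, I saw a weird thing during lunch.",
                     "on April 16, I ate a Chucky Cheese pizza"):
        pw = sentence_to_password(sentence)
        print(f"{sentence!r} -> {pw} (meets policy: {meets_policy(pw)})")
    with_alt = sentence_to_password("on April 16, I ate a Chucky Cheese pizza") + alt_code_char(165)
    print(f"with ALT+0165 appended: {with_alt}, non-keyboard: {uses_non_keyboard_char(with_alt)}")
```

The conversion is deterministic, which is what makes the password re-derivable from the sentence rather than memorized on its own. On the ALT-code side, the leading zero the tip mentions is what selects the ANSI code page on Windows; without it the OEM code page applies and a different character results, and the keystrokes have to be typed on the numeric keypad. The tip's observation about cracker defaults dates from 2002; cracking tools can be configured with extended character sets, so `uses_non_keyboard_char` reports only that a password lies outside the keyboard set, not that it is beyond reach.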

About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.

