Problem solve Get help with specific problems with your technologies, process and projects.

Guidelines for creating secure passwords

Consider these guidelines for strengthening the security provided by your users' passwords.

This tip was submitted to the searchSecurity Tip Exchange by user Sujeet Bambawale. Let other users know how useful it is by rating the tip below.

Security awareness at the end-user level is very important to personal as well as corporate computing, and secure passwords are among the stepping stones towards a secure computing environment.

There has been some interesting reference material here regarding secure passwords, and these are some thoughts and comments that I would like to add into the mix.

In my opinion, secure passwords are those that meet the following criteria:
  • Alphanumeric
  • Can be typed in the dark (without looking at the keyboard)
  • Are not necessarily the conversions of an alphabetic sequence

    Passwords that need to be converted using some specific key, however easy-to-remember it may be, require some sort of mental calculation. Passwords that can be touch-typed (typed in the dark, or typed without looking at the keyboard -- just by aligning and using your fingers in a certain way on the keyboard) are far better because one doesn't need to write them down anywhere.

    The downside of converting easy-to-remember alphabetical or alphanumeric strings into "Passwordese," is that the seed string is still easy to remember for the user and easy to figure out for the attacker. Extending that ease-of-use concept, the key is also usually easy to figure out, and therefore the password generated is usually not as secure as the user may believe it to be.

    Here are a few personal details that are easy for most attackers to find out, and thereby apply to attempting password break-ins:
  • Birthdate
  • Vehicle's license plate number
  • Cube or office number
  • Phone extension number
  • Wedding anniversary
  • Significant other, spouse and/or kids' names and/or birthdates
  • Your middle name
  • Residence numeral within your address
  • Firm's stock symbol
  • Brand of vehicle

    Combinations and permutations of the above can have some pretty interesting alphanumeric sequences that seem secure, but can be quite easily figured out. These include:
  • Your first initial, your spouse's first initial, wedding anniversary
  • Your initials, phone extension
  • Cube or office number, your initials, phone extension
  • Your middle name, your birthdate
  • Brand of vehicle, your license plate number and year of purchase'
  • Firm's stock symbol, cube number, phone extension

    As you can imagine, the complexity of the combinations can increase to "reasonably secure," but all the same, the set of most known values is still fairly insecure.

    In conclusion, a touch-typed alphanumeric sequence on a keyboard may be sufficiently random so as to throw a wrench into the guessing game, and be a reasonably secure first level of security.

  • This was last published in October 2001

    Dig Deeper on Password management and policy

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.