
The First Line of Defense

Password authentication is a routine part of our everyday lives. We use passwords in our personal lives to open garage doors, log in at work, check email or grab cash from an ATM. According to the federally funded Computer Emergency Response Team / Coordination Center (CERT/CC):

“80% of all network security problems are caused by bad passwords; therefore, good passwords are the simplest and most important part of information security.”

What’s in a Word

Sometimes the language we use shapes our choices. For example, the word “password” implies that you can’t use a space. If we think in terms of a “passphrase” instead, which allows spaces, we create much stronger authentication than a complex 8-character password.

Consider the passphrase “I like chocolate!” This is a 17-character phrase that is significantly easier to type (and remember) than an 8-character password such as “hU*4M%2g” – not to mention vastly more secure. In fact, the best advice for a Microsoft Windows passphrase is to be sure it is at least 15 characters long… just remember to stop before you get to 127 characters.

Password Cracking 101

Cracking passwords is all about math. The more possible combinations of characters there are, the longer it will take to crack. It’s not about being “uncrackable”; it’s about being improbable. Given enough time and resources, any password can be cracked. The table below shows why a longer, simple passphrase is better than a shorter (albeit more complex) password.

Construction                                Example             Possible combinations
4 numbers (the PIN for your ATM card)       1234                10,000
8 letters                                   password            208,827,064,576
8 alpha-numeric characters                  pass1234            2,821,109,907,456
8 mixed-case letters                        PassWord            53,459,728,531,456
8 mixed-case, alpha-numeric characters      PasS1234            218,340,105,584,896
8 mixed-case, alpha-numeric w/ symbols      Pas$12#$            722,204,136,308,736
17 letters and spaces                       i like chocolates   2,153,693,963,075,557,766,310,747
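The arithmetic behind the table, and the 15-to-127-character Windows guidance above, as an added example that is not part of the original post: the script infers which character classes a secret uses, computes alphabet ** length (the “possible combinations” column), converts that into a worst-case time to exhaust the keyspace at an assumed guess rate, and checks the length policy. The 10-symbol set and the 1e10 guesses-per-second figure are assumptions, not figures from the post.

```python
import string

# Character classes as the post's table counts them. The 10-symbol set is an
# assumption chosen so that 62 + 10 = 72 matches the table's "w/ symbols" row.
DIGITS = set(string.digits)            # 10
LOWER = set(string.ascii_lowercase)    # 26
UPPER = set(string.ascii_uppercase)    # 26
SYMBOLS = set("!@#$%^&*()")            # 10 (assumed)
SPACE = {" "}                          # 1


def alphabet_size(secret: str) -> int:
    """Alphabet a brute-force search must cover, inferred from the classes used."""
    size = sum(len(cls) for cls in (DIGITS, LOWER, UPPER, SYMBOLS, SPACE)
               if any(ch in cls for ch in secret))
    if size == 0:
        raise ValueError("secret uses no recognised character class")
    return size


def keyspace(secret: str) -> int:
    """Possible combinations (the post's table column): alphabet ** length."""
    return alphabet_size(secret) ** len(secret)


def years_to_exhaust(secret: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try every combination at a constructed guess rate;
    1e10/s is a placeholder for an offline cracking rig, not a measurement."""
    return keyspace(secret) / guesses_per_second / (365 * 24 * 3600)


def meets_length_policy(secret: str, minimum: int = 15, maximum: int = 127) -> bool:
    """The post's Windows guidance: at least 15 characters, stop before 127."""
    return minimum <= len(secret) < maximum


if __name__ == "__main__":
    for s in ("1234", "password", "pass1234", "PassWord", "PasS1234",
              "Pas$12#$", "i like chocolates", "hU*4M%2g", "I like chocolate!"):
        print(f"{s!r:21} alphabet={alphabet_size(s):2} "
              f"combinations={keyspace(s):,} years={years_to_exhaust(s):.3g} "
              f"length_ok={meets_length_policy(s)}")
```

Running it reproduces every row of the table and shows that the 17-character phrase, despite its 27-character alphabet, outlasts the 72-character-alphabet 8-character password by many orders of magnitude.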


Don’t Think Green

Many companies implement a policy that follows best practice: network passwords are changed every 90 days, are not reused, and are never shared with anyone (including Help Desk or IT personnel). Best practice for passphrase management is:

  • Don’t Reduce – Use long passphrases when possible.
  • Don’t Reuse – Never use the same passphrase at more than one web site.
  • Don’t Recycle – Avoid using the same passphrase or variants over and over again.


The best generator of random passwords on the Internet: