In my previous post on passwords, I posted the 25 worst passwords of 2011. If you didn’t see any of your passwords in that list, that’s good news. But chances are you’re reading this article because you’re nervous that your password may not be strong enough. While some websites are starting to provide an indicator of how strong/weak the password you entered may be, they don’t really help you come up with the password.
Last year, NASA created a list of password best practices, which include:
- It should contain at least eight characters
- It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,; If there is only one letter or special character, it should not be either the first or last character in the password.
- It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.
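Those rules are concrete enough to check mechanically. The following is an added example (not NASA's or the post's own code) that tests a candidate password against each of them; the tiny word list and the sample name and e-mail address are constructed placeholders, and the four-letter minimum for name/e-mail fragments is an assumption.

```python
# Added example: checker for the NASA password rules listed above.
# SAMPLE_DICTIONARY is a constructed stand-in for a real word list.
import re

SAMPLE_DICTIONARY = {"password", "monkey", "sunshine", "welcome", "letmein"}
SPECIALS = set('!@#$%^&*,;"')


def check_password(pw, name="", email="", dictionary=SAMPLE_DICTIONARY):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")

    uppers = [c for c in pw if c.isupper()]
    lowers = [c for c in pw if c.islower()]
    digits = [c for c in pw if c.isdigit()]
    specials = [c for c in pw if c in SPECIALS]
    if not (uppers and lowers and digits and specials):
        problems.append("missing one of: upper, lower, digit, special")

    # A lone letter or lone special character must not sit at either end.
    letters = uppers + lowers
    for group, label in ((letters, "letter"), (specials, "special character")):
        if len(group) == 1 and (pw[0] in group or pw[-1] in group):
            problems.append(f"the only {label} is first or last")

    if pw.lower() in dictionary:
        problems.append("is a dictionary word")

    # Reject any fragment of the name or e-mail address (assumption: four or
    # more letters, so a short top-level domain such as "com" is ignored).
    pieces = {p.lower() for p in re.findall(r"[A-Za-z]{4,}", name + " " + email)}
    for piece in sorted(pieces):
        if piece in pw.lower():
            problems.append(f"contains '{piece}' from name or e-mail")
    return problems


if __name__ == "__main__":
    # Constructed sample account details, not a real person.
    for candidate in ("password", "A1234567!", "Jane2024!x", "Tr0ub4d@r!x"):
        result = check_password(candidate, name="Jane Doe", email="jane@example.com")
        print(candidate, "->", result or "passes")
```

Note that nilmDOWN2s, the sentence-derived password shown later in the post, contains no special character and so fails the four-types rule as written.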
Following that advice, of course, means you’ll create a password that will be impossible to remember, unless you try a trick credited to security guru Bruce Schneier: turn a sentence into a password.
For example, “Now I lay me down to sleep” might become nilmDOWN2s, a 10-character password that won’t be found in any dictionary.
Can’t remember that password? Schneier says it’s OK to write it down and put it in your wallet, or better yet keep a hint in your wallet. Just don’t also include a list of the sites and services that password works with. Try to use a different password on every service, but if you can’t do that, at least develop a set of passwords that you use at different sites.
Someday, we will use authentication schemes, perhaps biometrics, that don’t require so much jumping through hoops to protect our data. But, in the meantime, passwords are all most of us have, so they ought to be strong enough to do the job.