One of the first and best rules of practicing good web site security is to make sure passwords are secure. The good news is secure passwords do not have to be impossible to remember, and memorable passwords can still be secure.
So, What is The Problem?
The other day a customer came to me and revealed the password he was using to maintain one of his web sites. It was a password I have seen hundreds of times before from other customers. Now, if I have seen that password that many times, you can guarantee the bad guys have it in their password lists that they use to try to gain access to a typical web site.
Password lists are files of common usernames and passwords. An attacker feeds such a list into a tool that scans for web sites and tries each entry against their login forms. A modern way of doing this is with a large number of previously infected private computers, a “botnet,” remote-controlled by a single operator. Because a botnet can spread its login attempts across many different IP addresses (the infected machines), no single source stands out, which reduces the chance that the server’s firewall notices and blocks the attack. A single IP address that keeps failing to log in, by contrast, is easy to spot and is usually blocked fairly quickly.
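To make that difference concrete, here is an added example (not from the original post) that runs a per-IP threshold and a per-account threshold over a few constructed failed-login lines. The log format, the thresholds and the addresses are assumptions for illustration: one attacker hammers an account from a single IP and is caught by the per-IP rule, while a second attacker spreads the same number of guesses over six IPs and slips past it, but is caught by counting failures per targeted account instead.

```python
"""Per-IP versus per-account failed-login thresholds (added example).

The log line format is an assumption modelled on a typical web-login
failure record; the sample lines below are constructed, not real traffic.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\S+) login_failed user="(?P<user>[^"]+)" '
    r'ip=(?P<ip>\d+\.\d+\.\d+\.\d+)$'
)

# Constructed sample: 198.51.100.7 guesses "admin" six times from one address;
# six different 203.0.113.x addresses guess "editor" once each; alice simply
# mistyped her password once. The login_ok line is there to show that the
# parser ignores records it is not looking for.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login_failed user="admin" ip=198.51.100.7
2024-05-01T10:00:02Z login_failed user="admin" ip=198.51.100.7
2024-05-01T10:00:03Z login_failed user="admin" ip=198.51.100.7
2024-05-01T10:00:04Z login_failed user="admin" ip=198.51.100.7
2024-05-01T10:00:05Z login_failed user="admin" ip=198.51.100.7
2024-05-01T10:00:06Z login_failed user="admin" ip=198.51.100.7
2024-05-01T10:05:00Z login_failed user="editor" ip=203.0.113.11
2024-05-01T10:05:03Z login_failed user="editor" ip=203.0.113.45
2024-05-01T10:05:07Z login_failed user="editor" ip=203.0.113.78
2024-05-01T10:05:12Z login_failed user="editor" ip=203.0.113.102
2024-05-01T10:05:18Z login_failed user="editor" ip=203.0.113.130
2024-05-01T10:05:25Z login_failed user="editor" ip=203.0.113.199
2024-05-01T10:06:00Z login_ok user="bob" ip=192.0.2.20
2024-05-01T10:07:00Z login_failed user="alice" ip=192.0.2.9
"""


def parse_log(text):
    """Return one dict per failed-login line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_per_ip(events):
    return Counter(e["ip"] for e in events)


def failures_per_user(events):
    return Counter(e["user"] for e in events)


def flag_by_ip(events, threshold=5):
    """What a per-IP firewall rule sees: only sources that fail repeatedly."""
    return {ip for ip, n in failures_per_ip(events).items() if n >= threshold}


def flag_by_account(events, threshold=5):
    """Count failures per targeted account, regardless of where they come from."""
    return {u for u, n in failures_per_user(events).items() if n >= threshold}


def distinct_sources(events):
    """Distinct IPs that failed against each account. Many sources against one
    account is the signature of a distributed (botnet) guessing attack."""
    ips = defaultdict(set)
    for e in events:
        ips[e["user"]].add(e["ip"])
    return {u: len(s) for u, s in ips.items()}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("blocked by per-IP rule:", sorted(flag_by_ip(ev)))
    print("accounts under attack:", sorted(flag_by_account(ev)))
    print("distinct sources per account:", distinct_sources(ev))
```

The per-IP rule blocks 198.51.100.7 and nothing else: every botnet address failed only once, well under any sensible threshold. The per-account view catches both attacks, which is why rate limiting and lockout logic should key on the account being attacked as well as on the source address.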
How to ensure that your password is not in the list?
Now that we have a basic understanding of one way in which hackers gain access to a web site, it should be clear that we must use secure passwords at every chance we get. The good news is that passwords do not have to be hard to remember in order to be secure. On the other hand, in my own case, I have no idea what most of my passwords are. I use long, unmemorable passwords with lots of special characters, which I will not remember after I type them. I can do this because virtually every site on the Internet lets me reset my password whenever I need to, and since a reset usually takes less than a minute, that is what is convenient for me.
Frequently changing your password this way is also a good practice, because each reset gives you a fresh password that no other site shares; in the off chance one of them somehow gets stolen, it is probably not going to work anywhere else. On the other hand, many users have trouble remembering which email address they used to register on a particular site, so this is not an option for everyone.
So, let’s get back to our customer with the qwerty password… I explained to this customer the importance of keeping a secure password, and his reply was to the effect of, “But I won’t be able to remember it,” and “I use this password everywhere.” He explained to me that he was not very computer literate and was not interested in installing any password managers. He just wanted a memorable password, and I wanted him to have what he desired, along with making sure it was secure. So now what?
Remembering your secure password
Here is a handy password-strength checker that can shed some light on what I mean:
First, try your own password. Then compare the same passphrase written without spaces and written with spaces:
red black blue
As you can see, the second version (the passphrase) is rated as effectively uncrackable, simply because a few special characters were added, in this case spaces. A caveat is in order: a checker like this estimates how long a brute-force search would take, and the spaces both lengthen the password and enlarge the set of characters an attacker has to try. It cannot tell whether the phrase is on a word list, and a cracking tool that tries combinations of common words with and without separators is not slowed down by the spaces. So pick words that are not an obvious sequence, and let the spaces make a good phrase stronger rather than rescue a weak one.
Now for the downside. Not all web developers understand this concept, and many password forms do not allow characters like s p a c e s to be used. Instead they require you to do inconvenient things like add harder-to-remember special characters, numbers, upper- and lower-case letters, and a host of other site-specific rules. The worst of them require a specific number of each of these things, and that is when finding a memorable password that is usable on all the sites you frequent becomes difficult.
In any case, this is a good demonstration of how a special character as simple as a space can dramatically increase a password’s strength while keeping it easy to remember. To summarize: memorable passwords can be secure. The good news is that more and more developers are beginning to understand this, and I encounter more password forms every day that accept spaces and are less restrictive in their requirements. Here’s to progress, cheers.
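To show where a checker’s numbers come from, and why the caveat above matters, here is an added example (not the post’s tool and not any site’s code) that computes two estimates for the passphrase above with and without its spaces: the character-class brute-force estimate most strength meters use, and a word-list estimate for an attacker who already tries combinations of common words joined with or without a space. The 2,000-word dictionary size and the two policy functions are assumptions for illustration; the policies model the restrictive site rules described above against a length-based rule that lets spaces through.

```python
"""Brute-force versus word-list strength estimates for a passphrase (added example).

The dictionary size and the two sample policies are assumptions used only to
illustrate the point; they are not any site's or tool's actual settings.
"""
import math
import string

SYMBOLS = string.punctuation + " "   # 32 punctuation characters plus the space


def charset_size(pw):
    """Alphabet a brute-force attacker must assume, judged from the character
    classes that actually appear in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in pw):
        size += len(string.ascii_uppercase)
    if any(c in string.digits for c in pw):
        size += len(string.digits)
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return size


def brute_force_bits(pw):
    """log2 of the guesses needed to exhaust every string of this length over
    that alphabet; this is the model behind most password meters."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def wordlist_bits(words, dict_size=2000, separator_choices=2):
    """log2 of the guesses for an attacker who knows the password is a few
    common words, each drawn from a dictionary of dict_size entries and joined
    by one of separator_choices separators (here: nothing or a space).
    Under this model the spaces are worth only one bit per join, and the
    figure is the same whether or not the phrase is typed with spaces."""
    n = len(words)
    if n == 0:
        return 0.0
    return n * math.log2(dict_size) + (n - 1) * math.log2(separator_choices)


def restrictive_policy_ok(pw):
    """The kind of site rule the post complains about: no spaces, and at least
    one upper-case letter, one digit and one punctuation character."""
    if " " in pw:
        return False
    return (any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def length_policy_ok(pw, min_len=12):
    """A policy that lets passphrases through: any printable characters,
    spaces included, as long as the whole thing is long enough."""
    return len(pw) >= min_len and all(c.isprintable() for c in pw)


def compare(words):
    """Both estimates, in bits, for the phrase with and without spaces."""
    spaced, joined = " ".join(words), "".join(words)
    wl = round(wordlist_bits(words), 1)
    return {
        joined: {"brute_force_bits": round(brute_force_bits(joined), 1),
                 "wordlist_bits": wl},
        spaced: {"brute_force_bits": round(brute_force_bits(spaced), 1),
                 "wordlist_bits": wl},
    }


if __name__ == "__main__":
    for form, bits in compare(["red", "black", "blue"]).items():
        print(f"{form!r}: {bits}")
    print("restrictive policy accepts 'red black blue':",
          restrictive_policy_ok("red black blue"))
    print("length policy accepts 'red black blue':",
          length_policy_ok("red black blue"))
```

The brute-force figure jumps by roughly 26 bits when the spaces are added (two more characters and a 59-symbol alphabet instead of 26), which is the jump the checker rewards. The word-list figure is about 35 bits in both spellings and is lower than either brute-force number: an attacker who guesses word combinations, with and without separators, is not slowed down by the spaces. The restrictive policy rejects the passphrase outright, while the length-based one accepts it.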