Secure IT Foundation

Secure Passwords #2

Posted on: September 5, 2009

Last time we discussed the history of passwords; this week you will learn how to create a secure password, and next week what two-factor technology can be used to secure your computer accounts and passwords. To understand what a secure password is, you need to know how the bad guys can break your password. There are two types of accounts that can be broken into: Windows or Mac user accounts, and website accounts.

Web Accounts

For website accounts, imagine you log in to website X with a user name and password. The bad guys do the same to try to get access to your account. As your user name may well be the same name you use on other websites or publish on Facebook, Hyves, Myspace etc., they may already know it, so they try to crack the password. The way the bad guys do this is to take long lists of words, letters and phrases stored as a text file on a computer and try each one on website X. If it lets them in, they have cracked your password.

Their list is made up of words from dictionaries in all languages, plus lists of previously cracked passwords. If the list of thousands of entries does not work, the bad guys have another method up their sleeve. They take their list of words and run it through a computer program which modifies the words with numbers, capital letters and symbols, and they try this new list. If that does not work, they can use the same program to generate every possible combination and try that. This list of every possible password only works on one website and can take months or years to make, but a determined bad guy has patience.

Computer accounts

Just like website accounts, computer accounts can be broken into using the bad guys' word lists. One advantage of computer accounts for the bad guys is that your user name is normally shown on screen, so only the password is needed. However, if the bad guy has access to your computer in person, then your computer is easily broken into without additional security. The Mac operating system, like all UNIX-based operating systems (including Linux), has what is known as ‘single user mode’. With a Mac you only need to hold down the Apple key and ‘s’ to access it, and it will let you change any password. Windows is different but nearly as easy: there is a CD that resets the administrator account, see here.

Create a secure password

Firstly, the goal of a secure password is a line of characters that cannot be guessed or cracked. You now know that, given time, any password can be found, so what do you do? Simple: change your password (and PINs!) at least twice a year. Ideally this would be about every 30 days, as it will take the bad guys longer than that to work out your password, but that is not the most practical advice. So what do you do to create a secure password, knowing that it will have to be changed in 6 months at most?

  • It should be over 12 characters long, with letters, numbers and symbols like ‘!”£$%^&*(){}:@~<>?’, not made up of just words found in a dictionary, and never the same as your user name.
  • Too hard to remember? Then the next best thing is a long combination of words, commonly known as a sentence, e.g. “Mary had a little lamb and 1 ate it for lunch” or “My hi-fi came from the back of a lorry”. Count the letters and spaces: both examples are over 20 characters long and would be hard to guess. Spaces do count, but must not be used at the start or end of the password. These sentences are known as pass phrases.
  • Note: our examples are a guide only, please don’t use them yourself. Don’t be that silly: the bad guys will already have copied them to their list of words!
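As an added illustration (not code from the original post), here is a small Python checker that applies the rules above to a candidate password, treats a sentence of over 20 characters as a pass phrase, and estimates how the brute-force search space from the earlier section grows with length and character mix. The word list, the sample phrases in it and the guess rate are constructed assumptions.

```python
# Constructed stand-in for the attacker's word list the post describes (dictionary
# words plus cracked passwords); the post's own sample phrases are in it, as it warns.
WORDLIST = {"password", "letmein", "qwerty", "mary", "lamb", "lorry", "summer",
            "mary had a little lamb and 1 ate it for lunch",
            "my hi-fi came from the back of a lorry"}
SYMBOLS = '!"£$%^&*(){}:@~<>?'   # the post's sample symbols

def char_classes(pw):
    """Map each character class present in pw to the size of that class's alphabet."""
    classes = {}
    for ch in pw:
        if ch.islower():   classes["lower"] = 26
        elif ch.isupper(): classes["upper"] = 26
        elif ch.isdigit(): classes["digit"] = 10
        elif ch == " ":    classes["space"] = 1
        else:              classes["symbol"] = len(SYMBOLS)
    return classes

def is_passphrase(pw):
    """The post's pass phrase: a sentence of several words, over 20 characters."""
    return len(pw) > 20 and len(pw.split()) >= 4

def check_password(pw, username):
    """Return the post's rules that pw breaks; an empty list means it passes."""
    problems = []
    if pw != pw.strip():
        problems.append("space at start or end")
    if pw.lower() == username.lower():
        problems.append("same as user name")
    if pw.lower() in WORDLIST:
        problems.append("already in the word list")
    if is_passphrase(pw):
        return problems            # length, not character mix, does the work here
    have = set(char_classes(pw))
    if len(pw) <= 12:
        problems.append("12 characters or fewer")
    if not ({"lower", "upper"} & have and {"digit", "symbol"} <= have):
        problems.append("needs letters, numbers and symbols")
    # The mutation step the post describes bolts numbers, capitals and symbols onto
    # a word; strip them back off and see whether a plain list entry is left.
    core = "".join(ch for ch in pw.lower() if ch.isalpha())
    if core != pw.lower() and core in WORDLIST:
        problems.append("dictionary word with characters added")
    return problems

def brute_force_years(pw, guesses_per_second):
    """Years to try every string of pw's length over its character classes."""
    alphabet = sum(char_classes(pw).values())
    return alphabet ** len(pw) / guesses_per_second / (365 * 24 * 3600)
```

Each extra character multiplies the brute-force time by the alphabet size, which is why the post leans on length (and pass phrases) rather than on symbols alone.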

What can you do?

  • Encrypt your whole hard drive and use ‘pre-boot authentication’; this makes the above methods of resetting passwords impossible without knowing the pre-boot password, as the disk is not readable. Sounds hard? See the TrueCrypt website or call in a security professional to do it for you.
  • Change your password regularly. If someone has captured the gibberish that a password becomes once a computer stores it, over time they will eventually be able to break the formula protecting it. Changing it often makes this pointless.



1 Response to "Secure Passwords #2"

[…] In the first part of this blog we told you about the history of passwords, in the second part we explained how to create a secure password. The third part of this trilogy is to explain how […]


