Choosing a secure password

by CXOtoday Staff    Mar 09, 2010

We now use the Internet for a wide range of activities, including online banking, online shopping and online research. Increasingly, we are also using the Internet to socialize. In the last few years there has been a massive growth in the number of social networking sites such as Facebook, MySpace, etc. where we share all kinds of personal details as well as music, pictures, and videos.

Unfortunately, the more personal details we make available, the more exposed we are to online identity theft. Identity theft is when a criminal steals confidential personal data that lets them fraudulently obtain goods and services in your name. A cyber-criminal could, for example, open a bank account, obtain a credit card or apply for a driving license or passport. Or they could simply steal money directly from your bank account.

Need for secure passwords
Given that passwords protect such valuable data, they are clearly very important. You should protect all your online accounts with passwords - but you must be careful when choosing them. Sometimes people cut corners in order to make their lives easier and simply do not understand the security implications. This is true of passwords, for example.  It is not uncommon to have 10, 20 or more online accounts, making it very difficult to remember (or even choose) a unique password for each account. This makes it very tempting to use the same password for each account, or to use something like a child’s name, spouse’s name or place name which has personal significance and is therefore easy to remember.

Another common approach is to recycle passwords, perhaps using ‘password1’, ‘password2’, ‘password3’ and so on for successive accounts. Using any of these approaches increases the likelihood of a cyber-criminal either guessing the password, or, if one account is compromised, getting easy access to other accounts.

Guidelines for choosing secure passwords
Choosing a good password is an important part of lowering the risk of becoming a victim of cyber crime. The following guidelines should help you when choosing passwords for your online accounts:
> Make your passwords memorable, so that you don’t have to write them down or store them in a file on your computer (remember, this file could be stolen by cyber-criminals).
> Do not use real words that a hacker or cyber-criminal can find in a dictionary.
> Use a mixture of uppercase and lowercase letters, numbers and non-alphanumeric characters such as punctuation marks (although the latter are not always allowed).
> Do not recycle passwords, e.g. do not use ‘password1’, ‘password2’, ‘password3’, etc. for different accounts.
> If possible, use a passphrase, rather than a single word.
> Do not use the same password for multiple accounts. If a cyber-criminal finds the password to one account, they can use it to access other accounts.

Generating a secure password
Instead of trying to remember individual passwords, start with a fixed component and then apply a simple scrambling formula. Here is an example: start with the name of the online resource, let us say ‘password’. Then apply the formula:
1.    Capitalize the fourth character.
2.    Move the second last character to the front.
3.    Add a chosen number after the second character.
4.    Add a chosen non-alphanumeric character to the end.

This would give a password of ‘rp2asSwod@’. Using this method gives a unique password for each online account by following the same four steps each time.  
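The four steps above as a small Python function, added here as an illustration (it is not code from the article). The function name `scramble`, its parameter names and the length check are assumptions, and the site names in the demo are constructed samples.

```python
def scramble(name: str, number: str = "2", symbol: str = "@") -> str:
    """Apply the article's four-step formula to a resource name.

    `number` and `symbol` are the user's chosen values (steps 3 and 4).
    """
    # The formula refers to the fourth and the second-last character,
    # so it is undefined for names shorter than four characters.
    if len(name) < 4:
        raise ValueError("name must have at least four characters")
    if not number.isdigit():
        raise ValueError("number must consist of digits")
    if len(symbol) != 1 or symbol.isalnum():
        raise ValueError("symbol must be one non-alphanumeric character")

    # Step 1: capitalize the fourth character
    # (a digit or symbol in that position is left unchanged).
    chars = name[:3] + name[3].upper() + name[4:]
    # Step 2: move the second-last character to the front.
    chars = chars[-2] + chars[:-2] + chars[-1]
    # Step 3: add the chosen number after the second character.
    chars = chars[:2] + number + chars[2:]
    # Step 4: add the chosen non-alphanumeric character to the end.
    return chars + symbol


if __name__ == "__main__":
    # Constructed sample names; 'password' is the article's own example.
    for site in ("password", "facebook", "myspace"):
        print(f"{site:10s} -> {scramble(site)}")
```

The output depends only on the resource name, the chosen number and the chosen symbol, so the same inputs always reproduce the same password.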

How to keep your passwords safe
> Do not use obvious passwords that can be easily guessed, such as your spouse’s name, your child’s name, pet’s name, car registration, postcode etc.
> Do not tell anyone your password. If an organization contacts you and asks for your password, even by phone, do not give them any of your personal details. Remember, you do not know who is at the other end of the telephone line.
> If an online store, or any web site, sends you an email confirmation that contains a new password, login again and change your password immediately.
> Check that your Internet security software blocks attempts by cyber criminals to intercept or steal passwords.

This article has been written with inputs from Kaspersky Labs.