The terrible truth about Passwords

Passwords can be a pain. You need a password for everything and we do tend to take them for granted, but consider these facts

Did you know that studies show more than 40 percent of all personally chosen passwords are easily guessed by someone who knows the person?

Generally speaking nearly a quarter of all passwords (across many languages) are easily crackable using relatively easily to obtain tools?

Many people use the same username and password for most, if not all, of their accounts (for example e-mail, banking, social sites, and so forth)

Does that worry you ? It should!

Passwords are our first line of defence against misuse but they are often the weakest link. If someone obtains your password, they may find a way to access your e-mail or IM messages, your bank accounts, your research, your contact lists, and whatever else you have on your computer. Your files may be altered or destroyed. Sometimes hackers even take over a computer and turn it into a zombie, using it to perform malicious tasks such as sending out large amounts of spam. They can sometimes even pretend to be you !

How Passwords are stolen

When you are creating a strong password, it can help to know the tactics hackers use to steal them. Here are some of the most frequently used techniques:

Guessing : Either manually trying to guess passwords or using a piece of software to automate the process. Often personal information which is found online such as names, birth dates, names of friends or significant others, pet names or license plate numbers is used as a starting point. Even spelling backwards or using common letter <-> number replacement tricks to not work as well as you might think.

TIP: It’s best to steer clear of any personally identifying information when creating a password.

Dictionary-based attacks: Programs exist that run every word in a dictionary or word list against a user name in hopes of finding a perfect match.

TIP: Staying away from actual words, even in a foreign language, is recommended.

“Brute Force” attacks: By trying every conceivable combination of key strokes in tandem with a user name, brute force attacks often discover the correct password. Programs can execute a brute force attack very quickly, especially against shorter passwords. With today’s technology, passwords over 8 characters are recommended, with 12 characters being a good target.

TIP: The best way to beat such an attack is with a long, complex password that uses upper and lower case letters, numbers, special characters and punctuation marks.

Phishing : Scams usually try to get your interest an urgent IM or e-mail designed to alarm or excite you into responding. Often these will appear to be from a legitimate source you are familiar with such as a friend or bank. They try to direct you to phoney Web site designed to trick you into giving them information such as your user name and password.

TIP: Best advice is don’t click a link in any suspicious e-mails, and don’t provide your information unless you trust the source. If you visit a bank, type in the address rather than clicking on a link.

“Shoulder surfing.” : Passwords are not always stolen online. Anyone lurking around in a lab, café, or library may be there for the express purpose of watching you enter your user name and password into a computer. A good place to see this in action is in the movie “Hackers” (one of our favourites)

TIP: Try to enter your passwords quickly, without looking at the keyboard, as a defence against this type of theft.

Social engineering: Sometimes as simple as physically grabbing the password off a Post-It from under someone’s keyboard, or through imitating an IT engineer and asking over the phone. Even stealing a phone and SMSing someone in the contact list for a PIN number !

TIP: Do not give anyone your password unless there is no other option, and even then only if you can 100% identify the person. Once they have finished what they had to do, change your password immediately.

So, now for the good oil.

How To Choose Good Passwords

To create a strong password, it helps to know what makes up a weak password.

No Dictionary Words, Proper Nouns, or Foreign Words

Cracking programs basically just hammer away using a large list of words. Spelling it backwards will not help.

No Personal Information (no, not even your nick-name)

Personal information is deceptively easy to come by and makes, as we have seen, great password fodder!

Length, Width and Depth

The longer a password is, the more types of characters you use, and the less obvious you make it, often the longer it will take to crack it.

While not every system will allow you to use all of them, you can often choose from all the following:

uppercase letters such as A, B, C;
lowercase letters such as a, b,c;
numerals such as 1, 2, 3;
special characters such as $, ?, &; and
alt characters such as µ, £, Æ. (Cliff)

Memorable (to you)

It’s no good having a strong password if you have to write it down. There are some good tips coming up on making a password memorable.

Tips for creating good, secure passwords

It is best to use “non-words” that are not made up of only numbers or only letters. For example, you can use the first letters from the words in a phrase, song or rhyme to help you remember:

I Love Paris In The Spring (ILPITS6)
My four children are wonderful when they’re sleeping (M4CAWWTS)
My anniversary is April 4 remember that date (MAIA4RTD)
Ali Baba had forty thieves (ABH40T)

Another trick is to substitute letters for numbers (or vice versa), such as : E equals 3, I equals 1, for equals 4, two equals 2, B equals 8, see or sea equals C, o equals (), etc. For example:

Use R3dJ3llo instead of RedJello (substitute the E’s with 3’s)
Use BCL1NT0N instead of BCLINTON (substitute I & L with 1’s and O with zero)
Use G()()dniGht instead of Goodnight (substitute o’s with () )

Try using keywords related to a theme, such as a significant event: a honeymoon, the birth of a child, a new car, a new job.

Example phrases associated with a birth might be blueeyes, hurry, onemorepush, crankyRN, coldbracelet, roomsix and icechips.
Ideas associated with a new car could be deepblue4, 6CDs, 5speed and TiresGrip7.

The idea here is that you use a variety of words associated with an event that other people would not readily guess.

Consistently capitalize the nth letter(s) of your password. Some systems require that at least one character be uppercase. Many people capitalize the first character, but this is too predictable. Instead, always capitalize the second, third or fourth letter, or perhaps always the last or next-to-last. Some examples:


For further interest, you can capitalize more than one letter, for instance the first and third, or the second and fourth. Avoid predictable week-to-week or month-to-month changes. One example of a predictable pattern to avoid:


If someone was lucky enough to discover your password long ago, you don’t want him to be able to predict what it will be in the future.

Use a “Pass Phrase” and not a “Pass Word”. Stop thinking in terms of passwords and start thinking in terms of phrases. The purpose of a mnemonic phrase is to allow the creation of a complex password that is easy to remember and does not need to be written down. Examples of a mnemonic phrase may include a phrase spelled phonetically, such as

‘ImuKat!’ (instead of ‘I’m a cat!’)
The first letters of a memorable phrase such as ‘qbfjold*’ = “quick brown fox jumped over lazy dog.”
An actual phrase such as “! Th1s 1s MY c()mputer !” combining mixed capitalisation, letter substitution, special characters and spaces

Some more useful tips

Change your password

Even a strong password will eventually be guessed or cracked. For this reason you should always regularly change your password. This not only minimizes the chance that someone could guess or crack your password, it also shortens the length of time that person would have control of your system.

Use a different password for each of your accounts.

Using one password for all your accounts could be compared to using one single key for your car, house, and office. If someone gets your key they have access to everything. Using different passwords means you have to remember more but it reduces the possibility that someone could gain access to all your accounts.

Don’t check “remember my password” boxes.

I know it’s tempting, but the “remembering” of passwords by applications is not generally a good idea. Many of them have no (or inadequate) built-in security to protect them. Some programs actually store the password in clear text in a file meaning anyone with access to the computer can read the password.

The summary – at last

Have policies in place that mean we need to change our passwords regularly and meet a certain minimum password strength. Unless you are using systems that do not accept the stronger password tips discussed earlier there is no reason why you cannot start putting some of these things into practice. But these tips do not only apply at work, they are equally applicable at home.

If you want some ideas about strong passwords you can go to “” (yes, you can trust this link ….). Please DO NOT type in your ACTUAL password, just use it as a guide.

If you think you might have received a Phishing scam, you can visit or and search for information on the e-mail received

The last words: Don’t be worried, be safe!

Leave a Reply

Your email address will not be published. Required fields are marked *