Password Performance That Isn’t A Compromise

Posted by Grant Mongardi on Wed, Nov 04, 2015 @ 09:12 AM

Tags: Security, AD, cloud security, Password, SSO

So the question often arises of how can I have a secure password that I can remember and that meets the criteria of my policy? It comes up all of the time. Most systems place criteria on setting a new password to something like this:

  • must be at least 8 characters
  • must contain uppercase & lowercase characters
  • must contain a number
  • must contain a symbol

and often:

  • cannot contain the username
  • cannot contain consecutive duplicate character

Although there is some dissention as to whether or not all of these criteria are necessary, it certainly does help. It means you can't only have your dog's name or your daughter's birthdate as your password. But most people have a problem even creating passwords that meet the criteria, never mind remembering them.

I suggest thinking of the password differently. If you think of your password as a "pass-phrase" rather than a single word then you are much more likely to both remember it and to create one that is very secure. First you can think of a subject that you're connected with. For example let's say that you're a huge fan of computer games. Perhaps you might create a password like this:

It's a-me, Mari0! 

    or 

It's super effect1ve!

So those certainly meets our criteria, assuming your name isn't Mario. And hopefully you can remember it. What if you're a SciFi movie buff? How about these:

Han sh0t first.

I'll b3 back.

We're all standing n0w!

I'm afra1d, Dave.

I'm my 0wn best friend!

In any case, the idea is that you create passwords based upon a phrase that you can remember. You should utilize punctuation just as you would because that helps meet the requirement of special characters. And finally you replace a part or a character with a number or symbol until you've met the criteria required.  

Mind you, this isn't the perfect solution but it meets the criteria and is far more secure than an 8-character password that you can never remember (and then can't reuse). Using a password like this for 60 days far exceeds the security of a random string of 8 characters. A desktop PC utilizing a couple of GPUs can crack 3750 8-character passwords in the about the same time it takes to crack a single 10-character password. Add more characters and those numbers get even better. Most of the passwords above would take years to crack, if not decades.

Contact The Experts <[email protected]> for options to ensure better security with less work and better compliance across all of your services & websites! Single Sign-On and ZERO Sign-On for all of your corporate web services!