SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

Why you should treat passwords like your toothbrush

A Guest Article by Stefan Lüders.*

Your password is your entry token into the digital world. eBay, Amazon, Facebook, Twitter – your company accounts – all ask you for a password to authenticate and prove that you are you. And vice versa: If I know your password, I can impersonate you and use your money to buy from eBay or Amazon, post nasty messages on your Twitter or Facebook profile, or misuse computing facilities of your company or organization in your name!

Would you give me your UBS bankcard and its PIN? Of course not! Please apply the same sensitivity to your digital credentials, i.e. passwords, SSH keys, certificates, etc. Beware of attempts to “steal” your password. Computing staff, including the Computer Security Team, will never ask for your password (nor will any other legitimate person at Facebook, eBay, etc.). So be wary of malicious e-mails or any other request for your password. Never send it via e-mail, and type it only into web interfaces you know and trust.

Remember: Your password should be treated like a toothbrush: do not share it, and change it regularly!

What is a good Toothbrush, erm, Password?

A good password is:

  • private: used and known by one person only
  • secret: it does not appear in clear text in any file or program or on a piece of paper pinned to the monitor
  • easily remembered: so there is no need to write it down
  • at least (!) 8 characters long with a mixture of at least 3 of the following: upper case letters, lower case letters, digits and symbols
  • not to be found in a dictionary of any major language nor guessable by any program in a reasonable time.

Here are some hints to help you choose good passwords:

  • Choose a line or two from a song or poem, and use the first letter of each word. For example, “In Xanadu did Kubla Khan a stately pleasure dome decree” becomes “IXdKKaspdd”.
  • Alternate between one consonant and one or two vowels with mixed upper/lower case. This provides nonsense words that are usually pronounceable, and thus easily remembered. For example: “Weze-Xupe” or “DediNida3”.
  • Choose two short words (or a big one that you split) and connect them together with one or more punctuation characters between them. For example: “dogs+F18” or “comP!!UTer'”.
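The rules above (at least 8 characters, at least 3 of the 4 character classes, not a dictionary word) and the first-letter mnemonic trick can both be expressed in a few lines of code. The following is an added example written for this post, not code from the author or from SWITCH-CERT; the tiny word list and the entropy estimate are assumptions for illustration, and a real deployment would load a full wordlist instead.

```python
import math
import string
from dataclasses import dataclass, field

# Constructed mini "dictionary" standing in for a real wordlist
# (assumption: a real check would load a full list such as /usr/share/dict/words).
SAMPLE_DICTIONARY = {
    "password", "welcome", "qwerty", "letmein", "sunshine",
    "dragon", "monkey", "football", "iloveyou",
}

# The four character classes named in the post.
CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


@dataclass
class PolicyResult:
    ok: bool
    classes_used: list
    estimated_bits: float
    problems: list = field(default_factory=list)


def classes_present(password):
    """Names of the character classes that occur at least once in the password."""
    return [name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)]


def estimated_entropy_bits(password):
    """Rough upper bound on brute-force work: log2(alphabet ** length), where the
    alphabet is the union of the classes actually used. A mnemonic or phrase-based
    password is really much weaker than this bound, so treat it as an upper limit."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_present(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password, dictionary=SAMPLE_DICTIONARY, min_length=8, min_classes=3):
    """Apply the post's three mechanical rules and collect every violation."""
    problems = []
    used = classes_present(password)
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(used) < min_classes:
        problems.append(f"uses only {len(used)} of 4 character classes (need {min_classes})")
    # Dictionary check on the whole password and on its alphabetic core, so that a
    # word with digits or symbols bolted on ("Password1!") is still caught.
    core = "".join(c for c in password if c.isalpha()).lower()
    if password.lower() in dictionary or core in dictionary:
        problems.append("is a dictionary word (possibly with digits/symbols added)")
    return PolicyResult(ok=not problems, classes_used=used,
                        estimated_bits=estimated_entropy_bits(password),
                        problems=problems)


def mnemonic_from_phrase(phrase):
    """First letter of each word, keeping the original capitalisation (the post's
    song/poem trick). Words that start with a non-alphanumeric character are skipped."""
    return "".join(word[0] for word in phrase.split() if word[0].isalnum())


if __name__ == "__main__":
    poem = "In Xanadu did Kubla Khan a stately pleasure dome decree"
    candidates = [mnemonic_from_phrase(poem), "Weze-Xupe", "DediNida3",
                  "dogs+F18", "comP!!UTer'", "Password1!"]
    for pw in candidates:
        r = check_password(pw)
        print(f"{pw!r:16} ok={r.ok} classes={r.classes_used} "
              f"~{r.estimated_bits:.0f} bits {r.problems}")
```

Running it shows that the poem mnemonic “IXdKKaspdd” is long enough and not a dictionary word but uses only upper and lower case, so on its own it fails the three-class rule; adding a digit or a punctuation character, as the third hint does, satisfies it. The entropy figure is only an upper bound: a password built from a well-known quotation is far easier to guess than a random string of the same length and alphabet.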

If you have to deal with multiple passwords, please do NOT reuse the same password for all accounts. Instead, use different passwords for different purposes. To remember those easily, you might take your favourite music CD and apply the aforementioned rules to its songs. Or alternatively, you might use a password management tool (like KeePass, Password Safe, Passwordsafe).

Stefan Lüders

* Stefan Lüders, PhD, graduated from the Swiss Federal Institute of Technology in Zürich and joined CERN – the European Organization for Nuclear Research – in 2002. Today Stefan is heading the CERN Computer Security Incident Response Team. You can reach him via e-mail stefan.lueders at cern.ch.
