Allow me to turn that question around: “How valuable is the information that you are trying to protect with a specific password?” The more valuable the data, the stronger the password you should use. Let’s take a look at a few examples:
Your Corporate Domain Account Password
At my company, policy dictates that my password be at least 7 characters. But, I am not required to use complex passwords (with both upper and lower case, or numbers, or symbols). So, in theory, I could use a short, simple password. But, as we learned in my previous post, short, simple passwords are trivial to crack, taking less than an hour of a computer’s time.
Of course, our corporate policy also requires me to change your password every 60 days. So, I might feel safe enough with an 8 letter password containing lower case letters, numbers and symbols, which would take an average of 1 year to crack.
That said, the advice from the author of the open-source Jack the Ripper password cracking software is to use pass-phrases rather than pass-words, whenever possible:
“Yes, for operating systems, applications, etc. which do not have a low limit on the length of passwords they accept, I recommend the use of passphrases instead of passwords. For even better security and/or to have fewer characters to type, both approaches can be combined: separate some words with punctuation rather than spaces, embed numbers and other characters, etc. Ideally, the passphrase should be something you can remember or derive again, but it must not be based on information that is known to others (e.g., your name, a quotation, a piece of the output of a Unix shell command, etc. - those are all to be avoided).”
Your Personal Email Account Password
As I mentioned in an earlier post, reusing your personal email account password across the web is a gigantic hole in your personal information security – not because your email with your Mom about her casserole recipe is particularly valuable, but because your personal email account can be leveraged by a cracker to change your passwords on other systems. In other words, the “information” you are trying to secure with your email account password is every password to every account you have. For that reason alone, I recommend using the longest, most complex password (or passphrase) possible under your email provider’s authentication mechanism.
And, whatever you do, NEVER reuse your email account password on other systems!
I was guilty of this until recently. Never again!
NOTE: Google Gmail requires 8 letter passwords and provides some good advice regarding how to create strong passwords. Microsoft Live only requires 6 letters. Who do you think values your security more?
Your Other Web Passwords
So, what about all those other passwords you have to create for use across the Internet? Well, as with Gmail and Live.com, policies differ wildly from site to site. For example, here are the password policies for four sites I use frequently: AmericanExpress.com, CapitalOne.com, Facebook.com, and Twitter.com. (Can you guess which is which?)
- Do not use the same password that you use for other online accounts.
- Your new password must be at least 6 characters in length.
- Use a combination of letters, numbers, and punctuation.
- Passwords are case-sensitive. Remember to check your CAPS lock key.
- Be tricky!
- Your password should be at least 6 characters.
- Your password should not be a dictionary word or common name.
- Change your password on occasion.
- 8-15 characters
- Not case sensitive
- Aa-Zz, 0-9, ( - ), and ( _ ) only
- At least 1 letter and 1 number
- No spaces
- Contain 6 to 8 characters
- Contain at least one letter and one number
- Not case sensitive
- Contain no spaces or special characters (e.g., &, >, *, $, @)
- Be different from your User ID and your last Password
I ordered the sites in the order I consider to be the the strongest password policy to the weakest.
Note that the first two, while only requiring six characters, both allow you unlimited flexibility in the characters you choose. So, while they allow short passwords (insecurely short, in my opinion), they don’t prevent you from using longer, more complex passwords. (I prefer the first one because it recommends using letters, numbers and symbols – the green line on my graph.)
The third policy is fairly week due to the lack of case sensitivity or the ability to use most symbols.
That final policy is extremely weak. It has me seriously considering my options there. Either I’ll need to start changing that password regularly. Or, I’ll need to take my web browser elsewhere. Fortunately, the site takes other precautions with my data – such as only displaying the last four digits of sensitive numbers, and asking a series of personal questions before allowing me to change my password.
So, which of these organizations values my personal information most?
One more post to come…