|One Step Ahead: Security and Privacy Made Simple
December 7, 2010,
Volume 57, No. 14
Another tip in a series provided by the Offices of Information Systems & Computing and Audit, Compliance & Privacy.
Longer, More Complex Passwords = Stronger Passwords: Do the Math!
By “more complex,” we simply mean incorporating special non-alphanumeric characters such as @, #, &, +, % and others into your passwords whenever possible. Many of these are simply the shift characters along the top row of your keyboard. “Longer,” of course, speaks for itself. Did you know that by simply expanding your password from 8 to 12 (or more) characters and using special characters in addition to alphanumerics (A-Z, a-z, 0-9), you raise the difficulty in cracking that password by a factor of more than one hundred million?
Of course, if you base your password on standard dictionary words (including proper nouns), buzzwords, catchphrases, slang, etc., you give crackers leverage which can greatly reduce the “safety in numbers” that added length and complexity afford. In short, the more random your password appears to be, the less susceptible it is to the educated guesses that crackers program into their cracking dictionaries.
To help provide this randomness, experts continue to recommend that you select your password by thinking of a sentence that has meaning only to you—it can even be nonsensical, as in the well-known example “Orange elephants invade Alaska; film at eleven.” To construct your password, take the first letter from each word (maintaining case): OeiAfae. This is pretty strong, but not strong enough. Now, use special characters, digits, punctuation—and even a postal code—to add complexity: OeiAK;f@11:00. Now that’s a strong password! Yet, it’s still pretty easy to remember. (P.S. —“Orange elephants” is a well-known example, so don’t use it for your password.)
Remember, though, even the strongest passwords are worthless if you give them away and/or write them down where people can see them (or will know where to look for them).
For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/