The Quaestor - Volume 7, Issue 2

Inform RIT

Contributed by Ben Woelk, Policy and Awareness Analyst, Information Security Office

Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community. In this issue, we’ll talk about creating a secure and memorable password.

Simplifying Password Complexity

Let’s be honest. Passwords are a pain. We all know that it’s important to have different passwords for different places and we all know that they need to be fairly complex. We also know that remembering numerous passwords, especially strong passwords, can be a challenge. So what’s the best strategy?

In this article, I’ll talk about how to create memorable (but strong) passwords and suggest a tool that will make constructing and remembering strong passwords easier.

In general, the strength of a password depends on two factors: length and complexity. Although there’s some disagreement, length is more important than complexity. (For a humorous illustration of password complexity, read the XKCD comic at http://xkcd.com/936/)

Increased complexity makes it more difficult to create a password that you can remember. The idea of a long complex password may be overwhelming. However, increasing password length alone can result in a password that’s memorable and stronger. Because of the way Windows stores some passwords, the “magic number” is 15 characters or more. A traditional complex password of 15 characters might look like this: “qV0m$$#owc2h0X5”. I don’t know about you, but there’s no way I’m going to remember a password like that. You COULD write it down and store it securely, but it’s not the easiest password to enter on a keyboard, and storing passwords in a browser or in a desktop application is insecure.

Here are a couple of strategies for strong passwords.

Strategy One: Use Passphrases

Because length is more important than complexity, using a passphrase, even if it’s relatively simple, provides a sufficiently strong password.

For example, you may have heard of the Bulwer-Lytton Fiction Contest (bulwer-lytton.com). Bulwer-Lytton was a novelist whose opening sentence, “It was a dark and stormy night,” was immortalized in a Charles Schulz Peanuts cartoon where Snoopy was typing a novel. With a few modifications, that phrase makes a pretty strong password: “ItwasaDark2&StormyNight” That’s a 23-character passphrase that most of us could remember. If you need to change the password, you could do it by incrementing the number. I recommend choosing the first line of a book or song and turning that into a passphrase.

Strategy Two: Use a Password Safe/Vault

You’ll find that you may need quite a few different passwords. Creating different passphrases is a great way to create strong passwords, but you would still need to remember quite a few different ones. A good way to manage multiple passwords is by using a password safe or vault. A password safe stores multiple passwords and may be configured to prompt you with the needed password when you visit a password-protected website. You  may want to use a password safe called LastPass. LastPass provides browser plugins for multiple browsers and there’s a version that will work with smartphones. LastPass will generate one of those long complex impossible-to-remember passwords on command and store that password for you. You should protect your password safe with a long passphrase constructed as described above. LastPass is just one example of good password safes. Other popular password safes include Password Gorilla, KeePass, and RoboForm.

A strong password is a key component in protecting information and unauthorized access. I hope you find these recommendations helpful.

Additional Information by IACA

What about ethics in the workplace?
Learn about the RIT Ethics and Compliance Hotline

IACA Team
Learn more about your IACA team.