This blog post grew out of a conversation with one of our clients, who sent us this link with the subject line "interesting?": Advice From A Real Hacker. It is worth reading first.
There are many thoughts on this. The suggestion is that we, as IT companies, should stop forcing password changes so often. Users simply make every new password simpler than the last, which is counterproductive. Don't forget, Password1 is a 9-character password containing uppercase, lowercase and numbers, so it satisfies most complexity rules!
It has also been suggested that we enforce a policy of not using dictionary words. In reality this is not a good argument: it forces passwords to get shorter and shorter, because jumbled characters are hard to remember. How about a (misquoted!) phrase instead: ItWasTheWorstOfTimesItWasTheBestOfTimes. No matter how many dictionary lists an attacker uses, a 12-word phrase drawn from a dictionary of N words has N^12 possible orderings, so the lists have to be combined N^12 times, not 12*12, to be sure of hitting it. (A well-known quotation, even a misquoted one, is weaker than unrelated words, because quotation lists exist too; the strength comes from the length, not the literary merit.)
If "it doesn't take me very long to test every … word combination in the dictionary", then use a word combination that is not in the dictionary, or indeed in any book anywhere.
Please note he suggests using munging, even though Wikipedia has a munging lookup table: Munging. Swapping @ for a, $ for s and so on adds very little, because every cracking tool applies exactly those substitution rules to its wordlists.
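As an added example (not part of the original post or the linked article), here is a short Python script that puts numbers on the three points above: Password1 passes a typical complexity rule but fails a blocklist check, a 12-word phrase has N^12 orderings rather than 12*12, and munging a dictionary word yields only a few dozen variants. The common-password list, the munging table and the guess rate are constructed for the example.

```python
import itertools
import math
import string

# Constructed for this example: a handful of entries of the kind that top every
# leaked-password list. Real blocklists run to millions of entries.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

# Constructed for this example: the substitutions a typical munging table knows
# about. Cracking rule sets ship the same table.
MUNGE_TABLE = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

# Assumed guess rate: a single GPU against a fast unsalted hash (order of magnitude).
GUESSES_PER_SECOND = 1e10


def meets_complexity(password, min_len=8, min_classes=3):
    """Typical complexity rule: minimum length plus three of four character classes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    present = sum(any(c in cls for c in password) for cls in classes)
    return len(password) >= min_len and present >= min_classes


def is_common(password):
    """The check a complexity rule does not do: case-insensitive blocklist lookup."""
    return password.lower() in COMMON_PASSWORDS


def passphrase_keyspace(dictionary_size, words):
    """Distinct ordered phrases of `words` words drawn from a dictionary of `dictionary_size`."""
    return dictionary_size ** words


def keyspace_bits(keyspace):
    """Entropy in bits of a uniformly chosen member of the keyspace."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / guesses_per_second


def munge_variants(word, table=MUNGE_TABLE):
    """Every spelling reachable by munging each letter independently, original included."""
    choices = [[c] + list(table.get(c, "")) for c in word]
    return {"".join(combo) for combo in itertools.product(*choices)}


if __name__ == "__main__":
    print("Password1 meets complexity:", meets_complexity("Password1"))
    print("Password1 is on the blocklist:", is_common("Password1"))
    phrase = passphrase_keyspace(10_000, 12)
    print(f"12 words from 10,000: {keyspace_bits(phrase):.1f} bits, "
          f"{seconds_to_exhaust(phrase):.1e} s to exhaust")
    variants = munge_variants("password")
    print(f"munging 'password' gives {len(variants)} variants "
          f"({keyspace_bits(len(variants)):.1f} extra bits); "
          f"p@$$w0rd included: {'p@$$w0rd' in variants}")
```

Munging "password" produces 54 spellings, under six extra bits of work for an attacker who already has the word; a 12-word phrase from a 10,000-word dictionary is around 159 bits, which no rate of guessing exhausts.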
Step 1: Use the same password on all the sites you don't care about. The forum you registered on just to say "lol" on a post? Password1. The site you had to register on to download some shareware? Password1. The city council site you have to register on to receive SMS alerts about your dustbins? Password1. Who cares if they get cracked, and it makes your life easier. The test of "don't care" is that the account gives an attacker nothing of yours: no card details, and not the mailbox used to reset passwords elsewhere.
Step 2: Use a password manager. For the (few) sites that you actually care about, generate a unique, strong password (20 random characters, using all of the Allowable Character Types). You will need a password manager, as there is no way you can remember one of these, let alone a few of them for different important sites. I define important as "I could lose money if this was hacked". That loss can take place via simple theft (e.g. PayPal) or via complicated ID fraud (e.g. a UK Govt. website). I like KeePass, and LastPass is a strong offering too. They will generate the password, store it encrypted, and auto-fill it onto the web page when you need it. Now you only have to remember one password. How about:
(with apologies to Jane Austen).
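As an added example (not part of the original post, and not KeePass's or LastPass's own code), here is how a password manager's generator produces the kind of 20-character password Step 2 describes: uniformly random characters from the operating system's CSPRNG, rejected and redrawn until every character class appears. The symbol set is an assumption chosen to suit most sites.

```python
import math
import secrets
import string

# Assumption for this example: a symbol set most sites accept. A real manager
# lets you tune this per site.
SYMBOLS = "!#$%&*+-=?@^_"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def has_all_classes(password):
    """True when at least one character from every class in CLASSES is present."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length=20):
    """Random password over ALPHABET containing every character class.

    Rejection sampling, rather than forcing one character of each class into
    fixed positions, keeps the result uniform over all qualifying passwords.
    `secrets` draws from the OS CSPRNG; `random` would not be acceptable here.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string of this length; the all-classes
    requirement removes only a small fraction of a bit from this bound."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw)
    print(f"{entropy_bits(len(pw)):.1f} bits from a {len(ALPHABET)}-symbol alphabet")
```

Twenty characters from this 75-symbol alphabet is roughly 124 bits, which is why the password has to live in the manager rather than in your head; the one password you do memorise is the manager's master phrase.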
At Bongo IT, we know that technology is increasingly dominant and crucial to maintaining business performance and productivity.
Organisations should make sure they are making the right IT decisions for their current needs, whilst also planning for the future with flexible and scalable solutions.
As a special offer, we are offering a FREE one hour consultation to address your current IT setup and recommend an effective strategy for your future requirements.
Addressing issues such as computer hardware, broadband, data security, file sharing, compliance and more, we’ll help you build a plan and ensure you deploy the most cost-effective IT strategy for your company’s needs.