Strong PasswordsStrong PasswordsStrong PasswordsStrong Passwords

How to make your passwords How to make your passwords work for you….work for you….

Linda A. LeBlancLinda A. LeBlancIT Security SupportIT Security SupportIS&TIS&T

Once upon a time….

The (old) Do’s & Don’ts of Passwords

DO!Pick a password you can remember! Make it REALLY hard to guess.Use upper and lower characters

DON’T!Write your password down ANYWHERE!Make them similar to each other.Use klingon or Elvish (Elven?)

Let’s be realistic… How many passwords do you have?Don’t forget your ATM, Insurance Phone Tree, your Bank Account Test question…How are we supposed to remember them ALL???

We know you write them

down….somewhere.Underneath your keyboard?In your top desk drawer?On your monitor?(Please say it’s on the back at least!)The little notebook marked PASSWORDS?The sheet of paper folded and sticking out of the dictionary above your head?

The Dilemma:I’m supposed to remember but it’s not supposed to be a word in any language & it’s supposed to be hard to guess.If I forget it, there’s no way to recover it because I can’t write it down.My dog’s (cat’s)name isn’t a word, and has upper and lower case characters.

New, more realistic rules…

Use letters, numbers, special characters (upper and lower case).If you must write them down, separate the password from the account name, and keep them somewhere secure.Similarity and composition are not the same. (brainiac23 & brainiac12 are similar; fre:sZib61 and glii:tZul72 are composed in the same way)

Risk Assessment & Reality

You have to decide for yourself what level of risk you are willing to

assume when choosing how to secure your passwords.

We’re always scheming…

Develop password generation methods that work for you, and are easy to replicate.

Number/letter substitutions, nonsense sounds

Passphrases and acronymsGroup by account type. (what’s good for

mail, might not be sufficient for the IRA)

Exhibit A: My Father

One Password, Many Places…

Insecure accounts sharing a password with sensitive data accounts.

One FIVE letter word.

A new method…The Book of PsalmsChapter and VersePreserve Case, PunctuationAnnotate account w/matching chapter verse pair.

Exhibit B: My Bohemian Sister

w0rDz not words! Use nonsense sounds that are pronounceable.Build a word with all the requirementsSubstitute a number for a vowelUse the number combination for the vowels to identify the password.

More Ideas:Your favorite formulas?Chemical compounds? (EtOH is a little too simple)What else?

Last Writes…Establish a password generation method for yourself. Find a place to keep your passwords and keep them secure.Never reuse passwords EVER. Build a fresh one.

T he EndT he EndT he EndT he End

(of passwords as we know (of passwords as we know them?)them?)

More information and More information and handouts are handouts are

available from ITSSavailable from ITSS

More information and More information and handouts are handouts are

available from ITSSavailable from ITSSEmail: leblancl@mit.eduEmail: leblancl@mit.edu