A Good and Strong Password Generator
As developers, we install our software on many domains.
Some folks use really good passwords; others use passwords
that are more crackable. And sometimes I'm aghast at the
seeming carelessness. For example, I've even seen a case
where someone used the same password for everything: FTP,
software control panels, membership site log-ins,
everything.
This article is not a definitive work about passwords. It
does, however, present a few concepts that, if kept in mind,
can result in better and stronger passwords.
Who Knows About Your Passwords
The passwords you use for password-access sites may
be visible to the site owners and anybody else who has
access to the hosting account (designers, programmers, and
advertising representatives, as examples). For these types
of sites, expect the password to be seen. Use only passwords
whose disclosure would not cause a catastrophic situation.
Software installers know your FTP password. If possible,
create a separate FTP account with a unique password for
your software installers. Once the installers are done,
delete the account.
Unix/Linux hosting account passwords are known to others
only if you disclose them, intentionally or inadvertently.
Examples of inadvertent disclosure are sending them in
email, giving them out to tech support, and writing them
down where others might see them.
(By the way, never give your password to hosting tech
support. If a support person says they need your password
to access your account, that is not the right person to
talk to.)
If you want to keep the number of passwords to a
minimum, it is not absolutely necessary to use a different
password for every password-access site. Yes, the password
is relatively insecure, but those who would use it would
still need to know where your other accounts are before it
would do them any good.
Some people use a combination of a specific sequence of
characters with the domain name of the password-access site
appended. The technique is transparent to those who have
access to password files and a loud indication that the
same technique is used at other sites.
Using one specific password for password-access sites is
better than appending domain name information to it. At
least it would not be readily apparent that the same
password is used at other sites.
One easily remembered password for all password-access sites
is usually preferred over using many and having to write the
passwords down. (See "Keeping Track of Passwords" later in
this article.)
With discretion, the same password might be used for the
various control panels of software installed on your
domains. The control panels of critical software, such as
account creation or uploading scripts, should have their own
unique password.
Use a unique password for each of your FTP accounts.
Use a unique password for each hosting account.
The Concept
Where password databases are relatively insecure, such
as password-access sites (although some do encrypt the
passwords), use passwords that don't matter so much if
they are disclosed, although these should still be good
passwords. Use the strongest passwords for control panels,
FTP access, hosting accounts, and access to other critical
areas.
Passwords to Avoid
Avoid words in any dictionary. Avoid such words even when
you put a number in front or back of the word. Numbered,
weird capitalization, repeated, reversed, and mirrored
words are all things crackers look for. Examples:
| Word: | fish |
| Numbered: | fish24 |
| Weird Capitalization: | fiSh |
| Repeated: | fishfish |
| Reversed: | hsif |
| Mirrored: | fishhsif |
Crackers might not know your dog's middle name is Woofer.
But one can get a huge list of hundreds of thousands of
names and try each one.
The Concept
Passwords should contain no words, no names, no
abbreviations, however numbered, capitalized,
repeated, reversed, or mirrored.
Choosing Passwords
The best passwords, in the sense that they are least likely
to be cracked, are 8 or more characters long and contain a
random mix of upper- and lower-case letters, numbers, and
punctuation characters. The Password Generator can generate
dozens of good and strong passwords for you in seconds.
When password forms allow spaces within a password, one or
several may be used for a stronger password.
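As an added example (not the code behind the page's own Password Generator, which the article does not show), the following Python script draws passwords of the kind described above: 8 or more characters from the full keyboard alphabet, chosen with the `secrets` CSPRNG, with an option to include spaces where a form accepts them, plus the entropy of a password of that length. The function names are this example's own.

```python
import math
import secrets
import string

# Character classes the page calls for: upper- and lower-case letters, digits, punctuation.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)

def alphabet(allow_space=False):
    """Full keyboard alphabet; a space is added only where the form accepts one."""
    return "".join(CLASSES) + (" " if allow_space else "")

def generate_password(length=12, allow_space=False):
    """Draw a password with a cryptographic RNG (the secrets module, never random),
    rejecting any draw that leaves one of the four classes unrepresented."""
    if length < 8:
        raise ValueError("use 8 or more characters")
    chars = alphabet(allow_space)
    while True:
        candidate = "".join(secrets.choice(chars) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate

def entropy_bits(length, allow_space=False):
    """Entropy of a uniformly random string of this length: length * log2(alphabet size).
    An upper bound here, since the class-coverage rejection above discards a few draws."""
    return length * math.log2(len(alphabet(allow_space)))

def generate_batch(count=12, length=12, allow_space=False):
    """A list of independent passwords, the way the page's generator offers dozens at once."""
    return [generate_password(length, allow_space) for _ in range(count)]

if __name__ == "__main__":
    for pw in generate_batch(count=5):
        print(pw)
    print(f"{entropy_bits(12):.1f} bits per 12-character password")
```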
Passwords should never be written down or recorded in such a
way that others might find out what they are. Yet, randomly
generated passwords are hard to remember. For some
relatively secure ways to record passwords, see the
"Keeping Track of Passwords" section, below.
If you must actively remember certain passwords, a random
string of characters is not the best. Here are some rules
to help construct strong yet memorable passwords:
- Insert numbers and/or punctuation characters within
  words that are easy for you to remember.
- Substitute certain letters of words with numbers or
  punctuation characters. Obvious substitutions that
  should be avoided are digit "1" or character "|" for
  letters "l" or "i," digit "0" or character "@" for
  letter "o," character "@" for letter "a," and
  character "#" for letters "n" or "p."
- Create pseudo-acronyms from uncommon but easily
  remembered phrases. The password can be composed of
  the first letter of each word, or each last letter,
  or each third letter. The idea is to remember the
  phrase and be able to mentally construct the
  password whenever you need it.
The Concept
Passwords generated randomly from all characters of the
keyboard are the best passwords, unless they have to be
remembered. For memorable passwords, selectively insert
numbers or punctuation characters, or selectively replace
letters, or construct pseudo-acronyms from phrases.
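The following Python checker is an added example, not code from the page or its generator. It flags a candidate password that is one of the dictionary-word transforms from the "Passwords to Avoid" table (numbered, capitalized, repeated, reversed, mirrored) or that only becomes a word once the obvious substitutions listed above ("1" or "|" for "l"/"i", "0" or "@" for "o", "@" for "a", "#" for "n"/"p") are undone. The word list is a constructed stand-in for a real dictionary and name list.

```python
import itertools
import string

# Constructed mini word list for the demo; a real checker loads a full dictionary and name list.
WORDS = {"fish", "woofer", "password", "dragon"}

# The "obvious substitutions" the page says to avoid, mapped back to the letters they stand for.
UNDO_SUBSTITUTION = {"1": "li", "|": "li", "0": "o", "@": "oa", "#": "np"}

def base_word(core, words):
    """Label `core` (lowercase, outer digits removed) if it is a transform of a word."""
    if core in words:
        return "word"
    half = core[: len(core) // 2]
    if len(core) % 2 == 0 and half in words:
        if core == half * 2:
            return "repeated"
        if core == half + half[::-1]:
            return "mirrored"
    if core[::-1] in words:
        return "reversed"
    return None

def unsubstituted(text):
    """Yield every spelling obtained by undoing the substitutions, the text itself last."""
    options = [UNDO_SUBSTITUTION.get(ch, "") + ch for ch in text]
    for combo in itertools.product(*options):
        yield "".join(combo)

def weak_patterns(password, words=WORDS):
    """Patterns from the page that the password matches, in the order found.
    An empty list means no dictionary pattern matched; it is not proof of strength."""
    core = password.strip(string.digits)      # "fish24" -> "fish"
    found = []
    if core != password:
        found.append("numbered")
    lowered = core.lower()                    # "fiSh" -> "fish"
    if lowered != core:
        found.append("capitalized")
    for candidate in unsubstituted(lowered):  # "f1sh" -> "flsh", "fish", "f1sh"
        label = base_word(candidate, words)
        if label is not None:
            if candidate != lowered:
                found.append("substituted")
            return found + [label]
    return []
```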
Keeping Track of Passwords
I know, it's tough to keep track of lots of passwords. There
is software to help keep track of things, but a person still
needs to have them available for reference in case something
happens, for example if the password tracking software
crashes.
Passwords should never be written down or recorded in such a
way that others might find out what they are.
The passwords generated with this generator are not easy to
remember.
When recording passwords, they will ideally be protected by
a master password. The master password should be strong yet
easy to remember.
Some options for recording passwords behind a master
password:
- A PDF file that requires a password to open.
- An encrypted file that requires a password to decrypt.
- An office safe with a secret combination lock.
Resist any temptation to use a password-protected directory
on your server to store your passwords. Anybody with FTP
access to those parts of your domain and everybody with
physical access to the server also has access to the
content of your password-protected directories.
The Concept
Passwords should be recorded only behind a strong
master password.
As mentioned earlier, this article is not a definitive work
on the subject. Lots of good information can be found by
searching for "good password" or "strong password" at
various Internet search engines.
Click here for the Password Generator.
Sleep easy :)
Will Bontrager
©Copyright 2006 Bontrager Connection, LLC