This is a guest post by Claudia Somerfield.
With the virtual world threatening to envelop the real world in terms of impact and the host of activities that happen online, security assumes paramount importance. Creating and using passwords is an integral part of this security. With the goal of helping users create better, easy-to-remember and tough-to-crack passwords, we go on a myth-busting spree. Here are 9 myths laid bare before you.
1. 14 characters form the optimal password length: LAN Manager (LM) used two separate 7-character hashes for passwords, which made them very susceptible to brute-force attacks. For instance, a 10-character password could be cracked easily by breaking it into a 7-character and a 3-character hash, which the attacker could process simultaneously. Today, things have changed - a lot at that. From Windows 2000 onwards, it is possible to store passwords that are up to 127 characters long. Actually, when a password is more than 15 characters long, Windows stores a constant, AAD3B435B51404EEAAD3B435B51404EE, as the LM hash, which is equivalent to a null password. It then becomes almost impossible to crack the password. So, go on and get longer and stronger passwords.
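To see why the two-halves construction is so weak, here is an added Python model of the LM layout. It is example code written for this post, not Windows code: it reproduces the real preprocessing (uppercase, pad or truncate to 14 bytes, split into two 7-byte halves, expand each half into an 8-byte odd-parity DES key) but, as an assumption, stands in a keyed SHA-256 for the DES step, so it cannot produce real LM values such as the constant quoted above. It then searches each half on its own, which is exactly the shortcut the article describes: the work is roughly 2 * N^7 candidates rather than N^14. The threshold is set at 14 characters because that is the most an LM hash can cover; a longer password gets the empty-password value instead, as the article says.

```python
import hashlib
import itertools

LM_MAX_LEN = 14          # an LM hash covers at most 14 characters; longer passwords get no LM hash
LM_MAGIC = b"KGS!@#$%"   # the constant each 7-byte half encrypts in the real LM construction
# Real LM hash of the empty password, as quoted in the article:
#   AAD3B435B51404EEAAD3B435B51404EE  (the same 8-byte value twice, once per half)


def des_key_from_7_bytes(half: bytes) -> bytes:
    """Expand 7 key bytes into the 8-byte DES key form (7 key bits + 1 odd-parity bit per byte)."""
    assert len(half) == 7
    bits = int.from_bytes(half, "big")                  # 56 key bits
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1   # make every key byte odd-parity
        key.append((seven << 1) | parity)
    return bytes(key)


def _block_oneway(key8: bytes, block: bytes) -> bytes:
    # ASSUMPTION: keyed SHA-256 truncated to 8 bytes stands in for DES-ECB, so this
    # model cannot reproduce real LM hash values; only the structure is faithful.
    return hashlib.sha256(key8 + block).digest()[:8]


def _half_hash(seven: bytes) -> str:
    return _block_oneway(des_key_from_7_bytes(seven), LM_MAGIC).hex().upper()


def lm_hash(password: str) -> str:
    """Model of the LM construction: uppercase, pad/truncate to 14 bytes, hash the two halves separately."""
    if len(password) > LM_MAX_LEN:
        # Windows stores no LM hash for such passwords; the stored field equals the empty-password hash.
        return lm_hash("")
    padded = password.upper().encode("latin-1", "replace").ljust(LM_MAX_LEN, b"\x00")
    return _half_hash(padded[:7]) + _half_hash(padded[7:])


def crack_half(target_half: str, alphabet: str, max_len: int = 7):
    """Recover one half by exhaustive search; returns (plaintext or None, candidates tried)."""
    tried = 0
    for n in range(max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            tried += 1
            cand = "".join(combo)
            if _half_hash(cand.encode("latin-1").ljust(7, b"\x00")) == target_half:
                return cand, tried
    return None, tried


def crack_lm(target: str, alphabet: str):
    """Each 16-hex-digit half is searched independently, so the cost is about 2 * N**7, not N**14."""
    first, tried1 = crack_half(target[:16], alphabet)
    second, tried2 = crack_half(target[16:], alphabet)
    if first is None or second is None:
        return None, tried1 + tried2
    return first + second, tried1 + tried2


if __name__ == "__main__":
    # Constructed demo: a tiny 4-symbol alphabet keeps the search instant.
    h = lm_hash("BAD1BAD1")
    print(h, crack_lm(h, "ABD1"))
    print("15-char password stored as empty-password hash:", lm_hash("A" * 15) == lm_hash(""))
```

The two halves never influence each other, so two passwords that share their first seven characters share the first half of the hash, and the second half of an 8-character password is a one-character search. The same property is why disabling LM hash storage (or simply using passwords of 15 or more characters) removes the weakness entirely.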
2. Passwords give an insight into your personality: It is often construed that obsessive people who lack imagination would generate a password with their lover's name. Similarly, an unimaginative, career-obsessed person would choose a work-related password, an over-logical and humorless person would choose a numerical password, a fantasist would use their own name or words like 'sexy' and 'stud', and so on. This had better not be true, for if it is, it only makes a hacker's work that much easier, because any intelligent hacker starts by working on related terms.
3. It is best to use passwords created by random password generators: Random password generators create very complex passwords. These are very hard for their owner to remember. For instance, try remembering '4rfgo*ql9p'. On the other hand, as far as cracking the password is concerned, it is as easy or as tough as any other password of similar length. For instance, '4race*car4' is equivalent to '4rfgo*ql9p' for a hacker but is much easier for the user to remember. Complexity may be useful in a classroom, but in the real world password length is much better than complexity for security.
4. Any password can eventually be cracked: Theoretically this is true. Practically, it is definitely not - unless the Federal Government lends the hacker its impressive computing power! Unless the target is something vital like a nuclear installation, hackers will usually give up after a few minutes of effort. There is no need to get paranoid about no password being secure, for the 'eventually' can take a lifetime!
5. Use ALT+'number' for the strongest possible password: For those who are unaware, here is something interesting. Holding down the 'ALT' key and typing a character's ASCII value on the numeric keypad produces a character that is not otherwise available from the keyboard. For example, the sequence ALT-020 creates 'ú'. But again, this is difficult for the creator to remember, and it also involves holding down the 'ALT' key, which is a hint to anyone watching nearby. It is also more time-consuming. It would be better to lengthen the password by the same number of keystrokes! One trick that can however be used is ALT+0160, which creates a 'non-breaking' space that can fool a hacker.
6. Passwords cannot have spaces: Another complete misconception! Maybe it arose from the various forms which advise you not to leave any blank space between characters. From Windows 2000 onwards, 'space' is a legitimate password character. Since spaces are used between words, this naturally encourages users to create a complex, multi-word password that is also easy to remember.
7. It is safer to store passwords in software utilities than to write them down: What guarantee is there that the software utility itself will not be cracked open? It would then be like locking all the rooms of a home and handing the master key to the thief. Writing passwords down on paper is better because it requires the 'thief' to be physically present at the place where the paper is stored. Where it is critical, it would be good practice to note the password on paper and store it in a safe or locker.
8. Passwords must be changed regularly (once a month): This is one of the most irritating and self-defeating myths. Constantly changing passwords forces people to come up with passwords that are easy to remember, and a string of replacement passwords tends to end in a new password that is much weaker than the original. It would be advisable to have good password-creation measures and advice in place rather than compulsory, regular password changes.
9. Using Passfilt.dll is the best way to enforce strong passwords: Though it is a component that enforces 'complex' passwords, Passfilt.dll is likely to annoy users who find their passwords getting rejected. Again, it would be a better idea to encourage users to make longer passwords rather than more complex ones.
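To put myths 3, 6 and 9 side by side, here is an added Python example (written for this post; it is not Microsoft's Passfilt.dll) that models the complexity rules Passfilt.dll is known to enforce, places a simple length-first policy next to them, and computes a naive keyspace estimate for any password. Assumptions: the 15-character minimum and the 33-symbol pool for non-alphanumeric characters are this example's own choices, and the name-token rule is modelled on the documented behaviour of the complexity policy (account name and any full-name token of three or more characters may not appear in the password).

```python
import math
import re
import string

SYMBOLS = string.punctuation + " "    # printable ASCII non-alphanumerics, space included (pool of 33)

# The four Passfilt.dll character classes: (membership test, naive pool size for estimates)
CLASSES = {
    "upper": (str.isupper, 26),
    "lower": (str.islower, 26),
    "digit": (str.isdigit, 10),
    "symbol": (lambda c: c in SYMBOLS or not c.isalnum(), len(SYMBOLS)),
}


def classes_used(password: str) -> set:
    """Which of the four classes the password draws from (a non-breaking space counts as a symbol)."""
    return {name for name, (member, _) in CLASSES.items() if any(member(c) for c in password)}


def passfilt_complexity_ok(password: str, account_name: str, full_name: str = "") -> bool:
    """Model of the Passfilt.dll rules: at least 6 characters, characters from at least
    three of the four classes, and no account name or full-name token inside the password."""
    if len(password) < 6:
        return False
    if len(classes_used(password)) < 3:
        return False
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        return False
    # Full name is split on the documented delimiters; tokens shorter than 3 characters are ignored.
    for token in re.split(r"[ ,.\-_#\t]+", full_name.lower()):
        if len(token) >= 3 and token in lowered:
            return False
    return True


def length_policy_ok(password: str, min_len: int = 15) -> bool:
    """Length-first policy (min_len is this example's own choice): 15 or more characters keeps
    the password out of LM-hash range and leaves room for spaces between words."""
    return len(password) >= min_len


def keyspace_bits(password: str) -> float:
    """Naive strength estimate: length * log2(pool size of the classes actually used).
    This is what makes '4race*car4' and '4rfgo*ql9p' look identical to a brute-force search."""
    pool = sum(CLASSES[name][1] for name in classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Constructed sample inputs for a user 'jdoe' with full name 'Jane Doe'.
    for pw in ["4rfgo*ql9p", "4race*car4", "correct horse battery staple", "Doe2024!xyz", "Ab1!"]:
        print(f"{pw!r:32} complexity={passfilt_complexity_ok(pw, 'jdoe', 'Jane Doe')!s:5} "
              f"length={length_policy_ok(pw)!s:5} bits={keyspace_bits(pw):.1f}")
```

Run as a script, the table shows the article's point in numbers: the two 10-character passwords from myth 3 pass the complexity rules and score identically, while the four-word phrase with spaces from myth 6 fails complexity (only two classes) yet passes the length policy with a far larger keyspace.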