Cybersecurity Tip: Strong Passwords
Hi, my name is Rinku Dewri and I’m a professor here in computer science, University of Denver. And I’m here today to talk about passwords. So here’s the thing about passwords. Do not judge a password strength based on how unintelligible it is for a human being. For example, something like “~ % Y M ,” is not a strong password. Do not also judge a password strength by how long it is. For example, something like “Alice in Wonderland” is also not a strong password. The strength of a password is actually based on how much time it would take for a computer to run through all the possibilities. The number of small-length passwords no matter how unintelligible it looks to you is really so small that a computer can run through them in less than a second. Now for a computer it will take a longer time if the length of the password is longer but an adversary will probably not try all possible passwords, they’re going to try only those that include phrases that are meaningful to a human being and easy for them to remember. So the strength teller password meter shows in most of these websites could be a little deceptive as they are based on how long it will take a computer to run through all the possibilities. Therefore, the best password that we can have is actually a sequence of long random characters, preferably composed of different character types, say uppercase letters, lowercase letters and punctuation marks, but then it would be very difficult for a human to actually remember such passwords. The next best alternative would then be to come up with a long phrase that seemingly looks meaningless for a person but it’s easy for you to remember say something like “the donkey flies with the chicken.” That’s a phrase that you probably won’t see any place on the internet. Also always keep an eye on the recovery options. Try not to give the correct answers to your secret questions. For example, if the question is, what is your mother’s maiden name, you can use an answer something like “the queen of Timbuktu.” Again, the more meaningless the answers are, the better it is from the perspective of security. Also, if you have two factor authentication available, use it or at least opt for email-based recovery. In summary, use long meaningless pass phrases preferably 12 or 15 characters long that is easy for you to remember. Also try to use different pass phrases on different websites. See if you can find a creative way to change your pass phrase and include a modification to it so that you can have a different pass phrase for different websites.