Passwords - the good, the bad and the ugly


Are you sick of hearing about passwords? All of those restrictions on what you can and can’t make your password, and then you can’t write it down. Passwords are just too difficult. You might think that passwords are difficult, but really, they don’t have to be difficult. You might have been told to never write down your password – but there are safe ways to write down your password.

Passwords are not just for work. We use passwords for home and for work.  Passwords are the first and usually the ONLY line of defense we have against unauthorized access. If you had $20,000 at home, would you lock it up in a tin box with one of those little luggage locks? If you have a password that can be easily guessed that is EXACTLY what you are doing!

So now the question is - how easy would it be for anyone to get your password?  Do you know?  If someone wanted to crack your password, and you had a tough one – one that was 11 characters long it would only take about 2 months for the average computer to crack it. That’s over 80 trillion possible password combinations!

There are, of course, poor passwords, good passwords and really good passwords.  The first thing to understand is that ANY password can be cracked – given enough time. That is why changing your password is a good practice.  

Common Password Blunders

Using common passwords is one of the worst mistakes people can make.  Some common passwords are:
•      123456
•      Password
•      Password!
•      Password1
•      letmein
•      Iloveyou
•      Abc123
•      Asdf1234
•      Superman
•      Enter

Other common password mistakes are using any combination of:
•      Your name
•      Your spouse or significant other’s name
•      Your kids' name(s)
•      Your pets' name(s)
•      Birthdates for the above people

Avoid dictionary words whenever possible -- even dictionary words in a foreign language. Unless you know a foreign language that is extremely rare, dictionary words are dictionary words regardless of the language.

Avoid keyboard patterns whenever possible.

Good Password Habits

There are lots of ways to come up with good passwords that you will be able to remember.  Here are some tricks of the trade, and remember have some fun with this.  

Think about abbreviations in your area of expertise – use them in your passwords. Some of the common abbreviations in my world are things like ATT (at this time), RX (receive), and TX (transmit). I can use them to build a good password, like 0RXjnkM@il – that would be "not receive junk mail." I used a British term for 0 (nought for "not"), my abbreviation for receive (RX), removed the vowels from junk (jnk) and substituted a special character for one of the vowels in Mail (M@il). As you can see, there are no dictionary words, and there are numbers, special characters, and upper and lower case letters. And ... it's something that I will remember!

Think about some of the vanity plates you have seen – 4N3L (Foreign Thrill), or think about the new language – Text Messaging.  This might not apply to all of you, but for those that understand it, you can use many of the text messaging slang and abbreviations to create your passwords.

Think about a phrase that means something to you, and use some form of this phrase. One of my favorite lines in a song is “The drummer from Def Leppard’s only got one arm”. I could turn that into *HrReEnG1r*. This is where the password reminder comes in handy. I have used the second letter from each word and capitalized every other letter. Again, you can see that there are no dictionary words, and there are numbers, special characters, upper and lower case letters. And again, it is something that I will remember!

Another trick you can use is the keypad on your phone. Spell out a word with numbers. Doritos becomes 3674261. Of course you don’t need to use long words.

Purposely misspell words! Have some fun with this one. Gud = good, or perpose = purpose. Spell things phonetically (fonetikly) or spell them fancy (phancy).

Writing them down – good or bad?

Would you write down your PIN number for your debit or credit cards? Would you write the number ON your debit or credit cards? It’s much the same for passwords.  Of course the best ever password practice would be to memorize a randomly generated string of characters, and a different one for each logon ... and a different logon name for each account that you have ... oh and then never write them down, but always know what they are. I don’t know too many people that would be able to do that.

There are two practices that are relatively safe. You can write down a password hint and keep it with you. You can also write down your password, put it in a sealed envelope, put your signature over the seal, and keep it locked up. Does this mean that NO ONE can get your password this way? Of course not – but at least you will KNOW if your password has been compromised, and you can change it immediately.  

In the end

Yes, creating new passwords might seem like a nuisance. Instead, think of it as changing your locks after someone has possibly had access to your keys. Your personal information, and the personal information of EVERY patient with records in this hospital, is only as secure as your worst password; it is only as secure as the worst password of all the employees. Don't be the weak link in the chain-link fence – use good passwords. It's your information too!

Comments (5)

Charlie Collins, Managing Director

We published an article last week about passwords that runs along a similar vein, see 

From a mathematical standpoint, length provides more security over 'complexity'. For example:

A password that is 8 characters long but 'complex' (using uppercase, lowercase, numbers, and special characters - 96 total characters) mathematically is 96^8 = 7,213,895,789,838,336 combinations.

If I chose to make a password that was 12 characters long but only used lowercase - 26 characters in a-z (as long as it was not a word in the dictionary) 26^12 = 95,428,956,661,682,176 (which has 13 times more combinations than the 'complex' password).

I disagree with the theory that 'complex' passwords are more secure as many people have a hard time remembering them so they do something to break the golden security rules which can make a 'complex' password a greater risk. Can 'complexity' add more security? Absolutely!

Which is easier for your grandmother to remember and which is more secure from cipher attacks (rainbow, CUDA, dictionary, brute force)?

1) #7H1spa$$ or
2) thebigbrowndogthrewouthisoldpassword

#1 has a 9 character 'complex' password which is easily recoverable using modern technology and methods.

"If someone wanted to crack your password, and you had a tough one – one that was 11 characters long it would only take about 2 months for the average computer to crack it. That’s over 80 trillion possible password combinations!"

Note: I think your math is off. 11 characters using only lowercase (26^11) = 3,670,344,486,987,776 combinations (yes, it is greater than 80 trillion combinations).

What are your assumptions on the encryption used (each takes a different amount of time, so some are slower to generate a key than others)? For example MD5 vs LANMAN take a completely different amount of time.

Let's assume you have a computer that can cycle through 10,000,000 combinations per second. 3670344486987776 / 10000000 = 367,034,448.6987776 seconds.

Divide that by 60 to get 6,117,241 minutes.

Divide that by 60 to get 101,954 hours.

Divide that by 24 to get 4,248 days.

Divide that by 365 and you get 11.6 years to go through all of the possible combinations of an 11 character password (*that is not a dictionary word) at a rate of 10,000,000 combinations per second.
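The keyspace and time-to-search arithmetic in the comment above (96^8, 26^12, 26^11 at 10,000,000 guesses per second), and the article's own 11-character claim, as an added worked example that is not part of the original article or comments. It also models the passphrase case the commenter mentions, assuming (my assumption, not the page's) that an attacker guesses whole dictionary words rather than letters.

```python
import math

# Character classes behind the comment's 96-symbol "complex" alphabet.
# The 26/26/10/34 split is an assumption made for this example.
LOWER, UPPER, DIGITS = 26, 26, 10
SPECIAL = 96 - LOWER - UPPER - DIGITS

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 365-day year, as the comment uses


def charset_size(password: str) -> int:
    """Smallest class mix an attacker must assume to cover this password."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SPECIAL
    return size


def keyspace(password: str) -> int:
    """Exhaustive-search keyspace: charset ** length (the comment's 96^8 etc)."""
    return charset_size(password) ** len(password)


def entropy_bits(space: int) -> float:
    """log2 of the keyspace, a handier scale than raw combination counts."""
    return math.log2(space)


def crack_time(space: int, guesses_per_second: int = 10_000_000) -> dict:
    """Worst-case time to try every combination, broken down as the comment does."""
    seconds = space / guesses_per_second
    return {"seconds": seconds, "minutes": seconds / 60, "hours": seconds / 3600,
            "days": seconds / 86400, "years": seconds / SECONDS_PER_YEAR}


def passphrase_keyspace(word_count: int, dictionary_size: int = 10_000) -> int:
    """Attacker model for word-built passphrases: guess words, not letters.
    The 10,000-word dictionary is a constructed assumption."""
    return dictionary_size ** word_count


if __name__ == "__main__":
    for pw in ("#7H1spa$$", "thebigbrowndogthrewouthisoldpassword"):
        ks = keyspace(pw)
        print(f"{pw}: {ks:,} combos, {entropy_bits(ks):.1f} bits, "
              f"{crack_time(ks)['years']:,.1f} years at 1e7/s")
    print("8-word passphrase vs 10k-word dictionary:", f"{passphrase_keyspace(8):,}")
```

Note that the passphrase is far stronger under the letter-by-letter model (26^36) than under the dictionary model (10,000^8), so the attacker's model, not the length alone, decides which estimate applies.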

One problem (of several) with a password like:
is that the password-input box is nearly always masked, so an arthritic-fingered grandma has that many more chances to miss a keystroke -- and then wonder why it failed. At least with an 8-character password, one can count the asterisks as a sort of checksum before pressing Enter.

On the other hand, on mobile devices, using uppercase, digits, and/or special characters adds its own set of complications: shift keys and input-mode changes.  There is something to be said for using longer, but all-lowercase passwords there (when that is allowed).
Very good point, I hadn't thought of that for my example but I hope I still got my point across (passphrases are easier to remember than 'complex' passwords).
