In yesterday’s post, we offered a quiz to rate your password IQ. Here are the answers.
1. How often should you change your password?
a) Every 30 days
b) Every 60 days
c) Every 90 days
d) When IT tells you to
Answer: (a) – And the more often you replace your strong password with
another strong password, the better. What’s a “strong” password? Read
2. One of your co-workers is working on a critical report this weekend
and needs access to some of your files. How should you give her your
a) Send it in an email message
b) Call her on the phone and tell her the password
c) Don’t give it to her or anybody else
d) Write it on a piece of paper, seal it in an envelope, and mail it to
Answer: (c) – If she needs access to your files, call your IT department
and ask them to give her access without the use of your password.
3. What is the most common (and so the weakest) password used in 2009?
Answer: (a) – Actually, the list is in order, according to PC
Magazine.* If you are using these passwords or anything like them, you
might as well just give people access to your computer or your bank
4. What characters should you use in a password to make it strong?
a) Letters only
b) Numbers only
c) Letters and punctuation
d) All of the above
Answer: (d) – The more complex a password is, the harder it is for a
person to guess it. Some systems and websites may not allow you to use
all of the punctuation symbols, but most allow some of them.
5. How long should a strong password be?
a) Five characters
b) Eight characters
c) As long as possible
d) Size doesn’t matter
Answer: It depends! For technical reasons, a minimum length of 8
characters is recommended. But not all eight-character passwords are
equally strong. For example, “football” wouldn’t be hard to guess, but
guessing the 8 characters of 7xkM*vh$ presents a real challenge.
6. Now that you are an expert, choose the strongest password from this list:
Answer: (d) – (a) is obviously easy to guess, even though it’s long
enough; (b) is “hacker-speak” for Mickey Mouse – a bad idea; (c)
contains no letters – and it’s the approximate value of Pi; and (e) is
a proper name.
Strong password checklist
- at least 8 characters
- at least one number
- at least one uppercase and one lowercase letter
- at least one symbol (examples: &, !, @, #, $, ^, *)
- no proper names or words (English or otherwise)
- no personal information, like your SSN, phone number, or date of birth
- no repeating characters
- no easy-to-guess patterns like 123qwerty
- no well-known mathematical values (like Pi) or equations (E=mc2)
- Treat passwords like your toothbrush: Choose a good one and replace it regularly.
- Change your passwords at least every 30 days.
- Use a passphrase. Choose an easily remembered phrase like “Liberty and Justice Forever” and use the first one or two letters of each word with some punctuation and numbers in between. Example: Li.an1Ju*Fo.
- Use a password pattern. Pick a starting point on the keyboard, trace out an easily remembered pattern, and add some twists. Example: The eight-character pattern 1qscvhU* describes a “V” on your keyboard starting with the number 1 key, with the added twists of an uppercase U and an asterisk.
- Use a password manager. If you use Firefox, for example, you can have your browser remember your passwords. Then be sure to set a strong master password in Firefox to protect your “remembered” passwords.
- Other versatile, no-cost or low-cost password managers include Roboform and KeePass.
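As an added example (not from the newsletter or the original post), here is the checklist above turned into a small Python checker that reports which rules a candidate password fails. The word list, the well-known-value list and the keyboard sequences are constructed stand-ins for a real dictionary and policy data, and "no repeating characters" is read as no character repeated back-to-back, so that the post's own example Li.an1Ju*Fo. passes.

```python
import re

# Constructed stand-in for a real dictionary of words and proper names; a
# deployed checker would load a full word list plus the user's own data
# (name, phone number, date of birth) from a policy source.
WORDLIST = {"football", "password", "mickey", "mouse", "liberty", "justice",
            "forever", "qwerty", "letmein"}
# Constructed digits/letters of well-known constants and equations.
WELL_KNOWN = {"314159", "271828", "161803", "e=mc2", "emc2"}
# Keyboard rows and the alphabet: any 3-character run along one of these,
# forwards or backwards, is treated as an easy-to-guess pattern like 123qwerty.
SEQUENCES = ("1234567890", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz")
SEQUENCES += tuple(s[::-1] for s in SEQUENCES)
SYMBOLS = set("&!@#$^*()-_=+[]{};:'\",.<>/?\\|`~%")

def has_easy_pattern(pw: str) -> bool:
    low = pw.lower()
    return any(low[i:i + 3] in s for i in range(len(low) - 2) for s in SEQUENCES)

def contains_well_known(pw: str) -> bool:
    digits_and_letters = re.sub(r"[^0-9a-z=]", "", pw.lower())  # "3.14159" -> "314159"
    return any(v in digits_and_letters for v in WELL_KNOWN)

# (description, predicate) pairs; a predicate returns True when the rule holds.
RULES = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("at least one number", lambda p: any(c.isdigit() for c in p)),
    ("at least one uppercase and one lowercase letter",
     lambda p: any(c.isupper() for c in p) and any(c.islower() for c in p)),
    ("at least one symbol", lambda p: any(c in SYMBOLS for c in p)),
    ("no proper names or words", lambda p: not any(w in p.lower() for w in WORDLIST)),
    # Assumption: "no repeating characters" means no character directly repeated;
    # the post's own example Li.an1Ju*Fo. reuses "." non-adjacently and should pass.
    ("no repeated adjacent characters", lambda p: not re.search(r"(.)\1", p)),
    ("no easy-to-guess keyboard or alphabet sequences", lambda p: not has_easy_pattern(p)),
    ("no well-known mathematical values or equations", lambda p: not contains_well_known(p)),
]

def check_password(pw: str) -> list:
    """Return the descriptions of every checklist rule that pw fails ([] = passes)."""
    return [desc for desc, holds in RULES if not holds(pw)]

if __name__ == "__main__":
    for candidate in ("7xkM*vh$", "Li.an1Ju*Fo.", "1qscvhU*", "football", "123qwerty", "3.14159"):
        print(f"{candidate!r}: {check_password(candidate) or 'passes the checklist'}")
```

The post's three example passwords (7xkM*vh$, Li.an1Ju*Fo., 1qscvhU*) pass every rule, while football fails five of them and 3.14159 is caught by both the length rule and the well-known-value rule.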
This material is reprinted, with permission, from the February edition of the SANS Ouch! newsletter.