
157. The Neglected Password

By Andrew D. Wright

A password is usually the weakest link in any secure system. Many users already have passwords to keep track of and remembering things without prompting is hard for some.

Still, this doesn't change the fact that passwords are generally there for a good reason. Internet access and email access are more powerful than people give credit for. Words in an email can be passed on to thousands of other people for example. Jobs have been lost and careers ruined over leaked emails.

Your protection against abuse is your password. This is how you keep people out of your business. Whether you are famous or not, yes, there are people looking to break into your email.

Some people are vague on what a password is. They confuse it with their login or username, they can't understand computer terms, they throw their hands up in the air over such complex things.

It's easy. Logging in to something is a Challenge followed by a Response. You are walking up to a big fort. The guard asks who you are, the Challenge. You tell them your username and they say they have heard of you but before they can let you in, you have to prove you are who you say you are. You then give them the Response, your password. The guard now knows it's really you, the gate opens and you are allowed into the fort.

Recently a scam email was sent out to users at a local Internet provider telling them that due to system upgrades they should reply to the email with their username and password or risk being locked out of their email. One user did send in their password and within a week thousands of spam emails were being sent out from their account with their real name and address on them. The Internet provider was flooded with complaints and their domain found its way onto email blacklists all over the world as a source of spam.

The lesson here is that no matter who an email says it is from, your password is private information that you NEVER give out over email no matter what they say to you. Don't write your password on your cheques, don't tell it to strangers, keep it to yourself. If you do keep written copies of your passwords someplace, make it someplace secure under lock and key. Nobody without a court order in their hand has the right to ask you for any password.

For security, passwords should be remembered, not saved. Passwords shouldn't be words found in the dictionary, since dictionary-based attacks can be done quickly. Ideally passwords should be at least eight characters long, using numbers, punctuation marks and upper and lower case letters since these add many more possible passwords to the mix.

Every person has things that they know well that others do not. A childhood pet, a place they went as a teenager, the car their father drove. Details which are firm in memory, not possible to lose in the normal run of events. So given Spot, The Quarry, and Impala, a password like Spot;Quar+1mpala might be hard for this person to forget but pretty close to impossible for anyone else to guess or brute force by trying all possible combinations of characters.

If you know the words to a song, use the first two letters from each word to make a password. If you know some technical terms for something, take pieces from each word and mix in some numbers. Avoid simple patterns, car license plate numbers and using your street address or phone number.
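To make the column's advice concrete, here is an added example (not part of the original column) that scores candidate passwords along the lines the column describes: the search space grows with length and with the number of character classes mixed in, a bare dictionary word is one guess out of a wordlist however long it is, and the first-two-letters song trick is written out as a function. The five-word wordlist is a constructed stand-in for a real dictionary.

```python
import math
import string

# Character classes the column says to mix: lower, upper, digits, punctuation.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}

# Constructed stand-in for a real wordlist; a dictionary attack tries every entry.
SAMPLE_WORDLIST = {"spot", "quarry", "impala", "password", "chebucto"}


def classes_used(password):
    """Names of the character classes the password draws from."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def guess_space_bits(password):
    """log2 of the number of strings of this length over the classes actually used.
    A bigger alphabet and a longer string both add bits, which is the column's point."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet)


def dictionary_bits(wordlist):
    """A bare dictionary word is one guess out of the list, whatever its length."""
    return math.log2(len(wordlist))


def rule_failures(password, wordlist=SAMPLE_WORDLIST):
    """The column's rules as checks; returns an empty list when all of them pass."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than eight characters")
    missing = set(CLASSES) - classes_used(password)
    if missing:
        failures.append("missing " + ", ".join(sorted(missing)))
    if password.lower() in wordlist:
        failures.append("is a dictionary word")
    return failures


def song_mnemonic(lyric):
    """Column's recipe: first two letters of each word of a line you know by heart."""
    words = [w.strip(string.punctuation) for w in lyric.split()]
    return "".join(w[:2] for w in words if w)


if __name__ == "__main__":
    for candidate in ("impala", "Spot;Quar+1mpala", song_mnemonic("Twinkle, twinkle, little star")):
        print(f"{candidate!r}: {guess_space_bits(candidate):.0f} bits, failures={rule_failures(candidate)}")
```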


The Mousepad runs every two weeks. It's a service of Chebucto Community Net, a community-owned Internet provider. If you have a question about computing, email it to the column. If we use your question in a column, we'll send you a free mousepad.




Originally published 28 August 2009

