As developers, we install our software on many domains.
Some folks use really good passwords; others use passwords that are far easier to crack. And sometimes I'm aghast at the seeming carelessness. For example, I've even seen a case where someone used the same password for everything — FTP, software control panels, membership site log-ins, everything. This article is not a definitive work about passwords. It does, however, present a few concepts that, if kept in mind, can result in better and stronger passwords.
Who Knows About Your Passwords
The passwords you use for password-access sites may be visible to the site owners and anybody else who has access to the hosting account (designers, programmers, and advertising representatives, as examples). For these types of sites, expect the password to be seen. Use only passwords whose disclosure would not cause a catastrophic situation.
Software installers know your FTP password. If possible, create a separate FTP account with a unique password for your software installers. Once the installers are done, delete the account.
Unix/Linux hosting account passwords are known to others only if you disclose them, intentionally or inadvertently. Examples of inadvertent disclosure are sending them in email, giving them to tech support, and writing them down where others might see them.
(By the way, never give your password to hosting tech support. If anyone says they need your password to access your account, that is not the right person to talk to.)
If you want to keep the number of passwords to a minimum, it is not absolutely necessary to use a different password for every password-access site. Yes, the password is relatively insecure, but those who would use it would still need to know where your other accounts are before it would do them any good.
Some people use a combination of a specific sequence of characters with the domain name of the password-access site appended. The technique is transparent to anyone who has access to the password files, and it is a loud indication that the same technique is used at other sites.
Using one specific password for password-access sites is better than appending domain name information to it. At least it would not be readily apparent that the same password is used at other sites.
One easily remembered password for all password-access sites is usually preferred over using many and having to write the passwords down. (See "Keeping Track of Passwords" later in this article.)
With discretion, the same password might be used for the various control panels of software installed on your domains. The control panels of critical software, such as account creation or uploading scripts, should have their own unique password.
Use a unique password for each of your FTP accounts.
Use a unique password for each hosting account.
The Concept —
Where password databases are relatively insecure, such as at password-access sites (although some do encrypt the passwords), use passwords whose disclosure would not matter much, although these should still be good passwords. Use the strongest passwords for control panels, FTP access, hosting accounts, and access to other critical areas.
Passwords to Avoid
Avoid words in any dictionary. Avoid such words even when you put a number in front of or behind the word. Numbered, oddly capitalized, repeated, reversed, and mirrored words are all things crackers look for. Examples:
| Variation | Example |
|---|---|
| Word | fish |
| Numbered | fish24 |
| Weird Capitalization | fiSh |
| Repeated | fishfish |
| Reversed | hsif |
| Mirrored | fishhsif |
Crackers might not know your dog's middle name is Woofer. But one can get a huge list of hundreds of thousands of names and try each one.
The Concept —
Passwords should contain no words, no names, no abbreviations, however numbered, capitalized, repeated, reversed, or mirrored.
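The variations listed above (and the obvious letter substitutions warned against later under "Choosing Passwords") can be turned into a rejection check: undo each variation to recover the base word and refuse the password if that word is in a dictionary. The following Python is an added example written for this article, not code from the Password Generator or any other tool the page mentions; the tiny wordlist is constructed for the demonstration and stands in for a full dictionary and name list.

```python
import itertools
import re

# Constructed sample wordlist standing in for the dictionary and the list of
# "hundreds of thousands of names" a cracker would load. A real check reads a
# full dictionary file into this set.
WORDLIST = {"fish", "woofer", "secret", "password", "london"}

# Obvious substitutions the article says not to rely on, mapped back to every
# letter they commonly stand for.
DESUBSTITUTE = {"1": "li", "|": "li", "0": "o", "@": "oa", "#": "np"}


def desubstituted(word):
    """All readings of `word` with obvious substitutions undone
    ("p@ssw0rd" -> {"password", "possword"})."""
    if sum(c in DESUBSTITUTE for c in word) > 10:
        # Bound the expansion; a long symbol-heavy string is not a disguised word.
        return {word}
    choices = [DESUBSTITUTE.get(c, c) for c in word]
    return {"".join(t) for t in itertools.product(*choices)}


def candidate_bases(password):
    """Lowercase base words a cracker would recover from a password by undoing
    the article's variations: numbered, capitalized, repeated, reversed, mirrored."""
    p = password.lower()                       # weird capitalization: "fiSh" -> "fish"
    # Numbered: digits or punctuation glued to the front or back ("fish24", "24fish!").
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", p)
    bases = {p, stripped}
    for base in (p, stripped):
        bases.add(base[::-1])                              # reversed: "hsif" -> "fish"
        half = len(base) // 2
        if half and base[:half] == base[half:]:            # repeated: "fishfish"
            bases.add(base[:half])
        if half and base[:half] == base[half:][::-1]:      # mirrored: "fishhsif"
            bases.update((base[:half], base[half:]))
    expanded = set()
    for base in bases:
        expanded |= desubstituted(base)
    return {b for b in expanded if b}


def is_weak(password, wordlist=WORDLIST):
    """True when any recovered base word is in the wordlist, i.e. the password
    is one of the variations the article says to avoid."""
    return any(b in wordlist for b in candidate_bases(password))


if __name__ == "__main__":
    for pw in ("fish24", "fiSh", "fishfish", "hsif", "fishhsif", "Woofer7", "p@ssw0rd"):
        print(pw, "weak" if is_weak(pw) else "ok")
```

Such a check belongs wherever a password is set or changed; it enforces the concept rather than leaving it to each user's memory.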
Choosing Passwords
The best passwords, in the sense that they are least likely to be cracked, are 8 or more characters long and contain a random mix of upper- and lower-case letters, numbers, and punctuation characters. The Password Generator can generate dozens of good and strong passwords for you in seconds.
When password forms allow spaces within a password, one or several may be used for a stronger password.
Passwords should never be written down or recorded in such a way that others might find out what they are. Yet, randomly generated passwords are hard to remember. For some relatively secure ways to record passwords, see the "Keeping Track of Passwords" section, below.
If you must actively remember certain passwords, a random string of characters is not the best. Here are some rules to help construct strong yet memorable passwords:
( 1 ) Insert numbers and/or punctuation characters within words that are easy for you to remember.
( 2 ) Substitute certain letters of words with numbers or punctuation characters. Obvious substitutions that should be avoided are digit "1" or character "|" for letters "l" or "i", digit "0" or character "@" for letter "o", character "@" for letter "a", and character "#" for letters "n" or "p".
( 3 ) Create pseudo-acronyms from uncommon but easily remembered phrases. The password can be composed of the first letter of each word, or each last letter, or each third letter. The idea is to remember the phrase and be able to mentally construct the password whenever you need it.
The Concept —
Passwords generated randomly from all characters of the keyboard are the best passwords, unless they have to be remembered. For memorable passwords, selectively insert numbers or punctuation characters, or selectively replace letters, or construct pseudo-acronyms from phrases.
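The two halves of this concept, random generation from the whole keyboard and construction of memorable passwords from a word or phrase, are shown below in an added Python example written for this article; it is not the Password Generator's own code. The character set, the 8-character minimum and the three construction rules come from the text above; the function names and the sample phrase are the example's own.

```python
import math
import secrets
import string

# Every printable keyboard character: letters, digits and punctuation (94 in all).
KEYBOARD = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def random_password(length=12, allow_spaces=False):
    """Random password containing at least one character from each class.

    `secrets` draws from the OS cryptographic random source; the `random`
    module is predictable and the wrong tool here. With allow_spaces=True an
    interior space may appear, for forms that accept one."""
    if length < 8:
        raise ValueError("use 8 or more characters")
    alphabet = KEYBOARD + (" " if allow_spaces else "")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Redraw until every class is present and no space sits at either end,
        # where a form might trim it away.
        if all(any(c in cls for c in pw) for cls in CLASSES) and pw.strip() == pw:
            return pw


def entropy_bits(length, alphabet_size=len(KEYBOARD)):
    """Bits of entropy in a uniformly random password of `length` characters
    drawn from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def pseudo_acronym(phrase, position=0):
    """Rule (3): the letter at `position` of each word of a memorable phrase
    (0 = first letter, -1 = last, 2 = third). Words too short to have that
    position are skipped."""
    letters = []
    for word in phrase.split():
        try:
            letters.append(word[position])
        except IndexError:
            continue
    return "".join(letters)


def with_insertions(word, inserts):
    """Rule (1): insert digits or punctuation at chosen offsets of a memorable
    word, e.g. with_insertions("remember", {3: "7", 6: "!"}) -> "rem7emb!er"."""
    out = list(word)
    for offset in sorted(inserts, reverse=True):   # insert from the end so earlier offsets stay valid
        out.insert(offset, inserts[offset])
    return "".join(out)


if __name__ == "__main__":
    pw = random_password(12)
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
    # Constructed sample phrase for the acronym rule.
    print(pseudo_acronym("my dog woofer chases blue cars", 2))
```

The entropy figure is the point of the first half: eight characters drawn uniformly from all 94 keyboard symbols carry about 52 bits, which no dictionary variation comes close to, whereas a phrase-derived password is only as strong as the phrase is unguessable.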
Keeping Track of Passwords
I know, it's tough to keep track of lots of passwords. There is software to help keep track of things, but a person still needs to have them available for reference in case something happens — if the password tracking software crashes, for example.
Passwords should never be written down or recorded in such a way that others might find out what they are.
The passwords produced by the Password Generator are not easy to remember.
When recording passwords, they will ideally be protected by a master password. The master password should be strong yet easy to remember.
Some options for recording passwords behind a master password:
A PDF file that requires a password to open.
An encrypted file that requires a password to decrypt.
An office safe with a secret combination lock.
Resist any temptation to use a password-protected directory on your server to store your passwords. Anybody with FTP access to those parts of your domain and everybody with physical access to the server also has access to the content of your password-protected directories.
The Concept —
Passwords should be recorded only behind a strong master password.
As mentioned earlier, this article is not a definitive work on the subject. Lots of good information can be found by searching for "good password" or "strong password" at various Internet search engines.
Sleep easy :)