User:Evgenykorovin

The general rule in choosing passwords is, the longer and more complex the better. What is meant by “complex” is simply that the password should contain not only alphanumeric characters (A-Z, a-z, 0-9) but “special characters” (e.g. &, $, @, #) as well. With the continuing growth in the speed and power of personal computers available to people around the world - including hackers - passwords that are shorter and/or lack complexity are becoming easier prey to the sophisticated password-cracking software and tools that are widely available to hackers and computer thieves. And make no mistake about it, having one or more of your passwords stolen or compromised is a form of identity theft that permits someone else to impersonate you and gain access to your private data.

When setting up accounts on the web, some providers (including financial institutions) will unfortunately limit the length of the password you choose to less than eight characters, although in some instances they provide additional security measures that compensate for this to some degree. In general, though, eight characters are typically recommended as the bare minimum. Most Internet systems will not only allow passwords of eight or more characters, they will require them along with enforcing complexity. In some instances, you can choose a password that is up to 255 characters in length! (That might be a little hard to remember, though.)

Another important consideration in selecting a password is not to base it on words (including proper nouns and names) that are likely to appear in the many password cracking “dictionaries” that are available. These dictionaries often include not only most common English words (as well as from other languages) but references from popular culture, sports, entertainment and other sources. They will also test for simple character substitutions. So, for example, if you choose “EricCartman” as your password, it’s a good bet to be quickly cracked even if it is more than eight characters long. And, changing it to “3r1cC4rtm4n” won’t make it much stronger.

Some modern computer operating systems (including Windows XP/Vista) offer the opportunity to use “passphrases” for access to user accounts. These are pretty much the same things as passwords, except they can be much longer and can include spaces, punctuation and other characters that many systems do not permit in passwords. A passphrase stretching to twenty characters or more is exponentially more difficult to crack than an eight-character password, even if the passphrase does not feature complexity. “Oh my God, they killed Kenny!”, in this case, would be a much more secure way to access your account than “3r1cC4rtm4n”. While it takes a few more seconds to type in a passphrase, the greatly enhanced security makes for a pretty good tradeoff, especially when you consider that passphrases tend to be more easily remembered than complex passwords.
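The two points above (simple substitutions do not hide a dictionary word, and length outweighs complexity) can be checked with a short script. This is an added example, not code from the original post; the wordlist, the substitution table and the strings "aB3$xY7!" and "plain long words now" are constructed for illustration.

```python
import math
import string

# Constructed sample wordlist; a real check would load a large cracking dictionary.
WORDLIST = {"ericcartman", "password", "southpark"}

# Assumed substitution table: a few common swaps, each mapped to one letter.
LEET = str.maketrans({"3": "e", "1": "i", "4": "a", "0": "o",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Character classes and their sizes for the brute-force estimate.
CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
           (string.digits, 10), (string.punctuation, 32), (" ", 1)]


def normalize(password):
    """Lower-case the password and undo simple character substitutions."""
    return password.lower().translate(LEET)


def is_dictionary_based(password):
    """True if the password is a wordlist entry once substitutions are undone."""
    return normalize(password) in WORDLIST


def charset_size(password):
    """Size of the smallest class-based alphabet that covers the password."""
    return sum(size for chars, size in CLASSES
               if any(c in chars for c in password))


def brute_force_bits(password):
    """log2 of the exhaustive search space: an upper bound on strength only."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for pw in ["EricCartman", "3r1cC4rtm4n", "aB3$xY7!", "plain long words now"]:
        print(f"{pw!r:24} dictionary={is_dictionary_based(pw)!s:5} "
              f"bits={brute_force_bits(pw):.1f}")
```

The bit count only measures exhaustive search, so “3r1cC4rtm4n” scores about 65 bits yet is still flagged as dictionary-based; the twenty-character lowercase phrase scores about 95 bits against about 52 for the complex eight-character password.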

Of course, even the strongest password or passphrase is useless if you give it away or make it easy for someone to guess or find out what it is. The more people who know you’re a South Park fan, the more likely it is that one of them may guess one of the examples above as your password/passphrase (and in fact, don’t use these - they’re just examples). Try to avoid writing passwords and passphrases down if possible, and if you do, don’t post or display them where snoops can see them or are likely to look (like on the underside of your keyboard). It is true that we are all acquiring more and more usernames and passwords to keep track of, and remembering them all is simply not an option anymore. Password “vault” programs are available that allow you to record them (and other sensitive bits of information) in a master encrypted file that you can protect with a single strong password for opening and retrieval. These programs are commercially available at minimal expense, and Macintosh OS X comes with such a program (“Keychain”) as part of the operating system.

Source: Actual Software Lab Blog