IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more
In-depth

Building a better password

Is your password really as secure as you think it is? Davey Winder investigates.

So you think you know what a secure password is? Think again. No, seriously. The chances are that the hackers are way ahead of you in terms of truly understanding secure password construction, and more importantly password deconstruction methods as well.

Brute forcing tools abound, which use both dictionary and hybrid dictionary methods to break the kind of password that many think are impervious to such automated breakage. Simply not using dictionary words is no longer protection enough, hackers can crack substitutions such as P455w0rd! instead of password in a matter of minutes. So what does constitute a secure password these days then?

Secure password construction

Current thinking dictates that a secure password needs to be not just eight characters in length anymore, but at least 12. Current thinking also dictates that in order for an enterprise to successfully implement a secure password solution it must consider three parameters: the level of security, the cost implication and user-friendliness.

The last of these is often overlooked, and that's a big mistake as Jan Valcke, president and chief operating officer (COO) at VASCO Data Security, reminds us that "attention must be paid to ensure that extreme password complexity rules don't break the overall security of the scheme because users start writing down passwords".

But how can you build complex passwords that are at least 12 characters long, include special characters and are not dictionary words, without breaking that user friendly rule?

Rik Ferguson, senior security advisor at Trend Micro, suggests you think of a memorable phrase such as "Motley Crue and Adam and the Ants were the soundtrack of my youth" and then take the initial letters to form MCAAATAWTSOMY. "This will be the basis of the password" Ferguson advises "but we need to make sure to a mix of upper and lower case characters, numbers and special characters".

So mixing cases gives us McaAatAwTsomY, changing the o to an 0 produces McaAatAwTs0mY and finally the special characters are introduced by changing the first 'and' into + and the second to & which gives us Mc+A&tAwTs0mY. Ferguson recommends using the symbol as it's overlooked by many brute force tools, so the final password would be: Mc+A&tAwTs0mY

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to incorporate password protection into your security strategy
Sponsored

How to incorporate password protection into your security strategy

3 Aug 2022
Should you take your password manager off the internet?
Sponsored

Should you take your password manager off the internet?

28 Jul 2022
The psychology of secure passwords
Sponsored

The psychology of secure passwords

14 Jul 2022

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
Electrical explosion reported at Google's Iowa data centre
data centres

Electrical explosion reported at Google's Iowa data centre

9 Aug 2022