Ask an Engineer – Passwords

Every newsletter we answer your tech questions in “Ask an Engineer.” If you have a question you’d like answered, write us at bergeronl@alliancetechnologies.net. If your question is selected you’ll be answered in our newsletter!
 
“What makes a good password? How often should I change my password?”
 
This is a great question. Though the prevailing line of thought on what makes a good password has been standard for quite a while now, how often you should change your password is still debated. Let’s talk about what makes a good password first.
 
The best passwords contain many types of characters – upper and lowercase letters, numbers, and symbols. It’s also best to avoid words in the dictionary when crafting a good password, since dictionary brute-force attacks are a common way to hack passwords. Of course, any good password is also memorable, so we recommend a little trick – make your password spell a word using numbers and symbols in place of letters.
 
For instance, pick a word that’s easy for you to remember, like your favorite food. Let’s use “green beans” as an example. Instead of just creating a password like “greenbeans”, substitute symbols and numbers for some of the letters, like “Gr33nbe@n$” or “g12eenB3ans”. This way you increase your security by including multiple types of characters without using a common dictionary word, but your password is still memorable. Full phrases can also be a good idea, such as “ILikeGreenBeansForDinner”.
 
Most importantly, DO NOT use the same password for every account, especially across business accounts and personal accounts like Facebook and Twitter. The vulnerabilities of Facebook and Twitter have been well documented, and a compromised social networking account could lead to compromised business accounts if the password is the same.
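The rules above (mix character types, avoid dictionary words, never reuse a password across accounts) can be turned into a small audit script. The following is an added example written for this newsletter page, not a tool from Alliance Technologies; the word list, the substitution table, the account sample and the length thresholds (10 characters, 16 for a phrase) are all constructed assumptions. It also records a caveat a defender should know: password-cracking tools apply letter-for-symbol substitution rules automatically, so a word that survives once “3” is turned back into “e” is reported as a warning even when the password passes.

```python
"""Password policy audit based on the newsletter's advice.

Checks: character types present, dictionary words (before and after undoing
common substitutions), and reuse of one password across several accounts.
"""
import string

# Constructed toy word list; a real audit would load a full cracking wordlist.
WORDLIST = {"green", "beans", "dinner", "like", "password", "summer", "welcome"}

# Common letter-for-symbol substitutions. Cracking tools undo these with
# rule files, so "3" for "e" adds little secrecy. The table is an assumption.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 10          # assumed thresholds, not stated in the newsletter
PASSPHRASE_LENGTH = 16   # a full phrase this long is accepted with fewer types
MIN_CLASSES = 3


def character_classes(pw: str) -> int:
    """Count the character types present: lowercase, uppercase, digit, symbol."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)


def normalize(pw: str) -> str:
    """Undo the common substitutions and case, the way a rule-based cracker would."""
    return pw.translate(LEET).lower()


def dictionary_words(pw: str, wordlist=WORDLIST, min_len: int = 4) -> list:
    """Dictionary words of at least min_len letters found inside the normalized password."""
    norm = normalize(pw)
    return sorted(w for w in wordlist if len(w) >= min_len and w in norm)


def evaluate(pw: str) -> dict:
    """Apply the newsletter's rules and return findings instead of a bare yes/no."""
    classes = character_classes(pw)
    words = dictionary_words(pw)
    passphrase = len(pw) >= PASSPHRASE_LENGTH
    problems, warnings = [], []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if classes < MIN_CLASSES and not passphrase:
        problems.append(f"fewer than {MIN_CLASSES} character types and too short to count as a phrase")
    if normalize(pw) in WORDLIST:
        problems.append("is a single dictionary word")
    if words:
        warnings.append("dictionary words remain after undoing substitutions: " + ", ".join(words))
    return {"password": pw, "length": len(pw), "classes": classes, "words": words,
            "problems": problems, "warnings": warnings, "ok": not problems}


def reused_passwords(accounts: dict) -> dict:
    """Group account names by shared password; any group larger than one is reuse."""
    by_pw = {}
    for account, pw in accounts.items():
        by_pw.setdefault(pw, []).append(account)
    return {pw: sorted(names) for pw, names in by_pw.items() if len(names) > 1}


# Constructed sample: one user's accounts, with the same password on two of them.
SAMPLE_ACCOUNTS = {
    "work-email": "Gr33nbe@n$",
    "facebook": "Gr33nbe@n$",
    "twitter": "ILikeGreenBeansForDinner",
}

if __name__ == "__main__":
    for candidate in ("greenbeans", "Gr33nbe@n$", "g12eenB3ans",
                      "ILikeGreenBeansForDinner", "password"):
        report = evaluate(candidate)
        status = "OK  " if report["ok"] else "FAIL"
        print(f"{status} {candidate!r}: {report['classes']} types, {report['length']} chars")
        for line in report["problems"] + report["warnings"]:
            print("      -", line)
    for pw, names in reused_passwords(SAMPLE_ACCOUNTS).items():
        print(f"reuse: {pw!r} is shared by {', '.join(names)}")
```

Run as-is, the script rejects “greenbeans” (one character type) and “password” (a single dictionary word), accepts “Gr33nbe@n$”, “g12eenB3ans” and the full phrase, and reports that “green” and “beans” are still recoverable from the substituted forms. The reuse check compares plaintext only because this is an offline illustration; an audit of real accounts would compare stored hashes instead.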
 
Now, on to password change frequency. Security-minded IT managers used to tell users that they should regularly change their passwords, say every 30 or 60 days. However, this system, coupled with policies that forced users to generate complex passwords combining multiple character types, meant that users would typically just change their password and then write it down. Since there wasn’t enough impetus to properly memorize a complex password every 30 days, the password usually ended up stuck to the monitor or inside a desk drawer on a post-it note, which defeats the purpose of a good password in the first place. It’s better to simply pick a properly complex password, one that contains multiple character types and that you can remember, and memorize it. We still recommend changing the password at least once every year.
 
Thanks for the great question. And remember, your passwords are only as strong as you make them.