Teaching a dead dog new tricks about stronger passwords

By Linda Musthaler | January 27, 2012

Posted in: Network Security Trends

Some time ago I enjoyed a cartoon where a family was eulogizing their recently deceased pet. The caption was something like, “Rex, you were a good dog, and though you may be gone from this life, you will live on forever as our computer password.” The cartoon amused me, but it also made me uneasy because I realized I was guilty of using old pets’ names as passwords back then. (I've since wised up and started using what I hope are stronger passwords. Sorry, Rex.)

Unfortunately, a lot of people use passwords that are way too simple to guess. And they use the same password over and over for many different applications and computer systems. Who can blame them, however, when it seems that every website wants you to create a username and password these days? It’s just too hard to create and remember really strong passwords without writing them down somewhere.

What constitutes a strong password anyway? It’s one that is sophisticated enough so that humans and automated password crackers can’t figure it out, but also easy enough for the user to remember it without difficulty. (How many times do you click on “forgot my password” and then wait to have a reminder sent to your email account?)

Federal guidelines for passwords

The U.S. Federal government has issued guidelines for passwords as part of the Federal Desktop Core Configuration (FDCC), a set of security standards that was mandated in 2007 to improve the security and stability of end user computing within government agencies. The FDCC guidelines say that passwords must:

  • Be at least 12 characters in length.

  • Contain at least 3 of the following 4 character types:

    • Uppercase letters (ABCDEFGHIJKLMNOPQRSTUVWXYZ)

    • Lowercase letters (abcdefghijklmnopqrstuvwxyz)

    • Symbols (,./'~<?;:"[]{}\|!@#$%^&*()_=-+)

    • Numbers (0123456789)

  • Not be similar to or contain any portion of your name or login name

  • Not contain English words that are longer than 4 letters

  • Not begin or end with a number

  • Not be the same as any of the previous 24 passwords in the password history

  • Be changed at least once every 60 days

In addition, the FDCC says that passwords should not:

  • Use a sequence of keys on the keyboard, such as QWERTY or 12345

  • Use information about yourself, family members, friends or pets. This includes (in whole or in part) names, birthdates, nicknames, addresses, phone numbers

  • Use words associated with your occupation or hobbies

  • Use words associated with popular culture, such as song titles, names of sports teams, etc.

  • Be reused for multiple accounts

When creating passwords, users can use the following techniques to make the password more difficult to crack while also making it easier to remember:

  • Substitute characters for letters:

    • ‘a’ can be replaced by ‘@’

    • ‘e’ can be replaced by ‘3’

    • ‘i’ can be replaced by ‘1’

    • ‘o’ can be replaced by ‘0’

    • ‘s’ can be replaced by ‘$’

    • ‘t’ can be replaced by ‘+’

    • And so on…

  • Use passphrases rather than passwords, and use only the initial letter of each word in the passphrase. Example:

    • Passphrase: “Now is the time for all good men to come to the aid of their country”

    • This becomes “nittfagmtcttaotc”.

    • Using substitutions, this becomes: “N1++f@GM+ctt@0+c”
In theory, this is great advice, but I have my doubts about how effectively this can be enforced – especially if a person needs to create, say, a dozen unique passwords, and they must be changed every other month. At some point, the process becomes so complicated that the user community will just write their passwords on scraps of paper to keep from forgetting them. And doesn’t that defeat the purpose of a strong password?

What are the password policies in your organization? How do you guide your user community to create – and remember – strong passwords?
