Microsoft Chairman Bill Gates declared the password dead. He told his audience that the password can't meet the challenge of keeping sensitive information protected, saying "People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."
That was six years ago at the 2004 RSA Security Conference. Paraphrasing some wisdom from Samuel Clemens, the rumors of the password's demise have been greatly exaggerated. It is still the primary security control used to protect data, accounts, and pretty much everything else on a computer.
[ InfoWorld's Roger Grimes explains how to stop data leaks in an enlightening 30-minute webcast, Data Loss Prevention, which covers the tools and techniques used by experienced security pros. ]
Gates may have been premature in calling the time of death on the password, but his assessment of why the password is inadequate as a security control were accurate. A study of more than 30 million passwords exposed when Rockyou.com was hacked found that almost half use names, common dictionary words, or sequential characters like "qwerty".
Fingerprint scanners and other biometric controls are becoming more mainstream, but the password will still be the main barrier between hackers and your data for the foreseeable future. With that in mind, here is how to create a secure password that you can actually remember in "12345" easy steps.
1. No Personal Information. Any novice hacker can easily find out your full name, the names of your spouse or children, your pets, or your favorite sports teams. Never choose a password that has anything to do with you personally.
2. No real words. Let's take that a step farther. Not only should you not use your name or your pet's name, you shouldn't use any actual word that can be found in a dictionary. Passwords like that can be easily cracked by password software.
3. Mix Character Types. Passwords are almost always case-sensitive, so use both upper and lower case letters to make it more difficult. To really make it complex, be more creative than just capitalizing the first letter. For example, do "paSswoRd" instead of just "Password". Better yet, throw in some numbers and special characters to substitute for letters, and do "p@Ssw0Rd".
4. Use a Passphrase. Scratch that. Some password cracking utilities are also smart enough to use common character substitutions for common words. Cracking "p@ssw0rd" may take longer than cracking "password", but it will still be relatively trivial to crack because, special characters or not, the password is still "password".
Instead, take your favorite line from a movie, song, or book and convert it to a passphrase. If you like the scene from A Few Good Men when Jack Nicholson is on the stand, take the line "You want the truth? You can't handle the truth!" and convert it to "Ywtt?Ychtt!". It has upper case and lower case letters, as well as special characters. It is not a word appearing in any dictionary, yet it is simple for you to remember.