Password Security

By Joe Purcell
Staff Writer
05-12-2011

Perhaps the most overlooked feature of security is the password. Let's consider an analogy: your information, whether it be your home computer or Facebook, is like treasure. Only you have access to that treasure because it's protected by a password, a secret. The only way someone can steal your treasure is if they know how to get to it, that is, if they know your secret password. 

 

Let's say, for example, that you have money hidden under your mattress. Anyone wanting to steal from you would easily guess to look there. In the same way, hackers would easily guess "123456" for your password, which, by the way, was the password of almost 300,000 users at RockYou in 2009, according to a report by Imperva. Choosing a strong password isn't easy, but surely one could come up with a better password than that!

Ok, so passwords are our first line of defense. There are four main characteristics of a strong password:

1. Length - the more characters the better; with each additional character (if you are considering uppercase, lowercase, numerals, and special characters) the complexity of cracking the password goes up by a multiple of 94, so 2 characters has 8,836 possibilities, but 3 has 830,584!

2. Diversity - the more types of characters the better; use numbers, special characters, uppercase, and lowercase, but don't use dictionary words, backwards words, or repeated characters.

3. Associativity - hackers can socially engineer your password, so the more obvious the association between you and the password is, the more likely it can be guessed; for instance, don't use your name or anything that obviously identifies you.

4. Duration - the longer your password stays the same, the more chances a hacker has to crack it; a duration of 3 months is ideal.

Ok, but how can one create a strong password that can be remembered? The best method I've found is summed up in an article by Microsoft, which starts with a sentence and modifies it into a password that is impossible to guess. Here are the steps, with a few modifications:

1. Choose a sentence - Choose a sentence you can remember with about 10 words, maybe a quote or a line from your favorite poem or book (you'll need a new sentence every 3 months). I'll use the quote: "Treat your password like your toothbrush. Don't let anybody use it, and get a new one every six months." (It's longer than 10 words, but I can remember it, and that's the key.)

2. Extract characters from the sentence - The simplest approach is to take the first letter of each word, and maybe convert number words to numbers and words like "at" and "and" to @ and &. Mine becomes: "Typlyt.Dlaui&gan1e6m."

3. Add complexity - Microsoft suggests making the letters in the first half of the password uppercase, but a great alternative is to use l33t speak: make T's into 7's, a's into @'s, and so on; here's a complete list of l33t conversions. This can also be done as part of step 2, as I did. Since mine is already complex (it has uppercase, lowercase, numbers, and special characters), I can skip this step.
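A worked version of steps 1 to 3 plus the "multiple of 94" arithmetic from the list above, added here as an example; it is not code from the original article or from Microsoft. The number-word and l33t tables are constructed, and dropping commas while keeping sentence-ending periods is my reading of the author's own example.

```python
import string

# Step 2: number words become digits and "and"/"at" become "&"/"@"
# (constructed tables; extend them to taste).
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
SYMBOL_WORDS = {"and": "&", "at": "@"}
# Step 3: a hypothetical subset of l33t substitutions (the article's full list is not reproduced here).
LEET = {"t": "7", "a": "@", "e": "3", "o": "0", "s": "5"}
# Upper + lower + digits + punctuation = the 94-symbol alphabet behind the article's counts.
ALPHABET_SIZE = 26 + 26 + 10 + 32


def sentence_to_password(sentence: str) -> str:
    """First character of each word; number words -> digits; and/at -> &/@.
    Sentence-ending periods are kept, other punctuation is dropped (assumption
    that reproduces the article's example)."""
    parts = []
    for token in sentence.split():
        ends_sentence = token.endswith(".")
        word = token.strip(string.punctuation)
        if not word:
            continue
        key = word.lower()
        parts.append(NUMBER_WORDS.get(key) or SYMBOL_WORDS.get(key) or word[0])
        if ends_sentence:
            parts.append(".")
    return "".join(parts)


def add_leet(password: str) -> str:
    """Step 3 alternative: swap letters for look-alike digits/symbols, case-insensitively."""
    return "".join(LEET.get(ch.lower(), ch) for ch in password)


def uppercase_first_half(password: str) -> str:
    """Microsoft's step 3: upper-case the first half of the characters."""
    half = len(password) // 2
    return password[:half].upper() + password[half:]


def character_classes(password: str) -> set:
    """Which of the four classes from the Diversity rule the password covers."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Candidate strings of this length over the 94-symbol alphabet: 8,836 for 2, 830,584 for 3."""
    return alphabet_size ** length
```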
 
So, I have a password, "Typlyt.Dlaui&gan1e6m.", that is 21 characters long, which is crazy, but I can remember it. The first few times you will have to recite the sentence in your head and remember which characters you've changed, especially the l33t characters. But it's much more memorable than something arbitrary, and it's nearly impossible to crack. However, we still have some issues.
