Column: Ditch passwords, use passphrases

Beluchukwu Ebede, Staff Reporter

As common as they are, passwords are like your fingerprint. Still, hear it again: Your password is your personal key to your accounts, be it online or local. That means it should be guarded with utmost jealousy. Well, this is common knowledge.

A password should be made up of at least 8 characters with a mix of numbers, letters and symbols. Passwords should be changed regularly, at least once in 6 months. Do not use same password on more than one online account. Do not write them down. Do not share them. Do not save them in any digital format. This is also common knowledge.

As simple as these may sound, and as important as this subject is, most of us still ignore these vital bits of advice. If you are guilty, well, accept my sympathy in advance.

Cyberattack has become so easy that almost anybody can learn how to do it. It has become that simple.

The other day, I tried a brute-force attack on an FTP server using Cane and Abel, a hacking program, and boom, in less than 4 minutes, it resolved the password. Although that was in my personal lab, it is no different from a public domain.

First, I provided it a password file of 1000 random passwords; it picked the right one. Secondly, I changed the FTP server password and, this time, did not provide any password file. It took a while but it still return the correct password. I repeated this with a more complex password, it took almost a day but, in the end, returned the correct password.

This brings us to a point. The more complex you make your password, the harder it gets to break it. Again, this is still common knowledge. At this point, the following questions may be going through your mind: How complex should a password be? How do I remember them if they must be unique per account and must be changed regularly without writing them down or saving them electronically?

The answer? Use a passphrase! My favorite.

Let us form a simple password using the passphrase technique. “I bought my first car at the age of seven.” Is this true? Nevermind if it is true or false. I can derive a password from it to form the password 1bmfc@ta07. It is easy to remember. This forms the root of my password. In order to have it unique across accounts, extract the first three consonant from the website and fix into the root. For example, Google would be GGL. This would give me G1bmfcG@ta07L as my unique Google password.

For regular changes, you may use year and month. For example, if you change every six months, say in January and June, your January password could be 16G1bmfcG@ta07LJa; you might notice that this password codes the year, 2016, at the start and the month, January (Ja) at the end. This is what I call password encapsulation. Is this also common knowledge? No. This is purely my idea.

Well, to some readers, most ideas I referred to as common knowledge may not be common. But whatever the case, congratulations. Because now, you know better. Nonetheless, as common as these may sound, most of us still take it for granted. My advice: love your account as yourself.

Beluchukwu Ebede is a technology graduate student. He can be reached at 581-2812 or [email protected].