Mac Security 101
Secure Building Blocks: Creating a Complex Password
by Kale Feelhaver aka: Applemacpunk
The password is the first and foremost building block of security. The complexity of a password determines how strong this building block will be. Many Mac users have heard of complex passwords, but have no idea what they are, or how to create one. This article takes a brief look at complex passwords and several methods to easily create them. The tips in this article can be used to create user account passwords on your Mac, but can also be used to create passwords in general. From online banking to email, passwords are everywhere. A complex password can create a strong building block to help avoid identity theft and data loss.
The phrase “complex password” has no definite meaning. This definition will vary from person to person. For certain applications, a complex password may be 16 characters or more (and may include several non-alpha or non-numeric characters), but for the sake of this article, I will define a complex password as having the following four requirements. It should be at least 8 characters in length, have at least one uppercase letter, at least one lowercase letter, and have at least one number or symbol. However, simply meeting these requirements does not necessarily guarantee a complex password. Here are some examples of passwords that meet the above requirements and still are not complex passwords: P@ssword, 116ElmSt, Monday01.
Even though these passwords meet the requirements, they are easy for a hacker to guess. A complex password is not only a mixture of uppercase, lowercase and non-alpha characters, but also not based on a dictionary word. There are hacking tools circulating on the Internet that can cycle through every word in the dictionary (including foreign languages) in a matter of minutes. A password based on a dictionary word can easily be compromised using such a tool.
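The gap between meeting the four requirements and being complex can be checked mechanically. The following is an added example, not part of the original article: it tests the four requirements, then looks for a dictionary word underneath the digits, symbols and common character substitutions. The word list, the substitution table and the two-leftover-letters threshold are constructed assumptions; a real check would load a full dictionary plus names and street names.

```python
import re

# Constructed sample word list (assumption); use a full dictionary in practice.
WORDS = {"password", "monday", "elm", "qwerty", "welcome", "summer"}

# Common character substitutions, mapped back to the letters they stand for.
SUBSTITUTIONS = str.maketrans("@431!05$7", "aaeliosst")


def meets_requirements(password):
    """The article's four requirements: length, upper, lower, number or symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[^A-Za-z]", password) is not None)


def letter_cores(password):
    """Letters left after (a) dropping non-letters and (b) undoing substitutions."""
    lowered = password.lower()
    plain = re.sub(r"[^a-z]", "", lowered)
    undone = re.sub(r"[^a-z]", "", lowered.translate(SUBSTITUTIONS))
    return {plain, undone}


def dictionary_word(password, max_extra=2):
    """Return the dictionary word the password is built on, or None."""
    for core in letter_cores(password):
        for word in sorted(WORDS):
            # A word counts as the base if it leaves at most max_extra letters over.
            if word in core and len(core) - len(word) <= max_extra:
                return word
    return None


def assess(password):
    """Classify a password as failing the requirements, dictionary-based, or ok."""
    if not meets_requirements(password):
        return "fails requirements"
    word = dictionary_word(password)
    return f"based on '{word}'" if word else "ok"


if __name__ == "__main__":
    # The article's weak examples, followed by two produced by its later methods.
    for pw in ["P@ssword", "116ElmSt", "Monday01", "M77Bwsfmd", "13Durver"]:
        print(f"{pw:10} {assess(pw)}")
```

All five sample passwords satisfy the four requirements; only the first three are reported as built on a dictionary word.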
To create a complex password, Mac users should try to avoid dictionary words and other common hacking targets. Do not use things like dates, family members’ names, license plate numbers, social security numbers, usernames, or addresses in your passwords. These can be easily guessed by anyone who finds out a little about you. Complex passwords should be easy to remember, hard to guess, and easy to type quickly. Once you have created a complex password, keep it a secret. Giving away your password defeats the purpose of creating one. Most importantly, never leave a password blank. Even if the system allows you to do so, this is not a good security practice.
“So how do I create a complex password?” There are several ways to create one. First, I’d like to talk about Mac OS X’s built-in Password Assistant. To access this utility, launch System Preferences, click on the Accounts icon, select your user, click the Change Password button and click the lock icon.
This utility can be used to generate random passwords, and also to test the complexity of the passwords you create. This tool is extremely comprehensive, very easy to use, and free with Mac OS X. If this program is not your style, there are a number of websites that have similar tools for creating random passwords. Among them are http://www.techzoom.net/security-password.asp and http://www.authenticator.com/.
While password generators produce very complex passwords, the average user would find many of them hard to remember. For the remainder of the article I will discuss 4 alternate methods to create complex passwords that are easy to remember. I will approach these methods using the criteria defined above, but you can easily apply your own criteria to create passwords that are longer or require more special characters.
The first is the “Keyboard Pattern” method. This method is simple. Create a pattern on the keyboard and look at the password as a series of keystrokes rather than as a series of characters. An example would be ZXdrty78. The keyboard pattern is shown below.
This can be a great way to create passwords, but be careful when using this method. Do not use obvious patterns like qwerty, and make sure to use a mix of uppercase letters, lowercase letters, and numbers or symbols. Don’t make the pattern too symmetrical, or it can be easy to guess. Always use a pattern that is easy to remember, but not obvious.
Method two is the “HaXor” method. This process involves using simple words or phrases, but replacing letters with numbers (or symbols) and intermixing capital and lowercase letters. A few examples are listed below:
- Sea Lions = S3aL!0n5
- I Like Tea = il!k3tEA
- Encryption = 3Ncrypt10n
The “HaXor” method is an easy way to make a password that is hard to guess, but easy to remember.
The third method is the “Acronym” method. Think of a sentence that means something to you and nobody else. Use the first letter from each word in the sentence to create a password. For instance, I had a 1977 Buick LeSabre that was stolen from my driveway several years ago. I could use a sentence like: “My 77 Buick was stolen from my driveway”… and translate it into this password using the “acronym” method: M77Bwsfmd.
The “Acronym” method produces a password that is both easy to remember and difficult to guess. This is my preferred method of creating passwords, and perhaps the simplest of the methods discussed.
The final method I want to discuss is the “cipher” method. The word cipher is defined as a code used to disguise a message. A simple way to create a cipher is to use a book. Any book will work. Turn to any page in the book, and use the first 3 letters and last 3 letters off that page in conjunction with the page number. For instance, let’s say you turn to page 13 in your favorite novel. If the first word on the page is “During” and the last word on the page is “ever”, your cipher would be 13Durver. The “Cipher” method produces a password that is very difficult to guess. If you ever forget it, you only have to remember which book and which page you used to create it. The process is called the “Cipher” method because there is always a key to decrypt it. You can further increase the complexity by adding more characters, or characters from multiple pages. For instance, you could use the first and last letter of the first paragraph on the page, coupled with the page number and the last 4 letters of the author’s last name. The possibilities here are endless.
What happens when you create an account password that is so complex you can’t remember it? Luckily, Mac OS X includes a Password Reset utility on the install disc. To use this utility, put your Mac OS X install disc in the optical drive, and restart your Mac with the “C” key held down. This will force your Mac to boot off the CD instead of the hard drive. Once you reach the installer screen, choose Reset Password from the Installer menu (if you’re using Panther or Jaguar) or the Utilities menu (if you’re using Tiger). Select your user account and set a new password. Then reboot and log in with your new password. For this reason, your Mac OS X CDs should never be stored near your Mac. Store them in a safe or other out-of-the-way area. If someone were to gain access to your Mac and your Install Disc, they could change all the passwords and render your Mac unusable. Remember, the Install CD is not only a possible security threat, but it is also your license for Mac OS X. Keep this disc in a secure place.
If you ever forget a password for a website, bank account, or other password protected service, simply follow the company’s policy to retrieve it. Most banks, forums, shopping carts, and other sites have a lost password policy. Normally this can be done through the browser, but sometimes the company may require you to make a phone call or send an email. In any case, most sites post their password retrieval policy and make it easy to find. Don’t panic, just breathe and follow the policy.
Using these steps, all Mac users should be able to quickly and easily create complex passwords that are both secure and hard to forget. You should also be able to regain access to your data in the event of a lost password. Since the password is the building block of security, a complex password can be the difference between a house built on rock or a house built on sand. When it comes to security, put your Mac on the rock.