Pick Passwords

Making Passwords Work

Protecting personal information can be a difficult proposition, especially considering the number of passwords each of us needs on a daily basis.

Passwords, of course, should never be easy to guess, but if, instead of choosing personal details like birthdays, addresses, phone numbers, or license plates, we try to choose something obscure that “nobody would ever guess”, we only protect ourselves from people who know us well.  By substituting (or capitalizing) a character or two in an easy-to-remember term, we make our passwords more obscure, but not more secure. Most people trying to crack our passwords don’t know us, so the strength of a password is more in its complexity than its obscurity.

Choose passwords carefully

Password cracking today is a highly automated procedure that can test as many as 1,000 tries per second, 24 hours a day, seven days a week.

The computers usually start from very common passwords and work their way down to less common terms, then eventually to words compiled from an online dictionary and other sources. This approach is more likely to find passwords that are valid words or variants on them, even if they’re obscure.

In theory, an eight-character password could take over 1.6 quadrillion guesses (1,677,721,600,000,000). If a password cracker were able to make 1,000 guesses a second, it would need more than 53,000 years to run through all the combinations. Typical user-selected eight-character passwords with mixed case, numbers, and symbols have only a little over a billion possible combinations. That’s because the list of terms on which people base their passwords is far smaller than the total possible combinations of letters, numbers, and symbols. When today’s cracking tools are applied to stolen lists of passwords, that typical 8-character password can be broken in about half an hour.

If you’re using the same password you’ve used since the Internet came to town in the early 90s, and it’s the same for everything you do, then you are giving your own privacy away. If a password is compromised, the hackers will try the same one in lots of other places, so each password needs to be unique.

The following are tips I’ve collected from various experts to help you choose a secure password:

  • Make them long: When it comes to passwords, longer is better. Each extra character you add to a password doesn’t just add to your security, it multiplies it many times. So aim for eight characters or more.
  • Don’t use a dictionary: Never use a word you can find in the dictionary as a password, no matter how long or obscure the word is. Hackers have tools that quickly check every single word in the dictionary.
  • Be creative: Most people choose passwords that are easy to remember. That makes their passwords common and easy to guess. So don’t be predictable and base your password on a person’s name, a pet’s name, a team name, a nickname, a pattern on the keyboard, or a string of numbers in sequence.
  • Use the whole keyboard: The strongest passwords contain a combination of letters, numbers, and other characters on the keyboard.
  • Use phrases: You can also create secure passwords that are easy to remember by using pass phrases. Connect short words with spaces or other characters to create things like “odd people”, “Not-Here!” or “!FlatTire#”.
  • Use mnemonics: The downside of long passwords is that they can be difficult to type, especially on a mobile device. Another trick some people find useful for generating complex shorter passwords is using the first character of every word in a phrase or lyric. “How many roads must a man walk down” could become HmrmamwD: only eight characters, but relatively complex from the point of view of a password-cracking program. Add a ! or a # at either or both ends to improve it.
  • Special cases: Create your most secure passwords for email accounts (like Gmail and Yahoo Mail) and financial accounts (especially PayPal, online banking, and credit cards). These are the most valuable accounts you have, so they deserve the most protection. The email account is important because it can be used to reset passwords on many sites (with the ubiquitous “forgot password” feature). If you’re going to cheat on these rules, at least be sure the passwords for your email and financial accounts are strong and different from the ones you use other places!
  • Save them securely: Keep a password-protected spreadsheet of your passwords or use an online password service to keep your passwords safe.
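As an added example (my own code, not from the article), here is a small Python checker that applies the tips above and reproduces the article’s 1,000-guesses-per-second arithmetic. The thresholds (eight characters, three of four character classes, a four-key run counting as a pattern) and the ten-word stand-in dictionary are my assumptions; a real check would load a full word list.

```python
import string

# Constructed stand-in for the word lists crackers use (a real check loads a full list).
DICTIONARY = {"password", "sunshine", "dragon", "letmein", "welcome",
              "football", "monkey", "qwerty", "baseball", "princess"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

def is_keyboard_pattern(pw, min_run=4):
    """True if pw contains min_run adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]:
        if any(row[i:i + min_run] in low for i in range(len(row) - min_run + 1)):
            return True
    return False

def is_sequence(pw, min_run=4):
    """True if pw contains min_run characters in consecutive order (1234, abcd)."""
    for i in range(len(pw) - min_run + 1):
        chunk = pw[i:i + min_run]
        if all(ord(b) - ord(a) == 1 for a, b in zip(chunk, chunk[1:])):
            return True
    return False

def check_password(pw):
    """Return the tips from the article that pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < 8:                                   # "Make them long"
        problems.append("too short: aim for eight characters or more")
    core = pw.strip(string.punctuation + string.digits).lower()   # 'dragon1!' -> 'dragon'
    if core in DICTIONARY:                            # "Don't use a dictionary"
        problems.append("dictionary word, even with a digit or symbol tacked on")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation + " " for c in pw)]
    if sum(classes) < 3:                              # "Use the whole keyboard" (assumed: 3 of 4)
        problems.append("mix letters, numbers and other characters")
    if is_keyboard_pattern(pw) or is_sequence(pw):    # "Be creative"
        problems.append("predictable keyboard pattern or sequence")
    return problems

def mnemonic(phrase, prefix="", suffix=""):
    """The article's trick: first character of each word, optionally bracketed by ! or #."""
    return prefix + "".join(word[0] for word in phrase.split()) + suffix

def years_to_exhaust(combinations, guesses_per_sec):
    """Years needed to try every combination at a fixed guess rate (the article's arithmetic)."""
    return combinations / guesses_per_sec / (365.25 * 24 * 3600)

if __name__ == "__main__":
    for pw in ["dragon1!", "qwerty12", "Not-Here!", mnemonic("How many roads must a man walk down", suffix="!")]:
        print(repr(pw), check_password(pw) or "passes all tips")
```

Running it shows that the bare mnemonic "Hmrmamwd" is flagged for using only letters, and that adding the "!" the article suggests is what makes it pass.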