Passwords: Make them Effective

Leo Noteboom answered the question "Is it possible for a hacker to get my Hotmail password without access to my computer?" which gets at most of the ways that passwords are compromised. It could be a password for any account, but I think his answer covers the bases, and is humorous too boot. Steve Bass has a not-so-humorous story on how his PayPal password was hacked, and more practical advice.

Even very strong passwords are extremely vulnerable if you're using a public — library, hotel business center, cyber cafe — computer. [more]

Quick rules for passwords

Don't use the same password for more than one account. The more places you use it, the higher the probability one of them is vulnerable to attack. You've just make it easy for hackers to take advantage of your corner-cutting, and use that password to get into the other places you thought were going to be secure. This may be the most important password rule of them all.

On the other hand: Most password advice writers stress changing your passwords frequently. Sounds logical, but it's mostly a waste of time. If someone is going to scrape or break your password, they will attack the one in use at the time. It makes no difference how many times you've changed it in the past. When it falls, it fall.

Passwords to avoid: You may think nobody could guess them. Someone who knows you can easily guess some of them. All of them can be broken is seconds by any ordinary PC running cracking software. They may seem unique, but crackers know all these tricks and many more.

Any word that would be found in a dictionary -- English or foreign
A password that includes any part of your name or user ID
A password comprised of any simple sequence like abcde, edcba, 9876543 or qwerty (simple keyboard pattern).
Names of pets, family members, streets, sports teams, etc.
Birth dates.
Passwords formed by shifting your hands on the keyboard, for example 3q5wqhe47hw instead of eatsandruns (formed by shifting up one row).

Creating passwords:

Make them at least 8 characters in length, but 20 is sextillion times better. ;-)
Use a mix of upper and lower case letters, numbers, and special characters if you can, for example AN\~Bx]Oz&:
Another trick: Use a phrase that's easy for you to remember to generate the password. Example: The Red Sox won the World Series in 2004! would become "TRSwtWSi2!" (without the quotes).
If the length is not restricted, the phrase — TheRedSoxwontheWorldSeriesin2004 — would make a good passphrase.

How strong is your password? You can check it online at Microsoft.com. You can also learn more there about creating passwords.

Farhad Manjoo at Slate has simple advice on creating passwords.
Becky Waring at Windows Secrets has comprehensive advice on creating passwords.

Use categories to segregate your passwords

It's easier to manage Web site passwords if you keep them in separate categories. I use "nuisance", "sensitive", and "paranoid" for my categories. Any old password will do for the first. You need something stronger for the second, and critical passwords should be "very strong".

"Nuisance" passwords are for Web sites that require a password before you can access content -- "The New York Times" for example. You can just use one common password for all sites in the nuisance category. For example use "look" as the common password, with "loooky2" as the alternative when a numeral must be part of the password.

Use a password generating formula for "sensitive" Web sites. Examples might be your Excite.com personalized page, an About.com forum, and your Yahoo.com email account. The passwords would be exc73xyz, abo73xyz, and yah73xyz for these three sites. You can guess my formula (but don't use it) from these examples. If a hacker did get one of these passwords, they could easily figure out all your other "sensitive" passwords, but you don't have that much at risk except inconvenience.

Use a different, strong password for each and every situation where you are "paranoid" about compromise. Online banking, mutual fund accounts and broker accounts are examples of sites that you should put in the paranoid category.

Strong Passwords

Don't reuse sensitive or critical passwords. Generate a new one for each account or website that needs a strong password.
Don't use a word or number which can be identified with you, such as your phone number, your dog's name, your license plate, or the names of family members. These are the kinds of password elements that thieves and hackers try first.
Don't use single words, for example elephant. Hackers can easily try all the words in the dictionary with their computer.
Don't use number's in simple phrases, for example, 2myvisa or password4me. These are also easy to guess because they're so commonly used.
Use a random combination of letters and numbers, for example, ry83xt9q. Use at least eight characters if that many are allowed. A password manager (see below) is a good way to "remember" passwords like this.
Use upper and lower case letters if allowed, for example, rY83St9Q. That makes the password twice as strong. And if you can include symbols, rY83$t9# is even stronger.
If a long password is allowed -- many times they are not -- you can use a "passphrase". For example, "ArizonaYankeesNewYorkDiamondbacks" or "TwentySevenDucks27andThree3Geese" might be easy ones to remember.
Don't write the password down and leave it where it can easily be found.

Perfect Passwords :-)

Steve Gibson's password page.
Fred Langa's advice.
Password Safe generates very secure passwords.
Microsoft's password checker.

Remembering passwords

I have two strong passwords that I don't keep on my computer and I don't write down either. (I'd need them if the house burned down anyway, so it's better to rely on memory.) These passwords let me in to Password Safe (see below) to get my critically sensitive Passwords. I use them frequently enough to remember them, so memory works for me (in this case).

I use Firefox as my browser. Firefox stores passwords and form data. When you return to a particular website, Firefox fills in your user ID and password (or other form data) automatically. Don't allow Firefox to store your critical passwords. That's one of the first places a hacker would look. ;-)

Don't rely on your browser as the only place you keep your passwords. It's too easy for them to be erased.

Password programs

The most secure program that I know of for storing passwords is Password Safe. This free program will also generate strong random passwords to use. I have confidence that Password Safe will keep my passwords secure because it was developed by people who are top experts in security and encryption.

Don't be confused by the fact that the full name for KeePass below is KeePass Password Safe. The Password Safe above is a different program. ;-)

I use KeePass for most of my passwords though. I think it's easier to use for lots of passwords than Password Safe, because it's easier to organize them with KeePass. There are many other programs out there like KeePass. I'd be careful about selecting others. Some are spyware in disguise. Especially those that seem heavily promoted.

Many people swear by Roboform. It's a Password Manager, Form Filler and Password Generator. They have free and "pro" versions.

• map of security section

• email security
• web smarts
• catalog of threats
• elements of defense
• security software
• strong passwords
• 7 steps to security
• bullet-proof security
• WiFi and hotspot security
• how to wipe your hard drive
• how to remove malware

• attack vectors: deception: the #1 threat; spam and scams; phishing; bogus and booby-trapped webpages; poisoned ads, comments, etc.; popup warnings; drive-by email; attachments; downloads; social and p2p networks; hackers and worms
• malicious content: spyware; viruses and worms; trojans

"If at first you don't succeed, destroy all evidence that you tried." --Ursula K. LeGuin