Passwords: Make them Effective

Leo Noteboom answered the question "Is it possible for a hacker to get my Hotmail password without access to my computer?" which gets at most of the ways that passwords are compromised. It could be a password for any account, but I think his answer covers the bases, and is humorous too boot.

Even very strong passwords are extremely vulnerable if you're using a public — library, hotel business center, cyber cafe — computer. [more]

Quick rules for passwords

Don't use the same password for more than one account. The more places you use it, the higher the probability one of them is vulnerable to attack. You've just make it easy for hackers to take advantage of your corner-cutting, and use that password to get into the other places you thought were going to be secure. This may be the most important password rule of them all.

On the other hand: Most password advice writers stress changing your passwords frequently. Sounds logical, but it's mostly a waste of time. If someone is going to scrape or break your password, they will attack the one in use at the time. It makes no difference how many times you've changed it in the past. When it falls, it fall.

Passwords to avoid: You may think nobody could guess them. Someone who knows you can easily guess some of them. All of them can be broken is seconds by any ordinary PC running cracking software. They may seem unique, but crackers know all these tricks and many more.

• Any word that would be found in a dictionary -- English or foreign
• A password that includes any part of your name or user ID
• A password comprised of any simple sequence like abcde, edcba, 9876543 or qwerty (simple keyboard pattern).
• Names of pets, family members, streets, sports teams, etc.
• Birth dates.
• Passwords formed by shifting your hands on the keyboard, for example 3q5wqhe47hw instead of eatsandruns (formed by shifting up one row).

• Updated 09/01/2010: New developments in GPUs (graphics processor units, i.e. video cards) have made it much easier to break passwords. Passwords for important accounts should now have a length of at least 12 mixed (see next point) characters and symbols. Eight or more is still adequate for ordinary use.
• Use a mix of upper and lower case letters, numbers, and special characters if you can, for example AN\~Bx]Oz&:
• Another trick: Use a phrase that's easy for you to remember to generate the password. Example: The Red Sox won the World Series in 2004! would become "TRSwtWSi2!" (without the quotes).
• If the length is not restricted, the phrase — TheRedSoxwontheWorldSeriesin2004 — would make a good passphrase.

How strong is your password? You can check it online at Microsoft.com. You can also learn more there about creating passwords.

• Farhad Manjoo at Slate has simple advice on creating passwords.
• Becky Waring at Windows Secrets has comprehensive advice on creating passwords.

Strong Passwords

• Don't reuse sensitive or critical passwords. Generate a new one for each account or website that needs a strong password.
• Don't use a word or number which can be identified with you, such as your phone number, your dog's name, your license plate, or the names of family members. These are the kinds of password elements that thieves and hackers try first.
• Don't use single words, for example elephant. Hackers can easily try all the words in the dictionary with their computer.
• Don't use number's in simple phrases, for example, 2myvisa or password4me. These are also easy to guess because they're so commonly used.
• Use a random combination of letters and numbers, for example, ry83xt9q. Use at least 12 characters for sensitive cases if that many are allowed. A password manager (see below) is a good way to "remember" passwords like this.
• Use upper and lower case letters if allowed, for example, rY83St9Q. That makes the password twice as strong. And if you can include symbols, rY83$t9# is even stronger.
• If a long password is allowed -- many times they are not -- you can use a "passphrase". For example, "ArizonaYankeesNewYorkDiamondbacks" or "TwentySevenDucks27andThree3Geese" might be easy ones to remember.
• Don't write the password down and leave it where it can easily be found.

Perfect Passwords :^)

• Steve Gibson's password page.
• Fred Langa's advice.
• Password Safe generates very secure passwords.
• Microsoft's password checker.

Remembering passwords

There are simply too many passwords for you to remember if you use a different strong password for each online account. I start with one strong key password that I don't keep anywhere on my computer. I do have access to it in an unknown location, but I rely on memory for day-to-day use. This password lets me into KeePass Password Safe, where my other passwords are stored. Don't confuse KeePass (long name is KeePass Password Safe) with Password Safe (below).

I do not allow my browser to store passwords either. Instead, I use the LastPass extension to store working copies of my passwords, and to sync them between browsers and computers. I use both KeePass and LastPass, because I think it's important to have two independent places to store passwords. I use KeePass to generate new passwords and for my fallback source, and I use LastPass on a day-to-day basis.

I use KeePass because I like its features a little more than Password Safe's, but that's another excellent password manager. Many other people swear by Roboform. It's a Password Manager, Form Filler and Password Generator. They have free and "pro" versions.

There are many other password management programs out there. I'd be careful about selecting one of them though. Some are spyware in disguise. Some use naive encryption methods. I'd stick with the ones that have good, long-term reputations.