Passwords: Make them Effective

Leo Noteboom answered the question "Is it possible for a hacker to get my Hotmail password without access to my computer?" which gets at most of the ways that passwords are compromised. It could be a password for any account, but I think his answer covers the bases, and is humorous too boot.

Quick rules for passwords

Passwords to avoid: You may think nobody could guess them. Someone who knows you can easily guess some of them. All of them can be broken is seconds by any ordinary PC running craching software. They may seem unique, but crackers know all these tricks and many more.

• Any word that would be found in a dictionary -- English or foreign
• A password that includes any part of your name or user ID
• A password comprised of any simple sequence like abcde, edcba, 9876543 or qwerty (key sequence)
• Names of pets, family members, streets, sports teams, etc.
• Birth dates
• Passwords formed by shifting your hands on the keyboard, for example 3q5wqhe47hw instead of eatsandruns, formed by shifting up one row.

Strong passwords:

• Make them 8 characters or more in length
• Use a mix of upper and lower case letters, numbers, and special characters, for example AN\~Bx]Oz&:
• Hint: Use an easy to remember phrase to generate the password. Example: The Red Sox won the World Series in 2004! would become "TRSwtWSi2!" (without the quotes).
• If length is not restricted you could use just use the phrase -- TheRedSoxwontheWorldSeriesin2004!

How strong is your password? You can check it online at Microsoft.com. You can also learn more there about creating passwords.

Use categories to segregate your passwords

It's easier to manage Web site passwords if you keep them in separate categories. I use "nuisance", "sensitive", and "paranoid" for my categories. Any old password will do for the first. You need something stronger for the second, and critical passwords should be "very strong".

"Nuisance" passwords are for Web sites that require a password before you can access content -- "The New York Times" for example. You can just use one common password for all sites in the nuisance category. For example use "look" as the common password, with "loooky2" as the alternative when a numeral must be part of the password.

Use a password generating formula for "sensitive" Web sites. Examples might be your Excite.com personalized page, an About.com forum, and your Yahoo.com email account. The passwords would be exc73xyz, abo73xyz, and yah73xyz for these three sites. You can guess my formula (but don't use it) from these examples. If a hacker did get one of these passwords, they could easily figure out all your other "sensitive" passwords, but you don't have that much at risk except inconvenience.

Use a different, strong password for each and every situation where you are "paranoid" about compromise. Online banking, mutual fund accounts and broker accounts are examples of sites that you should put in the paranoid category.

Strong Passwords

• Don't reuse sensitive or critical passwords. Generate a new one for each account or website that needs a strong password.
• Don't use a word or number which can be identified with you, such as your phone number, your dog's name, your license plate, or the names of family members. These are the kinds of password elements that thieves and hackers try first.
• Don't use single words, for example elephant. Hackers can easily try all the words in the dictionary with their computer.
• Don't use number's in simple phrases, for example, 2myvisa or password4me. These are also easy to guess because they're so commonly used.
• Use a random combination of letters and numbers, for example, ry83xt9q. Use at least eight characters if that many are allowed. A password manager (see below) is a good way to "remember" passwords like this.
• Use upper and lower case letters if allowed, for example, rY83St9Q. That makes the password twice as strong. And if you can include symbols, rY83$t9# is even stronger.
• If a long password is allowed -- many times they are not -- you can use a "passphrase". For example, "ArizonaYankeesNewYorkDiamondbacks" or "TwentySevenDucks27andThree3Geese" might be easy ones to remember.
• Don't write the password down and leave it where it can easily be found.

Perfect Passwords :-)

• Steve Gibson's password page.
• Fred Langa's advice.
• Password Safe generates very secure passwords.

Remembering passwords

I have two strong passwords that I don't keep on my computer and don't write down either. (I'd need them if the house burned down anyway, so it's better to rely on memory.) These passwords let me in to Password Safe (see below) to get my critically sensitive Passwords. I use them frequently enough to remember them, so memory works for me (in this case).

I use Firefox as my browser. Firefox stores passwords and form data. When you return to a particular website, Firefox fills in your user ID and password (or other form data) automatically. Don't let Firefox -- there is always a choice -- store your critical passwords. That's one of the first places a hacker would look.

Don't rely on your browser as the only place you keep your passwords. It's too easy for them to be erased.

The most secure program that I know of for storing passwords is Password Safe. This free program will also generate strong random passwords to use. (I have confidence that Password Safe will keep my passwords secure because it was developed by people who are top experts in security and encryption.

I use Dropit for less critical passwords. It makes passwords available with just a click. There are many other programs out there like Dropit. I'd be careful about which one I selected though. Some of them are spyware in disguise. Especially the ones that promote themselves heavily.

Many people swear by Roboform. It's a Password Manager, Form Filler and Password Generator. They have free and "pro" versions.

Last modified 07/03/08