‘Perfect password’ tips
This question was answered on July 1, 2011. Much of the information contained herein may have changed since posting.
I understand why you say that I should use complex passwords that are different for each of my accounts, but how can I possibly remember them all? – Jerry
As we continue to see high-profile hacks of government and corporate networks & e-mail accounts, the awareness of password security continues to grow for everyone (a small silver lining).
The average Internet user shouldn’t worry about being singled out by these sophisticated hacking groups unless you work for a government agency, a law-enforcement body or a large corporation, especially one in the Internet security business.
What the average user does need to be concerned about are what I refer to as “random acts of hacking,” which occur when an easily exploited target is discovered by chance, by wannabe and sophisticated hackers alike.
Before I talk about password management utilities, let’s go over some password tips that can lower your chances of being hit by a random act of hacking while still giving you something you can remember.
NOTE: All these security tips become irrelevant if you fall for a trick that allows a keylogger or other malware into your computer, so be sure you keep current with updates to your security software and operating system and be careful what you click on or install.
There is much published about password “strength,” but when it comes to an easy way to create a secure password, simply making it longer will go a long way.
You’ve heard it a million times: the best passwords mix upper- and lower-case letters, numbers and special characters, avoid common words and are at least nine characters long.
Adding upper case and a few special symbols can help (Ex: P4ss_w0Rd!), but a short password built from a real word is still easy to break, because cracking tools already try these letter-for-number and letter-for-symbol substitutions against their word lists.
Try abbreviations, the first character of each word of a saying (2bOn2B), initials (but never your own) or obscure foreign words, and avoid any common word that could be connected with you.
All of those complicated rules matter far less if you make the length of the password your primary concern.
One of the best suggestions that I have seen for creating memorable passwords that are inherently secure because of their length is from Mark Burnett, author of Perfect Passwords.
He’s also an advocate of length over complexity and suggests formatting passwords like things we already type every day in our digital lives, such as the examples below (treat them as templates, not as passwords to copy: anything printed in a book is already in crackers’ word lists):
www.craving-tacos.mx (20 characters with 3 special characters)
whitefish44.JPG (15 characters with 1 special character, 2 numbers & 3 upper case)
C:\program files\green (22 characters, 3 special characters, 1 upper case & 1 space)
1-800-orange piano (18 characters, 4 numbers, 2 special characters & 1 space)
“Brute force” attacks that try every possible password are among the most common, and each additional character multiplies the number of guesses required, so a long password costs an attacker far more time and processing power to break than a shorter but more complex one.
Steve Gibson at Gibson Research has created a simple password calculator (Password Haystacks) to help you understand the value of increasing the size of the password as well.
For example, his calculator predicts that today’s highest-level brute force attacks (like those that target high-profile entities) could break the 10 character “P4ss_w0Rd!” in 1 week, but the 15 character “whitefish44.JPG” would take 1.49 million centuries to guess. Keep in mind that those figures assume the attacker knows nothing about how the password was built; the calculator does not model dictionary or substitution attacks, which is exactly why a disguised dictionary word such as “P4ss_w0Rd!” is weaker in practice than its search space suggests.
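To see where numbers like “1 week” and “1.49 million centuries” come from, here is a small calculator in the same style as Gibson’s haystack model. It is an added example written for this page, not Gibson’s code or the column’s; the three guess rates (1,000, 100 billion and 100 trillion guesses per second) are the assumptions his calculator uses for its three attacker scenarios, and the example only models printable ASCII passwords.

```python
"""Search-space and time-to-crack estimate in the style of Gibson's haystack calculator.

Added example for this page; it is not Gibson's code. Guess rates are assumptions.
"""
import string

# Character classes and their sizes. 33 symbols (string.punctuation plus the space)
# give the 95-character printable-ASCII alphabet the calculator uses.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),
}

# Attacker models as guesses per second. These are the figures Gibson's calculator
# assumes for its three scenarios; they are illustrative assumptions, not measurements.
RATES = {
    "online (throttled login form)": 1e3,
    "offline (fast cracking array)": 1e11,
    "offline (massive cracking array)": 1e14,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume: the union of every class used."""
    unknown = [c for c in password if not any(c in m for m in CLASSES.values())]
    if unknown:
        raise ValueError(f"only printable ASCII is modelled; got {unknown!r}")
    return sum(len(members) for members in CLASSES.values()
               if any(c in members for c in password))


def search_space(password: str) -> int:
    """Guesses needed to exhaust every string of length 1..len(password) over that alphabet.

    This is the 'haystack' model: the attacker is assumed to know nothing except the
    character classes and maximum length, so it is a worst-case figure for the attacker
    and says nothing about dictionary, substitution or pattern attacks.
    """
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def crack_time_seconds(password: str, guesses_per_second: float) -> float:
    """Seconds to exhaust the whole search space at the given guess rate."""
    return search_space(password) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("centuries", 100 * SECONDS_PER_YEAR), ("years", SECONDS_PER_YEAR),
             ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.3g} seconds"


def report(password: str) -> dict:
    """Summarise one password under every attacker model."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
        "times": {label: human_duration(crack_time_seconds(password, rate))
                  for label, rate in RATES.items()},
    }


if __name__ == "__main__":
    # The two passwords the column compares, plus a plain dictionary word for contrast.
    for pw in ("P4ss_w0Rd!", "whitefish44.JPG", "password"):
        r = report(pw)
        print(f"{pw!r}: length {r['length']}, alphabet {r['alphabet']}, "
              f"search space {r['search_space']:.3g}")
        for label, t in r["times"].items():
            print(f"    {label}: {t}")
```

Both of the column’s passwords draw on all four classes, so they share a 95-character alphabet; the only thing separating “about a week” from “over a million centuries” at 100 trillion guesses per second is the five extra characters, which multiply the search space by roughly 95 to the fifth power. The model rejects non-ASCII input rather than silently miscounting it, and it deliberately reports the exhaustive-search figure only; a cracker that starts from “password” and applies substitution rules will find “P4ss_w0Rd!” long before exhausting that space.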
As for password management utilities, there are many to choose from, but here are some that have been around for a while:
Roboform – Helps you fill out online web forms (Windows or Mac) and also offers apps for iPhone and Android users to sync with your desktop.
LastPass – Similar features to Roboform, but your encrypted password store is kept on their centralized servers.
KeePass – Free open-source program that focuses on password storage but can be extended with plug-ins to fill forms.
All three of these programs can be a little complicated for non-technical users, so try the free or trial version and live with it for a while before spending any money.