Passwords – What Everyone and Your Mother Needs to Know About Passwords
Passwords were once something most people only heard about in movies, almost a kind of science fiction.
Not only that, but what counts as an acceptable password has changed drastically in the few years since most of us started using them.
What you need to know about choosing passwords (and tell your mother too):
Use as long a password as possible.
Video: The Ultimate Guide To Passwords (http://www.youtube.com/watch?v=dchqWxsU9XI)
Ideally, your password is at least 25 characters. Go as long as you realistically can. Every extra random character multiplies the work an attacker has to do, so length is the single biggest factor in how hard a password is to crack. If a maximum length is given, use all or nearly all of it. A site that only allows a short password (8-9 characters) is a warning sign that it handles passwords poorly; you may want to rethink what information you give that site.
Use random characters.
Use uppercase and lowercase letters with numbers and punctuation characters.
In some cases you can use non-keyboard characters.
In Windows you can hold the “ALT” key down, type “0” and a short number code (like Alt+0123) and get characters that are not printed on your keyboard. You can find these characters, and the Alt+0xxx code to type for each, with the Character Map program in Windows.
This method comes with warnings. It may not work on a different computer or keyboard layout, some websites reject or silently alter characters outside plain ASCII, and a phone keyboard may not offer them at all. Changing fonts does not matter: the site stores the character code, not how it is drawn. Nor does it make a password uncrackable, since cracking tools can include these characters too; what you gain is a somewhat larger alphabet. I do know people who use them.
Like I said, be cautious with this technique. It is kind of advanced. Ordinary punctuation characters give you nearly the same benefit, and you can type them on a phone where a non-keyboard character is not possible.
Every password you have needs to be unique to that account.
Don’t use a password for more than one account, even if the accounts don’t seem important. When one site is breached, attackers take the leaked passwords and try them on every other popular site (this is called credential stuffing), and each hit raises their level of access. Sharing a few passwords between different tiers of accounts was common advice just a few years ago; it is a very bad idea nowadays.
At one time, you could use this idea. Have one password for your computer. Have another password for your credit card accounts and bank account. Then have another for your email and other “less important” accounts.
If you did this now, it is very likely one of those “less important” accounts would be compromised. It could be by phishing. It could be by malware on a site. It could be the site itself getting breached and its password list cracked offline. An attacker might even just guess it, with software trying a dictionary of common passwords at the login page as you. Once that password is known, the attacker will quickly find your other accounts that use it.
The attacker would then eventually find your email password (if that is not the account they cracked in the first place). Once your email is in their hands, they can request password resets for your credit card and bank accounts, and if they do it right, you won’t even notice. Don’t share passwords between accounts.
Do not use similar passwords that are variations of a theme. If an attacker learns that one of your passwords was “Summer2023!”, then “Summer2024!” is the first thing they will try elsewhere.
Don’t try common (or even uncommon) misspellings of words; cracking tools try those too.
Do not use personal information that others would know about you.
There is also a set of well-known passwords that you need to avoid in any form you might think of using them.
Things like: Pass, Password, Love and others. Even variations of these popular words, such as swapping in digits or adding a number at the end, are bad. Lists of passwords have been stolen and published on the Internet many times, and it is amazing how many people who should know better use the very passwords on those lists, sometimes even on the same site that was breached.
In the movie “Hackers,” the characters rattle off the most common passwords as love, sex, secret, and “god.” Those words still sit near the top of real leaked-password lists because they are still used far too often.
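A quick way to catch the bad choices listed above is to normalize a candidate password the way a cracking tool's rules would and then look it up in a list of leaked passwords. The Python below is an added example, not code from the original post. The leaked-password list in it is a short constructed stand-in; in practice you would load a full list such as the Have I Been Pwned download. It also flags the “variation of a theme” problem by measuring how similar a new password is to an old one.

```python
import difflib
import re
import unicodedata
from typing import Optional

# Constructed stand-in for the top of a leaked-password list (assumption for this example).
COMMON_PASSWORDS = {
    "password", "pass", "love", "god", "sex", "secret", "letmein",
    "qwerty", "welcome", "monkey", "dragon", "iloveyou", "admin",
}

# Substitutions that cracking rules undo before the dictionary lookup.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})


def normalized_forms(candidate: str) -> set:
    """Forms a cracker's mangling rules would reduce the candidate to."""
    lowered = unicodedata.normalize("NFKC", candidate).lower()
    # Drop leading/trailing digits and punctuation: "password123!" -> "password".
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    # Undo leet inside the core: "p@ssw0rd" -> "password".
    deleeted = core.translate(LEET)
    # Remove any leftover separators: "pass-word" -> "password".
    letters_only = re.sub(r"[^a-z]", "", deleeted)
    return {lowered, core, deleeted, letters_only}


def is_common(candidate: str) -> bool:
    """True if the candidate is a known leaked password or a trivial variation of one."""
    return any(form in COMMON_PASSWORDS for form in normalized_forms(candidate))


def too_similar(old: str, new: str, threshold: float = 0.75) -> bool:
    """True if `new` is a variation on the theme of `old` (e.g. Summer2023! -> Summer2024!)."""
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold


def check(candidate: str, previous: Optional[str] = None) -> list:
    """Return the reasons a candidate should be rejected (an empty list means none found)."""
    reasons = []
    if is_common(candidate):
        reasons.append("matches a leaked password or a trivial variation of one")
    if previous is not None and too_similar(previous, candidate):
        reasons.append("too similar to a previous password")
    return reasons


if __name__ == "__main__":
    for pw in ["P@ssw0rd123!", "G0d!!", "iLoveYou2", "8to5tnz*cH$V[qAC#Tb+ASQC;"]:
        print(f"{pw!r}: {check(pw) or 'no obvious problem'}")
    print(check("Summer2024!", previous="Summer2023!"))
```

The normalizer only undoes the handful of substitutions people actually make; real cracking rule sets are much larger, so a candidate that passes this check is not proven strong, it has merely avoided the most obvious traps.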
Remember to fix those “secret questions” too.
It doesn’t do much good to use a password the government would have a hard time cracking if an attacker can simply request a new one by guessing the answer to a password reset question. Your answers should not make sense for the question asked.
Answer the question of what city you were born in with a type of car or something like that: something random and not easily guessed. The answer does not have to be another random password, although that is the best choice, and a password manager can store it for you alongside the real password.
Just do not use something someone who follows you on Facebook or some other social network might be able to guess. It is very possible that the whole world now can find out your mother’s maiden name and the city you were born in. Also, a hundred of your friends just wished you happy birthday – also in front of the whole world.
Some examples of good and bad passwords:
Take a password like this ***.
Three characters. If they are all lowercase letters, I suspect nearly anyone reading this could make a couple decent guesses and get it right. Give it a try.
It was “cat”.
A password like ************************* is a different story.
It’s going to take a lot of computing power, and a long and expensive stretch of supercomputer time, to crack it. It uses random numbers, letters, and punctuation.
It is “8to5tnz*cH$V[qAC#Tb+ASQC;” No one is going to guess that. I can’t even remember it (they’ll never get it out of me no matter how much they torture me – I’m not sure how good that idea is yet). I use passwords like this on my accounts now. They are also all different. I’ll get to how to keep track of these in a bit.
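To put numbers on the “cat” versus 25-random-character comparison above, here is an added Python example, not code from the original post. It computes how many bits of entropy a random password of a given length and alphabet has, and how long exhausting that space would take at a few guess rates. The guess rates are assumptions for illustration: a rate-limited login page at 10 guesses per second and an offline attack on a leaked fast hash at 10 billion guesses per second; real rates vary with the site and the attacker's hardware. It also generates passwords with Python's secrets module, which is the right source of randomness for this job.

```python
import math
import secrets
import string

# Printable ASCII without space: 26 + 26 + 10 + 32 = 94 characters.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Assumed guess rates (guesses per second), for illustration only.
GUESS_RATES = {
    "online, rate-limited login page": 10.0,
    "offline, leaked fast hash on GPUs": 1e10,
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every password in a space of 2**bits at the given rate."""
    return 2.0 ** bits / guesses_per_second


def human_time(seconds: float) -> str:
    """Round a duration to a readable unit."""
    if seconds < 1:
        return "under a second"
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.0f} seconds"


def generate_password(length: int = 25, alphabet: str = PRINTABLE) -> str:
    """Generate a password with the secrets module (a CSPRNG), never random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def strength_report(length: int, alphabet_size: int) -> dict:
    """Entropy and exhaustive-search time for one length/alphabet combination."""
    bits = entropy_bits(length, alphabet_size)
    return {
        "bits": bits,
        **{name: seconds_to_exhaust(bits, rate) for name, rate in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    cases = [
        ("3 lowercase letters (\"cat\")", 3, 26),
        ("8 printable characters (a typical site limit)", 8, len(PRINTABLE)),
        ("25 printable characters", 25, len(PRINTABLE)),
    ]
    for label, length, size in cases:
        report = strength_report(length, size)
        print(f"{label}: {report['bits']:.1f} bits")
        for name in GUESS_RATES:
            print(f"  {name}: {human_time(report[name])}")
    print("fresh 25-character password:", generate_password())
```

Three random lowercase letters are about 14 bits, and “cat” is weaker still because it sits in any short word list. An 8-character password from the full printable alphabet is about 52 bits, which the assumed offline rate exhausts in days; the 25-character one is about 164 bits and is out of reach at any rate.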
Some other ideas for passwords.
Use a sentence.
Use a sentence from your favorite book or poem. A quote from a favorite movie. A Bible verse.
In this case, we trade complexity for length. The longer the sentence the better. Add in some random punctuation, capitalization, and numbers and it is easy to remember and much stronger than a word or two, though not as strong as a random string of the same length: an attacker who guesses the sentence only has to guess where you put the extra characters. Something like “I@have!aBADfeeling9about7this” is not too hard to remember and would be difficult to crack as long as the attacker does not know which line you picked. Even a hacker who knew you took the quote from Star Wars would have to work out which line; once they have the exact sentence, though, the decorations are only a few extra guesses, so the real secret is the sentence.
Use the first or last letter of each word from a couple sentences.
You may be limited in the length of password you can use. In that case, pick a sentence or two you can remember. Use the first (or last) letter of each word. Again, add a bit of punctuation, numbers, and caps where they don’t belong. This gives you a nearly random-looking series of characters and an easy way to remember them.
Just don’t use something like “j3:16FGsltw”. Random? Maybe. But you do not need to be a Bible reader to figure it out. If I knew you were a Bible reader, I might try a few variations on that theme. It is still better than most passwords people use. I just wouldn’t choose the first sentence of a reference everyone sees at a basketball game for a password, even if you are only using the first letter of each word.
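The two sentence-based methods above are worth testing from the attacker's side. The Python below is an added example, not code from the original post. It builds the first-letter and last-letter forms of a sentence, estimates how many candidates an attacker has to try once they know the sentence and apply the usual mangling (each word in one of three casings, and words joined by one of thirteen separators: nothing, a digit, “@” or “!”, a rule set chosen here to cover the post's own example), and checks whether a given password falls inside that space. The numbers make the point in the text: the secret is the sentence, not the decoration.

```python
import math
import string

# Separators an attacker would try between words (assumption for this example).
SEPARATORS = [""] + list("0123456789") + ["@", "!"]
CASINGS_PER_WORD = 3  # lower, Capitalized, UPPER


def words_of(sentence: str) -> list:
    """Split a sentence into words with surrounding punctuation removed."""
    return [w.strip(string.punctuation) for w in sentence.split() if w.strip(string.punctuation)]


def first_letters(sentence: str) -> str:
    """'For God so loved the world' -> 'FGsltw'."""
    return "".join(w[0] for w in words_of(sentence))


def last_letters(sentence: str) -> str:
    """'I have a bad feeling about this' -> 'Ieadgts'."""
    return "".join(w[-1] for w in words_of(sentence))


def casings(word: str) -> set:
    return {word.lower(), word.capitalize(), word.upper()}


def mangled_space_bits(n_words: int, n_separators: int = len(SEPARATORS),
                       n_casings: int = CASINGS_PER_WORD) -> float:
    """Upper bound on the search space for a known sentence under the mangling rules."""
    return (n_words - 1) * math.log2(n_separators) + n_words * math.log2(n_casings)


def in_mangled_space(password: str, sentence: str, separators=SEPARATORS) -> bool:
    """Can `password` be built from `sentence` by recasing words and inserting separators?"""
    words = words_of(sentence)

    def match(pos: int, i: int) -> bool:
        if i == len(words):
            return pos == len(password)  # every word consumed and nothing left over
        for form in casings(words[i]):
            if password.startswith(form, pos):
                end = pos + len(form)
                # A separator may follow every word except the last.
                seps = separators if i < len(words) - 1 else [""]
                for sep in seps:
                    if password.startswith(sep, end) and match(end + len(sep), i + 1):
                        return True
        return False

    return match(0, 0)


if __name__ == "__main__":
    quote = "I have a bad feeling about this"
    pw = "I@have!aBADfeeling9about7this"
    print(first_letters(quote), last_letters(quote), first_letters("For God so loved the world"))
    bits = mangled_space_bits(len(words_of(quote)))
    print(f"known sentence plus mangling rules: about {bits:.1f} bits, {2 ** bits:,.0f} candidates")
    print("the post's example is inside that space:", in_mangled_space(pw, quote))
    print("a random password is not:", in_mangled_space("8to5tnz*cH$V[qAC#Tb+ASQC;", quote))
```

For a seven-word sentence the mangling space is about 33 bits, roughly ten billion candidates, which an offline attacker with the sentence in hand works through in seconds. That is why the choice of sentence matters more than the punctuation sprinkled into it.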
I admit there are times all this just seems too much of a hassle.
OK, now you have a bunch of really good passwords, how do you remember them all for different accounts?
Simple. Write them down.
Yes, I know every article ever written on passwords says don’t write them down. Before I go any further, that recommendation comes with its own list of rules that must be followed if you are going to write passwords down. It also does not work in many situations. I’ll give you a better solution that works in nearly all situations in a moment.
First, a few cases where you most likely should not write down your passwords.
You probably should not write down passwords at work. You simply cannot store them safely there, even under lock and key. Someone can come in at night and find your list of passwords.
You also can’t safely take a written list of passwords with you when traveling (with your laptop).
If you’re going to write down your passwords, you need to store them safely and away from your computer. They should not be in a place, or in a form, that would lead someone to think they are your password list. If someone steals your computer, you don’t want them to find your passwords at the same time.
The reason I recommend writing down passwords is I feel it is better to have good passwords written down and kept somewhere safe, than have bad passwords. Bad passwords are just too dangerous nowadays.
A better choice is a password manager program.
A good password program makes life much easier and is an extremely secure way to store them. Unlike passwords on paper, even if someone gets hold of the file containing your passwords, it is nearly impossible for them to use it without your master password.
Using a password manager makes handling lots of complicated passwords simple. All you need to remember is the password to log on to your computer and the master password that opens the password program. Make that master password long and unique; it is the one password that protects all the others.
I use a password program called KeePass.
KeePass is an open source program. That means the code can be checked by anyone to see if there are security problems with it. KeePass is completely free to use. It protects the passwords it holds with strong encryption (AES-256 by default) and a key-derivation function that deliberately slows down every guess at the master password.
I can copy the encrypted file with all the passwords to several places (external hard drives and flash drives) to keep a safe copy in case the computer should crash. Should I discover that file has been stolen, the encryption buys me time to change all those passwords: a thief cannot break the encryption itself, so they have to guess the master password, and a long master password makes that impractical (including for most governments).
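The time a stolen database buys depends on two things: how long the master password is and how expensive each guess at it is. KeePass makes guesses expensive with a key-derivation function (AES-KDF or Argon2, depending on the database format). The Python below is an added example, not KeePass's code: it uses PBKDF2 from the standard library as a stand-in for the KDF, measures how many guesses per second this machine can make at an assumed work factor, and estimates how long an attacker needs for master passwords of different strengths. The thousandfold GPU speed-up is an assumption for illustration; treat the resulting years as an optimistic lower bound.

```python
import hashlib
import math
import os
import time

KDF_ITERATIONS = 200_000  # assumed work factor for this example; KeePass tunes its own KDF separately


def derive_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch a master password into a 256-bit key; each call costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def measure_guess_rate(iterations: int = KDF_ITERATIONS, samples: int = 3) -> float:
    """Guesses per second a single CPU core manages against this KDF setting."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every master password in a space of 2**bits at the given rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 86400)


if __name__ == "__main__":
    rate = measure_guess_rate()
    print(f"this CPU: {rate:.1f} guesses/second at {KDF_ITERATIONS:,} iterations")
    gpu_rate = rate * 1000  # assumed: a GPU rig roughly a thousand times faster than one core
    for label, length, size in (
        ("8 lowercase letters", 8, 26),
        ("12 printable characters", 12, 94),
        ("25 printable characters", 25, 94),
    ):
        bits = length * math.log2(size)
        years = years_to_exhaust(bits, gpu_rate)
        print(f"{label}: {bits:.0f} bits, {years:,.1f} years at {gpu_rate:,.0f} guesses/second")
```

Eight lowercase letters are under 38 bits and fall within a year even at a few thousand guesses per second; twelve characters from the full printable alphabet are about 79 bits and do not fall at all. The KDF is what turns each guess from nanoseconds into a noticeable fraction of a second, but it cannot rescue a short master password.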
Another advantage of KeePass is that it is usable on nearly any computer. There is a version for nearly all computer operating systems. That means Windows, Apple, Linux, and Unix can all use it.
It is also available for many different smartphone systems. You can get it for both Android and iPhone. I even have it on my Blackberry. PortableApps.com has a version that lets you take your passwords with you and use KeePass on any computer you can plug a USB drive into.
There are other options for password programs too.
There are many other password managers, both paid and free. RoboForm for Windows comes in both free and paid versions and has some very nice features. 1Password for Mac is a paid program that has been recommended by Lifehacker.
There are online password services like LastPass. With a good online password manager, the passwords are encrypted on your own device, with a key derived from your master password, before they are stored remotely, so the service itself cannot read them. Not every service does this right. Also, if there is some problem with your Internet (or the service’s), you won’t be able to retrieve your passwords unless the service keeps a local copy.
LastPass (one of the most popular online password managers) once had a possible security breach and forced its users to change their login passwords. This caused a lot of trouble for people unable to use their accounts until all was cleared up. This is a possibility with any online service.
Whatever password manager you use, be careful which one you choose and where you get it from. Stick with well-known programs or services. If you download a program, download it from the project’s own site and, where the project publishes one, check the download’s signature or checksum. Trojaned copies of popular software do circulate, and a fake password manager would hand every password you save straight to the attacker instead of giving you a secure way to store them.
Choose a trustworthy password manager.
I have written this post as the Ultimate Guide To Passwords.
I will make additions and changes to this post whenever I see a need to improve it. I am also willing to take recommendations if you think I have missed something. For major changes, I’ll make a new post on this site pointing here. If you subscribe to my email newsletter, you’ll get an email when I make a new post to this site.
Please share this post (and the video in it) with your friends and family on Google+ and Facebook, “Like” it, and share it on other social media. Passwords do not get the attention they need, considering how often we all use them every day.
Please make sure you make a practice of using good passwords online and encourage those you know to do the same. It could be your information that is not secured by someone else’s poor password.