
Image: © iStockphoto/PaulPaladin
If you want to be absolutely secure, you should make up a different password for every single Web site you visit. Each password should have at least 16 characters, and it should contain a scramble of letters, numbers, and punctuation; it should contain no recognizable words. You should change all of these passwords every couple of weeks. And you should not write any of them down anywhere.
That, at least, is what security experts advise. Unfortunately, they leave out the part about the 15 minutes you’d have to spend with flash cards before bed each night, trying to remember all those utterly impractical passwords.
There are, fortunately, more sensible ways to incorporate passwords into your life. You won’t be as secure as the security experts would like, but you’ll find a much better balance between protection and convenience.
• The “security through brevity” technique. My teenage son’s smartphone password is only a single character. It’s fast and easy to type. But a random evildoer picking up his phone doesn’t know that; he just sees “Enter password” and gives up—so, in its way, it’s just as secure as a long password. (Of course, I may have just blown it by publishing his little secret.)
• Password keepers. The world is full of utility programs for your Mac, PC or app phone that memorize all your Web passwords for you. They’re called things like RoboForm, Account Logon, and (for the Mac) 1Password. Each asks you for a master password that unlocks all the others; after that, you get to surf the Web freely, admiring how the software not only remembers your passwords and contact information, but fills in the Web forms for you automatically.
• The “disguised English word” technique. Having your passwords guessed by ne’er-do-wells online doesn’t happen often, but you do hear about such cases. The bad guys start by using “dictionary attacks”— software that tries every word in the dictionary, just in case you were dumb enough to make your password something like “password” or your first name. (These special dictionaries also contain common names, places, number combinations and phrases such as “ilovemycat.”)
That’s why conventional wisdom suggests disguising your password by changing a letter or two into numbers or symbols. Instead of “supergirl,” choose “supergir!” or “supergir1,” for example. That way, you’ve thwarted the dictionary attacks without decreasing the memorizability.
• The multi-word approach. Another good password technique is to run words together, like “picklenose” or “toothygrin.” Pretty easy to remember, but tough for a dictionary attack to guess.
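The "dictionary attack" and the disguised-word and multi-word techniques above can be made concrete with a small defender-side strength check. This is an added example, not code from the column or from any product it names; the wordlist, the substitution table and the sample passwords are constructed for the example and are tiny next to real cracking lists. It goes a little beyond the column: it shows that the letter-for-symbol disguise is undone by a one-line rule, that two concatenated list words are found once the attacker tries two-word combinations, and that the cost of such combinations grows with the number of words, which is why longer passphrases hold up. The bit counts at the end compare the column's single-character and 16-character cases with a four-word passphrase drawn from a 7776-word list (an assumed list size).

```python
"""Added example, not part of the original column: a small defender-side
password-strength check that models what a "dictionary attack" with
substitution rules actually catches.  The wordlist, the substitution
table and the test passwords below are constructed for this example."""
import itertools
import math

# Constructed mini cracking wordlist (real lists hold millions of entries).
DICTIONARY = frozenset({
    "password", "supergirl", "ilovemycat", "letmein", "qwerty",
    "pickle", "nose", "toothy", "grin", "hard", "leather", "cat", "pants",
})

# Symbol-to-letter swaps that cracking rule sets undo; a symbol may stand
# for several letters, so every option is tried ("1" can be "l" or "i").
SUBSTITUTIONS = {
    "0": "o", "1": "li", "!": "il", "@": "a", "$": "s",
    "3": "e", "4": "a", "5": "s", "7": "t", "|": "li",
}

# Leading/trailing digits and punctuation that crackers strip or append.
AFFIX_JUNK = "0123456789!@#$%^&*()_+-=.,?"


def candidates(text, limit=256):
    """Plain-letter spellings that `text` could be disguising (capped)."""
    options = [SUBSTITUTIONS.get(ch, ch) for ch in text.lower()]
    out = []
    for combo in itertools.product(*options):
        out.append("".join(combo))
        if len(out) >= limit:      # guard against combinatorial blow-up
            break
    return out


def is_word_run(text, max_words):
    """True if `text` is a concatenation of at most `max_words` list words."""
    if text in DICTIONARY:
        return True
    if max_words <= 1:
        return False
    return any(
        text[:i] in DICTIONARY and is_word_run(text[i:], max_words - 1)
        for i in range(1, len(text))
    )


def dictionary_hit(password, max_words=2):
    """Return the undisguised wordlist form a password reduces to, or None.

    Mirrors two common cracking rules: strip leading/trailing digits and
    punctuation, and undo letter-for-symbol swaps.  `max_words` is how
    many concatenated words the attacker is willing to try; the cost grows
    as wordlist_size ** max_words, which is why it is kept small.
    """
    bases = dict.fromkeys([password.strip(AFFIX_JUNK), password])
    for base in bases:
        for cand in candidates(base):
            if cand and is_word_run(cand, max_words):
                return cand
    return None


def random_bits(length, alphabet_size=95):
    """Guess-space in bits for a uniformly random string (95 printable ASCII)."""
    return length * math.log2(alphabet_size)


def wordlist_bits(word_count, wordlist_size):
    """Guess-space in bits for `word_count` words drawn at random from a list."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ["supergir!", "supergir1", "passw0rd", "picklenose",
               "hardleathercatpants", "ydwttroap"]:
        print(f"{pw:22} -> {dictionary_hit(pw) or 'no dictionary match'}")
    # Four concatenated words fall to an attacker who pays for 4-word runs.
    print("hardleathercatpants with a 4-word rule ->",
          dictionary_hit("hardleathercatpants", max_words=4))
    print(f"1 random char: {random_bits(1):.1f} bits, "
          f"16 random chars: {random_bits(16):.1f} bits, "
          f"4 words from a 7776-word list: {wordlist_bits(4, 7776):.1f} bits")
```

Strength meters such as zxcvbn work the same way: they score a password by the cheapest path an attacker has to it (a list word plus a rule) rather than by its raw length, so "supergir!" scores like "supergirl" while a random string of the same length does not.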
14 Comments
Another idea is to use the initial letters of a memorable phrase, such as a line from a song, a favorite movie quote, a proverb or a Bible verse. For example, using the phrase, "Yankee Doodle went to town, riding on a pony" the password would be "ydwttroap". This can be combined with other ideas, such as substituting punctuation or digits for letters. You can also include features such as capitalization and commas from the original phrase ("YDwtt,roap").
I like a pair of foreign language words, 2 different languages, with a digit or two in between.
samples
schnitzel4desayuno
vacas,2scheiss
yo/mensch!
Encouraging users to select one letter (or similarly brief) passwords is a pretty terrible idea. Not that very many sites even allow you to select such short passwords.
As shown in this xkcd http://xkcd.com/936/ another easy to remember password generation trick is to pick a random collection of words and string them together: hardleathercatpants for example
To modify an existing real word based password to make it harder to dictionary attack, character shift it based on the keyboard; for example "password" character shifted one key to the left would be [sddeptf
For all you clever Linux newbies out there, you might want to try a program called pwgen and explore some of the options it offers. Generate a page or three of possible passwords you might like and keep the master file in an encrypted file system that you dismount after every use. Just in case you lose your original. Strive to use at least 25 characters and engage some of the options pwgen offers. And yes, these days if it is a commercial interest, this is absolutely the minimum security that should be used.
The "disguised English word" technique is useless against dictionary attacks. Any hacker worth his salt will already have "passw0rd" and "supergir!" in his dictionary because the technique is limited in scope and very commonly used. You're gaining seconds at best.
The multi-word approach is much better, but you need more than two words to make it truly secure.
Please consult a real security expert before writing such irresponsible rubbish.
The approach I prefer is a geometrical one, consisting of random characters memorised not because they mean something, but because of the key press pattern they create. Of course, for added security, you can just add some non-latin characters, if you have installed international keyboards (and the site permits it).
If you use a strong password, there is no point in changing it on a regular basis.
Here's a suggestion:
1. Create a strong but short password. E.g. '$ab4'
2. For each site that you need a password for select a meaningful, short word:
* cnn.com - news
* amazon.com - amazon
3. Concatenate the two: '$ab4' + news = $ab4news
This way every site gets a unique password but all you have to remember is your short, strong prefix or suffix. Usually I can remember the meaningful word for every website even if I haven't been there in months. Note though that if you are personally being attacked by a hacker, if they break one they may be able to recognize that you have a pattern so it isn't perfect.
Rainbow tables can use foreign dictionaries now too, and variations of spellings. Foreign words can be cracked in about 3 minutes. To test your installation, you might want to download a program called "Ophcrack" and boot from the disk you make. Then it will become more apparent why using the (free) program "pwgen" and at least 25 mixed char. passwords is a pretty darned good idea. IT will always be able to help if you lose it anyway.
At a minimum have 2 unique and strong passwords. Use one for most of the sites you visit. Use the other for only a select few of the most sensitive sites - like bank and brokerage accounts. This way if one gets stolen from one of the more common and less secure sites it can't be used to access your assets.
Some excellent ideas here. I like to use a file with hints about my user names and passwords that few or none would understand. Old postal codes/streets of residence, villages near my birthplace, obscure martial arts terms or characters from scifi, usually modified. Good luck trying to guess my password from "Former street name and address of apartment in Ottawa, numberized".
Unfortunately for Burn Doubt's dismissal of changing strong passwords regularly, we do need to worry about the risk of someone intercepting our keystrokes when we enter our password, whether by simply watching us type or by using software that intercepts the keystrokes before the password is encrypted and sent.
I was impressed by the comedian on BBC Radio 4 who, when asked for a password with at least eight characters, chose 'Snow White and the Seven Dwarfs'...