If you want to be absolutely secure, you should make up a different password for every single Web site you visit. Each password should have at least 16 characters, and it should contain a scramble of letters, numbers, and punctuation; it should contain no recognizable words. You should change all of these passwords every couple of weeks. And you should not write any of them down anywhere.
That, at least, is what security experts advise. Unfortunately, they leave out the part about the 15 minutes you’d have to spend with flash cards before bed each night, trying to remember all those utterly impractical passwords.
There are, fortunately, more sensible ways to incorporate passwords into your life. You won’t be as secure as the security experts would like, but you’ll find a much better balance between protection and convenience.
• The “security through brevity” technique. My teenage son’s smartphone password is only a single character. It’s fast and easy to type. But a random evildoer picking up his phone doesn’t know that; he just sees “Enter password” and gives up—so, in its way, it’s just as secure as a long password. (Of course, I may have just blown it by publishing his little secret.)
• Password keepers. The world is full of utility programs for your Mac, PC or app phone that memorize all your Web passwords for you. They’re called things like RoboForm, Account Logon, and (for the Mac) 1Password. Each asks you for a master password that unlocks all the others; after that, you get to surf the Web freely, admiring how the software not only remembers your passwords and contact information, but fills in the Web forms for you automatically.
• The “disguised English word” technique. Having your passwords guessed by ne’er-do-wells online doesn’t happen often, but you do hear about such cases. The bad guys start by using “dictionary attacks”—software that tries every word in the dictionary, just in case you were dumb enough to make your password something like “password” or your first name. (These special dictionaries also contain common names, places, number combinations and phrases such as “ilovemycat.”)
That’s why conventional wisdom suggests disguising your password by changing a letter or two into numbers or symbols. Instead of “supergirl,” choose “supergir!” or “supergir1,” for example. That way, you’ve thwarted the dictionary attacks without decreasing the memorizability.
• The multi-word approach. Another good password technique is to run words together, like “picklenose” or “toothygrin.” Pretty easy to remember, but tough for a dictionary attack to guess.
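As an added example (not code from the article), here is a registration-time check a site could run so that it refuses any password the dictionary attack described above would guess: the list is built from the same categories the article names (dictionary words, common names, places, number combinations, phrases), and the entries are a small constructed sample rather than a real wordlist.

```python
"""Reject at sign-up what a dictionary attack would try first.

The lists below are a constructed sample for illustration; a real service
would load a full dictionary and the common-name/phrase lists the article
mentions, which run to millions of entries.
"""
import itertools

# Constructed sample of each category the article says attack dictionaries hold.
SAMPLE_WORDS = {"password", "supergirl", "pickle", "nose", "toothy", "grin"}
SAMPLE_NAMES = {"david", "michael", "jennifer"}
SAMPLE_PLACES = {"boston", "london"}
SAMPLE_PHRASES = {"ilovemycat", "letmein", "iloveyou"}


def number_combinations(max_len: int = 4):
    """Yield every all-digit string of 1..max_len digits (the "number combinations" entry)."""
    for n in range(1, max_len + 1):
        for digits in itertools.product("0123456789", repeat=n):
            yield "".join(digits)


def build_attack_dictionary() -> set:
    """Assemble the list a dictionary attack works through, one category at a time."""
    dictionary = set()
    dictionary |= SAMPLE_WORDS | SAMPLE_NAMES | SAMPLE_PLACES | SAMPLE_PHRASES
    dictionary |= set(number_combinations(4))
    return dictionary


def check_password(candidate: str, dictionary: set, first_name: str = "") -> tuple:
    """Return (accepted, reason).

    Comparison is case-insensitive because attack lists try both cases.
    The first name is checked separately since it is per-account, not in the list.
    """
    lowered = candidate.lower()
    if not lowered:
        return False, "empty password"
    if lowered in dictionary:
        return False, "exact entry in the attack dictionary"
    if first_name and lowered == first_name.lower():
        return False, "matches the account holder's first name"
    return True, "not found in the attack dictionary"


if __name__ == "__main__":
    attack_list = build_attack_dictionary()
    for pw in ["password", "ilovemycat", "1234", "supergir!", "picklenose"]:
        print(pw, check_password(pw, attack_list, first_name="David"))
```

Run as written, it rejects “password”, “ilovemycat” and “1234” and accepts the disguised and run-together choices from the article; the single-word entries “pickle” and “nose” being on the list does not make “picklenose” a match, which is the point of the multi-word approach.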