Okay, your password might not stink. But it probably stinks, since most people have rotten, foul, shouldn’t-ever-be-used passwords.
Passwords aren’t fun, but until SQRL is ready you’ll need to use them. There are some super-basic rules about creating passwords that you really shouldn’t break.
Make your password unique
This is the hardest one to do, although it’s easy to understand. Don’t use the same password for more than one service.
Suppose you have a Facebook account and an account with another service, SociallyInsecure.ca (I just made that up, and the domain isn’t registered, so feel free to grab it). SociallyInsecure.ca has a security breach (imagine) and your email address and password are now in the hands of nefarious cybernasties.
What do the cybervillains do? They head immediately over to Facebook.com to see if your email address and password from SociallyInsecure.ca will log them into your Facebook account.
Now the bad guys can read your stuff and impersonate you.
And since you used the same password for your email, they get access to all your other services too, by using the “forgot my password” links.
You could have prevented this by using a different password for each service.
Change any password someone else gave you
Often your initial password is given to you by a person or server. Change it. Otherwise, it’s possible someone knows it, or it’s printed out on a master password list somewhere. Don’t tempt anyone to use it.
Don’t use a word for a password
Those are easy to guess, and the cybercrooks try them first. Capitalizing the first letter isn’t much of a barrier either. Don’t use a word, especially monkey.
Don’t use something people will guess
Don’t use “amazon” for your Amazon.com password. Don’t use the names of your spouse or kids or dog or workplace or anything about you or the site you’re visiting.
Use a long password
Like, really long. Try more than the 8-character minimum that most services require. Try 10 characters, or 12. It takes a second longer to type it in, but it takes centuries longer for the cyberjerks to figure out.
Use multiple character types
Easy passwords use all lowercase letters, or maybe they start with an uppercase letter. Some services require a capital letter and a number, so people use things like Monkey1. Mix it up a little more than that, and include “special characters” like punctuation.
What’s a good password?
I can’t tell you a specific good password, because then it won’t be good. But here’s the sort of thing you’re looking for:
That’s a good type of password, because
- it’s not a word
- it’s not guessable based on what you know about me or where I’m going
- it has lowercase and uppercase letters, digits, and symbols
- it’s long (10 characters)
I can’t remember one of those for every service I use
You might not be able to remember dozens of those passwords (and so you’re tempted to write them down – don’t do it!), but you can remember one. So memorize it, then set up a password system for yourself using the password you memorized as a base password.
For example, maybe you modify that password based on the site you’re going to. Suppose you want a password for Amazon.com. Mix something from Amazon with something from your base password:
I took the second and third letters of Amazon (m and a) and inserted them after the first two characters of the base password.
How about for Facebook?
If you can remember the base password, you get a (nearly) unique password for each site without having to write it down.
Don’t use this exact algorithm. Come up with your own that you can remember and that you’re comfortable with.
But stop writing stinky passwords on a sticky note on your laptop.