Your password stinks

Okay, your password might not stink. But it probably stinks, since most people have rotten, foul, shouldn’t-ever-be-used passwords.

Passwords aren’t fun, but until SQRL is ready you’ll need to use them. There are some super-basic rules about creating passwords that you really shouldn’t break.

Make your password unique

This is the hardest one to do, although it’s easy to understand. Don’t use the same password for more than one service.

Why not?

Suppose you have a Facebook account and an account with another service, SociallyInsecure.ca (I just made that up, and the domain isn’t registered, so feel free to grab it). SociallyInsecure.ca has a security breach (imagine) and your email address and password are now in the hands of nefarious cybernasties.

What do the cybervillains do? They head immediately over to Facebook.com to see if your email address and password from SociallyInsecure.ca will log them into your Facebook account.

Now the bad guys can read your stuff and impersonate you.

And since you used the same password for your email, they get access to all your other services too, by using the “forgot my password” links.

You could have prevented this by using a different password for each service.

Change any password someone else gave you

Often your initial password is given to you by a person or server. Change it. Otherwise, it’s possible someone knows it, or it’s printed out on a master password list somewhere. Don’t tempt anyone to use it.

Don’t use a word for a password

Those are easy to guess, and the cybercrooks try them first. Capitalizing the first letter isn’t much of a barrier either. Don’t use a word, especially “monkey”.

Don’t use something people will guess

Don’t use “amazon” for your Amazon.com password. Don’t use the names of your spouse or kids or dog or workplace or anything about you or the site you’re visiting.

Use a long password

Like, really long. Try more than the 8-character minimum that most services require. Try 10 characters, or 12. It takes a second longer to type it in, but it takes centuries longer for the cyberjerks to figure out.

Use multiple character types

Easy passwords use all lowercase letters, or maybe they start with an uppercase letter. Some services require a capital letter and a number, so people use things like Monkey1. Mix it up a little more than that, and include “special characters” like punctuation.

What’s a good password?

I can’t tell you a specific good password, because then it won’t be good. But here’s the sort of thing you’re looking for:

u1is4$kK5H

Urgh…

That’s a good type of password, because

  • it’s not a word
  • it’s not guessable based on what you know about me or where I’m going
  • it has lowercase and uppercase letters, digits, and symbols
  • it’s long (10 characters)

I can’t remember one of those for every service I use

You might not be able to remember dozens of those passwords (and so you’re tempted to write them down – don’t do it!), but you can remember one. So memorize it, then set up a password system for yourself using the password you memorized as a base password.

For example, maybe you modify that password based on the site you’re going to. Suppose you want a password for Amazon.com. Mix something from Amazon with something from your base password:

Amazon

u1mais4$kK5H

I took the second and third letters of Amazon (m and a) and inserted them after the first two characters of the base password.

How about for Facebook?

Facebook

u1acis4$kK5H

If you can remember the base password, you get a (nearly) unique password for each site without having to write it down.

Don’t use this exact algorithm. Come up with your own that you can remember and that you’re comfortable with.
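To make the rules above and the base-plus-site idea concrete, here is an added example (not code from the original post) that implements the post's illustrative derivation and a checker for its rules. The word list and the personal-terms argument are constructed for the example.

```python
"""Added example (not from the original post): the post's password rules
and its illustrative 'base + site' derivation, as runnable checks."""
import re
import string

# Constructed stand-in for a dictionary; a real check uses a full word list.
COMMON_WORDS = {"monkey", "password", "amazon", "facebook", "letmein", "welcome"}


def derive_site_password(base: str, site: str) -> str:
    """The post's illustrative scheme: take the 2nd and 3rd letters of the
    site name and insert them after the first two characters of the base.
    Every derived password still contains the whole base, so one leaked
    derived password reveals the pattern behind all the others."""
    infix = site[1:3].lower()
    return base[:2] + infix + base[2:]


def password_problems(pw: str, site: str = "", personal: tuple = ()) -> list:
    """Return the post's rules that `pw` breaks (empty list means it passes)."""
    problems = []
    low = pw.lower()
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if low in COMMON_WORDS or re.fullmatch(r"[a-z]+\d{0,2}", low):
        problems.append("is a plain word (optionally with a digit or two)")
    if site and site.lower() in low:
        problems.append("contains the site name")
    for term in personal:  # spouse, kids, dog, workplace ...
        if term.lower() in low:
            problems.append(f"contains personal term {term!r}")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if not all(classes):
        problems.append("missing one of lowercase/uppercase/digit/symbol")
    return problems


if __name__ == "__main__":
    base = "u1is4$kK5H"  # the example password from the post
    for site in ("Amazon", "Facebook"):
        print(site, "->", derive_site_password(base, site))
    print("Monkey1:", password_problems("Monkey1"))
    print("base:", password_problems(base))
```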

But stop writing stinky passwords on a sticky note on your laptop.


2 thoughts on “Your password stinks”

  1. I use a password manager.

    Specifically, I use LastPass and pay the $12/year for premium so I can use the mobile apps, and I think it’s worth it. It also helps me fill in form information super-fast. I highly recommend it, but above all else I highly recommend *any* password manager. If one is leery about a service managing your passwords, there are open-source solutions to roll your own, like KeePass.

    Password managers seem like a good stopgap solution until we don’t need passwords any more. We *shouldn’t* have to remember our passwords, and if one’s passwords are strong enough, one is going to have a hard time remembering them. Your suggestion for a base password + algorithm is a good one. But I’m lazy. I’d rather let a machine manage this for me.

    Not only will a good password manager store your passwords, but they often help you generate strong passwords too.

    That’s why I recommend password managers to my friends when they complain that they can’t use site-unique passwords because “I can’t remember all those passwords.” Recently one of my friends got an iPhone as her first smartphone. I encouraged her to start using a password manager, and she discovered that she can set one up through Apple that works across her iPhone and her Mac. And she’s being sensible, using it for a few accounts to test the waters and see if it’s right for her.

    Also, enable two-step authentication whenever possible. Here’s a good (US-centric) website that lists the types of two-step authentication available with many major websites: https://twofactorauth.org/ If your password *is* compromised for any reason, this makes it that much harder for someone to gain access to your account.
