A confession: For years, I have used horrible, entirely insecure passwords.
Due to laziness and an extraordinarily poor memory, I have broken possibly every rule of good passwords. I have included my name, which might be easily guessed. I have used common words that could be subject to “dictionary attack.” I have used the same password to gain access to many favorite Web sites, including my e-mail, thus creating a dreaded “single point of failure.” Only when forced to would I come up with long passwords containing numbers and symbols — the kind recommended by the sort of security experts I talk to on a regular basis.
But after writing recently about a botnet that uses a password-cracking tool and persistent phishing attacks aimed at Facebook users (another wave of which felled two friends today), I have changed my ways.
Over the last couple of days, I’ve been changing my passwords at various and sundry sites to make them stronger — and promptly writing them down on a Post-It note.
I know, I know! No need to groan. That’s a huge security failure right there. But there’s been no one in my house but me the last few days, and today I’m going to select a better way to store them. More on that in a future post.
Today, I’d like to go over what makes a good, strong password, the kind you should be using to, at minimum, protect online access to your financial accounts.
1. Ideally, your passwords are six characters or longer and you can remember them. It’s a bad idea to make it memorable by using personal information — like your name, your child’s name, your pet’s name, your or your child’s birth date — or by using words in the dictionary.
2. Obviously, you should keep your passwords private. But keep in mind that you also need to be quiet about any personal tidbits you use in passwords or the security questions that some sites use to authenticate you. Identity thieves are out on the Web looking for this stuff. It’s why Facebook has become a big target lately. And just a week ago on Twitter, there was a major hullabaloo over a game in which people were creating “porn names” from their first pet’s name and first teacher’s last name that quickly morphed into a likely effort to phish pet and street names.
3. You can, however, use dictionary words and loved ones’ names more safely by using them as a foundation for a password that also incorporates random capital letters, swaps letters for numbers and includes a symbol or two. For example, the extremely poor “password” password would be much stronger as “r1Va’5paZZw8rD.”
4. It would be even better to use a phrase, song lyric or line from a poem as the base and then mix in numbers and symbols, as well as misspell words or use bad grammar. For instance, “Hey Jude, don’t make it bad” could become “d9n’Tmak%6aad.” Or you can base the password on the first letter of each word in your phrase, which would turn the lyric into “HJ,dmi6.”
For more password dos and don’ts, read Microsoft’s advice here. And feel free to use the comments section below to share your password stories — good, bad and embarrassing.