What is a password?
To verify that certain material is available only to authorized people, the vast majority of websites require a username and password to access portions of the website. As the most common form of authentication, this simple username/password combination is used to protect everything from blog sites to banking. As it is so widely used, passwords are the focal point of many attacks, including dictionary attacks and phishing.
As the number of situations that require a username and password increases, so does the importance of having good password habits.
Unfortunately, any password can be broken with enough time. However, the careful use of strong passwords may successfully prevent attackers from accessing your data and accounts. Realize that the benefits of passwords comes not only through choosing the right passwords, but by maintaining good "password habits" and avoiding vulnerabilities.
Many sites that require passwords also have certain restrictions against the use of weak passwords. These restrictions are for your benefit and are placed in order to help you create a more secure password. Passwords that are too weak may be vulnerable to dictionary attacks or hackers. Here are some common password restrictions:
- The password must be at least 9 characters long.
- The password must include at least one letter, one number, and one symbol.
- The password must not contain any recognizable words in any language.
It's also important to avoid the following:
- Words spelled backwards, common misspellings, & abbreviations
- Sequences or repeated characters. Examples: 12345678, 222222, abcdefg, or adjacent letters on the keyboard (ex. qwerty or asdf)
- Personal information such as your name, birthday, driver's license or passport number, etc.
- Simple words including names or words from a dictionary
- Substituing letters with similar numbers or symbols, for example replace 'e' with '3' or 's' with '$'.
Be wary of websites that restrict your password to no more than a certain number of characters. Secure websites store your password in a way that its length does not matter, and maximum length restrictions indicate a common flaw that could result in your password being stolen. For example, hackers stole over 1.5 million passwords from Gawker in December 2010; a secure password storage system would have prevented the hackers from being able to read those users' passwords. 1
Short List of Characters
Using symbols in your password can make your password more secure. Here is a short but incomplete list:
! - Not
@ - At
# - Number
$ - Dollar/money
& - And
Think of ideas that relate to these symbols but that do not necessarily apply directly to the symbols (i.e. a dollar sign ($) can stand for money, rich, diamonds...).
Steps to Create Secure Passwords
Here are six easy steps to remember when creating your own password:
- Think of a phrase that you will remember
- Replace certain words with matching symbols
- Replace words with numbers
- Remove unncessary vowels
- Make sure most of the letters are lower case but not all
- Remove whitespace
1. If I were a rich man - Think of a phrase
2. If I were a $ man - rich -- money -- $
3. If I were 1 $ man - a -- 1
4. f I wr 1 $ mn - Remove all vowels except "I"
5. f I wr 1 $ mn - Leave the "I" upper case
6. fIwr1$mn - Remove whitespace
1. Sticks and stones - Think of a phrase
2. Sticks & stones - and -- &
3. Sticks & st1s - stones includes one - stones -- st1s
4. Stcks & st1s - Remove vowels
5. Stcks & st1s - Leave the "S" upper case
6. Stcks&st1s - Remove whitespace
Do you think you might have a weak password? Here is a password creation activity to help you create a password that is strong yet easy for you to remember:
1. Think of a song, phrase, or quote that you like. Example: "I believe the children are our future", which is the first line of a Whitney Houston song.
2. Reduce the phrase by keeping the first letter of each word ("ibtcaof") or the first sound of each word ("ibthcrof"). Choose a scheme that seems natural for you. Including an abbreviated phrase into your password like this is advantageous because it makes the password easy for you to remember, yet difficult for attackers to guess (since it appears to be random letters, as opposed to a word in any language).An easy way to do this is to imagine how your phrase would fit on a vanity license plate.
3. Swap some letters for upper-case letters, symbols, and numbers: "Ibtc@0f" or "1bthcR0f" Doing this makes your password stronger, but don't make it so hard that you forget which symbols were used! To help you remember which letters are swapped, you might come up with a system: all vowels are turned into numbers, the first letter is capitalized since it's at the beginning, etc. You might even replace key words with the number of letters in that word, such as "6" instead of "f (for 'future')."
4. Your password should be at least eight characters long, so add some numbers or anything else for padding. Choose a sequence that makes sense to you. Let's say that you are a Les Miserables fan. Then you might add these numbers: "Ibtc@0f24601". If you secretly resonate with The Marvelettes' song Beechwood 4-5789, you might like "1bthcR0f45789".
5. This is a nice password so far, but we don't want to use the same password for everything. Instead, make variations of this password to use in different contexts: "for EBay: Ibtc@0f24601ebay", "for your laptop: Ibtc@0f24601lt", "for your email: Ibtc@0f24601em."
Now we have a password that is very strong yet easy to remember. Ideally, if these phrases and numbers are significant to you, it will be easy enough to remember without needing to write them down: think "I believe the children @re 0ur future; Jean Valjean, email," type "Ibtc@0f24601em". (Even if something does need to be written down, "Whitney Valjean" is much better than writing the password itself down!)
Avoid Password Reuse
It is very tempting to reuse the same password for every different site that you are registered for. Don't do it. Although institutions like banks and government sites do everything they can to protect your passwords, other sites do not. Imagine that a hacker managed to steal your username and password from your blog site. If you used that same combination for your online banking, he now has access to your financial information. The best practice is to have a unique, strong password for every different website. If that is too much, consider having a strong, highly protected password that is only used on secure websites, and a separate password that is used for less important online activity.
Never, Never, Never
- Never give your password to anyone that you do not know. Website authorities do not email or call you about your password!
- Never respond to an E-mail asking for personal information including a password (See Phishing).
- Never give your password information in response to an email or instant message (IM) request.
- Change your password often. By keeping your password secure, you greatly decrease the chances of your password being discovered.
- Use a different password for each account, or at least use a unique password for important accounts like your bank. Remember, even the strongest password is insecure if you use it for everything.
Some services ask you to set up security questions in case you forget your password. Upon clicking the "I forgot my password" link the site asks you these questions in order to confirm your identity before allowing you to reset your password. However, many of the questions used are about information that is either personal ("What is your mother's maiden name?") or anecdotal ("What was the color of your first car?"), which are often easily obtained.
When picking security questions/answers, consider what the website does upon correctly answering them. Does it immediately allow the user to reset the password, or does it email a link to do so? The former is the less secure of the two, because if a hacker knows the answer to the security question, he doesn't need your password at all. If this is the case, be sure to pick answers that are as difficult to guess as a good password.
In recent years, many commentators have suggested using passphrases as a more secure alternative to passwords. A passphrase is a password consisting of multiple words. While a single english word is a poor password, a phrase consisting of multiple words is much harder to crack: with every word that you add, the difficulty to crack your password increases exponentially. In addition, passphrases are often easier to remember and type than seemingly random jumbles of letters, numbers, and symbols.
However, recent advances in password cracking have allowed crackers to figure out long passphrases. In an ArsTechnica article How the Bible and YouTube are fueling the next frontier of password cracking, security researcher Yiannis Chrysanthou called passphrases "pointless." "Just like passwords, passphrases need to be easy to memorize," Chrysanthou explains, "They need to make some sort of sense to the user. That is what makes them vulnerable."
One very effective way of following all of this advice is to use a password manager. Some popular options include KeePass, LastPass, and 1Password. These and other similar products offer the following core features:
- These tools will automatically generate very strong passwords for you, making it almost impossible to guess your password.
- These tools make it easy for you to create new, strong passwords for each website or service you use. That way, if an insecure site is hacked, your password can't be used elsewhere.
- These tools store your password in a safe place. The strongest password is useless if it's scribbled on a piece of paper near your computer.
- If you want, these tools can remind you to change important passwords periodically, such as those for your email and banking sites.
If you'd rather not have to use a password manager or remember a lot of passwords, you should consider using OpenID where it is available. OpenID allows you to log in to many websites using one main account, such as your Gmail or Yahoo account. Facebook also has a similar service called Facebook Connect.
When you click to log in to a website using OpenID, you are redirected to the site of your OpenID provider, such as Gmail or Yahoo. You log in to your account there using your normal username and password, and then you are redirected back to the site you wanted to log in to originally.
There are a few reasons you should consider using OpenID (or Facebook Connect) everywhere you can:
- You don't have to create new usernames and passwords for each website or service you use.
- Major service providers like Google, Yahoo, and Facebook go to great lengths to secure your credentials. OpenID allows you to register safely for websites or services that you don't trust as much as these major service providers.
Google offers a service called 2-step verification, an example of two-factor authentication (TFA, T-FA, 2FA). When this service is enabled, your Google account requires two steps of authentication: your normal password and a special code.
You can get this special code in different ways. You can recevie a text which contains a short numeric code that is different every time, or if you have a smart phone, you can download the Google Authenticator App, which generates a new TOTP (time-based one-time password) code every 30 seconds.
Just in case you don't have your phone on you, you can print out a sheet of backup codes to keep in your wallet, or assign backup phones (maybe your parent or close friend) to receive a text containing a valid code.
The advantage of this is that anyone who wants to access your account needs to not only get your password, but your phone as well. In addition, if you receive the text without trying to log in, you will know that someone else has tried to access your account and that they know your password; you will then be able to change your password.
Authenticating mobile or desktop apps with your Google account, such as Apple Mail or Gmail, becomes a more difficult as well. They require one-time use Application-Specific Passwords (ASPs), which are obtained by signing into your Google account and changing your security settings. Application-Specific passwords ensure that the application never uses, stores, or sees your real Google account password. See Google's article for more information.
For more information on two-step verification: https://support.google.com/accounts/topic/28786?hl=en&parent=14118&ctx=topic
Warning: Don't Leave the Backdoor Unlocked
When registering for a Google or Yahoo account, a new user will often be asked to provide an alternative email address so that later, if the user forgets his new account's password, it can be reset via the alternative email. Many users then make that alternative email's backup email point to the newly created account, thereby creating a "daisy chain" situation where account A points to B, and B back to A. One major disadvantage to this setup, however, is that if a hacker gains access to either of these accounts, he has essentially gained access to all its other linked accounts, bypassing all the best passwords previously set up that had been intended to prevent front door break-ins. Although a daisy chain setup like this is convenient, it severly compromises an account's security and allows hackers to avoid having to guess their way through your passwords at all.
Where Can I Learn More?
More on Password Creation
- Video on how to Choose a Good Password
- Strong passwords: How to create and use them
- Geek to Live: Choose (and remember) great passwords
- Choosing a Good Password
- Bruce Schneier discusses choosing secure passwords and how computer programs attempt to break them.
- Funny and informational comic on the reasoning behind password generation.
- How the Bible and YouTube are fueling the next frontier of password cracking