When it comes to passwords, we need to really consider how computers work.
The fact is, we don’t ‘think’ at their speed, and for that reason, we don’t see our passwords for how insecure they are. A computer can routinely do hundreds of thousands of checks a second – even millions – so what we think of as an obscure word in the dictionary need only take a small fraction of a second to find. This kind of ‘brute force’ technique (where the computer tries everything and anything in an attempt to guess a password) is easy to program, and very common. And computers are only getting faster.
To conquer this, here are some tips for choosing a better password:
- Avoid the obvious. Any personal information (either about you or someone close to you) is too easy to guess. Seen Wargames? That searching for information to get the password (which was the name of the programmer’s dead son) is called Social Engineering, and it’s very easy, since humans are in many cases unreasonably trusting.
- Use different ones for different places. As scares like Heartbleed tell us, once a hacker has a password, they will try it for other services. Is your PayPal password the same one for eBay? And the same one for an insecure site like [—–] that was cracked? Then they get three sites for the price of one.
- Keep a copy of them. No, not on a slip of paper near your desk. Consider a password manager. For example, Firefox’s Password Manager can require a password to allow it to automatically fill in passwords when visiting sites. Using a secure password for this one means you don’t need to remember others. Programs like Truecrypt or KeePass can also help with this.
Great – it’s time to change – now which kind? Here are some popular password techniques:
- Random. Many sites will generate a random password of letters, digits, even punctuation – in fact, here’s one you can use as a starting point for your random password:
Being random, these passwords are harder to remember, but they offer the best odds: since a human can't guess them, the computer must do a brute force search, which can quickly become difficult. For example, a password of upper- or lower-case characters and digits has 26+26+10=62 possible characters for each position, so a 4 character password can be any of 62×62×62×62 or 14,776,336 possibilities, and a 12 character password is 3,226,266,762,397,899,821,056!
- Word jumbles. Place some random words together; easier to remember, but still hard to guess. If you add a few digits or punctuation, you increase the odds. Here's an example generator.
- Letter phrases. Take a famous phrase (ideally, famous only to you) and grab the first letter of each word. "It was the best of times, it was the worst of times" becomes "iwtbotiwtwot". Or use the second letter of each word ("tahefitahofi"), an obscure passage, or even a different break in the passage ("It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity", or "iwtbotiwtwotiwtaowiwtaofiwteobiwteoi", for example). But don't use that alone: try making a few letters uppercase, add some random digits or punctuation symbols in there, or whatever you can easily remember.
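The keyspace arithmetic from the "Random" section and the three techniques above, put into working code. This is an added example written for this page, not a generator from the original post; the word list, the one-million-guesses-per-second rate, and the rule of skipping words too short to supply the requested letter are my own assumptions.

```python
import math
import secrets
import string

# The post's character set: upper- and lower-case letters plus digits (62 symbols).
ALNUM = string.ascii_letters + string.digits


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same keyspace expressed in bits; each extra bit doubles the brute-force work."""
    return math.log2(keyspace(alphabet_size, length))


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute-force search that tries every candidate (assumed rate)."""
    return keyspace(alphabet_size, length) / guesses_per_second


def random_password(length: int, alphabet: str = ALNUM) -> str:
    """Uniformly random password. secrets uses the OS CSPRNG; random.choice would not do."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def word_jumble(words: list[str], count: int, sep: str = "") -> str:
    """The post's 'word jumble': `count` words drawn at random from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def letter_phrase(phrase: str, position: int = 0) -> str:
    """The post's 'letter phrase': letter at `position` (0 = first, 1 = second) of every
    word, lower-cased. Words too short to have that letter are skipped (my assumption)."""
    letters = []
    for word in phrase.split():
        word = word.strip(string.punctuation)
        if len(word) > position:
            letters.append(word[position].lower())
    return "".join(letters)


if __name__ == "__main__":
    rate = 1_000_000  # constructed: guesses per second, the 'millions' the post mentions
    for length in (4, 12):
        print(length, keyspace(62, length), f"{entropy_bits(62, length):.1f} bits",
              f"{seconds_to_exhaust(62, length, rate):.3g} s")
    print(random_password(12))
    print(word_jumble(["correct", "horse", "battery", "staple", "zebra"], 4, "-"))
    print(letter_phrase("It was the best of times, it was the worst of times"))
    print(letter_phrase("It was the best of times, it was the worst of times", 1))
```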
A word about online generators: never use the output they provide unchanged. Always tweak it a bit, even if it means adding a digit or rearranging values. That way, if there is any problem with the generator, you aren't using a potentially flawed generator's output directly. This may seem far-fetched, but a few years ago the MD5 algorithm, which was used as the basis for security on WordPress, was found to have issues that severely reduced the security of any passwords generated. You have been warned.
Nonetheless, however you get your password, remember that it is a key to your access, and treat it as such. Protect it like you do your house keys, and you're likely to find your online 'keys' will stay just as safe and sound.