3 more ways to improve your passwords

An earlier post covered the fundamentals of safe password handling, which is quite different from advice you often see. Here are the fundamental rules:

  1. Learn to recognize phishing. That’s the simplest and most common way to steal passwords.

  2. Make sure your smartphone locks automatically and has a good PIN or password. All apps and accounts are open if someone gets access to it.

  3. Look out for spies when entering the password. Looking over the shoulder is a commonly used hacker technique.

  4. Avoid the really bad passwords. Like password, 12345, qwerty, your name, and so on.

There’s a lot of talk about password quality, but that’s actually not what’s most important. The fundamentals focus on how you handle passwords and keep them secret; only point four is about quality. Read this post for more about password handling.

Ok, we have the basics covered. Let’s move on to lesson two, password quality.

  1. Recycling is in right now, but that’s not a good idea for passwords. Don’t use the same password for several accounts.

  2. A forgotten password is useless. It needs to have some kind of meaning to be easier to remember.

  3. A password should be long and complex enough to withstand attacks that try all possible combinations.

Let’s take a closer look at these points and ask the important question: why?

Why long, complex and unique passwords?

Let’s think of a scenario where you use gmail, and you have one single address, like most people. You use that address as your user ID in most services, since they all expect a mail address as user name after all. And the same password on them all, because that makes it easier to remember. Bob at the football club is very good with web stuff, so he built a fancy extranet portal with photos, discussion forum, event calendar and all. But one day it was discovered that he had used outdated and insecure software. A hacker got access to the site and downloaded the whole user register with user IDs, passwords and all.

Not so severe, you might think. Now the hacker can read our calendar. But that’s not all. You don’t have to be a genius to figure out that you can log in to Google with a gmail address. And look, the same password works! Ok, let’s test Facebook, Twitter, Ebay, Amazon, and so on…

Well, most cyber criminals are not quite that lucky. Phishing victims surrender their password without protection, ready to use. But user databases stolen from servers typically contain passwords protected with a so-called hash function. That’s a one-way function that makes it easy to check if an entered password is a match, but next to impossible to find out what the password is.

So that database is not usable right away. The hacker needs to do a brute force or dictionary attack. That means that a computer tries a large number of possible passwords, until the right one is found or the hacker runs out of patience. A long complex password ensures the latter.
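To make the two claims above concrete, here is an added example (not from the original post): a salted, slow hash makes checking a candidate cheap while the stored digest reveals nothing, and the worst-case guess count grows with length and character classes. PBKDF2-HMAC-SHA256 and the iteration count are my assumed choices; the password values are the post’s own.

```python
import hashlib
import hmac
import os
import string
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor; tune so one check costs ~0.1 s on your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store (salt, digest) instead of the password; a fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Checking a match is one hash; recovering the password from the digest is not."""
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


def guess_space(password: str) -> int:
    """Worst-case number of combinations an attacker who tries every possibility must
    cover: (sum of the character-class sizes the password actually uses) ** length."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return alphabet ** len(password)


if __name__ == "__main__":
    salt, digest = hash_password("red_bAnana8caf")
    print("match:", verify_password("red_bAnana8caf", salt, digest))
    print("wrong:", verify_password("red_bAnana8cad", salt, digest))
    # A bad password from point four versus the post's 14-character example:
    print("qwerty:", guess_space("qwerty"))
    print("red_bAnana8caf:", guess_space("red_bAnana8caf"))
```

The ratio between the two guess counts is what "runs out of patience" means in practice: every extra character class and every extra character multiplies the attacker’s work.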

So the problem is not really that you reuse your mail as user ID. Most services require an e-mail address as user ID. It’s the reused password that is the problem. It means that a cracked password is a jackpot. It not only opens one service, it could open a person’s whole digital life.

Ok, so passwords should be unique for every service, long and complex, and easy to remember. Oops, that sounds hard! Relax, there are ways to make this work without being an über-human with unlimited memory.

Create your own password system

Think of a longer word or a short sentence with two or three words. Choose something that isn’t obvious or easy to guess. Maybe something funny or surrealistic. But something that creates a clear and concrete memory image. Mix in some capital letters, digits and special characters. Memorize how you did it. Then figure out a way to pull a couple of characters from the name of the service and append them to your base password. You should now have something at least 10-12 characters long. Like this:

Password for Facebook: red_bAnana8caf

Looks funny, but it works like this. The base is a red banana, crazy enough to remember. Works well if you have a visual memory, like me. Second letter in banana becomes capital. Words separated by an underscore. The end is the first three letters from the service name reversed, separated by the digit 8.

So here we fulfill all the requirements. 14 characters long, contains lower and uppercase letters, digits and special characters. And the last part depends on the service, making passwords unique.

I think it’s reasonably easy to remember a system like this, because the base stays the same. And you have a clear system for how to form the new password when you sign up on a new system. Yes, the system may produce duplicates, but it still reduces the number of reused passwords significantly.
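The rule described above, written out as an added example (not code from the original post) so the requirements check and the duplicate case are visible: the base, the digit 8 and the reversed first three letters of the service name are the post’s rule; the service names other than Facebook are constructed inputs.

```python
import re
from typing import Dict, Iterable, List

BASE = "red_bAnana"  # the memorable base from the post: second letter of banana capitalized
SEPARATOR = "8"      # digit placed between base and service-specific part


def service_suffix(service: str) -> str:
    """First three letters of the service name, reversed (non-letters ignored)."""
    letters = re.sub(r"[^a-z]", "", service.lower())
    return letters[:3][::-1]


def derive_password(service: str) -> str:
    """Base + digit + service-dependent suffix, e.g. Facebook -> red_bAnana8caf."""
    return f"{BASE}{SEPARATOR}{service_suffix(service)}"


def meets_requirements(password: str, min_length: int = 12) -> bool:
    """Length plus the four character classes the post asks for."""
    return (
        len(password) >= min_length
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def find_duplicates(services: Iterable[str]) -> Dict[str, List[str]]:
    """Services whose derived passwords collide: any two names sharing their
    first three letters get the same password, which is the post's caveat."""
    by_password: Dict[str, List[str]] = {}
    for name in services:
        by_password.setdefault(derive_password(name), []).append(name)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed list of service names for illustration
    for name in ["Facebook", "Twitter", "Ebay", "Amazon"]:
        pw = derive_password(name)
        print(f"{name:10} {pw:16} ok={meets_requirements(pw)}")
    print("collisions:", find_duplicates(["Facebook", "FaceTime", "Twitter"]))
```

Services that share their first three letters (like the constructed Facebook/FaceTime pair) collide, which is why the post says the system reduces, but does not eliminate, reuse.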

Two more pieces of advice. Be consistent. Use it everywhere and never deviate from it. Change the most critical systems’ passwords right away. Advice number two. There are also less significant services, where it is OK to use one common password. Like signing up at a newspaper to be able to comment. Someone may misuse your signature there, but the sky is not falling if that password is breached. It’s OK with a common password on those sites.

Micke