How safe are your passwords? If you bank online, the only thing standing between you and a financial disaster is your password (and perhaps your username). And yet many people do an astonishingly bad job of selecting secure passwords.
A big part of the problem is that secure passwords are hard to remember. When combined with the fact that most of us have dozens of online accounts (if not more), it’s tempting to just an easy to remember phrase and use that. Over and over. But that’s exactly the wrong approach.
So what makes for a secure password? For starters, it should be relatively long. All else being equal, longer passwords are harder to crack. It should also be complex, using as many different character types as possible. And it should be a random as possible, avoiding common words, names, etc.
Oh, and you should also use a different password at every site.
In general terms, you should shoot for 12-14 characters, assuming the system will allow it. Some systems don’t allow long passwords like this, which is unfortunate, so you’ll just have to do the best you can. But, all else being equal, longer passwords are harder to crack.
As far as character selection goes, the more character types you include, the more complex your password can be, and the harder it will be to crack. If you stick to numbers, you only have ten characters to choose from. Add in letters and you have 26 (case-insensitive) or 52 (case-sensitive) more options. Throw in special characters (punctuation marks) and you add yet another dimension.
You will, of course, have to stick to what is allowed, but most modern systems now allow numbers, letters, and special characters. Of course, some seemingly security-conscious websites (*cough* TreasuryDirect *cough*) use case-insensitive passwords when case-sensitivity would offer a good bit more security. But, oh well… There’s only so much you can do.
Randomness. Ah yes, randomness. In general terms, you should avoid using dictionary words, names, birthdates, etc. That being said, you can use dictionary words as long as you string them together in a random combination. But you’re probably better off using a long, completely random, and complex password. So long as you can remember it, of course.
And there’s the rub. It’s hard to remember a long, complex password — much less remember a different one for every site. That’s why I recommend using an encrypted password keeper such as 1Password, LastPass, or KeePass.
I personally use 1Password — no affiliation, I just love it. I also use the iPhone app so I have my passwords with me (but secure) at all times. Yes, you still have to remember a password, but just one.
And finally… Why should you use a different password at every site? Simple. Because if one account gets compromised, you don’t want people to be able to hit your other accounts.
Consider the case of Gawker Media. Gawker owns popular websites like Gizmodo and Lifehacker, and their password database was compromised about a year ago. And in that one event, tons of passwords (and their associated usernames) were dumped into public view.
Imagine if you had been using the same username and password for Gawker Media sites as you use for your online bank, credit card account, etc. You’d be facing a potential disaster.
Well, guess what? It’s not that uncommon for sites to get hacked and for username/password databases to get stolen and cracked. If that happens, your account may be compromised, but as long as you’re using different login credentials at different sites, the damage will be limited.
As an interesting aside, an analysis of the Gawker password database revealed an amazing lack of creativity, with shockingly frequent usage of such cryptographic masterpieces as 123456, password, 12345678, qwerty, abc123, 111111, monkey, 12345, letmein, and so on.
Note: To be completely honest, I’ve been known to use the same (relatively) easy to remember password at a number of non-critical sites around the web. But I never use this password (or the associated username) for any “mission critical” accounts.
I am really impressed with your writing skills as well as with the layout on your blog.
Is this a paid theme or did you customize it yourself?
Either way keep up the nice quality writing, it is rare to see a nice blog like this one these
days.
Curious how people handle web logins stored in one of these programs: do you copy the password from the program into the web site password input, or do you use a program that integrates into your browser?
Planning to move to this type of setup/program and trying to get my ducks in a row. Thanks for any tips!
It is a huge pet peeve of mine that sites don’t have consistent requirements for passwords, which makes it impossible to have a viable system for generating strong passwords (ones that are unique to each site, but you can remember when you need to).
I try to have a long password but some sites limit characters; some don’t allow special characters while some require them; Some don’t even allow Numbers in the beginning or end of a password. Crazy!
Dave,
Thanks for the link. It’s interesting, but I think it overstates the risk. For one thing, the article says 13% of the answers could be guessed within 5 attempts. I question whether most bank sites would let you guess incorrectly several times in a row before telling you your account is locked and you have to call customer service.
Secondly, I’m not really worried about friends hacking into my bank account. I’m worried about some Russian mafia guy in the Ukraine or a dude in Nigeria. Those guys are going to have a tougher time getting my secret questions right. Either way, my friends and the guy in the Ukraine would have to not only guess the name of my first grade teacher for example, but they’d also have to guess my password. I don’t see that happening.
Again, I’m not questioning the need for a strong password. The advice here is sound.
Jonathan:
Yes, that is exactly how I have it set up. It works very well for me.
Of course, I would prefer an open source and community supported piece of software, but I didn’t find one that worked as well, as simply, and as seamlessly as this one.
I’ve used a lot of solutions as well, starting with a few “standard” passwords that I then add a modifier based on the website. Then I graduated to using a password hasher, which means I hashed my standard password against the domain name to get a seemingly random but reproducible password. Now, I’m a fan of LastPass, which gives me an actual random password and which provides an easy way for me to track more sensitive information other than just my passwords in one secure vault.
@Dave, how are you using Pismo to do this? Are you using the Private Folder function? (http://www.pismotechnic.com/pfo/)
Thanks for the tip!
Ken:
Unfortunately many banks and other companies have a limited, pre-defined list of questions that is usually based on information others may know about you. It would be much better to let YOU write down the questions and the answers to your custom questions.
Bruce Schneier reported on a study done a couple years ago on this exact issue. A shocking number of “friends” could guess the answers, and 20% of people forgot their own answers shortly after they set up the accounts.
http://www.schneier.com/blog/archives/2009/05/secret_question.html
@ Nickle…..oh my. I missed that XKCD hyperlink!
Very nice and my apologies.(back to lurking)
Strong passwords are important, but one factor that mitigates the risk of having a weak password is the practice of most banks to require customers to answer personalized questions before they can even enter a password if they log in from a computer the bank doesn’t recognize. Obviously, I still agree with the advice above, but I like that most banks have this additional security feature.
Nickel:
Yep. 128-bit AES, rated good for US Gov’t SECRET level classified information.
http://thenewpaperclip.com/2008/09/29/how-to-encrypt-your-word-excel-and-powerpoint-2007-files/
From this source, you can upgrade that to 256 bit via a registry change:
http://blogs.technet.com/b/gray_knowlton/archive/2008/09/02/document-encryption-in-office-2007-with-open-xml.aspx
Encrypting a spreadsheet and putting it into an (encrypted) Pismo PFO folder/file I think is pretty robust, and easier to deal with than a ZIP file. Plus the PFO folder/file when mounted is just a regular Windows folder, so you can have all your personal/financial stuff in there, all in one place.
Just do NOT forget those passwords!
I use Keepass to store all my passwords on my hard drive, as well as a USB backup. It’s really the only way to have unique strong passwords for each site.
Dave: Does Excel truly encrypt your file, or does it just password protect it? There’s a difference, and I’m honestly not sure what it’s capable of.
I found the following combination works wonders for me and my wife.
1. Excel. You can put anything you want, in any format you want, on as many tabs as you want, and heavily encrypt it with a strong (16+ character) password. Can have passwords, account numbers, challenge phrases, etc. You can also use it as an address book, anything you want.
2. Pismo File Mount. Encrypts a folder and turns it into a PFO file. Right-click the file, type the password (another 16+ character one) and it mounts as a folder with the same name in the same location. Put everything in there — the master Excel password list, contact lists, all tax filings, budgets, forecasts, etc.
Safe and sound, and gives you ONE file to backup for safe keeping, with all your sensitive data inside it.
I looked quite a bit and have yet to find something that works as well and is as user-friendly as Pismo.
(deleted cartoon link…)
Don’t pay $50 for 1Password when there are so many good, free alternatives. I’ve used Password Safe for years. I loved BG’s advice about giving someone close to you the password to your encrypted database if you should die! Not enough people confront the fact that we ALL will die and not having access to your various passwords creates a real hardship for those left behind.
I recently began changing my passwords to every site that I login to. I was given a great method by a friend that has helped me remember each password even though they are different for each site.
I also want to keep a physical record for my family incase something happens to me. That way they can access everything online, I’m still figuring out how to do this. Maybe that keypass would be good.
Since most systems have password length limitations, or _require_ the use of numbers, special characters, and capitalization — I don’t even try to remember passwords anymore.
I use the open source KeePass:
http://keepass.info
which has variants for Windows, Linux, MacOS, PocketPC, Windows Mobile, Iphone/Ipad, Android, Blackberry, Palm, etc, etc.
Put all your passwords in the encrypted database (you need to remember one password to unlock the DB) — then just email the DB file to yourself. Whenever you update the DB (with a new password), re-email it.
Also, if you die, might be good to tell the wife where the password can be found to unlock the password database so they have access to all the other accounts/passwords.
Simple, eh?
If you go back and read closely, you will see that I did make a passing reference to that very comic. 🙂
Hint: It’s in the paragraph that starts with “Randomness. Ah yes, randomness.”
But even if an individual password is both secure and memorable, the challenge is keeping track of dozens of them. Yes, you can come up with a password system (e.g., a core password with variables on the front and back end indicating which site you’re at) but I find it easier to just use a password keepet.
No password post should be made without at least a passing reference to XKCD password comic:
http://xkcd.com/936/
It explains nicely how to generate a strong password.