Easy Rules for Making and Using Strong Passwords

China’s been up to some shenanigans this week, no?  Actually, China’s up to shenanigans every week but it doesn’t usually make the news.  Regardless, it’s a good time to review your internet security practices!  Kind of like when the neighbor’s house burns down and you go through your apartment checking all your smoke alarms and fire extinguishers for the first time in two years.

So today, let’s talk about passwords.  We all have them!  Probably far more than we’d like to have.  They’re also just about the only thing standing between us and A Great Big Bad Day.  Getting your online accounts hacked sucks.  Just ask Anthony Weiner.

One way you can avoid your own personal Weinergate is by using strong passwords and changing your passwords frequently.  We all know this and we know how to do it – or at least for the purposes of this article, I’m going to assume you know these things – and even if you don’t, there is no shortage of information online about how to create strong passwords and how often you should change them.

Strangely though, people keep getting their online accounts compromised despite the abundance of guidance available.  This is because no one actually does what those articles suggest because those articles provide unrealistic advice.  Is it good advice?  Yes!  But it’s too much work to do things right, so most of us do nothing instead.

My goal today is to give you some easy, concrete ways to make your passwords stronger, harder to guess, harder to hack, and most importantly easier to remember, so that you’ll be more willing to change them more frequently.

One word of warning:  This is not an article giving you the text book “right way” to manage your passwords.  Like I said, that info is easily found with a simple Google search.  My goal here is to give you some tips that you might actually use and, while it might not be a best practice, hopefully it’s an improvement over what you’re already (not) doing.

Skeleton Key Passwords Are Ok, But Diversify a Bit

Many of us have one password that we use over and over again across many web sites and online accounts.  This is commonly referred to as a skeleton key password.  The advantage of a skeleton key password is that it’s easy to remember, and you only have one password to access everything.  The disadvantage is that once someone figures that password out, they have the keys to the proverbial kingdom.  Even if they don’t necessarily compromise other accounts that use that same password, you end up having to reset your password on dozens and dozens of other websites.  Not a fun way to spend an evening.

You really should be using a unique, complicated password for every online account you have.  But the reality is, most of us just don’t have the energy or the memory to remember complicated, unique passwords for every site, and so we end up using a skeleton key password out of equal parts laziness and necessity.

My advice is to take a minute and think about the sites you frequent.  Are there any themes that pop up?  Sure there are.  You visit personal financial sites.  You visit shopping sites.  You visit just-for-fun sites.  You have sites that you visit once (that require a username/password) but you never go back to again.  You have your email accounts and other communication related sites.  You have your social networking sites like Facebook, Tumblr and other online identity sites like your personal blog.

Create a handful of categories that make sense to you, and then create a skeleton key password for each category of website.  In this example, all your online shopping accounts would have the same password.  All your email accounts, Twitter, Google Voice, and so on would have the same password.  Lastly, you’d have a password for sites you don’t care about.  Create a single skeleton key password for each theme; then you only have to remember which password goes with which genre of website.

What does this do?  It helps to reduce the risk you have to accept by limiting the number of accounts a potential hacker would gain access to by compromising a password.  At the same time, it keeps the number of passwords you need to remember at a manageable level.

The only caveat I would make to this is for your banking and financial sites.  Each of those should really have their own, unique, strong passwords.  The downside of those sites being compromised far outweighs the convenience of using a common password.

Making Complicated Passwords Doesn’t Have To Be Complicated

You may have read before that you should use complicated passwords, especially on your banking accounts.  Why?  It’s not just to make them hard to guess.

One method hackers use to figure out passwords is called a brute force attack.  With a brute force attack the hacker has a software tool that attempts password after password after password, hundreds per second, until finally it randomly hits on the correct one and gains access.  There are a few different kinds of brute force attacks, but at the end of the day they all amount to the same thing:  they keep trying until they find the right answer.

Here’s the thing – the shorter and less complicated you make your passwords, the easier it is for a brute force program to work.  Remember that in a brute force attack the hacker is trying every single possible combination of characters, one at a time, until they hit on the right one.  The more possible options you include in your password, the more options the hacker has to try, and the longer the brute force attack takes.  If your password is sufficiently complicated (it doesn’t take a lot), brute force attacks become impractical because they just plain take too much time.

Our goal today, though, is to make usable, memorable passwords that are also secure.  6yT5#$kI*jUyt^% is a fantastic password, except for the fact that no normal person is ever going to use it, which makes it worthless.  Add to that the fact that you may be forced to change your password frequently by the website or system administrators, and it’s no wonder we use simple, short, easy to remember passwords.

Here’s what I suggest for making strong passwords that you can remember:

First, pick a theme that you can remember.  Maybe you use “names of family members”, or “U.S. state capitals”, or “titles of Friends episodes”.  Whatever.  In our example, let’s go with names of family members. Our password starts out as auntberthamay.  The reason we started with a memorable theme comes up later, so stick with me.

Next, add some numbers.  Now you have auntberthamay23.  Why 23?  Who knows?  23 is meaningful to you for some reason.  Maybe Aunt Bertha May had 23 cats.  Whatever.  The more numbers the better, but choose something that makes sense for you.

Next, add some special characters (a special character is any of the symbols you get when you hold the shift key and type a number).  Now you have auntberthamay23@#.  Notice that @ is the same key as the number 2, and # is also the number 3.  You’re keying 23, then holding down the shift key and entering 23 again.  Easy to remember, isn’t it?

Next, make a mix of capital and lowercase letters.  In our example, we’ll capitalize the first letter of each “word” in our password.  Now you have AuntBerthaMay23@#.  Maybe you’d go with AUntBErthaMAy23@#.  That would be great!  Just pick a pattern that you’ll remember, and apply it consistently.

Lastly, you can substitute numbers for letters in a way that makes sense to you.  However, be aware that most password crackers know that people substitute 3 for E (and other easy changes) so choose a non-obvious substitution.  Maybe I’ll decide to substitute the number 7 for the letter T.  In our example, we might end up with Aun7B4rth!M!y23!#.

That’s a pretty kick ass password!  But what happens when the computer nazi at your workplace makes you change your newly crafted and very complicated password again in 3 months?  You use the same rules, and just change the characters.  Here’s where our starting theme comes in.  We just change the baseline to another name of a family member.  So we go from auntberthamay to unclebillybob.  Once we put it through the same process we used for our original password, we get Uncl3B!llyBob23@#.

This is a great way to create long, complicated, very secure passwords that are easy to remember and easy to change when needed without requiring a lot of mental energy.  We’ve got better things to do than memorize passwords all day, amirite?!?
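As an added example (not code from the original post), here is the recipe above written out in Python, together with the exhaustive-search size the brute force section talks about. The shift-key symbol map assumes a US keyboard, the substitution is applied to every matching letter (the post's hand-made example only changed some), and the 500 guesses per second rate is an assumed figure standing in for the post's "hundreds per second".

```python
import string

# Assumption: US keyboard layout. Holding Shift and typing a digit gives
# the "special character" the post describes (2 -> @, 3 -> #, ...).
SHIFTED = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
           "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}


def build_password(words, digits, substitutions=None):
    """Apply the post's recipe: join the theme words, capitalise the first
    letter of each, apply the chosen letter substitutions, then append the
    digits followed by the same digits typed with Shift held down."""
    base = "".join(w.capitalize() for w in words)
    if substitutions:
        # Uniform substitution, e.g. {"t": "7"}; only lowercase keys are replaced.
        base = "".join(substitutions.get(c, c) for c in base)
    return base + digits + "".join(SHIFTED[d] for d in digits)


def charset_size(pw):
    """Size of the alphabet an exhaustive search must cover to include pw:
    each character class present adds its whole class to the search."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    return sum(n for chars, n in classes if any(c in chars for c in pw))


def brute_force_years(pw, guesses_per_second=500):
    """Worst-case years to try every combination at the given guess rate.
    This is an upper bound: as the post warns, crackers know common
    substitutions and word patterns, so real attacks need far fewer guesses."""
    combos = charset_size(pw) ** len(pw)
    return combos / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for words in (["aunt", "bertha", "may"], ["uncle", "billy", "bob"]):
        plain = "".join(words)
        strong = build_password(words, "23", {"t": "7"})
        print(f"{plain:20} alphabet {charset_size(plain):3}  "
              f"{brute_force_years(plain):.3g} years")
        print(f"{strong:20} alphabet {charset_size(strong):3}  "
              f"{brute_force_years(strong):.3g} years")
```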

Lastly, Write Your Passwords Down

Yes, I said it.  You should keep a log of your usernames and passwords.  All of them.  All the advice articles will tell you to never write your password down, and this makes sense.  If someone finds your list of passwords, they get access to all your accounts.  But we’re focused on usable, real world security today, and I know we have orders of magnitude more usernames and passwords than we could ever remember.  Until we get a Johnny Mnemonic-like port installed in the base of our skulls for directly interfacing with our computers, we have to write our passwords down.

The key here is to keep that password list safe.  Don’t put it on a piece of paper under your keyboard at work.  Don’t keep your password list in your wallet or purse.  Don’t keep your master list in an unencrypted text file on your computer desktop or My Documents folder.  There are all kinds of small, free programs available online that let you keep track of your passwords and then encrypt the file.  Use them.  Personally, I use AnyPassword Pro.  I’m sure the commenters will have lots of great suggestions as well.


A Note from the Crasstalk Security Department: Strong passwords are an absolute must but they will not protect you from the many ways that nefarious elements try to get you to voluntarily hand over your password.  You should stay vigilant about the sites you visit, the software you install, not accepting free USB thumb drives and scanning your computer on a regular basis.
