From The Urbach Letter –
The Password Game
It's a high-stakes game we play. Win and you get to keep your money, your privacy, and your sanity. Lose, and you can lose big. But the deck is stacked against you. Coming up with good passwords and remembering them is hard. That's why so many folks take the easy way. Kid and pet names, birth dates, nicknames, "password," and other easily guessable choices leave you open to easy hacking, followed by potentially grave consequences. And remember, it's not only your choice of password that puts you at risk, it's also the way you manage your "secret."
If you are guilty of any of the above password infractions (and I KNOW YOU ARE), then it's time to up your game. This ain't 1995 anymore. You didn't bank online back then, enter your credit card and personal info in dozens/hundreds of places, or in general, have this much of your life accessible to legions of evildoers worldwide. The bad guys have easy access to very sophisticated password cracking software and desktop computers fast enough to run through millions of tests and trials. Your weak password will likely not withstand a determined attack, exposing you to all kinds of potential nastiness. (Believe me, you don't want to find out how nasty.)
Now, at least you know which passwords are particularly bad. C'mon, you're better than this. Fortunately, it's not that difficult to win the password game.
Here's what you need to do:
1. "Harden" ALL your passwords. (There is a definite "weakest link in the chain" risk, especially if you ignore the next recommendation in this list.)
2. Make up a unique password for every site that requires one.
3. Use one or more of the following strategies:
4. Don't just capitalize the first letter of your password. That's too common. Likewise, don't just add a 1 or 2 at the end of your password. Everybody does that when they find out their password "must include at least one number..."
Next, test your password by entering it in a strength checker:
There are other checkers available but I trust this one from Microsoft (it doesn't store or transmit any information).
In passwords, as in certain other things, longer is better. A six letter password, no matter how random and cryptic, is essentially defenseless against a "brute force" attack. In his excellent 2007 article How I'd Hack Your Weak Passwords, security expert John Pozadzides goes into a lot of detail on why all this matters and presents an interesting table that's worth a quick review:
If your six letter password was all lowercase, it would take just over five minutes to try every possible combination of those 26 characters and crack it. However, if you expand your repertoire of characters to include uppercase and upper row keyboard symbols ($%#^& etc.), you'll make life much harder for the bad guys. For the same six-long password that's now made up of all available characters, the crack time jumps from 5 minutes to over eight and a half days. Add one more character and you're good for 2.2 years. One more and you're up to 2 centuries.
Feeling safe with your eight character mixed case password now? Well you shouldn't.
That table was based on a single desktop computer, circa 2007. Five years later, the average computer is more than twice as fast, so cut all these numbers at least in half. Worse, computational "farms" can be cheaply rented and give almost anybody access to 1000X supercomputer power. Also, the above table excludes ANY word found in the dictionary. If you're using one of those, the cracking is almost instantaneous, no matter the length.
Now I'll share with you my personal password strategy (but not my passwords).
I personally find random passwords with lots of symbols and oddly positioned caps very difficult to remember and type quickly. #9P1pyRDf$%4 will keep me safe for a long, long time, but is downright painful to memorize. That's why I use a commercial password manager called RoboForm. Other people prefer similar managers like LastPass or KeePass. They all work similarly. When you need a password, RoboForm will generate one for you.
You can make the password as long and gnarly as you want, without wondering how you'll ever remember it. That's because RoboForm will remember it for you. Unlike the very insecure method your "helpful" Firefox browser uses when it offers to remember your passwords (turn that off!), RoboForm encodes everything with "military-grade AES 256 encryption." You can unlock all your highly secure, distinct logins and passwords at once with one master password. RoboForm will also store your credit card information, secret notes, bookmarks and personal identity profile(s) with the same "uncrackable" level of security protection. If you do any amount of online shopping or form-filling, it's wonderful to have all your info filled in with one click of the mouse. It does even more but you can read the rest of the details here: Roboform Features.
There's one gotcha to this strategy:
How do you create and remember your master password?
Well, I've got some good solutions for that too. Actually, I had them back in November, 2005 when I prepared a video article called "The Unbreakable Lock." That info is still valid and a link to it is right here:
I highly recommend the Diceware Method explained in the video (fast forward to 6:10 if you're an impatient type of person).
After the spate of highly publicized security breaches recently (Zappos for one), I'm sure you've come across other articles exhorting you to toughen up your online security by using better passwords. Maybe you've seen some similar tips about hardening your passwords and thought to yourself, "Yeah, I ought to stop using my dog's name," but never actually carried through because it's just such a pain. The info in this article will enable you to create and remember strong passwords that'll keep you safe.
(c) Copyright 2002-2012 Victor Urbach
This article may be reprinted with permission and attribution