OMG Passwords are Killing Me!

The purpose of passwords is to protect your information. We all know a bit about passwords, and sometimes what we know becomes dated. Here's some information if you want to get in better shape. If a password is easy to remember, chances are it's easy to guess. All passwords are crackable; it's just a matter of time. Strong passwords would take centuries to crack with 2016 technology.

Basics about passwords:

  • Make them long, like 12-16 characters
  • Do not follow common patterns like alphabetic or numeric order
  • Do not follow keyboard patterns like consecutive keys “asdfg” or “uiop”
  • Don’t use names (human or pet) or words found in the dictionary
  • Don’t use numbers associated with you or those in your life, like your birthday, your house number, or any other set of numbers that might be easily guessed
  • Don’t substitute @ for a, 0 for O, 3 for E, 4 for A, etc. These are worthless in creating a stronger defense
  • Do add numbers, special characters and miXed cAse characters
  • Don’t reuse passwords
  • Don’t use numbers or special characters only at the beginning or end of a password

Impossible, right? Well, if you are not perfect, here are some tips and links. Some of your information is more valuable than the rest, and I'd like to suggest that some passwords are more important than others. Think of the places you use them as falling into three buckets: Critical, Important, and Simple.

Critical Passwords

Anywhere you would use a critical password could have significant consequences if the password is hacked. Passwords associated with your finances or deeply personal information should use critical passwords.

Critical passwords are:

  • Unique: They get used only in one place
  • Particularly Long: The longer the password, the harder it is to crack

Keeping critical passwords unique is important so there's no cascade of breaches. If one is hacked but is absolutely unique, it can't be used to compromise other important sites.

Unfortunately, critical passwords are likely to be passwords you use frequently, so there's a temptation to cheat. You might reuse a critical password, use a common mnemonic, or develop a pattern in the password that's easy to compromise. See below for tips on dealing with this.

Important Passwords

Use important passwords in places where a moderate amount of security is advisable. These can follow a pattern of your choosing (one that's not too obvious) that changes per site. Mnemonics can help, but don't make the result guessable.

Simple Passwords

Use simple passwords where the consequences of a breach are fairly insubstantial. If your primary online reputation is not at stake, and you have no stored credit card information, use a simpler password. This is the one place you might allow yourself to repeat passwords. Always consider, though, that once someone has the repeated password they will try it everywhere else, and ask what the consequences of that would be.

I also advise that it's OK to have a shorter password or PIN when logging into your computer. Don't have one? You should, especially on laptops.

Tools

The biggest tip is that you cannot keep passwords in your head. What many people lack are the right tools to keep track of all these passwords. Here are two basic tools.

Pen and Paper

I know lots of people who have scraps of paper and scribblings in notebooks. They seem like a good idea, but how does the system work when you have to reset your password, or when you write a password down but don't tie that note to a particular account?

There's some thought that an ordered notebook (yes, paper) in an inconspicuous spot is a good system. It's only in one spot and may be difficult for a thief to find. Of course, there are downsides to having it in only one spot, primarily that only a single copy exists. And what if the notebook is not with you?

Password Manager

The solution I like best is a password manager program. I like 1Password, which I have on my iPhone, iPad, Windows computer, and OSX computers. The program is designed to sync across devices, overcoming the limitation of the paper notebook.

Other programs include LastPass, KeePass and Dashlane. When deciding what's right for you, make sure the program is compatible with all your devices.

Most password managers will also help you generate strong passwords.

Strategy

Random

The best strategy is to let a program create a seemingly random password for you, something that might look like: 0QnjqXJqgP3KNwgh. This password is 16 characters long and has upper- and lower-case letters as well as numbers. It lacks special characters but is still rated Excellent. The only realistic way to use such effective passwords is to record them in some way. See above.

Passphrase

For a period, passphrases were considered an improvement because of their length. Stringing together four or five words of three or more letters each gives something that is both long and easier to remember. Current thinking is that it's too difficult for a person to choose five truly random words, and if they are all in the dictionary, that doesn't help. Add punctuation to help you remember and to add complexity.

Here's a well-circulated cartoon from xkcd: Password Strength. Again, this is a better strategy, but not the best. If you go this route, add some special characters that are not common substitutions.

Personal Mnemonic

One way to get a unique password is to use the first letters from a phrase, sentence, song lyric, or poem that you know or love. Perhaps it is an affirmation. All the other rules should still apply, though. ILTom (for I Love Tom) is easily guessable, too short, has no numbers or special characters, etc. If a whole word is embedded, it can add length without significantly increasing risk.

Examples

InnP,dImdphaa
(I need no permission, did I mention Don’t pay him any attention) That’s 13 characters and has one symbol and three capital letters.

O,iatcwamwfaw!Iwnstabantpof!
(Oh, if a tree could wander and move with foot and wings! It would not suffer the axe blows and not the pain of saws!) That's long and cumbersome, but it serves as an example.

Mpllowfgt
(My plants love lots of water for growing tall) This password is too short to be really good without modification. However, it could be a good base to make something better: Mpllow4gt, Mpllowater4gt, MpLlotsow4^t, etc.
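To make the first-letter method and the Basics list above concrete, here is an added example (not the author's or any password manager's code) that builds a mnemonic mechanically and checks a password against those rules: length, mixed case, digits and symbols, alphabetic/numeric/keyboard runs, dictionary words (after undoing the @/0/3/4 substitutions), and digits or symbols only at the edges. The word list and keyboard rows are tiny constructed stand-ins for a real dictionary and layout, and the post's own examples are run through it.

```python
import re

# Constructed stand-ins for a real dictionary and keyboard layout (assumption).
WORDS = {"love", "tom", "water", "password", "plants", "permission"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
LEET = str.maketrans("@0341$", "aoeais")  # undo the substitutions the post calls worthless


def mnemonic(phrase: str) -> str:
    """First letter of each word, keeping punctuation that trails the word.
    This is mechanical; the post capitalises some letters by hand."""
    parts = []
    for word in phrase.split():
        trailing = re.search(r"[^A-Za-z0-9]*$", word).group()
        parts.append(word[0] + trailing)
    return "".join(parts)


def has_run(pw: str, n: int = 4) -> bool:
    """n chars in alphabetic/numeric order (abcd, 1234) or along a keyboard row (asdf)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        ordered = all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(n - 1))
        if ordered or any(chunk in row for row in KEYBOARD_ROWS):
            return True
    return False


def dictionary_hits(pw: str) -> list:
    """Dictionary words visible once @/0/3/4/1/$ are mapped back to letters."""
    plain = pw.lower().translate(LEET)
    return sorted(w for w in WORDS if w in plain)


def check(pw: str) -> list:
    """Return the rules from the Basics list that pw breaks; empty means none tripped."""
    problems = []
    if len(pw) < 12:
        problems.append("too short (<12)")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("no mixed case")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    if has_run(pw):
        problems.append("alphabetic, numeric or keyboard run")
    if dictionary_hits(pw):
        problems.append("dictionary word(s): " + ", ".join(dictionary_hits(pw)))
    # digits/symbols present, but only as a prefix or suffix around one block of letters
    if re.search(r"[^A-Za-z]", pw) and re.fullmatch(r"[^A-Za-z]*[A-Za-z]+[^A-Za-z]*", pw):
        problems.append("digits/symbols only at the edges")
    return problems
```

Running check() over "ILTom", "Mpllowfgt", "Mpllow4gt", "Mpllowater4gt" and "0QnjqXJqgP3KNwgh" shows the trade-off the post describes: embedding "water" adds length but also a dictionary hit, and the generated password trips only the missing-special-character rule.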

Review Common Passwords

Reviewing a list of the most common passwords can provide examples of what not to do. When analysts get hold of leaked password lists, they produce some eye-opening rankings. Sometimes these get summarized in short articles, which also provide tips like the ones here.
Pay attention, and don't be embarrassed if you thought you had the best system. Use these lists and articles to improve your passwords.

Links