This is the second story in a multipart SecurityNewsDaily special report on the future of digital security.
Often, when you're asked to create a password for yet another online account, there's a rating scale right on the registration page that tells you how strong your prospective password is.
In most instances, you'll be prodded to come up a good mix of numbers, punctuation marks and upper- and lowercase case letters. Make that password longer, and you'll make it even stronger.
Oh, and don't forget, your new password has to be unique. It can't match any other password that you use anywhere else. It's best that it not be based on a word found in the dictionary.
Furthermore, on accounts you use frequently, such as webmail or Facebook, it's a good idea to change those unique passwords every few months.
This is all good advice, but let's be honest. It's hard enough to remember a few easy passwords. How the heck is anyone supposed to remember dozens of difficult passwords?
The hard truth
Before we get too frustrated over the password rules, it might be good to remember exactly why we need good, strong, unique passwords. They're our frontline in the cybersecurity battle, and the one bit of security that an average user gets to control.
"Passwords are only as secure as a user makes them," said Bill Carey, vice president of marketing and business development at Siber Systems in Fairfax, Va. "Creating an easy-to-guess password completely defeats the purpose of creating a password at all."
On the positive side, Carey said that maybe not every password has to be unique.
"Realistically speaking, I would say that if you're visiting sites that you don't really care if another user accesses with your password, then you can use that same password on a few of the same types of sites," he said.
"An example would be a news site. You don't really store any personal information when you log into a news site, so feel free to use the same password on other news sites," Carey said. "Don't get me wrong — this is not the most secure recommendation. I'm giving practical advice."
Carey quickly pointed out that when you're visiting sites with a heightened security expectation, particularly financial, retailing or banking sites — really, any site that handles your money — it's very important to have a unique and strong password for each account that you create.
A little too convenient
But even if you're using unique passwords for only financially sensitive sites, that's still a lot of passwords to remember. Surely writing them down and keeping the passwords in a safe place would be all right — wouldn't it?
"The short answer to this is no," said Steve Durbin, global vice president of the Information Security Forum, a trade association based in London. "The longer answer is 'Never!'
"Consumers today should avoid writing down their passwords at all costs!" Durbin said. "Why? Well, naturally your password will be more secure if you don't write it down."
Lots of people let websites remember their passwords, and some Web browsers provide a prompt when they land on a login page, asking permission to save the password for you.
But tempting as it is to click "yes" to either offer, experts advise against letting websites or browsers store your passwords.
"If your computer gets hacked or stolen, all accounts and personal information will also be at risk," said BariAbdul, vice president of consumer sales for Check Point Software Technologies in Redwood City, Calif."It is good practice not to leave an online trail and [to] log out of all accounts —each of which should have a different user name and password —when you're done."
Who's the real you?
Many sites have an option labeled "Forgot Your Password?" At first glance, that looks like a useful tool. Often, you just have to click on a link and the site tells you the forgotten password after you answer a few security questions about yourself that you'd previously provided.
However, as Katie Weaver-Johnson with Lincoln, Neb.'s Awareity pointed out, this is an easy way for hackers to get into your accounts.
Too often, the answers to those "identity verification" questions have been posted on public websites such as blogs and Facebook. In fact, one of the most common questions — "What's your mother's maiden name?" — has probably already been answered by your own mother on her Facebook page. A smart criminal will use the Internet to get past an identity-verification test.
"If you provide information and answers to personal questions for a password reset system, don't use information that can be easily discovered on your Facebook page or other social-networking sites," Weaver-Johnson suggested. "You may want to consider creating 'false' answers that only you will remember."
Herding passwords
So are there any safe ways to store all that password information? Carey recommends using a password manager, an application that securely stores and retrieves your password information. In most cases, you need only remember one "master" password to make changes or additions.
"For example, our password manager is called RoboForm," he said. "It memorizes and securely stores each user name and password the first time that you log in to a site.
"To log into that site, simply click on the login stored in RoboForm," Carey said. "The software will go to the site, enter your username and password and click the submit button for you — all in one click."
The "cloud" — the vast network of servers and processors on the Internet — is also becoming an increasingly popular area to store passwords so that they can be accessed from multiple devices.
But before you turn to a password-management service based in the cloud or on your PC, it's best to review the quality of the service, said Tim Armstrong, malware researcher at Kaspersky Lab in Woburn, Mass. He pointed out that you've got to ensure against data leakage or insecure database practices.
"Users must be extra careful in choosing a provider," Armstrong said. "Make sure they're a valid and reputable vendor."
Still too much to remember?
If you're someone who does need to write down his or her passwords, Durbin provided some tips that "should allow you to create a password that requires you to remember only a few simple things."
— Instead of writing down the password, he suggested, write down a hint that will help you to remember the password, but which would be meaningless to others.
— Write down only what you need to. For instance, if you use a word and then convert some of the letters to numbers — such as "5" for "s" and "0" for "o" — write down the word you start with if you think you can remember the numbers.
— Do not write down the user account or application that the password is associated with.
— Keep the piece of paper on which you're written down your passwords as secure as you would a credit card. Store it in your wallet or purse, or keep it in a locked drawer.
— Once you no longer need that piece of paper to remind you of your password, dispose of the paper by shredding it.
Now that we know what to do, and what not to do, when it comes to keeping track of our growing number of passwords, how can we make sure we're creating hard-to-guess passwords for the future?
Don DeBolt, director of threat research at Total Defense in Islandia, N.Y., had some suggestions:
— Think of a phrase, a quotation or a snippet of a song that you know by heart. Select the first character of each word to create a password. For example, "In the middle of a difficulty lies opportunity," would translate to "Itmoadlo."
— Passwords are often case sensitive. In the above example, we've used a capital "I," just as in the start of the sentence.
— Vowels can be replaced with numbers to add entropy. So "Itmoadlo" would become "1tm0adl0."
— Note the use of the period in the password. Punctuation marks are a good way to add entropy to your passwords, as well as a little length.