How many websites did you visit today that required a password? Probably quite a few.
Do you need a password to access data or email at work? You likely do.
In fact, you may have even needed a password to log on to the computer you’re reading this on right now.
Passwords are the front line of defense in protecting the data on your computer. They keep your kids from hijacking your Twitter account, and keep cybercriminals from gaining access to your bank account.
The problem is that because we need so many passwords today, many of us take the easy way out. We either use the same password for everything, or use very simple, easy-to-remember passwords.
And that’s where we can get into trouble.
The risks of weak or multiple-use passwords
“Let’s say you fall for a phishing attack on Facebook,” explained Beth Jones, senior threat researcher for the information-security firm SophosLabs North America. “They can see your email address and try that same password there.
“If you have sensitive information in your email, such as bank statements or credit-card statements, then the attacker can try that password to access bank accounts or credit-card accounts as well,” Jones said.
“They would have several key pieces of [personal] information… so in theory they could try the ‘forgot username’ on other accounts, such as Twitter, or online games,” she said. “You can see how this snowballs quickly.”
Not only should you have a unique password for each site you log into online, but, as Gunter Ollmann, vice president of research at the Atlanta-based computer-security firm Damballa, pointed out, you should also avoid recycling old passwords.
“Criminals — and unethical web masters — often try to use the passwords that have been taken from one site and use them against other sites, especially if your email address is also known to them,” Ollmann explained.
“Each website or application you use should have a different password, and ideally you should not use a predictable algorithm for generating them,” he said. “For example, a bad practice is to use a password that contains the particular website’s name or address in it.”
How to create perfect passwords
So what makes a good, strong password?
“Password strength is measured by two characteristics — length and complexity,” said Josh Shaul, chief technology officer with New York-based Application Security, Inc. and author of Practical Oracle Security: Your Unauthorized Guide to Relational Database Security. “In general, the longer the password, the more difficult it is to guess and the stronger it is.”
Password complexity, he added, means avoiding passwords that can be easily guessed.
“The easiest passwords to remember are simple words, places, dates or easy-to-type text strings,” Shaul said. “Favorite sports teams, cities, names, birthdays and even strings like ‘12345’ or ‘qwerty’ are very commonly used. These are all weak passwords.”
Most experts agree on the basics of creating strong passwords. Here are some tips from the Identity Theft Resource Center:
- A password should contain at least eight characters (some experts say 10 or 14 characters is the minimum).
- The password should have at least three of the four following types of characters — upper-case letters (ABC), lower-case letters (abc), numerals (123), and punctuation marks or other special characters (!#$%&*_=+?).
- If you’re using only one capital letter or special character, don’t make it the first or last character in the password.
- Avoid common names, slang words or any words in the dictionary. Computers can run through entire dictionaries in minutes.
- Don’t include any part of your name or any part of your email addresses.
- Choose an especially strong password for websites that hold especially sensitive personal information — for example, banks or online retailers that store your credit-card information.
- Don’t ever refer to anything that can be learned from your social networking profiles or an Internet search. In other words, don’t make it your favorite band or movie, your pet’s name, your nickname, your phone number or, especially, your birth date.
Here’s a good way to create a strong password. Pick a phrase you’ll remember. Take the first letter of each word and run them together into a “word.” Capitalize some letters and substitute numerals where it would make sense to.
For example, the phrase “I hate to work late” could become “iH82wkl8.”
Or tweak that formula and don’t abbreviate all the words. “This little piggy went to market” might become “tlpWENT2m.”
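The tips above and the phrase method can be turned into a self-check. The following Python is an added example, not code from the article or from any of the firms quoted in it: it tests a candidate password against the Identity Theft Resource Center rules listed above (length, three of four character classes, lone capital or special character not at the start or end, no dictionary words or keyboard strings, no part of your name or email address). The function name `check_password`, the helper `_identity_parts`, and the tiny word list standing in for a real dictionary are all assumptions made for this example.

```python
import re

# Constructed stand-in for a dictionary and a list of easy-to-type strings.
# A real checker would load a full word list (for example /usr/share/dict/words);
# this short set is only here so the example runs offline.
SIMPLE_STRINGS = {
    "password", "letmein", "welcome", "dragon", "monkey", "football",
    "master", "sunshine", "piggy", "market", "12345", "qwerty", "asdf",
}

# Domain labels that appear in almost every email address and carry no
# personal information, so they are not treated as "part of your email".
GENERIC_EMAIL_TOKENS = {"com", "net", "org"}


def _identity_parts(name, email):
    """Split a name and email address into the pieces a password must not contain."""
    parts = set()
    for token in re.split(r"[\s.@_\-]+", f"{name} {email}".lower()):
        if len(token) >= 3 and token not in GENERIC_EMAIL_TOKENS:
            parts.add(token)
    return parts


def check_password(pw, name="", email="", min_length=8):
    """Return the list of rules a password breaks; an empty list means it passes."""
    problems = []

    # Rule 1: at least eight characters (raise min_length to 10 or 14 if you prefer).
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Rule 2: at least three of the four character classes.
    upper = [c for c in pw if c.isupper()]
    lower = [c for c in pw if c.islower()]
    digits = [c for c in pw if c.isdigit()]
    special = [c for c in pw if not c.isalnum()]
    classes = sum(1 for group in (upper, lower, digits, special) if group)
    if classes < 3:
        problems.append(f"uses only {classes} of the 4 character classes")

    # Rule 3: a lone capital letter or special character must not be the
    # first or last character, where guessing tools look for it first.
    for label, group in (("capital letter", upper), ("special character", special)):
        if len(group) == 1:
            position = pw.index(group[0])
            if position in (0, len(pw) - 1):
                problems.append(f"the only {label} is at the start or end")

    # Rule 4: no dictionary words or keyboard sequences, checked case-insensitively.
    lowered = pw.lower()
    for word in sorted(SIMPLE_STRINGS):
        if word in lowered:
            problems.append(f"contains the common string '{word}'")

    # Rule 5: nothing taken from your own name or email address.
    for part in sorted(_identity_parts(name, email)):
        if part in lowered:
            problems.append(f"contains part of your name or email address: '{part}'")

    return problems


if __name__ == "__main__":
    # The article's two phrase-derived passwords, plus a weak one for contrast.
    for candidate in ("iH82wkl8", "tlpWENT2m", "qwerty"):
        verdict = check_password(candidate) or ["passes every rule"]
        print(f"{candidate!r}: " + "; ".join(verdict))
```

Running it shows that “iH82wkl8” and “tlpWENT2m” pass every rule, while the bare first-letter acronym of “I hate to work late” (“Ihtwl”) fails three of them, which is exactly why the article tells you to capitalize some letters and swap in numerals rather than stop at the acronym. Passing a name and email address (`check_password("jane.smith1!", email="jane.smith@example.com")`) catches the rule people break most often: reusing a piece of their own identity.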
Should you write them down?
So if we need a unique, strong password for nearly everything we do online — check multiple email accounts, use Facebook and Twitter, make comments on CNN, buy something from Amazon — how can we remember them all? Is it okay to write them down somewhere?
Several years ago, the conventional wisdom was to never write down passwords — but that was when most of us only had a few to remember.
Some experts have since changed their minds.
“With today's threat landscape being dominated by password-stealing malware, physically writing down your passwords is becoming more acceptable,” Damballa’s Ollmann said.
“The probability of someone breaking into your house and stealing your written-down passwords is considerably more remote than the 1-in-3 to 1-in-4 probability that your computer will fall to a criminal’s malware,” Ollmann said.
Jones of SophosLabs sticks to the old advice — don’t write them down.
“This is really not a great idea, particularly for work,” Jones said. “Physical security is just as important as online security.
“Anyone walking by could see the sticky note next to your machine and then break into your accounts (especially if you use the same password for everything),” she added. “The risk is even greater if, as a user, you log into more than one location and have your password written at all those locations.”
Web browsers often ask if they can remember your password for you. Is that safer than writing down your password?
“For some passwords, it may be okay to let the browser remember your password on your personal laptop or home PC,” said Chris Burchett, founder and chief technology officer with Addison, Texas-based information-security firm Credant.
“In general, if the information on the website that requires your password is what you consider to be public, then it may be okay to let the browser remember the password,” Burchett said. “But be careful. Never let the browser remember passwords to banking websites or other sites where private personal identity information is used or available.”
“Also be careful when using a public-kiosk computer like the ones at the airport. Never let browsers on computers you don't own store passwords,” he added. “In fact, it would be best not to log into any website requiring a password from a computer you don't own.”
Instead, the experts suggest using third-party password-management software, which stores all your passwords in one place and protects them with one very strong master password — the only one you’ll have to remember.
“Managing passwords is a challenge because there are so many online accounts requiring passwords these days,” Burchett said. “Using a password manager to securely generate, store, rotate and supply passwords on demand may be worth considering as long as you remember to make the master password strong enough.”
There are dozens of password managers, both free and inexpensive (none cost more than $30). Some of the better-known ones include Web Confidential, LastPass, KeePass and its Mac/Linux sibling KeePassX. Some run on PCs, others on smartphones, while some are browser plug-ins.
As for the password managers that come with browsers, most of them aren’t very secure. Only Opera and Mozilla Firefox use master passwords, and Firefox’s is turned off by default. (Here’s how to turn it on.)
Now that you’ve read all this, do yourself a favor this weekend. Go through all your online accounts and use these tips to create strong, unique passwords for each one, and then use a password manager to remember them all.
It’ll take less time than you think. Next time a friend or relative has an email account hijacked or gets charged for dozens of iTunes songs he didn’t buy, you’ll be glad you did.