Creating and Using Strong Passwords

How safe are your passwords? If you bank online, the only thing standing between you and a financial disaster is your password (and perhaps your username). And yet many people do an astonishingly bad job of selecting secure passwords.
A big part of the problem is that secure passwords are hard to remember. When combined with the fact that most of us have dozens of online accounts (if not more), it’s tempting to just pick an easy-to-remember phrase and use that. Over and over. But that’s exactly the wrong approach.
So what makes for a secure password? For starters, it should be relatively long. All else being equal, longer passwords are harder to crack. It should also be complex, using as many different character types as possible. And it should be as random as possible, avoiding common words, names, etc.
Oh, and you should also use a different password at every site.
In general terms, you should shoot for 12-14 characters, assuming the system will allow it. Some systems don’t allow long passwords like this, which is unfortunate, so you’ll just have to do the best you can. But, all else being equal, longer passwords are harder to crack.
As far as character selection goes, the more character types you include, the more complex your password can be, and the harder it will be to crack. If you stick to numbers, you only have ten characters to choose from. Add in letters and you have 26 (case-insensitive) or 52 (case-sensitive) more options. Throw in special characters (punctuation marks) and you add yet another dimension.
You will, of course, have to stick to what is allowed, but most modern systems now allow numbers, letters, and special characters. Of course, some seemingly security-conscious websites (*cough* TreasuryDirect *cough*) use case-insensitive passwords when case-sensitivity would offer a good bit more security. But, oh well… There’s only so much you can do.
Randomness. Ah yes, randomness. In general terms, you should avoid using dictionary words, names, birthdates, etc. That being said, you can use dictionary words as long as you string them together in a random combination. But you’re probably better off using a long, completely random, and complex password. So long as you can remember it, of course.
And there’s the rub. It’s hard to remember a long, complex password — much less remember a different one for every site. That’s why I recommend using an encrypted password keeper such as 1Password, LastPass, or KeePass.
I personally use 1Password — no affiliation, I just love it. I also use the iPhone app so I have my passwords with me (but secure) at all times. Yes, you still have to remember a password, but just one.
And finally… Why should you use a different password at every site? Simple. Because if one account gets compromised, you don’t want people to be able to hit your other accounts.
Consider the case of Gawker Media. Gawker owns popular websites like Gizmodo and Lifehacker, and their password database was compromised about a year ago. And in that one event, tons of passwords (and their associated usernames) were dumped into public view.
Imagine if you had been using the same username and password for Gawker Media sites as you use for your online bank, credit card account, etc. You’d be facing a potential disaster.
Well, guess what? It’s not that uncommon for sites to get hacked and for username/password databases to get stolen and cracked. If that happens, your account may be compromised, but as long as you’re using different login credentials at different sites, the damage will be limited.
As an interesting aside, an analysis of the Gawker password database revealed an amazing lack of creativity, with shockingly frequent usage of such cryptographic masterpieces as 123456, password, 12345678, qwerty, abc123, 111111, monkey, 12345, letmein, and so on.
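As an added example (not code from the post), the following Python puts numbers on the length and character-set discussion above, generates random passwords and random-word passphrases the way the post recommends, and screens a candidate against the common passwords quoted from the Gawker analysis. The word list and the denylist are constructed here for illustration.

```python
import math
import secrets
import string

# Character classes the post walks through: 10 digits, 26 or 52 letters,
# and punctuation (string.punctuation is 32 ASCII symbols).
CHARSETS = {
    "digits": string.digits,
    "lower+digits": string.ascii_lowercase + string.digits,
    "mixed+digits": string.ascii_letters + string.digits,
    "mixed+digits+punct": string.ascii_letters + string.digits + string.punctuation,
}
# Constructed denylist: the entries the post quotes from the Gawker dump.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123",
                    "111111", "monkey", "12345", "letmein"}
# Constructed word list; a real one (diceware etc.) has thousands of words.
WORDS = ["correct", "horse", "battery", "staple", "nickel", "ledger", "harbor"]

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def generate_password(length: int, alphabet: str) -> str:
    """Random password from the OS CSPRNG (secrets), not the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def generate_passphrase(count: int, words=WORDS, sep: str = "-") -> str:
    """Random dictionary words strung together, as the post allows."""
    return sep.join(secrets.choice(words) for _ in range(count))

def check_policy(password: str, min_length: int = 12) -> list:
    """Problems a site-side checker would flag; empty list means it passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if sum(any(c in cls for c in password) for cls in classes) < 3:
        problems.append("fewer than 3 character classes")
    return problems

if __name__ == "__main__":
    for name, cs in CHARSETS.items():
        print(f"{name:>20}: 12 chars -> {entropy_bits(len(cs), 12):5.1f} bits")
    print(generate_password(14, CHARSETS["mixed+digits+punct"]))
    print(generate_passphrase(4), check_policy("letmein"))
```

A 12-character digits-only password comes out just under 40 bits, while 12 characters drawn from all four classes is roughly 79 bits, which is the whole point of the character-type advice.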
Note: To be completely honest, I’ve been known to use the same (relatively) easy to remember password at a number of non-critical sites around the web. But I never use this password (or the associated username) for any “mission critical” accounts.
Modified on November 21st, 2011 - 19 Comments
Filed under: Identity Theft, Online
About the author: Nickel is the founder and editor-in-chief of this site. He's a thirty-something family man who has been writing about personal finance since 2005, and guess what? He's on Twitter!
19 Responses to “Creating and Using Strong Passwords”
November 16th, 2011 at 9:15 am
No password post should be made without at least a passing reference to XKCD password comic:
http://xkcd.com/936/
It explains nicely how to generate a strong password.
November 16th, 2011 at 10:15 am
If you go back and read closely, you will see that I did make a passing reference to that very comic.
Hint: It’s in the paragraph that starts with “Randomness. Ah yes, randomness.”
But even if an individual password is both secure and memorable, the challenge is keeping track of dozens of them. Yes, you can come up with a password system (e.g., a core password with variables on the front and back end indicating which site you’re at) but I find it easier to just use a password keeper.
November 16th, 2011 at 11:40 am
Since most systems have password length limitations, or _require_ the use of numbers, special characters, and capitalization — I don’t even try to remember passwords anymore.
I use the open source KeePass:
http://keepass.info
which has variants for Windows, Linux, MacOS, PocketPC, Windows Mobile, iPhone/iPad, Android, Blackberry, Palm, etc, etc.
Put all your passwords in the encrypted database (you need to remember one password to unlock the DB) — then just email the DB file to yourself. Whenever you update the DB (with a new password), re-email it.
Also, if you die, might be good to tell the wife where the password can be found to unlock the password database so they have access to all the other accounts/passwords.
Simple, eh?
November 16th, 2011 at 12:50 pm
I recently began changing my passwords to every site that I login to. I was given a great method by a friend that has helped me remember each password even though they are different for each site.
I also want to keep a physical record for my family in case something happens to me. That way they can access everything online. I’m still figuring out how to do this. Maybe that keypass would be good.
November 16th, 2011 at 1:00 pm
Don’t pay $50 for 1Password when there are so many good, free alternatives. I’ve used Password Safe for years. I loved BG’s advice about giving someone close to you the password to your encrypted database if you should die! Not enough people confront the fact that we ALL will die and not having access to your various passwords creates a real hardship for those left behind.
November 16th, 2011 at 1:31 pm
(deleted cartoon link…)
November 16th, 2011 at 4:56 pm
I found the following combination works wonders for me and my wife.
1. Excel. You can put anything you want, in any format you want, on as many tabs as you want, and heavily encrypt it with a strong (16+ character) password. Can have passwords, account numbers, challenge phrases, etc. You can also use it as an address book, anything you want.
2. Pismo File Mount. Encrypts a folder and turns it into a PFO file. Right-click the file, type the password (another 16+ character one) and it mounts as a folder with the same name in the same location. Put everything in there — the master Excel password list, contact lists, all tax filings, budgets, forecasts, etc.
Safe and sound, and gives you ONE file to backup for safe keeping, with all your sensitive data inside it.
I looked quite a bit and have yet to find something that works as well and is as user-friendly as Pismo.
November 16th, 2011 at 5:42 pm
Dave: Does Excel truly encrypt your file, or does it just password protect it? There’s a difference, and I’m honestly not sure what it’s capable of.
November 16th, 2011 at 6:18 pm
I use Keepass to store all my passwords on my hard drive, as well as a USB backup. It’s really the only way to have unique strong passwords for each site.
November 16th, 2011 at 6:50 pm
Nickel:
Yep. 128-bit AES, rated good for US Gov’t SECRET level classified information.
http://thenewpaperclip.com/200.....007-files/
From this source, you can upgrade that to 256 bit via a registry change:
http://blogs.technet.com/b/gra.....n-xml.aspx
Encrypting a spreadsheet and putting it into an (encrypted) Pismo PFO folder/file I think is pretty robust, and easier to deal with than a ZIP file. Plus the PFO folder/file when mounted is just a regular Windows folder, so you can have all your personal/financial stuff in there, all in one place.
Just do NOT forget those passwords!
November 17th, 2011 at 7:49 am
Strong passwords are important, but one factor that mitigates the risk of having a weak password is the practice of most banks to require customers to answer personalized questions before they can even enter a password if they log in from a computer the bank doesn’t recognize. Obviously, I still agree with the advice above, but I like that most banks have this additional security feature.
November 17th, 2011 at 9:10 am
@ Nickle…..oh my. I missed that XKCD hyperlink!
Very nice and my apologies. (back to lurking)
November 17th, 2011 at 10:30 am
Ken:
Unfortunately many banks and other companies have a limited, pre-defined list of questions that is usually based on information others may know about you. It would be much better to let YOU write down the questions and the answers to your custom questions.
Bruce Schneier reported on a study done a couple years ago on this exact issue. A shocking number of “friends” could guess the answers, and 20% of people forgot their own answers shortly after they set up the accounts.
http://www.schneier.com/blog/a.....stion.html
November 17th, 2011 at 10:32 am
@Dave, how are you using Pismo to do this? Are you using the Private Folder function? (http://www.pismotechnic.com/pfo/)
Thanks for the tip!
November 17th, 2011 at 10:32 am
I’ve used a lot of solutions as well, starting with a few “standard” passwords that I then add a modifier based on the website. Then I graduated to using a password hasher, which means I hashed my standard password against the domain name to get a seemingly random but reproducible password. Now, I’m a fan of LastPass, which gives me an actual random password and which provides an easy way for me to track more sensitive information other than just my passwords in one secure vault.
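The "password hasher" approach this comment describes, as an added example rather than the commenter's tool: a hypothetical scheme that derives each site password from a master password with PBKDF2, using the domain as the salt, plus a rotation counter so one site's password can be changed without changing the master. The master phrase and domains below are constructed; the standing caveat is that anyone who learns the master can derive every site password.

```python
import base64
import hashlib

def site_password(master: str, domain: str, counter: int = 1,
                  length: int = 16, iterations: int = 200_000) -> str:
    """Hypothetical password-hasher scheme: derive a per-site password from
    the master. The lower-cased domain plus a rotation counter is the salt,
    so the same inputs always reproduce the same password, and bumping the
    counter rotates one site without touching the master. PBKDF2's iteration
    count makes guessing the master from a leaked site password slower than
    a single hash would."""
    salt = f"{domain.lower()}#{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=24)
    # 24 bytes -> 32 base64 characters (letters, digits, '+', '/'), no '=' padding.
    return base64.b64encode(key).decode()[:length]

if __name__ == "__main__":
    master = "constructed master phrase"      # constructed sample input
    print(site_password(master, "example.com"))
    print(site_password(master, "example.com", counter=2))  # rotated
```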
November 17th, 2011 at 10:38 am
Jonathan:
Yes, that is exactly how I have it set up. It works very well for me.
Of course, I would prefer an open source and community supported piece of software, but I didn’t find one that worked as well, as simply, and as seamlessly as this one.
November 17th, 2011 at 8:34 pm
Dave,
Thanks for the link. It’s interesting, but I think it overstates the risk. For one thing, the article says 13% of the answers could be guessed within 5 attempts. I question whether most bank sites would let you guess incorrectly several times in a row before telling you your account is locked and you have to call customer service.
Secondly, I’m not really worried about friends hacking into my bank account. I’m worried about some Russian mafia guy in the Ukraine or a dude in Nigeria. Those guys are going to have a tougher time getting my secret questions right. Either way, my friends and the guy in the Ukraine would have to not only guess the name of my first grade teacher for example, but they’d also have to guess my password. I don’t see that happening.
Again, I’m not questioning the need for a strong password. The advice here is sound.
November 18th, 2011 at 2:32 pm
It is a huge pet peeve of mine that sites don’t have consistent requirements for passwords, which makes it impossible to have a viable system for generating strong passwords (ones that are unique to each site, but you can remember when you need to).
I try to have a long password but some sites limit characters; some don’t allow special characters while some require them; some don’t even allow numbers in the beginning or end of a password. Crazy!
August 1st, 2012 at 5:43 pm
Curious how people handle web logins stored in one of these programs: do you copy the password from the program into the web site password input, or do you use a program that integrates into your browser?
Planning to move to this type of setup/program and trying to get my ducks in a row. Thanks for any tips!