How safe are your passwords? If you bank online, the only thing standing between you and a financial disaster is your password (and perhaps your username). And yet many people do an astonishingly bad job of selecting secure passwords.
A big part of the problem is that secure passwords are hard to remember. When combined with the fact that most of us have dozens of online accounts (if not more), it’s tempting to just pick an easy-to-remember phrase and use that. Over and over. But that’s exactly the wrong approach.
So what makes for a secure password? For starters, it should be relatively long. All else being equal, longer passwords are harder to crack. It should also be complex, using as many different character types as possible. And it should be as random as possible, avoiding common words, names, etc.
Oh, and you should also use a different password at every site.
In general terms, you should shoot for 12-14 characters, assuming the system will allow it. Some systems don’t allow long passwords like this, which is unfortunate, so you’ll just have to do the best you can. But, all else being equal, longer passwords are harder to crack.
As far as character selection goes, the more character types you include, the more complex your password can be, and the harder it will be to crack. If you stick to numbers, you only have ten characters to choose from. Add in letters and you have 26 (case-insensitive) or 52 (case-sensitive) more options. Throw in special characters (punctuation marks) and you add yet another dimension.
You will, of course, have to stick to what is allowed, but most modern systems now allow numbers, letters, and special characters. Of course, some seemingly security-conscious websites (*cough* TreasuryDirect *cough*) use case-insensitive passwords when case-sensitivity would offer a good bit more security. But, oh well… There’s only so much you can do.
Randomness. Ah yes, randomness. In general terms, you should avoid using dictionary words, names, birthdates, etc. That being said, you can use dictionary words as long as you string them together in a random combination. But you’re probably better off using a long, completely random, and complex password. So long as you can remember it, of course.
And there’s the rub. It’s hard to remember a long, complex password — much less remember a different one for every site. That’s why I recommend using an encrypted password keeper such as 1Password, LastPass, or KeePass.
I personally use 1Password — no affiliation, I just love it. I also use the iPhone app so I have my passwords with me (but secure) at all times. Yes, you still have to remember a password, but just one.
And finally… Why should you use a different password at every site? Simple. Because if one account gets compromised, you don’t want people to be able to hit your other accounts.
Consider the case of Gawker Media. Gawker owns popular websites like Gizmodo and Lifehacker, and their password database was compromised about a year ago. And in that one event, tons of passwords (and their associated usernames) were dumped into public view.
Imagine if you had been using the same username and password for Gawker Media sites as you use for your online bank, credit card account, etc. You’d be facing a potential disaster.
Well, guess what? It’s not that uncommon for sites to get hacked and for username/password databases to get stolen and cracked. If that happens, your account may be compromised, but as long as you’re using different login credentials at different sites, the damage will be limited.
As an interesting aside, an analysis of the Gawker password database revealed an amazing lack of creativity, with shockingly frequent usage of such cryptographic masterpieces as 123456, password, 12345678, qwerty, abc123, 111111, monkey, 12345, letmein, and so on.
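To put numbers on the advice above (length, number of character types, case-sensitivity, random dictionary words, and the Gawker-style common passwords), here is an added Python example of my own; it is not code from the original post. The sample strings and the dictionary size of 8192 words are constructed for illustration, and the entropy figures assume every character or word was chosen uniformly at random.

```python
import math
import string

# Constructed from the common passwords named in the Gawker analysis above.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123",
                    "111111", "monkey", "12345", "letmein"}

# Character classes from the post: 10 digits, 26 lowercase, 26 uppercase, punctuation.
CHAR_CLASSES = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "punctuation": string.punctuation,   # 32 symbols in Python's table
}


def alphabet_size(password: str, case_sensitive: bool = True) -> int:
    """Size of the alphabet implied by the character classes present in the password."""
    present = {name for name, chars in CHAR_CLASSES.items()
               if any(ch in chars for ch in password)}
    size = 0
    if "digits" in present:
        size += len(string.digits)
    if "punctuation" in present:
        size += len(string.punctuation)
    letters = present & {"lowercase", "uppercase"}
    if letters:
        # A case-insensitive site (like the TreasuryDirect example) collapses 52 letters to 26.
        size += 26 * len(letters) if case_sensitive else 26
    return size


def password_bits(password: str, case_sensitive: bool = True) -> float:
    """Bits of entropy for a password of this length drawn uniformly from its alphabet."""
    size = alphabet_size(password, case_sensitive)
    return len(password) * math.log2(size) if size else 0.0


def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """Bits for n words chosen uniformly at random from a dictionary (the L8 approach)."""
    return n_words * math.log2(dictionary_size)


def assess(password: str, case_sensitive: bool = True, min_length: int = 12) -> dict:
    """Apply the post's rules: not on a leaked list, at least 12 chars, then report bits."""
    if password.lower() in COMMON_PASSWORDS:
        # Anything on a leaked list is tried first, whatever the length arithmetic says.
        return {"bits": 0.0, "verdict": "on common-password list"}
    bits = password_bits(password, case_sensitive)
    if len(password) < min_length:
        return {"bits": bits, "verdict": f"too short (< {min_length})"}
    return {"bits": bits, "verdict": "ok"}
```

Running `assess("Xk9#mq2!Lp7vB")` shows how four character classes over 13 characters compare with `passphrase_bits(4, 8192)` for four random words; the entropy numbers only hold for genuinely random choices, not for a word with a digit swapped in.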
Note: To be completely honest, I’ve been known to use the same (relatively) easy-to-remember password at a number of non-critical sites around the web. But I never use this password (or the associated username) for any “mission critical” accounts.