No matter how sophisticated security gets, we still need to handle the basics properly. One of the most basic tasks is to create and use secure passwords. You need them to log onto your computer, reach internal applications, and enter just about every website you visit. They are pervasive in our connected world.
But how many of us give any real thought to how secure our passwords are? Because we use them so often, we’re tempted to reuse the same one over and over again. However, as your mother might say, that’s a poor decision. Here are pros and cons of several common password techniques, and a simple-to-remember method that is both easy for you and hard for hackers.
Frequency and complexity
Our decisions about passwords usually balance frequency against complexity. The more often we type a password, the easier it is to remember; the more complex it is, the harder. That tension leads many people to use one password for every online account, so banking, auction, and social networking sites all end up with the same username and password. A hacker who compromises any one of those sites then holds the credentials for all of them. Remember that once you give a password to a website it is in that website’s hands, not yours: you cannot control how it is stored or who gets to read it. Handing a site a password that also opens your other accounts is therefore a poor way to maintain security.
Users should avoid any password that can be cracked by a dictionary attack. If your password appears in an unabridged dictionary, a program can “guess” it simply by trying every entry. “123456” offers no protection against such an attack: it is the most commonly used password there is and sits near the top of any cracking wordlist. Profanity may make the password awkward to discuss in polite company, but that social boundary will not stop someone willing to break the law to steal your identity.
Most people’s password habits fall into one of three categories:
- The global password. Many people use the same password everywhere. This is the worst password method; it means that someone who hacks a website that you bought something from years ago can now get into all your most frequently used accounts.
- The short list of passwords. Others keep a short, tiered list of passwords that they reuse: their most complex password for financial websites, a simpler one for shopping sites, and another for social networking. This is a large improvement over a single global password, but a large improvement on “worst” is still not good; a breach of one site in a tier exposes every other site in that tier.
- The black book of passwords. Some people choose a unique password for every website they visit, but because the list is too long to remember, it all ends up on a pad of paper kept near the computer. This is unwieldy and inflexible (travel without the pad and you are locked out), and the list can be lost or stolen by anyone who gains brief access to your office or computer. Many corporate environments that force people to change their passwords constantly are littered with passwords on sticky notes or on paper in a drawer accessible to coworkers, cleaners, or burglars.
Creating your password algorithm
In creating passwords we want to maximize complexity and eliminate repeated passwords without adding any stress to our brains. To do this we need an internal algorithm that generates a unique, difficult-to-guess password for every website we visit. The algorithm must be repeatable, so that remembering individual passwords no longer matters: all we need to remember is the algorithm that generates them. Thus we take something about ourselves (a personal token), add something unique about the website in question, and transform that information so that the algorithm is not obvious to anyone looking at a single password.
Here is an example of a password for mcafee.com.
My token: light
The website: mcafee.com
The password: 123l1ghTjdqr33^!
In spite of the password’s complexity, the algorithm here is relatively simple. We start with “123,” then add the word “light” with the “i” replaced by the number 1 and the final “t” capitalized. We add “jdqr33,” the letters (and numbers) directly above the letters of “mcafee” on a QWERTY keyboard. We finish with a “bang,” “^!,” to make sure the password includes some special characters.
Here’s another password with the same token and website:
The password: LlIiFCM999gh+
That’s the “li” in “light,” but with an upper and lowercase of each, then capitalized consonants from “mcafee” written backward, a few 9’s, and a “ght” with the “t” replaced by a plus sign.
Your algorithm can be anything you want, but it should produce numbers, letters (both capital and lowercase), and special characters. Some password validation rules reject special characters, and others require the password to start with a letter, so decide in advance how you will adapt: a version with the special characters stripped can be your second try, and a version that begins with a letter your third. A good password algorithm stops someone who obtains one password from using it on all your accounts, makes each password hard to guess, and spares you from carrying a list of passwords. Bear in mind that the algorithm itself is your real secret: two of your passwords seen side by side can reveal the pattern, so keep the transformation steps to yourself.
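The following Python script is an added example, not code from the original article or from McAfee. It reconstructs the two worked rules above (token “light,” site mcafee.com) so you can check that the steps really do reproduce “123l1ghTjdqr33^!” and “LlIiFCM999gh+,” generates the fallback tries for sites that reject special characters or demand a leading letter, and measures how much two passwords from the same rule have in common. The QWERTY row layout, the “key above” lookup by row index, the fallback policy, and the use of example.com as a second site are all assumptions made for this example.

```python
import re

# Constructed for this example: US QWERTY digit/letter rows, top to bottom.
# The key "above" a key is taken as the key at the same index in the row above,
# which reproduces the article's mapping m->j, c->d, a->q, f->r, e->3.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

KEY_ABOVE = {
    low: upper_row[i]
    for upper_row, lower_row in zip(QWERTY_ROWS, QWERTY_ROWS[1:])
    for i, low in enumerate(lower_row)
}


def keys_above(text):
    """Replace each character with the key above it; unmapped characters pass through."""
    return "".join(KEY_ABOVE.get(ch, ch) for ch in text.lower())


def site_label(site):
    """'mcafee.com' -> 'mcafee': the part of the hostname the rules feed on (assumed)."""
    return site.lower().split(".")[0]


def rule_one(token, site):
    """Article's first example: '123' + token with i->1 and its last letter
    capitalized + the keys above the site label + '^!'."""
    word = token.replace("i", "1")
    word = word[:-1] + word[-1].upper()
    return "123" + word + keys_above(site_label(site)) + "^!"


def rule_two(token, site):
    """Article's second example: the first two token letters as Upper+lower pairs,
    the site label's consonants reversed and capitalized, '999', then the rest
    of the token with a trailing 't' swapped for '+'."""
    head = "".join(c.upper() + c.lower() for c in token[:2])
    consonants = "".join(c for c in site_label(site) if c not in "aeiou")
    tail = token[2:]
    if tail.endswith("t"):
        tail = tail[:-1] + "+"
    return head + consonants[::-1].upper() + "999" + tail


def candidates(token, site, rule=rule_one):
    """Ordered tries for sites with restrictive rules (assumed fallback policy):
    the primary password, then the same without special characters, then the
    same with leading non-letters dropped so that it starts with a letter."""
    primary = rule(token, site)
    return [
        primary,
        re.sub(r"[^A-Za-z0-9]", "", primary),
        re.sub(r"^[^A-Za-z]+", "", primary),
    ]


def longest_common_substring(a, b):
    """Dynamic-programming longest common substring of two strings."""
    best, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best, best_end = cur[j], i
        prev = cur
    return a[best_end - best:best_end]


def cross_site_overlap(token, site_a, site_b, rule=rule_one):
    """What someone holding the password for site_a learns about site_b's:
    the longest run shared by the two passwords. A long overlap means the
    token and the fixed framing are exposed by a single breach."""
    return longest_common_substring(rule(token, site_a), rule(token, site_b))


if __name__ == "__main__":
    print(rule_one("light", "mcafee.com"))   # 123l1ghTjdqr33^!
    print(rule_two("light", "mcafee.com"))   # LlIiFCM999gh+
    print(candidates("light", "mcafee.com"))
    print(cross_site_overlap("light", "mcafee.com", "example.com"))  # 123l1ghT
```

The overlap check is the caveat worth taking away: with the first rule, the passwords for mcafee.com and example.com share “123l1ghT,” the whole token and prefix, so one breached site hands an attacker most of the pattern. Pushing more of the site-derived material into the middle of the password, or changing the token after a breach, shrinks that overlap.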
Where your office administrator forces you to change your password frequently, you need write down only the token for that password, never the password itself. Even if someone finds your little black book, they will be lost without the algorithm.