There have been many articles written about online passwords and security, but I know that some people who read this blog don’t read tech blogs. The Gawker Incident last year showed in a big way why you shouldn’t use the same password all across the web. One security breach and someone has your password. If that happens, the worst-case scenario is that someone uses that password and e-mail address to do nefarious things. The best-case scenario is that you have to change all your passwords. Neither would be enjoyable.
When creating passwords there are three things you want to avoid:
1. Using the same password everywhere
2. Using passwords that can be guessed
3. Using passwords that can be brute forced[1]
At this point, rule #1 is the most violated and presents the most risk. Password guessing is tough for strangers, and many websites[2] offer some feature to track or prevent it.[3] Brute force comes in two forms, and only one is easily defeated. A program hammering a login page is stopped by those same lockouts and notifications. But when a site’s password database leaks, as Gawker’s did, the attacker runs his guesses offline against the stolen hashes at whatever speed his hardware allows, and a short or predictable password does not survive that. Re-using the same password is the one thing only the user can control, and it is compromised the moment any one of the sites you used it on is breached. The problem with using different passwords for everything is the challenge of remembering all of them.
Write Down Your Passwords
The equivalent to “don’t talk to strangers” in the tech world is “don’t write down passwords.” This rule is 100% true in offices or businesses, but unless you live with someone you don’t trust, it makes little sense at home. Even if you have all of your passwords written down next to your computer and someone has access to those, they are already in your house and in all likelihood the fact that they have your Facebook password is the least of the issues. Write down your passwords and keep them in a drawer somewhere. That way they will be hidden from anyone you have over who might need to use your computer, but will be there if you forget any passwords.
If you feel uneasy about this, get creative. Make it a long list with lots of fake passwords intertwined. Write down the wrong site names next to the passwords to throw people off. Just make sure there is a way for you to remember which is which.
Tiered Password System
It’s also useful to use a tiered password system. The idea is that password strength increases with the importance of the account.
Tier one would include things like the forums you frequent about dogs that play musical instruments. It’s unlikely anyone could do anything malicious with that password, so strength isn’t as important. If you are confident that the site doesn’t hold any personal information, then go nuts using the same easy-to-remember password for generic sites. The one rule: that throwaway password must not resemble your higher-tier ones, because a hobby forum is exactly the kind of site that leaks its password list, and whoever gets it will try it, and obvious variations of it, against your e-mail.
The second tier is what I call medium security. These should be strong passwords, but ones that can still be easily remembered. These are the passwords you will type the most and they shouldn’t be re-used; think e-mail, Facebook, Amazon, etc. In a perfect world these passwords contain upper and lower case letters, numbers and a symbol or two. The shorter the password, the more variation is needed. But length can stand in for complexity: a longer password with fewer character types can be as hard to crack as a shorter, busier one.
The best tip I can offer is to create your own system for creating passwords. Patterns are OK as long as they aren’t guessable. For example, let’s say that I am a fan of the New York Yankees and I want to make a system using players from the Yankees. Using the Password Meter website, here are the strength scores that some passwords would achieve:
baberuth - 9%
baberuth3 - 27%
BabeRuth - 29%
babe3ruth - 31%
BabeRuth3 - 33%
Babe3Ruth - 62%
Babe+3+Ruth - 95%
bAbe+3-ruTh - 99%
You can see the strength increase as things get more complicated, but even the second-to-last one isn’t all that complicated to remember. The one thing Password Meter doesn’t take into account is context. The meter rewards mixing upper case, digits and symbols; it has no idea whether the result is predictable. Anyone who is a baseball fan knows that Babe Ruth’s number was 3, which is why I used it. So if someone knows I am a Yankee fan and figures out my pattern, they could guess the password for my other e-mail account, “Lou+4+Gehrig”, and a cracking program fed a list of player names and a few rules for mixing in numbers and separators would reach “Babe+3+Ruth” in a handful of guesses no matter what the meter says. So when going with a system like this, it’s nice to add a twist, like multiplying the jersey number by 11, or something else that’s easy for you to remember but hard to guess.
The third tier of passwords should be bulletproof NSA-style passwords for highly sensitive information like bank accounts, or any other place where identity theft could occur. These should be at least 10 characters long (treat that as a floor, not a target) and contain a variety of upper/lower case, numbers and symbols. They shouldn’t contain any dictionary words straight up. In this case, using a phrase from a movie or song is a great method.
For example, if you love A Few Good Men, you could take the line “You can’t handle the truth!” and turn it into something like “JN:Yc’thtt!”. I put JN for Jack Nicholson and changed “can’t” to “c’t”. Otherwise I just used the first letter of each word. That password scored 91% on Password Meter. You can get creative and change it up to “J:Yc’thtt!:N”, which would earn you 100% on Password Meter. It looks like gibberish to most, but with the background I gave it’s totally meaningful.
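An added example, not code from the original post, of what “brute force” looks like once a site’s password database has leaked (the situation described at the top of the post) and of why the meter scores above don’t measure guessability. It is a small rule-based cracker of the kind run against such a dump. The “leaked” table of unsalted SHA-1 hashes, the attacker’s wordlist of Yankees (Babe Ruth, Lou Gehrig, Mickey Mantle with jersey numbers 3, 4 and 7) and the mangling rules are all constructed here for the demonstration; several of the sample passwords are taken from the list above. It also computes the keyspace a character-class meter effectively credits a password with, for comparison.

```python
# Added example, not code from the original post. A rule-based cracker run
# against a constructed "leaked" table of unsalted SHA-1 hashes, using a
# context wordlist (Yankees names and jersey numbers) plus simple mangling rules.
import hashlib
import string

# Constructed sample users; several passwords come from the Password Meter list above.
SAMPLE_PASSWORDS = {
    "alice": "baberuth",
    "bob": "BabeRuth3",
    "carol": "Babe3Ruth",
    "dave": "Babe+3+Ruth",
    "erin": "bAbe+3-ruTh",
}
# The "dump": username -> unsalted SHA-1 hex digest, as a careless site might store it.
LEAKED = {u: hashlib.sha1(p.encode()).hexdigest() for u, p in SAMPLE_PASSWORDS.items()}

# Attacker's context: a few players and their jersey numbers (constructed, not exhaustive).
PLAYERS = [("babe", "ruth", "3"), ("lou", "gehrig", "4"), ("mickey", "mantle", "7")]
SEPARATORS = ["", "+", "-", "_", " "]


def casings(word):
    """The three case variants people actually type; a list keeps guess order stable."""
    return [word.lower(), word.capitalize(), word.upper()]


def candidates():
    """Generate guesses from most to least likely: bare name, name plus a
    one- or two-digit suffix, jersey number inside the name, then separators."""
    for first, last, number in PLAYERS:
        for fv in casings(first):
            for lv in casings(last):
                yield fv + lv
                for d in range(100):
                    yield f"{fv}{lv}{d}"
                yield f"{fv}{number}{lv}"
                for sep in SEPARATORS:
                    yield f"{fv}{sep}{number}{sep}{lv}"
                    for d in range(100):
                        yield f"{fv}{sep}{d}{sep}{lv}"


def crack(table, max_guesses=100_000):
    """Return {username: (password, guess_number)} for every hash recovered."""
    by_hash = {h: u for u, h in table.items()}
    found = {}
    for n, guess in enumerate(candidates(), 1):
        if n > max_guesses:
            break
        user = by_hash.get(hashlib.sha1(guess.encode()).hexdigest())
        if user is not None and user not in found:
            found[user] = (guess, n)
            if len(found) == len(table):
                break
    return found


def naive_keyspace(password):
    """What a character-class meter credits: (alphabet size) ** length."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)


if __name__ == "__main__":
    found = crack(LEAKED)
    for user, pw in SAMPLE_PASSWORDS.items():
        status = f"cracked at guess {found[user][1]}" if user in found else "not found"
        print(f"{user:6} {pw:14} naive keyspace {naive_keyspace(pw):.1e}  {status}")
```

Every password from the list except the last falls within a few thousand guesses, including “Babe+3+Ruth” with its 95% score and a nominal keyspace of 94 to the 11th power; the cracker never considers that keyspace, it considers the pattern. “bAbe+3-ruTh” survives only because its irregular casing and mixed separators are outside the rules, which is the “twist” the post recommends. Real dumps are worse for the defender than this one: a site that stores unsalted fast hashes lets the attacker check every user against every guess at once.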
There is a software solution to the problem, several actually. 1Password is the gold standard, with versions for Mac, Windows, iOS and Android. The idea here (if you couldn’t tell from the name) is that you only have to remember a single password, your Master Password. This is the password you type to save and fill the others. So as long as you have 1Password available on the computer you are on, it feels like using the same password for everything, except that every site gets its own password and the one you remember isn’t the one any site stores. The Mac and Windows versions are accompanied by browser plugins that let passwords be saved and filled with a click without opening the application. The iOS version requires you to look up the password separately in the application when you need it. The biggest downside to 1Password is cost. The desktop versions run $40 and the iOS version costs $15. Regardless, these are the first apps I would buy if I had to start over.
LastPass is a free alternative that is extremely popular. Besides being free, LastPass is simply a browser extension that stores its data in the cloud and is therefore accessible from any browser, a major plus over 1Password. To use the mobile applications, though, a premium subscription must be purchased, but that runs just $1 a month, which means you get over a year’s worth of use for the cost of the 1Password iOS app. The downside is that your data is stored elsewhere and therefore somewhat at the mercy of LastPass. Although you can export your data, it appears the export ends up in a plain text file, so if you ever make one, treat it like the written list in the drawer and delete it when you are done with it.
If recent history has taught us anything, it’s that companies can screw up and allow passwords to get out. This becomes a major issue if you use the same password everywhere. So if you are one of those people, make it a priority to break the habit. It doesn’t have to be an all-at-once activity. As you log in to places over the next couple of months, start changing passwords one by one. It seems inconvenient, but dealing with your bank after someone accesses your account would be much more inconvenient.
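An added example, not 1Password’s or LastPass’s code and not a description of how either product is actually built: a simplified model of the one thing a password manager must get right, which is turning the master password into the key that protects the vault, so that a stolen vault file (or a copy held by a cloud provider) is only as good as that master password. PBKDF2-HMAC-SHA256 from Python’s standard library stands in for the products’ real key derivation; the iteration count, the key-check construction, the sample master passwords and the guess list are assumptions made for the demonstration.

```python
# Added example, not code from 1Password, LastPass, or the original post.
# A simplified vault-unlock model: master password -> PBKDF2 key -> key-check value.
import hashlib
import hmac
import os
import time

# Illustrative work factor (assumption); real managers use far higher counts.
ITERATIONS = 20_000
KEY_CHECK_TAG = b"vault-key-check"


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256. Deliberately slow: every offline guess must pay this cost."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_vault_header(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Everything a thief gets from a stolen vault besides the ciphertext: a random
    salt, the iteration count, and a key-check value (HMAC of a fixed tag under the
    derived key) that reveals whether a candidate master password is correct."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "check": hmac.new(key, KEY_CHECK_TAG, "sha256").digest(),
    }


def unlock(header: dict, master_password: str):
    """What the manager does locally when you type the master password.
    Returns the vault key on success, None otherwise."""
    key = derive_key(master_password, header["salt"], header["iterations"])
    check = hmac.new(key, KEY_CHECK_TAG, "sha256").digest()
    return key if hmac.compare_digest(check, header["check"]) else None


def offline_attack(header: dict, guesses):
    """What a thief with the file does: run guesses until one unlocks.
    Returns (password, guesses_used) or (None, guesses_used)."""
    for n, guess in enumerate(guesses, 1):
        if unlock(header, guess) is not None:
            return guess, n
    return None, len(guesses)


def seconds_per_guess(header: dict) -> float:
    """Cost of one guess on this machine; the iteration count scales it directly."""
    start = time.perf_counter()
    unlock(header, "timing probe only")
    return time.perf_counter() - start


# Constructed guess list: the same kind of fan-pattern guesses discussed above.
GUESSES = ["baberuth", "BabeRuth3", "Babe+3+Ruth", "password", "letmein", "Lou+4+Gehrig"]

if __name__ == "__main__":
    weak = make_vault_header("Babe+3+Ruth")          # a tier-two pattern as master password
    strong = make_vault_header("J:Yc'thtt!:N")       # the post's third-tier example
    print("weak master:", offline_attack(weak, GUESSES))
    print("strong master:", offline_attack(strong, GUESSES))
    cost = seconds_per_guess(strong)
    print(f"{cost * 1000:.1f} ms per guess here; exhausting 94**12 would take "
          f"{94 ** 12 * cost / 3.15e7:.2e} years on this machine")
```

The two functions are the same computation seen from two sides: unlock() is the legitimate user paying the PBKDF2 cost once, offline_attack() is a thief paying it once per guess. That is why the master password belongs in the third tier, not the second, and why it matters that the vault’s work factor is high: it is the only thing standing between a stolen or provider-held vault file and every password inside it.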
[1] Passwords that can be guessed by computer programs
[2] At least the important ones
[3] Either with notifications of failed logins, two-factor authentication, or accounts that lock users out temporarily after several failed attempts