Is Your Password Strong Enough?
You wouldn't lock up your car and leave the key in the door as you walked away. But many people do essentially the same thing when they create weak passwords for their online accounts. Don't make it easy for hackers to plunder your bank account or go on an online spending spree with your credit card. Here are some tips to help you create and manage passwords...
How Secure is Your Password?
I used to say "If you can remember your password, it's not strong enough." But my thinking on this has changed, somewhat. Short passwords composed of familiar words and only alphabetical characters are easy pickings for "brute force" password-cracking software. Such software simply cycles through all possible combinations of letters until it hits the set that works. This is why many Web sites insist that you create a password of 8 characters or more, and include at least one non-alphabetical character.
But 8 characters is a poor compromise between security and user convenience. Actually, 12 or more characters are needed to make a password that would take too long to crack with brute force. Don't limit yourself to all lowercase letters, or just numbers and alphabetical characters, either.
The best advice I've seen on this topic is to choose a password that's memorable, which contains a combination of uppercase and lowercase letters, along with at least one number and at least one special character. But on the other hand, length trumps complexity.
For some excellent info on how to gauge the strength of your password, see Steve Gibson's article on password haystacks. I also recommend How Secure Is My Password?, which is a password security calculator that tells you whether your password is good or bad and WHY. For example, it'll warn you if your password is too short, contains only common dictionary words, or if it needs more character variety.
If all that sounds confusing, here are some examples of what I'm suggesting:
|SAMPLE PASSWORD||TIME NEEDED TO CRACK|
|Mary had 1 little lamb!||30 octillion years|
|the dog ate my homework||837 quintillion years|
|q!M*c.4XP&7+||4 million years|
You might think the 12-character one that looks like gibberish is the best, but the first example is actually the strongest, because it's longer, and it contains upper, lower, numeric and special characters. The second example is also better than the third one (even though it's all lowercase) just because it's long -- 23 characters. The first two are uncrackable using current technology, and have the advantage of being easy to remember. Hopefully you can see why the last two are poor choices.
Using the same password everywhere you need one is a bad idea, too. If that password is compromised, a bad guy has a master key to your email, bank account, credit cards, Facebook page, and everything else a password is supposed to keep him out of. Create a unique password for every online account you create, or at least for the most sensitive personal accounts.
Many sites let users choose a "security question" from a list and supply a supposedly secret answer that will serve to confirm your identity in case you lose or forget your password. But think about what you've posted online, and what's available through public records. Your mother's maiden name and the high school you attended are not secrets. Whenever possible, create your own security question with an answer that can't be Googled.
Managing Your Passwords
The leading web browsers ask, by default, "Do you want me to remember your password for this site?" Well, of course you don't! Letting a web browser automatically fill in your password is like telling your car to turn the key for whoever touches the door handle. Disable this "feature" and don't store passwords in your browser.
If you follow these guidelines, you will need help managing passwords. Password management software will help you create strong passwords, store them securely, and automatically enter them on web forms. A master password gives you access to the database as needed. Make it as complex as you can remember. See my article on the Best Passwords Managers.
If you want to take it one step further, look into a security feature called 2-step verification. This can make your online accounts more secure by helping to verify that you are truly the owner of an account. You may have already seen this on some banking websites. For some transactions, your username and password are not enough. After logging in, you may need a pin code sent to you in a phone or text message, before completing a transaction. Google is now offering this type of enhanced security for Google accounts such as Gmail, Google Docs, etc. Using this additional layer of security means that even if you gave someone your password, they wouldn't be able to login.
How do YOU manage your passwords? Post your comment or question below...
This article was posted by Bob Rankin on 22 Jan 2013
|For Fun: Buy Bob a Snickers.|
Is The FBI Holding Your Computer for Ransom?
The Top Twenty
Geekly Update - 23 January 2013
There's more reader feedback... See all 28 comments for this article.
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Is Your Password Strong Enough? (Posted: 22 Jan 2013)
Copyright © 2005 - Bob Rankin - All Rights Reserved