What makes a password great?

Monkey, ninja, baseball, football: Words related to hurling inexplicably fast objects towards unwitting onlookers?  Not this time.  These are just four of the top 25 most stolen passwords in 2012, as reported by splashdata.comStolen is the key word here.

Two methods for stealing login credentials are:

  1. Guessing the password based on general or personal information (birthdays, spouse’s name, child’s name, workplace surroundings)
  2. Cracking a web site or server, gathering huge lists of login credentials (often not even encrypted)

Method 1 is what I will call “local threats” where the intruder probably knows you, and at least has direct access to your workspace or public-knowledge-information.  Method 2 is a “remote threat”, where an attacker is not necessarily targeting you, per se, but rather a large segment of users in which you have been included.

To protect yourself from these methods, create a password that incorporates each of the following suggestions:

Make it a “Strong Password”

The generally accepted definition for “strong password” is one of at least eight characters in length with uppercase, lowercase, number, and special (.!@# etc.) characters.  This, however, is a bare minimum recommendation.  A good password uses as many characters as you are willing to remember, and although a “strong password” is a great defense, it is not the whole defense.

Make sure it has nothing to do with you or your workspace surroundings

Password on a Post-It (Original photo by Pavel Krok)

Remove that Post-It from the bottom of your keyboard right now! Go ahead, I won’t look.

This is an important step to follow in order to avoid password theft using method 1.  Assume everyone knows everything there is to know about you.  Now, choose a password with that in mind.  “St@nford98” might be considered a “strong password”, but when you hang your 1998 Stanford degree above your computer monitor, that may be one of the first things someone tries when they sit down at your desk.  Also, you may have the strongest, most random 26 character password in the world, but if you have it written down anywhere, someone will find it.

Make it easy enough to remember

Picking a word or phrase with an easily recallable number association is a great way to come up with a password, but make sure the word is an obscure reference that nobody would think to guess.  Pick an insignificant detail from a memorable event.  For example, I recently took my daughter to her first baseball game and we had lunch together there in the 7th inning: “H@mburgerInThe7th”.  It does not mean anything to anybody but me, and I can remember it fairly easily so I do not have to write it down.

Make it unique to the web site you are creating it for

This is a very important aspect to password security.  In the case that a web site has failed to properly secure your log in information, it is important that one compromised password does not compromise every account you own.  One method I have come up with provides two fail-safes to protect your password:  Copy and paste a portion of the domain name of the website you are accessing as the start of your already-strong password: my password for google.com becomes “gooH@mburgerInThe7th”, my password for twitter.com becomes “twiH@mburgerInThe7th”.

With unique passwords, a compromised Twitter password does not also result in a compromised Google password.  Also, physically copying and pasting that portion of the domain every time makes you look at the domain name.  That means if you are the target of a phishing attack at twtter.com (notice there is no “i”) and you cut and paste “twt” for the start of your password, not only will they not get your real Twitter password, but you will probably not attempt to log in when you realize you are not actually at “twitter.com”.

Change your passwords

Finally, with all these suggestions in mind, it is time to stop using “password1″.  Coming up with a good password for new log-ins  is great, but it does nothing to protect what is already out there.