Good passwords are hard to crack and hard to remember. As a result, many people don't use really good passwords, even though they should. We'll look at what makes a good password, and some ways to make them easier to remember.

I told my friend my password, and she said it was a really bad one. What does it mean to have a "bad" password? And what's a "good" one, then?

You told someone else your password? Yikes! I've seen more accounts get stolen by that one simple act than by any other single cause. I sure hope you know what you're doing - most people that have told a friend their password have come to regret it.

So what's a bad password? One that someone could easily guess.

A good password? One that's hard to guess, of course.

The problem is that people are way better guessers than you think. And it gets worse if the guesser starts using a computer to do the "guessing" for them.

What's a bad password?

A bad password is any password composed of common words or names, particularly if the password is short. For example, "iLoveMikey" is a bad password. "mydogspot" is a bad password. "GeorgeInParis" is a bad password. All are simply combinations of words or names. On top of that, many people choose bad passwords that express information that someone who knows you might be able to guess. If your boyfriend's name is "Mikey", your dog's name is "Spot", or you met someone named "George" during a trip to Paris, these are all things that people who know just a little about you can use to start making some educated guesses as to what your password might be.

And as I said, people can be really good guessers.

The irony is that the people who know you the best - your friends - are the ones who can probably make the best guesses and are the most likely to guess your password if it's a bad one.

Another problem with passwords made up from words and names is that it's really easy for a determined hacker to set up a computer with a dictionary of words and names and have it start trying combinations until something works.

What's a good password?

A good password is a long random sequence of characters - letters, numbers and any "special characters". "qicITcl}" is a good password. "rAg2imWOIgIf47IM24busml6kpetPF9UGRpPAFBMCoSmSTptbDcOxwcG3aPoa79" is a great password. The best passwords are made up of completely random characters and are as long as you can make them.

You can see the problem - great passwords are impossible to remember. So if you can't remember it, what good is it?

The solution is either a compromise, or the use of some technology.

The compromise

The compromise I use works like this:

  • I never include full English words or names - instead I use misspellings or phonetic sound-alikes

  • I always include a mix of uppercase and lowercase letters and numbers

  • I always make sure the password is at least eight characters long, preferably longer

So, for example, while "Macintosh" is bad, "Mac7T0sh" might be good and probably easier to remember. "HondaPrelude" is bad, but "Pre7ood6" is much, much better.

The bottom line for this compromise: pick a random looking password that YOU can remember but that "they" would never guess - and as I've said a couple of times, always assume that "they" are always really great guessers.
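As an added illustration (not code from the original article), the following Python checker applies the three compromise rules above to the article's own sample passwords: it flags whole dictionary words or names embedded in the password, requires a mix of upper case, lower case and digits, and enforces the eight-character minimum. It also estimates how large a blind brute-force search space the password presents. The small word list is constructed for the example; a real check would load a full wordlist.

```python
import math
import re

# Constructed stand-in for the dictionary of words and names a guesser would feed a computer.
# A real check would load a large wordlist; this small set is enough to show the rules at work.
COMMON_WORDS = {
    "macintosh", "honda", "prelude", "love", "mikey", "spot", "george", "paris", "password",
}
MIN_WORD_LEN = 4      # ignore short fragments such as "mac" that match by accident
MIN_LENGTH = 8        # the compromise's third rule: at least eight characters

# Character classes and the number of symbols each contributes to a brute-force alphabet.
CLASS_SIZES = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),   # printable ASCII punctuation
)

def embedded_words(password: str) -> list:
    """Return dictionary words or names that appear whole inside the password (rule 1)."""
    lowered = password.lower()
    return sorted(w for w in COMMON_WORDS if len(w) >= MIN_WORD_LEN and w in lowered)

def failed_rules(password: str) -> list:
    """Check the three compromise rules; return a description of each rule the password breaks."""
    failures = []
    words = embedded_words(password)
    if words:
        failures.append("contains words/names: " + ", ".join(words))
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_upper and has_lower and has_digit):          # rule 2
        failures.append("needs upper case, lower case and digits mixed")
    if len(password) < MIN_LENGTH:                            # rule 3
        failures.append(f"shorter than {MIN_LENGTH} characters")
    return failures

def strength_bits(password: str) -> float:
    """Size of a blind brute-force search in bits, assuming no word structure to exploit."""
    alphabet = sum(size for pattern, size in CLASS_SIZES if pattern.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

if __name__ == "__main__":
    for pw in ["Macintosh", "Mac7T0sh", "HondaPrelude", "Pre7ood6", "iLoveMikey"]:
        verdict = "ok " if not failed_rules(pw) else "bad"
        print(f"{verdict} {pw:14s} {strength_bits(pw):5.1f} bits  {failed_rules(pw)}")
```

Note that the bit estimate only measures the blind search; a password built from dictionary words falls to the word-list attack described above long before that search space is exhausted, which is exactly why rule 1 matters.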

Using Technology

Never, ever, write your password down on a piece of paper near your computer. Paper is definitely not the technology I'm talking about. It's amazing how many passwords are stored on sticky notes right on the monitor, under the mouse pad or in a desk drawer. It's not that hard for the motivated to go searching and find all that.

My old approach was to use an Excel spreadsheet with all account names and passwords - in fact I still do for much of my sensitive information. By itself, that's incredibly insecure and dangerous. Anyone who can get a hold of that spreadsheet has everything. Other people use simple text files that suffer from the same fundamental flaw - it's the moral equivalent of a sticky note. Anyone who has access to the file has all the passwords.

The solution is to encrypt the file. I'm not talking about the encryption built into applications like Excel - which I'm led to believe is reasonably easy to defeat - but an "industrial strength" encryption solution such as TrueCrypt. Using TrueCrypt, you can control exactly when the information is actually visible, and the rest of the time it remains safely encrypted.

My current approach for website logins is to use RoboForm. RoboForm captures passwords when you enter them as you visit websites requiring login and then remembers them for you in an encrypted database. When you return to that site, RoboForm makes the login available for you automatically. It includes a handy random password generator. Since RoboForm remembers passwords for you, you can use completely random strings - the most secure passwords possible, as I described earlier.

But be aware that RoboForm and TrueCrypt-style encrypted solutions both require one thing: a password to decrypt the database of passwords. That password needs to be something you can remember, yet something secure. However, remembering that one password then opens up the vault to your entire set of accounts and passwords.

Article C2799 - October 1, 2006

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

Recent Comments
28 Comments
Vaidya
June 21, 2011 10:23 PM

I was using Keepass, until the file got corrupted and I landed in a problem. I will be glad to know how to take a backup of these facilities, and also move from one computer to another. Thanks.

Arobinb
December 4, 2011 12:55 AM

How do you prevent total loss when your password solution goes belly up?
It seems to me that you really need triple redundancy for that sort of solution. Also, if I access data from multiple locations, either on an internal network or "the cloud", it needs to be cloud based and is only as good as your network connection.
By the way, thanks for a great newsletter. I have been working with networks and computers for 25 years and you are still teaching me new stuff.

Jane B.Haugen
May 18, 2012 3:38 PM

Try your old auto license number, one you recall.

cloud-surfer
May 28, 2012 6:58 AM

To me what makes a good password is having some form of 2FA (two-factor authentication) where you can telesign into your account. It's very important that the leading companies in their respective verticals are giving users the appropriate additional layer of authentication and security for access to accounts and transaction verification without unreasonable complexity.

tonys
June 12, 2012 8:42 AM

How do I know when I change my password(s) that everything is secure at...for instance...the Google or Yahoo site?
Am I being paranoid since I was previously hacked w/1000's of others?