
Good passwords are hard to crack and hard to remember. As a result, many people don't use really good passwords, even though they should. We'll look at what makes a good password, and some ways to make them easier to remember.

I told my friend my password, and she said it was a really bad one. What does it mean to have a "bad" password? And what's a "good" one, then?

You told someone else your password? Yikes! I've seen more accounts get stolen by that one simple act than by any other single cause. I sure hope you know what you're doing - most people that have told a friend their password have come to regret it.

So what's a bad password? One that someone could easily guess.

A good password? One that's hard to guess, of course.

The problem is that people are way better guessers than you think. And it gets worse if the guesser starts using a computer to do the "guessing" for them.

What's a bad password?

A bad password is any password composed of common words or names, particularly if the password is short. For example, "iLoveMikey" is a bad password. "mydogspot" is a bad password. "GeorgeInParis" is a bad password. All are simply combinations of words or names. On top of that, many people choose bad passwords that express information that someone who knows you might be able to guess. If your boyfriend's name is "Mikey", your dog's name is "Spot", or you met someone named "George" during a trip to Paris, these are all things that people who know just a little about you can use to start making some educated guesses as to what your password might be.

And as I said, people can be really good guessers.

The irony is that the people who know you the best - your friends - are the ones who can probably make the best guesses and are the most likely to guess your password if it's a bad one.

Another problem with passwords made up from words and names is that it's really easy for a determined hacker to set up a computer with a dictionary of words and names and have it start trying combinations until something works.

What's a good password?

A good password is a long random sequence of characters - letters, numbers and any "special characters". "qicITcl}" is a good password. "rAg2imWOIgIf47IM24busml6kpetPF9UGRpPAFBMCoSmSTptbDcOxwcG3aPoa79" is a great password. The best passwords are made up of completely random characters and as long as you can make it.

You can see the problem - great passwords are impossible to remember. So if you can't remember it, what good is it?


The solution is either a compromise, or the use of some technology.

The compromise

The compromise I use works like this:

  • I never include full English words or names - instead I use misspellings or phonetic sound-alikes

  • I always include a mix of uppercase and lowercase letters and numbers

  • I always make sure the password is at least eight characters long, preferably longer

So, for example, while "Macintosh" is bad, "Mac7T0sh" might be good and probably easier to remember. "HondaPrelude" is bad, but "Pre7ood6" is much, much better.
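As an added example (not Leo's code, and not part of the original article), here is a small Python checker that applies the three compromise rules above to the article's own sample passwords, and a generator that produces the kind of fully random password a password manager would remember for you. The word list is a constructed stand-in for the "dictionary of words and names" a guesser would use; a real checker would load a large one.

```python
import re
import secrets
import string

# Constructed mini word list standing in for a real dictionary of words and names.
WORD_LIST = {
    "love", "mikey", "dogs", "spot", "george", "paris",
    "macintosh", "honda", "prelude", "password",
}
MIN_LENGTH = 8  # rule 3: at least eight characters


def find_dictionary_words(password: str) -> list[str]:
    """Return every word-list entry (4+ letters) that appears verbatim,
    case-insensitively, inside the password."""
    lowered = password.lower()
    return sorted(w for w in WORD_LIST if len(w) >= 4 and w in lowered)


def check_password(password: str) -> list[str]:
    """Apply the article's three compromise rules.
    Returns the list of violated rules; an empty list means it passes."""
    problems = []
    words = find_dictionary_words(password)
    if words:  # rule 1: no full English words or names
        problems.append("contains full words/names: " + ", ".join(words))
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs both uppercase and lowercase letters")  # rule 2
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one digit")  # rule 2
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")  # rule 3
    return problems


def generate_password(length: int = 16) -> str:
    """Build a random password from the OS CSPRNG (as a password manager
    would) and retry until it also satisfies the compromise rules."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+{}[]"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["Macintosh", "Mac7T0sh", "HondaPrelude", "Pre7ood6", "iLoveMikey"]:
        verdict = check_password(pw)
        print(f"{pw:14} -> {'OK' if not verdict else '; '.join(verdict)}")
    print("generated:", generate_password())
```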

The bottom line for this compromise: pick a random looking password that YOU can remember but that "they" would never guess - and as I've said a couple of times, always assume that "they" are always really great guessers.

Using Technology

Never, ever, write your password down on a piece of paper near your computer. Paper is definitely not the technology I'm talking about. It's amazing how many passwords are stored on sticky notes right on the monitor, under the mouse pad or in a desk drawer. It's not that hard for the motivated to go searching and find all that.

My old approach was to use an Excel spreadsheet with all account names and passwords - in fact I still do for much of my sensitive information. By itself, that's incredibly insecure and dangerous. Anyone who can get a hold of that spreadsheet has everything. Other people use simple text files that suffer from the same fundamental flaw - it's the moral equivalent of a sticky note. Anyone who has access to the file has all the passwords.

The solution is to encrypt the file. I'm not talking about the encryption built into applications like Excel - which I'm led to believe is reasonably easy to defeat - but an "industrial strength" encryption solution such as TrueCrypt. Using TrueCrypt, you can control exactly when the information is actually visible, and the rest of the time it remains safely encrypted.

My current approach for website logins is to use RoboForm. RoboForm captures passwords when you enter them as you visit websites requiring login and then remembers them for you in an encrypted database. When you return to that site, RoboForm makes the login available for you automatically. It includes a handy random password generator. Since RoboForm remembers passwords for you, you can use completely random strings - the most secure passwords possible, as I described earlier.

But - be aware that RoboForm and the TrueCrypt-style of encrypted solutions both require one thing: a password to decrypt the database of passwords. That password needs to be something you can remember, yet something secure. However, remembering that one password then opens up the vault to your entire set of accounts and passwords.

Article C2799 - October 1, 2006

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

25 Comments

First, I believe if you use Linux and Thunderbird you are much safer. There is a Linux system, Linux Mint 9, that is very easy to install and very user friendly. If you ever make the change you will never go back.
Second, I have not tried this but I just thought of it and it sounds good. Type a very long, very complex line of characters on a sticky note somewhere on your computer. Keep this for future passwords. Then, to set up a password, highlight and copy the desired number of characters from that string. Example, *sFl$B{9o0xY. You would make it much longer. Then copy from that, I$B{ for example and paste it as your password. (For some reason I was unable to copy that and had to type it in.)
When you want to use the password just remember to copy the 4th through the 7th character. Of course, actually make it longer than that. When it's time to change the password just copy characters 16 through 25 and use that for the new password. As long as that password is in use you can always copy characters 16 through 25 and insert them as the password.
I have not tried this. It is just a sudden idea.

Posted by: SelfHelp at December 28, 2010 9:00 AM

Most advice I've read suggests not using family and pet names and details. I use presidential initials, a significant year in their term and something specific to the website. For AskLeo it might be HST1948Ask. Password Evaluator says it is Medium and gave it a score of 32 out of 50.

Posted by: Art1745 at March 29, 2011 10:33 AM

If you allow Google Chrome to remember a password, how secure is that?

Posted by: John w at June 14, 2011 9:24 AM

I was using KeePass, until the file got corrupted and I landed in a problem. I will be glad to know how to take backups of these facilities, and also move from one computer to another. Thanks.

Posted by: Vaidya at June 21, 2011 10:23 PM

How do you prevent total loss when your password solution goes belly up?
It seems to me that you really need triple redundancy for that sort of solution. Also, if I access data from multiple locations, either on an internal network or "the cloud", it needs to be cloud based and is only as good as your network connection.
By the way thanks for a great newsletter. I have been working with networks and computers for 25 years and you are still teaching me new stuff.

Posted by: Arobinb at December 4, 2011 12:55 AM