Helping people with computers... one answer at a time.
Lost passwords are the single most common topic on Ask Leo! and on many other technical support and assistance sites. I'll look at why that might be and what you can do to protect yourself.
In the nine years that I've been answering questions here at Ask Leo!, the single most common topic that I encounter is that of lost or forgotten passwords.
It's been the number one topic since day one.
In the early years, questions relating to lost Hotmail passwords were so overwhelmingly frequent that it became an inside joke among my friends – I was the guy to see about Hotmail passwords.
In the years since, the spectrum has broadened to include whatever system is popular; most recently, it's been Facebook.
Why are so many passwords forgotten? And what lessons can we take away to improve our own security, both online and off?
I've seen the number of hacked accounts skyrocket in the past couple of years. Hackers break into email accounts and then use those accounts to send spam to the contacts listed in them. Not only is mail from a legitimate account more likely to bypass spam filters, but contacts are more likely to open email that came from the account of someone they know.
Hackers will often change the password on the account.
What that means is that when the rightful account holder later tries to log in, he cannot. It manifests as a bad password (because it is), and password recovery techniques are the first step to regaining access to the account.
I have several articles covering that scenario already and I'd point you at Email Hacked? 7 Things You Need to do NOW for the steps that you should take if you find yourself in that situation.
That's not what I'm discussing here. This is much more mundane, and yet probably still more common.
People forget their own passwords.
When I hear the backstory to a forgotten password scenario, there are a couple of frequently reoccurring characteristics:
The individual is a relatively new or inexperienced computer user.
They're in a hurry.
In my experience, new users underappreciate just how picky computers are about entering the exactly correct password, and perhaps in an effort to make their password secure, they've chosen something obscure and coincidentally difficult to remember exactly. They don't realize just how easy it is to forget the exact password that they've chosen.
Newer users are often not online as much as you or I might be, and thus may be asked for their password only once a day or once a week or so. If you're required to enter it correctly every day, it's more quickly committed to memory than if days or weeks go by before you need it again.
More troubling are the folks who are in a hurry. For various reasons, they want an account and they want it now. As a result, having to set up a password is more of an annoyance than anything else. Certainly no extra time is spent setting up a good password, much less committing it to memory. (More often than not, these are the accounts with passwords like "1234567." They are also more likely to be hacked.)
The common thread is simple: taking security – particularly your password – seriously from the beginning is critical.
Unless, of course, permanently losing access to your account isn't something that you'd consider serious.
Even if you take password security seriously, various conveniences can make it frighteningly easy to forget your password.
I know of people who've not had to enter their password to login for years.
They've allowed the site to "remember" them – forever – or they've allowed their browser to remember their password for them.
The bottom line is that they enter their password exactly once, maybe twice, and then let the browser remember from then on.
Weeks, months, or even years later when for some reason or another they need to login elsewhere, they have no idea what their password is. They've set up their life so that they've simply never had to type it in after setting it up to begin with.
The sad news about most browser password stores is that they're often only lightly secured themselves and are accessible not only to individuals with access to your machine, but to malware as well.
I avoid them.
The classic "rules" for passwords are frustrating in that they seem to be crafted specifically to make passwords impossible to remember:
Passwords should be at least 12 characters long.[1]
Use a mixture of character case and type (letters, numbers, special characters).
Don't use words or names.
Don't use the same password on more than one site.
Yikes! If you're only allowed to use passwords like "P5S0Dk@!i2Yd", "#zJCahT0kAA3" and "4Jy%zsX6H9!^", and you're not allowed to re-use them, then it's no wonder we can't remember them all! Even when choosing something slightly less secure than those rules, the best of us would fail miserably without help of some sort.
One approach to generating memorable (or "remember-able") passwords is to use an algorithm or a set of rules to create all your passwords. For example:
Begin with a memorable quote (or phrase or song lyric or ...)
Use the first (or last or second or ...) character from each word in that quote
Add into the middle (or beginning or end or ...) the first and last characters of the domain that you're setting a password for.
So, let's say I use the first 10 words of The Gettysburg Address:
Four score and seven years ago, our fathers brought forth
Now, I'll use the first letter of each word:
Let's say I'm setting up a new Hotmail account, so I might use the first and last letters of the domain (hotmail.com) and I'll insert them into the middle:
Given that you always remember your own algorithm or password-generating rules and always remember the phrase or song lyric or quote you start with, regenerating almost any password you created using those rules is a snap.
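The rule-based approach above, worked through in code as an added example (this is not code from the article or from Ask Leo!): take one letter from each word of the memorable phrase, then insert the first and last letters of the site's domain into the middle. The phrase and the domain are the ones the article uses; the choice to take the "first and last letters" from the domain's main label ("hotmail" rather than "hotmail.com") is my assumption, since the article does not say which.

```python
import re
from typing import List

# Inputs taken from the article's own example.
PHRASE = "Four score and seven years ago, our fathers brought forth"
DOMAIN = "hotmail.com"


def phrase_words(phrase: str) -> List[str]:
    """Split a phrase into words, dropping punctuation so 'ago,' yields 'ago'."""
    return re.findall(r"[A-Za-z0-9']+", phrase)


def phrase_initials(phrase: str, position: int = 0) -> str:
    """Take the character at `position` from each word of the phrase.

    position=0 is the article's "first letter of each word"; -1 is the
    "last letter" variant it also mentions. Words too short to have that
    position are skipped rather than raising an error.
    """
    return "".join(
        w[position] for w in phrase_words(phrase) if -len(w) <= position < len(w)
    )


def site_tag(domain: str) -> str:
    """First and last letters of the domain's main label (assumption: for
    'hotmail.com' that label is 'hotmail', giving 'hl'). Two-level public
    suffixes such as 'example.co.uk' are not handled here."""
    labels = domain.lower().strip().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return label[0] + label[-1]


def insert_middle(core: str, tag: str) -> str:
    """Insert `tag` at the midpoint of `core` (the article's "into the middle")."""
    mid = len(core) // 2
    return core[:mid] + tag + core[mid:]


def generate(phrase: str, domain: str, position: int = 0) -> str:
    """Regenerate the password for a site purely from the rule and its inputs.

    Because nothing random is involved, the same phrase, domain and rule
    always yield the same result, which is the whole point of the technique.
    """
    return insert_middle(phrase_initials(phrase, position), site_tag(domain))


if __name__ == "__main__":
    print("initials:", phrase_initials(PHRASE))        # Fsasyaofbf
    print("hotmail: ", generate(PHRASE, DOMAIN))        # Fsasyhlaofbf
    print("facebook:", generate(PHRASE, "facebook.com"))  # Fsasyfkaofbf
```

Running it shows the two properties the article relies on: each site gets a different password (the domain tag differs), and the password can be regenerated later from the phrase and domain alone, without storing it anywhere.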
Longer passwords are better. In fact, the longer the password, the more acceptable it is to break some of the other "rules" associated with passwords.
Enter the passphrase – a sequence of words (yes, dictionary words) that you can remember that is significantly longer than your old eight- or 12-character password.
For example, the passphrase "correct horse battery staple" would be considered a better password [2] than, for example, "P5S0Dk@!i2Yd" by virtue of it being significantly longer – 28 characters as compared to 12.
A passphrase doesn't have to be "weird" or nonsensical – although I suppose it helps – a good, lengthy passphrase can be anything that you would easily remember.
No problems making it unique to each site, either. Modifying your passphrase in a site-specific way, for example "correct horse battery hotmail," works great.
The frustrating downside to passphrases is that they don't work everywhere. Many sites, for inexplicable reasons in today's world, limit the length of passwords to something silly like 16 characters. (Or worse, only pay attention to the first N characters.) Often, they don't accept spaces. These limitations often prevent us from using secure passphrases for some logins, requiring us to fall back to more traditional and often less secure techniques.
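An added example (not code from the article) of why the limitations just described matter for site-specific passphrases. It builds the article's "correct horse battery hotmail" style variant, checks it against a constructed site policy, and shows what happens when a site silently uses only the first N characters: the site-specific word at the end is discarded, so two passphrases you intended to be different become the same secret. The policy values (a 16-character cap, no spaces, only 16 significant characters) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The article's example passphrase (its footnote says not to use it for real).
BASE = "correct horse battery staple"


@dataclass(frozen=True)
class SitePolicy:
    """Constructed description of a site's password rules."""
    name: str
    max_length: Optional[int] = None        # longer passwords are rejected outright
    allow_spaces: bool = True
    significant_chars: Optional[int] = None  # site silently ignores chars past this


def site_passphrase(base: str, site_word: str) -> str:
    """Article's site-specific variant: replace the final word with a site word."""
    words = base.split()
    return " ".join(words[:-1] + [site_word])


def check_passphrase(passphrase: str, policy: SitePolicy) -> List[str]:
    """Return the policy violations that would make the site reject it."""
    problems = []
    if policy.max_length is not None and len(passphrase) > policy.max_length:
        problems.append(f"{len(passphrase)} chars exceeds limit of {policy.max_length}")
    if not policy.allow_spaces and " " in passphrase:
        problems.append("spaces are not accepted")
    return problems


def effective_secret(passphrase: str, policy: SitePolicy) -> str:
    """What the site actually stores/compares if it only looks at N characters."""
    if policy.significant_chars is None:
        return passphrase
    return passphrase[: policy.significant_chars]


def truncation_collisions(passphrases: List[str], policy: SitePolicy) -> Dict[str, List[str]]:
    """Group passphrases that the site would treat as identical after truncation."""
    groups: Dict[str, List[str]] = {}
    for p in passphrases:
        groups.setdefault(effective_secret(p, policy), []).append(p)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    strict = SitePolicy("constructed-bank", max_length=16, allow_spaces=False)
    truncating = SitePolicy("constructed-forum", significant_chars=16)

    variants = [site_passphrase(BASE, w) for w in ("hotmail", "facebook")]
    for v in variants:
        print(f"{v!r}: {check_passphrase(v, strict) or 'accepted'}")
    # Both variants collapse to 'correct horse ba' on the truncating site.
    print(truncation_collisions(variants, truncating))
```

The second check is the one people rarely think about: a site that accepts the full passphrase but only compares the first 16 characters has quietly thrown away the part that made it unique to that site, and a shorter, site-specific password is the safer fallback there.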
I don't know my online banking password.
It's not that I forgot it; I never bothered to even try to remember it. And it's quite secure and obscure.
So how do I get in?
I admitted defeat when it comes to my memory long ago.[3] I use a password storage tool: LastPass.
The concept here is simple: you remember a single, strong master password that unlocks the vault; the tool holds a database of all your other logins and passwords and works within your web browser to enter them automatically as needed, or on demand.
LastPass remembers so I don't have to.
Tools like LastPass are significantly more secure than allowing your browser to just remember your passwords for you. LastPass was built for security from the ground up. Without your master password, your vault is inaccessible, and LastPass can be configured to require you to supply your master password every time, after your computer's been idle for a certain amount of time, or after your browser's been closed and re-opened. (LastPass specifically also supports two-factor authentication for additional security, particularly useful if you travel.)
The real bottom line to not becoming "one of those people" is to take your account security and password seriously from the moment you open your account.
Select a technique that you know will allow you to remember or regenerate it as needed.
Choose a strong password – the longer the better.
Make sure to properly set up (and remember and keep current) additional account security options such as mobile numbers, secret questions, alternate email addresses and more.
If you want to use technology to remember things for you, opt for a tool like LastPass specifically designed for this job.
Above all, take your time and do it right from the start.
Trust me, a little extra time and thought now will help avoid a lot of pain in the future.
[1] The old rule of eight that many of us "grew up" with is no longer secure. Passwords these days should be 12 characters or longer.
[2] OK, this specific example is an incredibly poor passphrase as it's been used frequently as an example of a very good passphrase. So don't use it. Use your own set of words to make a passphrase.
[3] My wife would agree to the defeat, but not to my ability to consistently admit it.