By now you’ve heard endless warnings about the risk of short, trivial passwords. There’s a good chance you ignore them. Let’s talk about why that is and what you can do about it.
To begin with, it really does matter. Easy-to-guess passwords (12345, pet’s name, kid’s name, birthdate, etc.) really do expose you to snooping and identity theft. Believe me, you’ll be sorry if you find out the hard way.
Even complex passwords are getting easy to break if they’re too short. That’s because today’s inexpensive computer chips have the power of supercomputers from the year 2000. Recent research shows that souped-up PCs can crack any password of fewer than seven characters with “brute force” techniques that try every combination of characters, even if your password looks like “a4T&7u” and not “fluffy”. The researchers recommend that you choose passwords of at least 12 characters.
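To make the “length beats complexity” point concrete, here is an added example (not from the original post) that counts the passwords a brute-force attacker must try for a given alphabet and length, and converts that into time at an assumed guess rate. The rate of one billion guesses per second is a constructed figure for illustration, not a measurement; the alphabet sizes are the usual split of printable ASCII.

```python
"""Added example: how keyspace grows with length versus character variety.

Not code from the original post. GUESS_RATE is a constructed assumption
used only to turn keyspace sizes into rough times.
"""
from math import log2

# Character-class sizes for printable ASCII (constructed convention).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
FULL_ASCII = LOWER + UPPER + DIGITS + SYMBOLS  # 95

GUESS_RATE = 1e9  # assumption: one billion guesses per second


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def cumulative_keyspace(alphabet_size: int, max_length: int) -> int:
    """All passwords of length 1..max_length: a brute-force run that
    tries shorter candidates first covers every one of these."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float = GUESS_RATE) -> float:
    """Worst-case time to try every password of exactly this length."""
    return keyspace(alphabet_size, length) / guesses_per_second


def compare(shapes: dict[str, tuple[int, int]]) -> dict[str, dict[str, float]]:
    """Summarise several password shapes so they can be compared side by side.
    Each shape is (alphabet_size, length)."""
    return {
        name: {
            "bits": round(entropy_bits(a, n), 1),
            "seconds": seconds_to_exhaust(a, n),
        }
        for name, (a, n) in shapes.items()
    }


if __name__ == "__main__":
    # "a4T&7u" is 6 characters drawn from the full printable set;
    # compare it with a 12-character password drawn only from lowercase.
    report = compare({
        "6 chars, full ASCII": (FULL_ASCII, 6),
        "12 chars, lowercase only": (LOWER, 12),
        "12 chars, full ASCII": (FULL_ASCII, 12),
    })
    for name, r in report.items():
        print(f"{name:28s} {r['bits']:6.1f} bits  {r['seconds']:.3g} s")
```

Run as a script, the table shows that a six-character password from the full printable set falls in minutes at the assumed rate, while twelve lowercase letters alone already carry more entropy than that six-character mix, and twelve characters from the full set push the worst case out to geological time. Length is the lever that matters most.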
Trouble is, most people can’t and won’t do what security professionals prescribe, which feels like a full-time job. The pros tell us to (1) create long, random passwords using upper and lower case letters, numbers and special characters, including nothing that appears in any dictionary; (2) write them down nowhere, or only in remote, inconvenient places; (3) use a different password for every account; and (4) change them every few months. As Bruce Schneier argues, it’s foolish to blame ordinary people for failing to take impractical advice.
So what might be practical? For most people, any of these would be a big improvement:
- Schneier commits the heresy of suggesting that people “write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.” That’s because people “can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember.” (An explanation and some other useful tips from the Electronic Frontier Foundation are here.)
- If you do write down your passwords, don’t make it obvious which password corresponds to which account. Even better, write the passwords incorrectly and make up an easy rule for fixing them. You could decide to add 1 to each number in your password, so that 2x6Y is written as 3x7Y. (But make it a long password, right?)
- Or: take your password from something you carry all the time — the serial number of your cell phone, or a combination of your driver’s license number and your employee ID. For each online account, add a suffix. One possible suffix: the stock symbol of the company that hosts your online account. So if your root password is the serial number of your gadget — say, DQN-11.aa764 — then your Amazon password is DQN-11.aa764,AMZN and your Yahoo password is DQN-11.aa764,YHOO. Changing gadgets, which you probably do every year or two, would encourage you to change your password.
- Best of all, if you’re willing to use it, is an electronic password safe. It’s a piece of software to store your passwords. You need a password to get into it, but that’s the only one you need to remember. The others are in the safe and protected by strong encryption. To me a product like this is useful only if it’s available in both desktop and mobile versions. I’ve tried several products that let you keep everything in one database and open it in Windows, Mac, iPhone, BlackBerry and Android. The best free solution I know is KeePass, which runs on all those platforms. The commercial product I like best at the moment is Ascendo’s DataVault. As always I encourage suggestions.
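To show what “protected by strong encryption” means inside a password safe, here is an added example that is not KeePass, DataVault or any other product’s code. It stretches the master password with PBKDF2 (so each guess at the master password costs the attacker real work), derives separate encryption and authentication keys, and rejects a wrong master password or a tampered file before revealing anything. To stay within Python’s standard library it uses an HMAC-SHA256 counter keystream with an HMAC tag (encrypt-then-MAC) as the cipher; that construction, the iteration count and the sample entries are all assumptions for illustration, and a real product uses AES or ChaCha20 through a vetted library.

```python
"""Added example: the moving parts of an encrypted password safe.

Not the code of any real product. The cipher is an HMAC-based counter
keystream chosen only because it needs no third-party library.
"""
import hashlib
import hmac
import json
import os

# Work factor for stretching the master password (assumed value;
# raise it as hardware gets faster).
ITERATIONS = 200_000


def derive_keys(master: str, salt: bytes, iterations: int = ITERATIONS) -> tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC(key, nonce || counter) blocks concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master: str, entries: dict) -> bytes:
    """Encrypt the entries under the master password.
    Layout: salt(16) || nonce(16) || tag(32) || ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries).encode()
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_safe(master: str, blob: bytes) -> dict:
    """Verify the tag first; only then decrypt. A wrong master password
    produces a different MAC key, so the check fails and nothing is decrypted."""
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered safe")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, ks)))


if __name__ == "__main__":
    # Constructed sample entries; the master password is an assumption.
    vault = seal("correct horse battery staple", {"amazon": "DQN-11.aa764,AMZN"})
    print(open_safe("correct horse battery staple", vault))
    try:
        open_safe("password1", vault)
    except ValueError as e:
        print("rejected:", e)
```

The order of operations is the point: the tag is checked with a constant-time comparison before any decryption, the salt makes precomputed guesses at the master password useless across safes, and the iteration count is the knob that turns a guessable master password into an expensive one. Only the master password has to be remembered; everything else lives in the sealed blob.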
P.S. You may think you don’t need high security for your email accounts, especially for the one you use for registering at web sites. Think twice. Suppose a bad guy guesses the password for your throwaway Yahoo address. Now he goes to major banking and commerce sites and looks for an account registered to that email address. When he finds one, he clicks the “forgot my password” button and a new one is sent to your compromised email account. Now he’s in a position to do you serious harm.