I had a recent conversation with a newsletter reader about passwords. The reader was asking about identity theft and the security of passwords. The person worried that a hacker could crack a password that consists of a family name or a pet's name or some similar word. I agree with her. Never use a single word or name to protect something you value.
Security experts will tell you to always use passwords that are non-words. Instead, all passwords should be lengthy and should also be a jumble of letters and numbers, such as:
iltstwan7daw
That particular password looks complex, and yet it is easy for me to remember. It contains the first letter from each of the following words: "I like to surf the web at night 7 days a week." It is easy to remember and still is essentially impossible for hackers to guess.
You should pick equally inscrutable passwords. Use a sentence from a nursery rhyme or from your favorite song or anything else that you can easily remember but no one else will guess. Perhaps the first and middle initials from every member of your family, followed by the last four numbers of a telephone number. How about a telephone number but with family member initials in the middle: 555mdjd1212? Maybe a lengthy English word, only spelled backwards? Throw in a number or two in the process. How about the birth date of a favorite ancestor? Who is going to ever guess a password of 23october1892?
Simple measures like this will greatly increase the security of your personal data.
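As an added illustration (my own code, not from the newsletter), the Python below builds the first-letter password described above from its sentence and then runs the kind of pattern checks a cracker's wordlist rules would cover: dictionary words (including with digit-for-letter substitutions or spelled backwards), day-month-year dates, and long digit runs. The tiny word list and the bits-of-strength formula are constructed for the demonstration.

```python
import re
from math import log2

# Constructed mini word list for the demo; a real checker loads a full dictionary.
COMMON_WORDS = ("october", "poland", "password", "have", "good", "time")
# Undo the usual letter-for-digit substitutions before the dictionary check.
LEET = str.maketrans("0134@$", "oleaas")
MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"

def mnemonic_password(sentence):
    """First character of each word: the post's 'iltstwan7daw' recipe."""
    return "".join(w[0].lower() for w in sentence.split())

def charset_bits(pw):
    """Naive strength estimate: length times log2 of the character pool.
    This is an upper bound; it ignores every pattern weaknesses() finds."""
    pool = 0
    if re.search(r"[a-z]", pw): pool += 26
    if re.search(r"[A-Z]", pw): pool += 26
    if re.search(r"\d", pw): pool += 10
    if re.search(r"[^A-Za-z0-9]", pw): pool += 32  # rough symbol-pool size
    return round(len(pw) * log2(pool), 1) if pool else 0.0

def weaknesses(pw):
    """Patterns a wordlist-plus-rules guess would cover, as a list of strings."""
    found = []
    plain = pw.lower().translate(LEET)
    for word in COMMON_WORDS:
        if word in plain or word in plain[::-1]:  # also catches reversed words
            found.append(f"dictionary word '{word}'")
    if re.search(rf"\d{{1,2}}({MONTHS})[a-z]{{0,6}}\d{{2,4}}", pw.lower()):
        found.append("date pattern (day, month name, year)")
    if len(re.sub(r"\D", "", pw)) >= 7:
        found.append("7+ digit run (phone-number-like)")
    if len(pw) < 12:
        found.append("shorter than 12 characters")
    return found

if __name__ == "__main__":
    # The candidates from the post, plus one leetspeak word for contrast.
    for pw in ("iltstwan7daw", "555mdjd1212", "23october1892", "P0land"):
        print(f"{pw:15} {charset_bits(pw):5} bits  {weaknesses(pw) or 'no obvious pattern'}")
```

The charset estimate rates "23october1892" higher than "iltstwan7daw", yet only the latter survives the pattern checks, which is why length-and-classes scoring alone is misleading.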
I'd avoid simple combinations of basic personal information, as these bits of easily-gathered information can be a great head start to a hacker's dictionary.
Lifehacker just had an article today pointing to some good password tips:
http://www.lifehacker.com/software/passwords/how-passwords-get-cracked-247355.php
An excellent in-depth resource is a January 11th article by Bruce Schneier, "Choosing Secure Passwords":
http://www.schneier.com/blog/archives/2007/01/choosing_secure.html
Posted by: Infinite Ancestors | March 28, 2007 at 12:09 AM
I like that trick about using the first letters of words in a sentence. That's a great idea. One thing I do is mix upper and lowercase letters, which adds an extra layer of complexity.
Posted by: Paul K. Graham | March 28, 2007 at 12:12 AM
A password like "23october1892" is more cryptic than a lot of passwords, but still uses a word that can be found in any dictionary. This makes the password more difficult to crack, but not as difficult as it could be.
I like to mix characters like "$", "&", "@" among my other characters, although some web sites cannot accommodate such symbols.
Another approach is to use a password manager that is capable of generating a hard-to-guess series of alphanumeric characters. RoboForm is one of these. It is capable of generating pseudorandom passwords nearly as long as one wishes to create (like 25 or more), and to remember them in an encrypted password file that uses one unique password of its own that can be remembered.
Posted by: Norman B North | March 28, 2007 at 02:21 AM
I use the name of the thing I was doing when I first went into the site and substitute 1 for i, or 0 for o, and put capital letters if it is a place. e.g. flight to Warsaw, Poland, the password might be P0land. I've also used whole phrases e.g. haveag00dtime for a holiday site.
Posted by: Marilyn | March 28, 2007 at 03:20 AM
Every password you use should be unique. In other words, you should use a different password on every site on which you register. Roboform, mentioned earlier, is the ONLY way to do this effectively and efficiently without having to remember tons of information.
Additional thoughts:
1. Mix capital and lowercase letters.
2. Do NOT use the @ sign. It makes your password look like an email address which can be trying at times especially when pasted into a spreadsheet (see #2). Everything else is good if the web site will accept it.
3. Use the longest password the site will accept. Some limit to 15 characters while others will let you use 35 or more. Take advantage of every character.
4. I copy every Roboform generated password into an excel spreadsheet along with the URL and the login name (they aren't always the same) and I keep that spreadsheet in encrypted form on both my computers and a USB memory key which is always in my pocket. Since I work from home, I keep a fourth copy on my son's system in California (offsite in case of disaster (along with my genealogy database, financial records, etc.)).
Posted by: Paul Smith | March 28, 2007 at 10:09 AM
I think the internet has gone password crazy! I know that a lot of sites need to have a registration process to avoid spammers - which has happened several times on a genealogy forum I frequent. But, do you really need an industrial strength password to register at a site to get a newsletter? I don't think so and I have one simple password for many such sites that do not involve any financial transactions. I don't think many hackers are interested in my newsletter subscriptions. I do agree that for banks and other such sites, it makes sense to have a good password and I use many of the suggestions given in previous comments. However, let's keep password use in perspective and don't go overboard where there is no need.
Posted by: Ernst Stjernberg | March 28, 2007 at 03:57 PM