As computers and networks get faster and hackers get more aggressive, it is increasingly important that you use strong, unique passwords for each of your various online accounts. Where 8-character passwords were once sufficient, they now need to be longer and more random (i.e. not 'words' at all). In fact we need to stop calling them passwords, since this just encourages us to use a word that's in the dictionary - the same dictionary hackers use to break into accounts. Let's call them "Pass Phrases" from now on.
Manage Your Pass Phrases
Question: How am I supposed to come up with all of these long random pass phrases for all these different sites on the web and possibly be expected to remember them all?
Answer: Use a password manager. We strongly recommend LastPass. It's free. It's really easy to set up and use. It's extremely secure - provided you choose a strong pass phrase for your LastPass account. With LastPass you only have to remember ONE password. It generates long, very random pass phrases for all of your sites and automatically logs you in as you browse.
Picking A Fantabulous Pass Phrase
So how do you choose one really strong pass phrase that you will always remember?
Here are two suggestions: Cobbling and Extending
Cobble together some letters and numbers that have meaning to you but would be impossible for someone else to guess (even your best friend). For example:
Pick a song from your album collection. Let's use "Bullet the Blue Sky" on U2's Rattle & Hum album.
You now have a bunch of jumbled letters that form the base of your new super-passphrase, just by taking the first letter of each word in the song, album and group names: BtBSR&HU2.
That's looking pretty good already. It has a mix of upper and lower case letters, it has at least one punctuation character and at least one digit. Too bad it's only 9 characters. We need to pad it out some more.
Let's prefix it with the year the album was released. Now our pass phrase is 1988BtBSR&HU2. That looks horrible but it's 13 "pseudo-random" characters and really easy to remember.
The hard core crypto geniuses will scoff at this recommendation as it is not really random at all. The point is to dramatically improve the quality of your pass phrase over what you are currently using, not to keep the mathematicians happy.
If you are completely at a loss for creating a new pass phrase, then extend or enhance the pass phrase you already have memorized.
Let's say your current pass phrase is "ducksoup". Make your new pass phrase "ducksoup1&DUCKSOUP2". That's a 19-character pass phrase with a mix of upper, lower, digits and punctuation. All you have to remember is three extra characters. It's not as strong as something more random, but an attacker has no idea what your password structure is like. Remember - longer is stronger.
Write It Down
Conventional security wisdom is "Never write down passwords". Go ahead and ignore the conventional wisdom on this one. Write it down and put it somewhere secure. Be extra sneaky and add a few extra characters on the end that only you know are not part of the real password.
If you are going to use LastPass, it is extremely important that you use a strong pass phrase and that you NEVER FORGET IT.
Advice Not To Ignore
If all of this seems excessive and unnecessary to you, I'd like to draw your attention to the fact that Sony, Disney, Marriott and many other companies have had their client databases hacked in the last two years. Customer email addresses and passwords were stolen and are now being used by hackers to attempt to gain access to personal records, banking, etc.
So play it safe. Choosing a new password is not rocket science. Have some fun with it!
Bottom Line Recommendations
- Use a mix of upper/lower case letters, digits and punctuation characters like @#$%&.!_
- Make your pass phrase at least 12 characters long. Longer is stronger.
- Use a different pass phrase on every web site/service.
- Use LastPass to manage your pass phrases.
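As an added example (not code from the original post), here is a small Python checker that applies the Bottom Line rules above to the page's own three phrases and estimates how big a search a brute-force guesser faces. The class sizes and the use of Python's 32-character punctuation set are assumptions, not figures from the post.

```python
import math
import string

# The post's own example phrases, used here as constructed test inputs.
WEAK = "ducksoup"
COBBLED = "1988BtBSR&HU2"
EXTENDED = "ducksoup1&DUCKSOUP2"

MIN_LENGTH = 12  # "at least 12 characters long"
REQUIRED_CLASSES = {"lower", "upper", "digit", "punct"}
# Assumed alphabet sizes per class (string.punctuation has 32 characters).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "punct": len(string.punctuation)}


def character_classes(phrase):
    """Return the set of character classes actually present in the phrase."""
    classes = set()
    for ch in phrase:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def check_phrase(phrase):
    """Apply the post's bottom-line rules. Returns (ok, list of failures)."""
    failures = []
    if len(phrase) < MIN_LENGTH:
        failures.append(f"only {len(phrase)} characters, need {MIN_LENGTH}")
    missing = REQUIRED_CLASSES - character_classes(phrase)
    if missing:
        failures.append("missing " + ", ".join(sorted(missing)))
    return (not failures, failures)


def brute_force_bits(phrase):
    """Bits of search for a guesser trying every string of this length over
    the classes used. This is an upper bound: it assumes the guesser knows
    nothing about the structure (e.g. that 'ducksoup' is a dictionary word),
    which is exactly the post's caveat that cobbled phrases are not random."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(phrase))
    return len(phrase) * math.log2(alphabet)


if __name__ == "__main__":
    for p in (WEAK, COBBLED, EXTENDED):
        print(p, check_phrase(p), round(brute_force_bits(p), 1))
```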