Pretty Good Passwords
=The importance of passwords=
Passwords are one of the most important pieces of the security puzzle when it comes to protecting your online assets. They are also one of the things the bad guys target most often, and for good reason. Most of the time, your password is all that stands between your bank account and the bad guys. To them, if they can't scam you into giving them your money, taking it from you is the next best thing. Keyloggers, trojans and other malware exist precisely to get at your password.
=Pretty good passwords=
You'll hear people talk about the importance of strong passwords. In reality, truly strong passwords are a pain in the butt because they end up being impossible to remember, or at least, very difficult. We all want our online accounts to be secure from the bad guys, but we don't want them to be secure from us!
Strong passwords are important but in the everyday world they have to be balanced with the practical need of being accessible to us while still being inaccessible to others. Because there are more secure kinds of passwords that I don't recommend for practical reasons, I humbly call my recommended password method "pretty good" passwords. In the first place, most of us have pretty terrible password practices by comparison, so even pretty good passwords are a big improvement.
What makes a pretty good password? Pretty good passwords actually incorporate a lot of the attributes of really strong passwords. They:
* are long, at least 8-12 characters if not more
* contain a combination of upper and lower case letters, punctuation and numbers
* are different for every account you have
That's a tall order!
In addition, pretty good passwords have one important attribute that most strong passwords don't:
* are easily memorable
Also, your password practices should add to the strength and usability of your passwords:
* passwords are never reused
* passwords are changed at least once a year
* passwords are kept written down somewhere safe and accessible
Why all that stuff? Well, generally speaking there are four methods for "cracking" a password:
* steal it, by whatever means
* guess it by knowing something about the person who made it
* guess it using a "dictionary" attack that looks for passwords made from words from the dictionary or other "words" (like people names)
* guess it using a "brute force" method where you just keep trying different combinations of letters and numbers until the system gives you a match
The first method, stealing, is cause for concern. Keyloggers and trojans try to steal your password by installing themselves on your system, so good antivirus is essential in preventing these. Some websites appear legitimate but aren't, hoping that you will use the same password that you use with other accounts to register on theirs. Finally, hackers can attack a legitimate website in the hopes that the users' passwords aren't kept securely there. While you can't necessarily prevent these last two methods from getting your password on those sites, you can protect your other accounts by using different passwords on every site. That way one password being compromised doesn't open the door to the rest of your accounts.
The second method, guessing your password using knowledge about you, is usually limited to your circle of family and "friends". We won't worry about this much, but there are three important things you can do to avoid it. First, don't use an obvious password, such as a pet's name. Second, treat your passwords as sensitive information. Don't leave them lying around, don't share them with anyone and change them on a regular basis (yearly or more frequently). Finally, if more than one person uses your computer, make separate accounts and use a password to protect your account. Also require the password to be entered when the computer comes back from the screensaver.
The third method, using dictionary attacks to guess your password, is a favorite method of password crackers. Even simple modifications of words, such as the infamous "password1", get cracked quickly this way. The best way to protect your password against this is to not use real words as your entire password. It's unfortunate, because words are the easiest passwords to remember, but you can still use them if they are only part of a more complicated password which isn't in a dictionary.
The last method, the brute force attack, is simple to defeat, but defeating it comes at the cost of usability. Brute force attacks simply try to guess every possible password combination there is. While this may take a long time, computers are pretty powerful at doing this under the right circumstances. Password length and "complexity" are the only effective deterrents to a determined and resourceful cracker. Unfortunately, an 8-letter password is no longer effective at stopping this method. You should be using a password that contains more than 8 characters, preferably 12 or more. You can see why this is harder: harder for the cracker, which is the plus side, but also harder for you to remember, which is the minus side. Also, since crackers prioritize what characters they use in their guesses, trying all lower-case letter combinations first, you want to include less-anticipated characters in your password. Banks and other security-conscious institutions often require that you use numbers, punctuation and/or capital letters in your password for this reason. While such passwords can still be guessed, using these characters usually ensures that cracking your password takes longer rather than shorter. Sometimes all you need is to be more secure than the next guy to avoid attack.
=Creating Pretty Good Passwords=
Here is the method I use for generating my passwords. It meets the criteria of:
* is long, at least 12 characters in general
* contains an upper case letter, two numbers and punctuation
* for the most part, not based on a dictionary word
* is memorable (to me) and I think for most people
* is different for every account
The other requirements about having it written down and changing it regularly are up to you, so don't forget to pay attention to those no matter how you make your actual password.
Before I go into the steps, a word about diversity. Diversity in passwords is a good thing. As soon as I describe how I make my password, I make it easier for the bad guys to target that method by making their cracking method smart to it. Unfortunately, that's the bad thing about trying to come up with a single method. The act of explaining the method itself weakens it.
However, it's still a good thing to use a known method, as long as it's stronger than the password you would otherwise use. So I still recommend this method, but I encourage diversity. Feel free to change the method to suit you, as long as it still meets the basic criteria. For example, instead of using your birth year for the digits, use a two-digit number that means something to you. Diversity can strengthen your password by making it more unpredictable.
The only thing I wouldn't recommend changing is that the site-specific part of the password should come near the end. The reason is that some sites limit the length of your password, and you don't want the password cut down to the point that it only contains the site-specific part. If it were, it would probably no longer meet the capitalization, number, punctuation and dictionary requirements.
The last thing I'll mention is that I checked my financial accounts first to see that this method would generate an acceptable password. This method isn't useful if you can't use it on your most important accounts, and financial accounts usually have the most stringent requirements. You may want to check your bank's password requirements before you use this method. If you need to make modifications, do so beforehand.
Here are the steps I use:
1. Come up with a random, memorable word that's six letters or more.
I use http://watchout4snakes.com/CreativityTools/RandomWord/RandomWordPlus.aspx. I like using this site because you can adjust the "commonality" of the word. I crank it up high and bring it down if it comes up with words I can't remember. This ensures that you won't use a common word that crackers guess easily.
2. Capitalize the word and cut it down to the first five letters.
If cutting it down to five letters yields a regular word instead of just a fragment, go back to step 1 and choose another word.
This gets you the capital letter requirement. It should also make it a non-dictionary word. While this offers limited protection, since crackers will also try word fragments, it adds strength compared to using a full word. Additionally, this won't be the whole password, so the other parts of the password protect from dictionary attacks as well.
3. Add your birth year as two digits at the end.
While this is very predictable as a number, it's only part of a larger password, so this is another compromise for memorability. You should be able to remember your birthday, right? If you can think of a different, just as memorable two-digit number you'd like to use, feel free to do so in the interest of diversity. You can also place it before the word instead of after. Once you pick a rule though, stick with it so you don't get confused the next time you make a password.
4. Add a period to the end of it.
This gets you the punctuation requirement. Again, you can pick another punctuation mark or symbol and place it earlier in the interest of diversity, but stick with your rule. Also, there are punctuation marks that you *don't* want to use, despite what some people say. Computers are notoriously bad at correctly using spaces in something that's supposed to be a single "word". Don't tempt fate by using spaces, since you don't want to be the one to discover some website's bug that accidentally locks you out because of it. You also want to avoid "SQL characters", which include ";", single- and double-quotes and "%". The reasons for this are arcane, but it's just a good idea. I like using "." (without quotes) because it's safe and easy to type.
What you have now is your base password. It's the unchanging part of your password that isn't specific to a particular site you're visiting. It satisfies the requirements for not using dictionary words, for using upper case letters as well as numbers, and for punctuation. Additionally, it should be eight characters long, which is the minimum required password length for most sites. If for any reason you can't or don't want to make the password site-specific, you can use this base password by itself without being completely exposed.
The final step is to make site-specific versions of this password for each site where you have an account. Before we do this, however, take the following steps for securing this base password so you don't forget it, which is a frequent problem with new passwords.
Write down your base password in two places. First, write it on the back of a business card you keep in your wallet, someplace you won't clean out, such as behind your driver's license. Second, write it down on a piece of paper, card or address book that you keep in the same place with your valuables, such as a fire safe. This takes care of the writing down requirement.
5. When you visit a site to create or change your password, double-click the site name in your browser's address bar, then copy and paste it onto the end of your base password.
Let's say you visit www.google.com. When changing your password there, first enter your base password, then double-click the "google" in "www.google.com". Double-click automatically highlights the entire word "google", which you can then paste onto your base password. Ctrl-C is the keyboard shortcut for copy and Ctrl-V is the shortcut for paste.
One important thing to note is that different browsers capture different amounts of the site name when double-clicked. Internet Explorer, for example, only captures "google", while Google Chrome captures "google.", with the trailing period. It is important to know which your browser does so you can write it down properly. I use Chrome, so I always remember the trailing period when I write down a password. (Don't rely on this period to take the place of the punctuation requirement though, since some sites cut it off.)
What does this accomplish? Two things. First, it makes your password specific to that website, which means that when someone cracks your password, if they blindly enter into your account on another website, it won't work. This protects you from automated attacks. For example, an illegitimate site that tricks you into registering may turn around and automatically try to log into your email and Facebook account with the password you provided. Your password won't work, so it defeats this kind of attack. It requires human eyes and thought to determine how to use your password to get to your other accounts, which is still a weakness to be concerned about, however. More on this in my discussion at the end.
The second thing it does is perhaps more important, which is that it adds significant length to your password without the need for typing *anything*. The strongest protection against brute-force attacks is a long password, as the cracking program will have to try innumerably more letter combinations to reach your password. Long passwords are hard to remember and type, though, which makes them hard to use. This method takes care of both problems. Simple, huh?
=Care and Feeding of Passwords=
You'll need to track these individual site passwords, but you don't need to store them in a safe or your wallet. Either write them down in an address book kept somewhere reasonably safe (a desk drawer) or use a password manager such as LastPass.
Make a list of your important accounts now. You'll need this list whenever you need to change passwords, either when you routinely change them or when one has been hacked.
There are two kinds of important accounts: ones that have access to your money and ones that don't. The money ones are your most important, and the others are important, but for other reasons. Your list should include accounts such as:
==Most important==
* *Email*
* Password Managers: LastPass, KeePass, Roboform, etc.
* Financial: Bank, Investment
* Payment: PayPal, etc.
* Money Management: Mint, BillGuard, etc.
* Shopping: eBay, Amazon, Google Checkout, anything that stores your credit card info
==Important==
* Windows logon
* Social Networking: Facebook, etc.
* Anti-theft: Prey, Hidden
* Backup: Mozy, Carbonite, CrashPlan, etc.
* Synchronization: DropBox, Windows Live, SugarSync, etc.
* Remote Access: LogMeIn, GoToMyPC, etc.
* Encryption: TrueCrypt, BoxCryptor, etc.
After your bank and investment accounts, email is by far the most important account. Why? Because a hacker with access to your email account can reset the passwords for virtually *all* of the rest of your accounts. Email is like the back door to all of your accounts. Protect it as you do the most important of your accounts. If you use Gmail, strongly consider using their 2-step verification feature, which requires you to enter a code sent to your phone via text message in order to complete the logon process. It's that important.
Set a reminder for 6 months or a year from now to change your base password. Never reuse a base password you've used in the past. You'll need to immediately change to the new password on all of the accounts on your list. You should be able to accomplish this in half an hour or so.
The rest of the accounts not on this list don't need to be changed as long as you have the passwords written down or saved in a password manager. For this reason I strongly recommend a password manager to track them for you, such as LastPass. It keeps me sane so I don't have to change every single password I have on the non-important accounts.
Finally, if you do use an online password manager such as LastPass, then this is a good time to export your passwords. Print them out and put the printout in your safe place with your valuables. Delete the exported file and remember to empty the Recycle Bin at this point. Don't keep the exported file on your computer unless you know how to encrypt it with an encryption solution such as KeePass or BoxCryptor.
=An Example=
Have you made it this far? Great!
Here's an example of how to generate a base password.
Using the random word site set to generate a random uncommon noun, after a few tries I get "headhunting". I can remember this and the five-letter version, "headh", isn't a dictionary word, so I choose it.
I capitalize it and add my birth year as well as a period. Let's say I was born in 1969, so my base password is "Headh69.". I write this down on two cards, one I put in my wallet behind my driver's license and the other in the firesafe I keep at home.
Now I go to my important accounts to change my password. Let's take Gmail first. When I go to www.gmail.com, I log in and go to account settings to change my password. First I type in "Headh69.". Then, I go to the address bar and double-click the site name. Because Gmail changes the site name to "mail.google.com", when I double-click it I get "google". Actually, since I'm using Google Chrome as my web browser, I get the trailing dot as well, so I get "google.". I copy and paste that onto the end, so my password is "Headh69.google.".
That's your pretty good password for Gmail.
Note: do NOT use this example as your real password.
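The five steps above, worked through with the article's own example values ("headhunting", 1969, a period, and mail.google.com). This is an added example, not the article's own code; the small dictionary set passed to the step-2 check and the hostnames are constructed for illustration.

```python
import re
import string

# Characters the article says to keep out of passwords: spaces and "SQL characters".
AVOID_CHARS = set(" ;'\"%")


def fragment_of(word: str) -> str:
    """Step 2: capitalize the word and keep only its first five letters."""
    return word[:5].capitalize()


def needs_new_word(word: str, dictionary=frozenset()) -> bool:
    """Steps 1-2: the word must be six or more letters and its five-letter fragment
    must not itself be a regular word. 'dictionary' is whatever word set the caller
    supplies; the tiny set used below is constructed for illustration."""
    return len(word) < 6 or not word.isalpha() or fragment_of(word).lower() in dictionary


def base_password(word: str, number: int, mark: str = ".", dictionary=frozenset()) -> str:
    """Steps 1-4: fragment, then two digits (1969 and 69 both give '69'), then a mark."""
    if needs_new_word(word, dictionary):
        raise ValueError("go back to step 1 and pick another word")
    if len(mark) != 1 or mark in AVOID_CHARS:
        raise ValueError("use a single mark that is not a space or an SQL character")
    return f"{fragment_of(word)}{number % 100:02d}{mark}"


def site_label(hostname: str, chrome_style: bool = False) -> str:
    """Step 5: the word a double-click selects in the address bar. The article uses the
    label just left of the top-level domain ('google' in mail.google.com); Chrome also
    selects the trailing dot. Two-part suffixes such as co.uk are not special-cased
    here, so check what your own browser selects on such sites."""
    labels = hostname.lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return label + "." if chrome_style else label


def site_password(base: str, hostname: str, chrome_style: bool = False) -> str:
    """The finished password: the base with the site name pasted on the end."""
    return base + site_label(hostname, chrome_style)


def meets_criteria(password: str) -> dict:
    """Check a finished password against the article's 'pretty good' criteria."""
    return {
        "long_enough": len(password) >= 12,
        "has_upper": any(c.isupper() for c in password),
        "two_digits": len(re.findall(r"\d", password)) >= 2,
        "has_punct": any(c in string.punctuation for c in password),
        "safe_chars": not any(c in AVOID_CHARS for c in password),
    }


if __name__ == "__main__":
    base = base_password("headhunting", 1969, dictionary={"house"})  # "Headh69."
    gmail = site_password(base, "mail.google.com", chrome_style=True)  # "Headh69.google."
    print(gmail, meets_criteria(gmail))
```

The base password alone fails the length check, which is why the site-specific part matters; the checks do not catch the weakness discussed in the next section, where the site name itself is the guessable part.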
=An Important Word of Advice=
Now, before you go and change your passwords on all of the rest of your accounts, I need to point out one important thing. Remember when I said there's reason for concern that the site-specific part of the password is just the site name? That's because if someone gets your password, such as "Headh69.google.", it's not too difficult to see that it's for your google account. One easy guess later and they could have your bank password by substituting the bank domain name for "google".
While pretty good passwords are better than using some simple password on all of your accounts, you should really take another step to secure your most important accounts. That's why I make more than one password. In fact, I use three passwords. I use one password on the most important accounts (email and financial), another password on the other important accounts (Facebook, etc.) and a third on the rest of my accounts, the ones that I really don't trust. These three tiers (very secure, secure and insecure) isolate the important accounts from the less trustworthy ones.
Even though this is harder to remember, I highly recommend you take this step. If you can't remember three, then use at least two. Use one password for all of the important accounts and another password for the rest. A password manager like LastPass makes all of this much easier than you might think.
Still, you don't have to go this far if it's too much for you. If all you do is make one password using these instructions, your passwords are still much better than the vast majority of other people's. There is no perfect password, and although this method has its issues, it's better than "password1" by a long shot.
=A Final Word on Other Password Methods=
There are lots of opinions on how to make passwords. If you want other ideas, you can check out these resources:
One more which deserves most of the credit, to which I basically made refinements (as well as coming up with a snappy name):