This week we saw about 10 million passwords leak from LinkedIn.com, Last.fm, and eHarmony.com, and it started me thinking about the general issues of passwords, and keeping them safe.
Much has been written over the last twenty years about how to create strong passwords, but here’s the thing…
No matter how strong your password is, if your favorite website is hacked, you're likely to lose your password.
If the perpetrators have managed to download a site’s passwords to their computers, they can spend as much time as they like, using a growing number of highly sophisticated tools to crack them.
What this means is that you must assume your favorite site could be hacked at some point. And if you have used the same password for multiple sites, then you will have a new name, and that name will be Victim.
You simply must adopt a strategy of using a unique password for each site. That way, if a site falls, as we saw this week, at least you only lose one password, not the keys to the kingdom.
Having said that, here are some traditional DON’Ts and DO’s…
- DON’T use easy-to-guess words, like “password”, or “password123”
- DON’T use adjacent keyboard characters, like “qwerty” or “12345678”
- DON’T use things that can be discovered about you, such as your hometown, or the name of your pet or spouse
- DON’T use really short passwords. Anything under eight characters is too short
- DON’T use common pass phrases, such as “I like BBQ” – these are as easy to guess as single words
- DON’T use shared, open Wi-Fi, such as found in coffee shops and public places for anything that involves a user ID and password, in case it is sniffed
- DON’T connect to a router that’s using open access, WEP or WPA encryption. Instead use WPA2, or 3G/4G connectivity
- DO use a unique password for each site
- DO use a password keeper. LifeHacker has a nice article on its favorite five here… http://lifehacker.com/5529133/five-best-password-managers
- DO use non-alphabetic characters such as ?!$% in the password
- DO periodically change your password, and if possible ID. Many if not most public web sites and/or eCommerce sites do not require a periodic refresh of your password, so take it upon yourself to do so
- DO use a passphrase, rather than a password, and a fine strategy is to use a bunch of random words. It’s easy to remember, and the sheer length makes it hard to crack. XKCD offers a fine example in this cartoon… http://xkcd.com/936/
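To put numbers on the "sheer length" argument, here is an added example (not from the original post) that generates a random-word passphrase with a cryptographic RNG and compares its entropy, and the worst-case time to exhaust it offline, against a short complex password. The eight-word list and the guessing rate are constructed assumptions; the 2048-word and 7776-word list sizes are the XKCD and Diceware conventions.

```python
import math
import secrets

# Constructed toy word list for illustration only. A real list (XKCD assumes ~2048
# words, Diceware uses 7776) gives far more entropy per word, so list size is a parameter.
WORDS = ["correct", "horse", "battery", "staple", "cloud", "pencil", "river", "tiger"]


def passphrase_entropy_bits(num_words, list_size):
    """Entropy of num_words words drawn uniformly (with replacement) from list_size words."""
    return num_words * math.log2(list_size)


def password_entropy_bits(length, alphabet_size):
    """Entropy of `length` characters drawn uniformly from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case years to try every candidate at a given offline cracking rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(words, num_words, sep=" "):
    """Pick words with secrets.choice (CSPRNG), never the random module.

    Drawing with replacement keeps the entropy at exactly num_words * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def compare(guesses_per_second=1e9):
    """Return entropy and exhaust time for three schemes at an assumed offline rate
    (1e9 guesses/s is a constructed figure, plausible for fast unsalted hashes)."""
    schemes = {
        "8 chars, 95 printable": password_entropy_bits(8, 95),
        "4 words, 2048 list":    passphrase_entropy_bits(4, 2048),
        "6 words, 7776 list":    passphrase_entropy_bits(6, 7776),
    }
    return {name: (bits, years_to_exhaust(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(WORDS, 5))
    for name, (bits, years) in compare().items():
        print(f"{name:24s} {bits:6.1f} bits  {years:14.4f} years to exhaust")
```

The point the table makes is that length only helps when the words are chosen at random: the 44-bit XKCD example falls in hours against an offline attack at this rate, while six Diceware words hold up for millions of years.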
Remember to use separate and unique passwords for each site. Password re-use is your enemy.