Who’s Got the Password?

Bad password on a little yellow sticky

What password guidelines are you given?

  1. 87 characters long
  2. No words, only gobbledygook
  3. Upper & lower case, numbers, symbols
  4. Change it every 27 minutes
  5. Don’t use symbols
  6. Use a different password everywhere
  7. Don’t write it down
  8. and…Make it easy to remember!

Let’s look at each of these recommendations:

  1. Length:  Longer is better, if you can remember it.  Passwords of 12 or more characters are much harder to crack, including with precomputed (pre-cracked) tables.
  2. Dictionary Words:  To remember your password you’ll either have to use dictionary words (more than one so it’s not trivially easy to break), a personal algorithm (easy to remember but hard to guess), or a password manager (you can have hideously complex passwords, but not need to remember them).
  3. Upper/Lower/Numbers/Symbols:  Many sites will force you to use 3 or more categories so that you can’t be easily defeated by brute force guessing.
  4. Changing it:  This is a huge pain, but not much gain.  Frequent changes probably tempt you into using little yellow stickies.
  5. Don’t Use Symbols:  Strange as it sounds, some financial institutions limit good passwords, often so that you can use a phone keypad to enter your password.
  6. Use a different one everywhere:  Horrifying as this sounds, there are good reasons to have different passwords.  Many websites store your passwords unencrypted, and if they get hacked, you don’t want your one password to become public domain.  A personal algorithm (see above) allows you to have different passwords AND remember them.
  7. Don’t Write it Down:  What if you have 200 passwords?  If you feel you must write them down, use password reminders, not the actual password.  A password manager is a way to have your cake and eat it too.
  8. Make it easy to remember:  This sounds cruel after all the other requirements thrown at you.  Once again, pass phrases and personal algorithms help a lot, and password managers mean you don’t have to remember all of them.
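The checks in the list above, written out as a small password evaluator (an added example, not code from the original post). The common-password list here is a constructed stand-in, and the passphrase exemption (four or more words, 20+ characters, fewer categories required) is my assumption about how to reconcile rules 1, 3 and 8.

```python
import math
import re

# Constructed stand-in for a "most common passwords" list; a real check
# would load a full breached-password list (many thousands of entries).
COMMON_PASSWORDS = {"password", "123456", "letmein", "porsche", "qwerty", "abc123"}

# Printable-ASCII alphabet sizes per character category
# (the 33 symbols include the space character).
CATEGORY_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def categories(pw):
    """Return the set of character categories present in the password."""
    found = set()
    for ch in pw:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("symbol")
    return found


def search_space_bits(pw):
    """log2 of the number of guesses needed to exhaust all strings of this
    length over the categories actually used (why rule 1 matters most)."""
    alphabet = sum(CATEGORY_SIZES[c] for c in categories(pw))
    return len(pw) * math.log2(alphabet)


def evaluate_password(pw, min_length=12, min_categories=3):
    """Apply the post's rules: not a common password, at least min_length,
    and at least min_categories of the four classes, unless the password is
    a multi-word passphrase (assumed exemption: its strength comes from length)."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    cats = categories(pw)
    is_passphrase = len(re.findall(r"[A-Za-z]+", pw)) >= 4 and len(pw) >= 20
    if len(cats) < min_categories and not is_passphrase:
        problems.append(f"uses {len(cats)} of 4 character categories (need {min_categories})")
    return {"ok": not problems, "problems": problems,
            "categories": sorted(cats), "bits": round(search_space_bits(pw), 1)}
```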

Common Sense Tips:

  • Never use cutesy passwords such as “password”, “123456”, “letmein”, a birthday, or “porsche”.  Those are in the 500 most common passwords and are trivial to break.
  • Put a password on your laptop.  If it gets stolen you don’t want the thief to own your information.  Admittedly, a tech savvy thief could steal some information anyway, but defending against 95% of thieves is still not bad.
  • Have your screen saver lock automatically so the password does you some good.
  • There is no perfect defense, but a little bit of work makes you much safer.


1 thought on “Who’s Got the Password?”

  1. With as many websites that require 87 characters and variable species of characters, how the heck are the top 500 passwords less than 7? Oh, by the way, I so can’t remember my password; maybe if I switch to binary…
