PASSWORDS - For Normal People
YOUR PASSWORDS MAY BE LEAVING YOU OPEN TO GETTING ROBBED.
In this summary, I'm going to try to explain the why and the how of making good passwords, hopefully in such a way that most anyone can understand it.
I'll present this in just four sections:
My hope in creating this page is that after reading it, you will understand why good passwords are so important, how to create good ones, and be able to use helper programs to make it easy to have good password security.
The best reason to use a different password on EVERY website is that if you don't, you're vulnerable.
How? Vulnerable to identity theft, for one. Vulnerable to someone getting into an online store and ordering something in your name and having it shipped somewhere else. Vulnerable to spammers sending out ads for distasteful products from your email account. Vulnerable to people running up debt on your credit cards, or even getting into your bank accounts and stealing your money, or taking out loans in your name.
Ask anyone who's had it happen to them - having your any of your passwords stolen or cracked is not a good thing.
People who don't know any better, or those who do but are lazy, tend to use an easy-to-remember password, and frequently use the same password on every website.
There's an excellent article in the Windows Secrets Newsletter, "The Thousand-Dollar Penalty For Reusing Passwords." You can read that article here.
Right up front, I'll say this: you really don't have to choose.
The main reason for password security is to keep people out of your private online dealings, right? Make no mistake, there are hundreds of slimeball people out there trying to get IN to your online dealings, most of them out to steal from you somehow. If they get your passwords, you're sunk.
How do they go about getting your passwords? There are several ways.
(1) They get them by subterfuge. One way of doing this is they sneak into your house or your office when you're not there, sometimes even when you are, and look for where you have them written down. The solution? Don't write down your passwords. EVER. Repeat: do not ever commit any of your passwords to paper, or to any unsecure computer file, no matter where it is. If you have to put it into a computer file, the best way is to use one of the password keeper programs listed below. It's also possible (but not advisable) to put them into an encrypted MS Word document (Word version 2007 or later is much more secure than earlier versions), or some other well-encrypted filing system. Since this isn't a treatise on encryption, I'm going to leave it at merely this: don't EVER write down your passwords.
Another way they can get your passwords through subterfuge is something called "social engineering." This is when they fool you into giving them your password.
Your phone rings. "Hello, this is Bob."
Voice: "Bob, this is Stu Baker in the IT department. We're just about to reinstall an upgrade module for the operating system, and we want to make sure everyone can get back on the system after the install. Can you please confirm your password is bob1234kathy?"
You: "No, that's never been my password."
Voice: "Oh, you changed it? What is it now, please?"
You: "Yes, I changed it last month, as required. Now it's bobandkathy88494."
Voice: "Oh, right. I see it now. Thanks. We'll be doing the installation at 11PM tonight. If you can't log on in the morning, just give us a call and we'll fix it for you."
You: "Okay, thanks." Click.
You've just been socially engineered out of your password. You were put at ease because they used the name of someone in the IT department, and they had found out your wife's name (you'd be amazed what's available online) and put it into the bogus password they asked you about.
The bottom line about preventing people from getting your password through subterfuge is (a) never write down your passwords - ever; and (b) never, NEVER give out your password to anyone, especially over the phone. Sure, there are exceptions, but realize that if you make an exception, you're making yourself vulnerable.
(2) The second way people can get your passwords is through guessing them.
The most common password in the world is "12345678" (or however many digits are necessary) - is that yours? If so, you could be sunk.
Other common passwords are "password," "qwerty," "abc123," "11111," "monkey," "consumer," and variations on those.
It's easy to find lists of the most common passwords used on the internet. There's a good article on that here. Do you honestly believe someone intent on cracking into your accounts won't try all of those?
Besides the error of using common passwords, people also make the mistake of using names of family members, birthdays, social security numbers, addresses, and other personal but easily available information.
Make no mistake, if criminals are intent on breaking into your online accounts, they will get this information and more, and they will try all variants of it.
Criminals will use any and all of these techniques to try to guess your passwords, so if you've used any variation on the above, you could be sunk.
Don't think being clever by using symbols instead of letters is any more secure - such as using "$ylve5ter" instead of "sylvester" - believe me, criminals know this, too. They'll try those variations.
If they can't get your password by guessing it themselves, they'll get a computer to help. That's the next topic.
(3) The third way people can get your passwords is to have a computer guess them. Computers are dumb - they only do what we tell them to. But they're fast. Amazingly, blazingly fast. They can try out more passwords in one second that you could type in a year, working 24/7.
This is called "brute force" password cracking, and yes, there are some criminals out there (usually not in the U.S.) that own super-powerful computers, computers that can try not just millions of operations per second, but billions, and yes, even thousands of trillions of operations per second. Don't believe this? Check out the Cray XK6, capable of 50 petaflops.
(Note: some websites lock out all access to your account for a period of time after a certain number of failed logon attempts. This is good, but it's not something we can control, so we don't address it here.)
Brute force means they try every possible combination of characters until they find the one that lets them in to your account.
(4) Yet another way criminals can get your password is through leaks. All of us have heard of major corporations "losing" a disk drive that contained users' account information, or teenage crackers in some middle-European country breaking into a corporate database and publishing their customers' login information to underground websites. Disgruntled employees, even dishonest businesses can gather your information and share it with people who shouldn't have it.
In view of this, how can you possibly keep people from getting or guessing your password, and still have a password that's usable, one that doesn't get in your way?
First, make the password as long as the website will accept, a minimum of 24 characters would be good. Yes, you can use any combination of letters, numbers, and symbols, and you should, because computer guessing programs generally go for known words first.
If the website limits the number of characters you are allowed to use as a password, use all they will allow, and make them random. Don't worry about trying to remember the password, but instead, use a program to help you. More on that below, in the section on Password Keeper Programs.
There's a pretty good (but somewhat esoteric) cartoon illustrating the difference between short-but-cryptic and long-but-clear passwords here. The tagline for the cartoon is, "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."
Finally, be sure not to violate rule #1: Use a different password on every website. This way, even if they do get one of your passwords through theft or brute force, that's the only one they will have.
Most "password gurus" will tell you it's better to have a string of random characters as a password, but that's just not true (if the string is shorter) when it comes to preventing brute force attacks.
To see this for yourself, go to the Gibson Research Corporation's website and use their "Password Haystack" tool. (Steve Gibson is one of the world's foremost authorities on computers, security, and hard disks.)
This Haystack tool calculates the time it would take for the world's fastest computers to crack the password you enter, using brute force.
To give you an idea of the difference between the time it would take a brute force attack to crack a cryptic but shorter password as opposed to a longer but simpler one, consider this comparison (using a networked set of powerful computers called a "massive cracking array"):
Password Time To Crack $y1ve5ter 6.00 minutes mockingbird trumpet17 1.33 thousand trillion centuries
Go to the Gibson Research Haystack tool and try it for yourself here.
When people first hear they should use a different password on every website, the typical reaction is, "Oh, no! I can't even remember the password for ONE site, let alone all the sites I use!"
Fortunately, you don't have to remember a dozen, or a hundred, or more (in my case). You only have to remember one - the one to get into your password keeper program.
When I first realized I'd need help remembering passwords, I started with a free program that I won't mention here because it wasn't very good. I then moved to KeePass. My son (a computer guru in his own right) uses LastPass and says he would never use anything else. Other experts recommend both of these, as well as RoboForm.
I'll tell you a bit about each.
Keepass Password Safe. (website here) for PCs, or
KeepassX (website here) for Macs.
Note: This writeup is principally about Keepass, since that was the original program; however, everything described here applies to KeepassX as well. Please go to the respective web sites for more information on what each program does.
The Keepass website says it will also run under mono, which means it will run under Mac OSX, BSD, and LINUX. We have not yet verified this, but you are welcome to do so..
For an iPhone/iPad compatible app, search the app store for KyPass.
This password keeper program is FREE and open-source. It uses 256-bit AES encryption (the same level used by banks) to keep your data file safe. It allows you to set up folders so you can sort your entries as you wish, and it has an instantaneous search capability, such that you can put in any word - website address, login ID, any word in the comments area of the entry, and all matches appear immediately. I have never had to spend more than a second or two to find any entry. It stores your information in a .kdb (Keepass DataBase) file, which is a common and open source format.
These files are readable by other password keeper programs, such as KyPass for the iPhone and iPad. This means I can put the KDB file into the DropBox folder on my computer, and get to my passwords anywhere I want, any time I want, from my iPhone, iPad, or some other computer. This has come in handy a number of times already. If you want a randomly gnerated password, KeePass will make one for you. KeePass has won over sixty awards for being the "best of" in various categories.
LastPass (website here) This password keeper/helper program has a FREE version and a Premium version ($12/yr at this writing). The main differences between the free and paid versions are the paid version allows you to sync with a mobile app; and it allows importing data from other password keeper programs. According to their website, LastPass offers automatic form filling, one-click logon to websites, seamless integration with all major browsers, secure notes, secure backup and restore online, a secure random password generator, an on-screen keyboard (protection against keyloggers if you're using a strange computer, such as in an internet cafe), and phishing protection. If I were looking for a password keeper program to start with today, I'd probably pick this one.
RoboForm (website here) They have a free version, but it is limited to 10 logins, very likely not enough for any serious web user. Roboform provides password managment and form filling. They have several versions: (1) the Roboform Everywhere license, which costs $10 for the first year and $20 in subsequent years; this license is good for using their software on multiple computers, including PCs, Macs, and mobile devices. It stores your (encrypted) information on their servers (in the cloud.) (2) A desktop version runs $30 (free 30-day trial) and keeps your information on your hard disk. (3) A "2go" version works on a USB drive. This software is the darling of a large number of knowledgeable computer experts, having won over 50 awards, and garnering many rave reviews by people who know what they're talking about. For example, it won the "spectacular" rating from CNET editors. You can read their review here. The review from PC Magazine (here) says the program is extremely easy to learn and use, and will work on pretty much any computer and any browser.
There are certainly plenty of other password keeper programs, but these are the ones I know about, and the ones that are most well-known.
In summary, it really doesn't take a photographic memory or a genius-level intelligence to use good password procedures. It only takes self-discipline.
If you can force yourself to get into the habit of using good, long passwords, a different one for every site you visit, and into the habit of using a good password keeper program, then you will reduce your online vulnerability manyfold.