
Tips for creating and maintaining strong passwords

In this article, I’ll be sharing some of the information that I’ve picked up over the years. I am by no means a computer security expert. All I can really attempt to do is offer you some basic tips in the hope that you will upgrade your security habits. It is important to realize that no one out there is safe. You can assume that a persistent hacker will eventually gain access to anything, given enough time. You should only hope to make yourself such a difficult target that it would just be easier for the hacker to attack someone else. =]

If you want to know how your password can be cracked, just ask any 8 year old kid. I’m kidding – but honestly the problem is that most kids these days know exactly what illegal things can be done and how to do them. Meanwhile, most of the adults using computers are absolutely clueless when it comes to protecting their information. Even government employees (*cough*Sarah Palin*cough*) conduct their daily business with lackadaisical security efforts. Usually it’s the people who possess a lot of information worth protecting that don’t know the first thing about security.

STOP – I suggest that you read this other article on how criminals get your passwords before reading this post. If at any point while reading this you become frustrated and think that this is all too much nonsense, you are probably the type of person who needs to read everything in this post – so pay attention.

Phishing & Keyloggers

These threats usually rely on your gullibility. There are two programs that I highly recommend you arm yourself with. I believe that AVG Internet Security (read my post on AVG’s Internet Security software) and RoboForm (read my post on Siber System’s RoboForm software) are incredibly useful tools. I use both of these programs on a daily basis and they have both saved me many headaches. AVG checks all of my incoming emails for viruses, keyloggers, likely phishing scams and other goodies. Should I accidentally find myself on a phishing website, RoboForm won’t let me accidentally fill forms with my precious information.

There are millions of spam messages out there leading users to thousands of phishing sites. These sites are usually only up for a few days before they get shut down, but are constantly evolving. The stories vary but once you learn to spot one type of phishing scheme, you’ll probably notice all of the rest. Even without the helpful software that I mentioned, if you keep the following things in mind, hopefully you won’t be a victim.

URL or Web Address

Do not click any links that you have received from suspicious sources with suspicious stories. If you’ve been notified of an account problem, you can always call the company to make sure. If you want to login to your account, you can use a bookmark that you’ve used before or type the web address as you normally would. Don’t click the link in the email or instant message and don’t type that link either. Always verify the URL or web address of a page that you’re visiting, before you submit any personal information. Big companies generally won’t operate websites with an IP address as their URL. If you’re visiting a website and it says something like http://209.85.171.100/ in the address bar, you should be careful about submitting any personal information. You might think that you’re visiting bestbuy.com if you saw something like this ‘www.bestbuy.com.ww2.us‘ in your address bar, but you’d actually be on the ww2.us server.
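The two address-bar checks described above, as an added example that is not part of the original post: it pulls the hostname out of a URL, flags a bare IP address, and flags a hostname where the expected domain only appears as a prefix (the ‘www.bestbuy.com.ww2.us’ trick). The two-label registrable-domain rule is an assumption for illustration; it ignores suffixes like ‘co.uk’.

```python
# Added example (not from the original post): checks a URL the way the
# article advises, before anything is typed into the page.
from ipaddress import ip_address
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (e.g. 'bestbuy.com').

    Assumption: a two-label suffix. Multi-part public suffixes such as
    'co.uk' are not handled; a real checker would look them up.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str, expected_domain: str) -> str:
    """Classify a URL as 'ok', 'ip-address' or 'lookalike' relative to the
    domain the user believes they are visiting."""
    host = urlsplit(url).hostname or ""
    try:
        ip_address(host)
        return "ip-address"      # bare IP in the address bar: be careful
    except ValueError:
        pass
    if registrable_domain(host) == expected_domain.lower():
        return "ok"
    # the expected name may appear, but only as a prefix of another domain
    return "lookalike"


if __name__ == "__main__":
    # Constructed inputs, taken from the article's own examples
    for u in ("https://www.bestbuy.com/account",
              "http://www.bestbuy.com.ww2.us/login",
              "http://209.85.171.100/"):
        print(u, "->", check_url(u, "bestbuy.com"))
```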

Spam Mail & File Downloads

Do not download any programs attached to your emails – unless you trust the source and know that they have scanned their files for any malicious software. An executable, no matter how small, can do serious damage to your computer or track your activity. Do not reply to any emails from princes in other countries who have boatloads of money waiting for you. And please don’t send them any of your hard earned money either.

Stronger Passwords

If you’ve read my article about common password cracking methods, you should know all about the brute force method, dictionary attacks and making educated guesses. Once again, I’m going to suggest that you look into getting yourself a copy of RoboForm – as it will save you a lot of trouble. It generates secure passwords and remembers all of them for you.

Safety in numbers

The longer your password is, the more secure it will be. Just imagine trying to guess a password that is 1 character in length and consists of a number between 0 and 9 – pretty easy right? There would only be 10 possibilities; but now imagine trying to systematically solve a password that is 20 characters long. Each character would have the same range of numbers (from 0 to 9) but arriving at the perfect combination of all 20 characters leaves us with 100,000,000,000,000,000,000 (10^20 or one hundred quintillion) possibilities.

While computers make it easier to systematically attack all of these possibilities – it all comes down to a matter of time. The point is that choosing a long password will cost an attacker a great deal of time. Keep in mind that the attacker probably wouldn’t know the exact length of your password. This means that they would have to start guessing from passwords with only a few characters, all the way up to those with 20 characters – which ends up adding another 11 quintillion possibilities to the mix. When you start adding symbols, punctuation, lower-case letters and upper-case letters to the simple 0 through 9 range that we were using – the possibilities become even more ludicrous.
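The arithmetic behind those figures, as an added example that is not part of the original post: the exact-length count is simply alphabet size to the power of length, and the extra work for an attacker who does not know the length is the sum over every shorter length. The guess rate is an assumed number for illustration only.

```python
# Added example (not from the original post): the search-space arithmetic
# behind the article's figures, for any alphabet size and length range.

GUESSES_PER_SECOND = 1_000_000_000  # assumed attacker speed, for illustration only


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def cumulative_keyspace(alphabet_size: int, max_length: int) -> int:
    """Passwords of length 1..max_length, which is what an attacker who does
    not know the length must cover: a geometric series."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def worst_case_years(alphabet_size: int, max_length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Time to exhaust every length up to max_length at `rate` guesses/s."""
    seconds = cumulative_keyspace(alphabet_size, max_length) / rate
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    digits = keyspace(10, 20)                      # the article's 10^20
    extra = cumulative_keyspace(10, 20) - digits   # lengths 1..19
    print(f"20 digits: {digits:,}")
    print(f"unknown length adds: {extra:,}")
    for name, size in (("digits", 10), ("lower+digits", 36),
                       ("full printable", 95)):
        print(f"{name:15} 20 chars: {worst_case_years(size, 20):.3g} years")
```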

Characters galore

Try to use as many different types of characters as possible. Some websites don’t allow you to use punctuation (like `, ; and “) or special symbols (like #,$ and %) – but whenever they are allowed, use them! No one is likely to guess that your password is +@wEd&.nJ(uF[4=Nr/’- (this is a random 20 character password generated with RoboForm) and attempting to brute force it will take a bunch of computers or a lot of time.

The ‘Don’t Do It’ Section

Don’t use a word and then replace the letters with numbers or symbols. For example: tH!sP@$5w0rD is more secure than tHIsPaSSwOrD but you’re still using words and words are weak. The letter A is commonly replaced with @, O is commonly replaced with 0, I is commonly replaced with 1 or !, E with 3 and so on and so forth. This is predictable and can be added as a simple variation to common words during a dictionary attack.
Don’t choose a word that is somehow related to you in any way. Don’t reverse the word, don’t capitalize it – DO NOT use a word that is related to you – period.
Don’t use any words that can be found in an English dictionary or any foreign dictionaries.
Don’t make a password out of any names, initials, streets, dates, telephone numbers, driver’s license numbers, license plate numbers, or anything else that just popped into your head right now.
Don’t use any cute sequences on the keyboard that are easy to remember. For example, do not use QWERTY, ASDFGH and so on.
Get it through your head already: taking a simple password or theme and making a slight change or some sort of variation still results in a weak password!
Don’t use any of the examples that you’ve seen in this article or any other password related post.
Don’t tell anyone your password. Don’t put your password in an email. Don’t offer hints to anyone about what your password might be.
Don’t share your computer with anyone that you don’t trust. If you have to share, consider setting up a restricted login account for guests.
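The substitution point above in code, as an added example that is not part of the original post: a sign-up form can undo the predictable swaps (@ for A, 0 for O, ! or 1 for I, 3 for E, and so on) before checking a password against a dictionary, so tH!sP@$5w0rD is rejected just like tHIsPaSSwOrD. The tiny wordlist is a constructed stand-in for a real dictionary file.

```python
# Added example (not from the original post): the kind of check a sign-up
# form could run to reject "word with substitutions" passwords.

# The swaps the article lists, plus a couple of equally common ones
LEET = {"@": "a", "4": "a", "0": "o", "1": "i", "!": "i", "3": "e",
        "$": "s", "5": "s", "7": "t"}
# Constructed mini wordlist; a real checker would load a dictionary file.
WORDLIST = {"this", "password", "sugar", "medicine"}


def unleet(password: str) -> str:
    """Undo the common symbol-for-letter swaps and lower-case the result."""
    return "".join(LEET.get(ch, ch) for ch in password).lower()


def dictionary_words_in(password: str, words=WORDLIST, min_len: int = 4) -> list:
    """Return every dictionary word found inside the de-leeted password,
    so 'tH!sP@$5w0rD' still reads as 'this' + 'password'."""
    plain = unleet(password)
    found = []
    for start in range(len(plain)):
        for end in range(start + min_len, len(plain) + 1):
            if plain[start:end] in words:
                found.append(plain[start:end])
    return found


def is_word_based(password: str) -> bool:
    """True when the password is built from dictionary words, with or
    without the predictable substitutions."""
    return bool(dictionary_words_in(password))


if __name__ == "__main__":
    for pw in ("tHIsPaSSwOrD", "tH!sP@$5w0rD", "A5*sHtM6D"):
        print(pw, "->", unleet(pw), dictionary_words_in(pw))
```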

Different Passwords for Different Accounts

Yes, you have to. This is the biggest problem for everyone; nobody wants to have all these different passwords for a bunch of different accounts. As I’ve been telling you, you need to get yourself a password manager and it will all be easy after that.

Imagine how stupid you’re going to feel when someone gets your password for your eBay account somehow. Then that crook gets some smart idea to go see if you use the same login information for PayPal. I’ll bet that the criminal was surprised to find out that not only do you use the same login information for PayPal but for all of the bank accounts and email accounts that are linked to your PayPal account.

Upgrading Your Stupid Password

As I’ve said in the ‘Don’t Do It’ section, I’d rather you not choose a word and replace certain letters or vowels with numbers or symbols. If you are going to stick with one password for all of your accounts but want it to be strong, try this. Think of a line or phrase that is very easy for you to remember but isn’t connected to your life in any way. For example, the phrase ‘A Spoonful Of Sugar Helps The Medicine Go Down’ might be easy – so now you would abbreviate this phrase. ASOSHTMGD isn’t a word, so it’s already somewhat strong. It’s also more than 8 characters in length – so that’s good. Now, if you can manage it, try to get a good mix of lower-case and upper-case letters, numbers and symbols in this abbreviation, perhaps A5*sHtM6D. You’ll just have to see how it works with your own special phrase; try a couple of different ones.

Assigned Logins and Passwords

Never accept a generic login or password that was assigned to you by a website. If you’re setting up a blog or something and you’re given the username of ‘admin’ or something similar – you need to change it. Likewise, if you just entered your email address as part of the sign up process for some new account and then the website sent you an email with a password in it that they set up for you – you need to go login to that account and change your password.

Your Username is a Password

Your login usually consists of two parts – your username and your password. If you use the same username everywhere that you go – the criminals only have to work on getting / guessing your password. I recommend that you vary your username from account to account whenever possible. This will keep the crooks guessing and working twice as hard to gain access to your data.

Final Ramblings

I guess most people prefer a weak password that is easy to remember over a secure password that is hard to remember. This makes a little sense, considering that a strong password isn’t any good if the user isn’t able to remember it; however, you must keep in mind that a weak password doesn’t really protect your information.

I recommend that you always use a randomly generated password for each online account. Each account that you create should have a completely different password. These passwords should be the maximum length allowed by the website that you’re creating an account with. Your passwords should contain a good mix of lower-case and upper-case letters, numbers, symbols and punctuation. If some of these characters are not accepted, use as many different characters as is allowed by the website. Use RoboForm to remember all of your passwords and complete all of your logins with one simple click.

For security questions, I suggest that you answer them with the same type of randomly generated passwords as described above. Again, use RoboForm to save these answers in a SafeNote or have RoboForm automatically fill the answers for each security question whenever you’re prompted.
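The two recommendations above (a random password at the site’s maximum length using every allowed character class, and the same treatment for security-question answers) as an added example that is not part of the original post or of RoboForm: it draws from the OS random source, drops whatever characters a site rejects, and guarantees at least one character from each class that remains.

```python
# Added example (not from the original post): generating the per-site random
# password or security answer the article recommends, using the OS random
# source (`secrets`) rather than the predictable `random` module.
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def generate(length: int, disallowed: str = "") -> str:
    """Return `length` random characters drawn from every class the site
    accepts, with at least one character from each class that still has
    allowed characters once `disallowed` (the site's banned set) is removed."""
    allowed = {name: "".join(c for c in chars if c not in disallowed)
               for name, chars in CLASSES.items()}
    allowed = {n: c for n, c in allowed.items() if c}
    if length < len(allowed):
        raise ValueError("length too short to include every class")
    pool = "".join(allowed.values())
    # one guaranteed character per class, the rest from the whole pool
    chars = [secrets.choice(c) for c in allowed.values()]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so class positions are not fixed
    return "".join(chars)


def has_every_class(password: str, disallowed: str = "") -> bool:
    """Check that a password contains at least one character of every
    class that remains allowed for the site."""
    for chars in CLASSES.values():
        remaining = set(chars) - set(disallowed)
        if remaining and not remaining & set(password):
            return False
    return True


if __name__ == "__main__":
    print(generate(20))                                  # site allows everything
    print(generate(16, disallowed=string.punctuation))  # site bans punctuation
```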

If you’ve been using one password for everything, this might sound very complicated but with RoboForm it’s all very simple and way more secure. You should download your free version of RoboForm right now. Or at least read my detailed article on RoboForm and its many uses.

Link to this Article:
http://www.randomlywriting.com/technology/tips-for-creating-and-maintaining-strong-passwords/