This entry is part of the series Ten things you can do to improve IT security and reliability without spending money

The average person juggles dozens of passwords for accessing everything from social networking sites to their bank accounts. Given our increasing reliance on the internet via password-protected sites, it is worth reviewing some basics about passwords and how they should be managed. A password is a secret bit of information that allows you to prove to a web site that you are indeed yourself. There are many ways other than passwords to prove your identity online (biometrics, tokens, etc.), but passwords have the advantage of being simple to implement and easy to understand, so almost every site uses them.

The Basics

The key aspect of a password is that it is secret. Only you, and the site you are using, should know it. Anyone else who knows your passwords can do anything else online that you can, from reading your mail to draining your bank account. Thus, all good rules about managing passwords revolve around keeping your passwords secret.

How The Beans Get Spilled

To understand the best way to choose and maintain your passwords, let's quickly review the ways in which a password could stop being secret.

1) You give it away
2) Someone else gives it away for you
3) Someone guesses it

Giving Away Your Password: This method covers a lot of ground, from the post-it note on the monitor, to spyware on your computer capturing passwords as you type, to phishing attacks. The best defense against these is simply to be careful. Never reply to an email that claims to be from your bank, and never click a link in such a message. Never give technical support your password (they never need it). Don't keep your passwords written down or in a text file labeled "secret_passwords.txt" on your desktop. Don't share your password with others.

Someone Else Gives It Away: Basically, this boils down to hackers stealing your login information from one of the web sites you frequent, or a careless employee of that web site losing a laptop with usernames and passwords stored on it. While there is little you can do to prevent this from happening, you can take steps to reduce the damage. The key thing is to use *different* passwords for each site you access. That way, if Site A is hacked, the hackers can't take the same username and password and start trying it on popular sites B through Z. If Twitter loses your password, at least they won’t be losing your banking password.

Someone Guesses It: This method should influence your actual choice of passwords. Hackers have a very sophisticated set of tools available to them to attempt to guess your password, and given the speed of computers, they can guess thousands of passwords in a second. Since hackers are very, very good guessers, you should design your passwords to be resistant to guessing. Just like the infamous luggage lock code of 1-2-3-4, there are common passwords that every password guessing tool will try right away. A good password cracking tool can run through every combination of birthdays, months, years and first names faster than you can type your password, so avoid those. In fact, most hacking tools will run through the entire dictionary, so using real words is to be avoided as well. The best possible password is an extremely long string of random numbers and letters, with some punctuation thrown in. From a technical standpoint, this is a GREAT password:

          f25$$haPAsWacU!sta$8esWa9ruBr3%wRuSPUyu9uquswAbr6cEfrA9eyeR^6r*ufreyuw8

Reality Check

While that is a perfect password in theory, the reality is that no one can remember it. That means it will get written down, and if it is memorized, it will certainly be reused for every possible purpose, which rather defeats the point.

Compromise

A good password strategy needs to find a happy medium. You want to create passwords that are simple enough to remember even if you use a different one for each site, yet reasonably resistant to guessing. So what should you use to generate your passwords? One good password generation strategy involves taking some simple, easily remembered text and tacking on enough extra bits that it is hard to guess. Another good algorithm is to embed actual words, possibly linked to the site you are accessing, into a template.

For example, I might choose a template of

          $6<first word>*<SECONDWORD>!

and use this template for all of my passwords.

Now, my Facebook password might be

          $6social*FRIENDS!

while my bank password might be

          $6money*RICH!

For each site I only have to remember the two words for that site and my simple, but hard to guess, template. Yet I have accomplished my goals of making my passwords hard to guess and different across all my sites.
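The two ideas above, a password that resists the guesses a cracking tool tries first, and a template that yields a distinct password per site, can be checked in a few lines of code. The following is an added example written for this page, not code from the post's author. Its wordlists are tiny constructed stand-ins for the common-password and dictionary lists a real auditing tool would load, the length and character-class thresholds are my own assumptions, and the template and word pairs are the ones the post uses.

```python
import re
import string

# Constructed, deliberately tiny wordlists standing in for the lists a real
# auditing tool ships with (assumptions for this example, not real data).
COMMON_PASSWORDS = {"password", "password1", "123456", "1234", "qwerty", "letmein"}
DICTIONARY_WORDS = {"social", "friends", "money", "rich", "summer", "dragon", "welcome"}

# Digit-only strings of the lengths a year, DDMMYY or DDMMYYYY date would have.
DATE_RE = re.compile(r"^(?:\d{4}|\d{6}|\d{8})$")

# The template from the post: lowercase first word, uppercase second word.
TEMPLATE = "$6<first word>*<SECONDWORD>!"


def guess_resistance_issues(password: str, min_length: int = 12) -> list[str]:
    """Return the reasons a password is easy to guess; an empty list means it passed.

    Each check mirrors something the post says guessing tools try first:
    very common passwords, dates, dictionary words (with or without a few
    digits stuck on the end) and short or single-character-class strings.
    """
    issues = []
    lowered = password.lower()
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if lowered in COMMON_PASSWORDS:
        issues.append("appears in the common-password list")
    if DATE_RE.match(password):
        issues.append("looks like a year or date")
    # "summer2009" is still just the word "summer" to a cracker.
    if re.sub(r"\d+$", "", lowered) in DICTIONARY_WORDS:
        issues.append("is a dictionary word, possibly with trailing digits")
    classes_used = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes_used < 3:
        issues.append("uses fewer than three character classes")
    return issues


def template_password(template: str, first: str, second: str) -> str:
    """Fill the two placeholders of a template such as TEMPLATE above."""
    return (template.replace("<first word>", first.lower())
                    .replace("<SECONDWORD>", second.upper()))


def site_passwords(template: str, site_words: dict[str, tuple[str, str]]) -> dict[str, str]:
    """Build one password per site from its word pair and refuse any collisions,
    so a breach of one site never hands over the password for another."""
    generated = {site: template_password(template, first, second)
                 for site, (first, second) in site_words.items()}
    if len(set(generated.values())) != len(generated):
        raise ValueError("two sites would share a password; choose distinct word pairs")
    return generated


if __name__ == "__main__":
    # Constructed sample inputs: the post's own examples plus a few weak ones.
    for candidate in ["1234", "summer2009", "password1",
                      "f25$$haPAsWacU!sta$8esWa9ruBr3%wRuSPUyu9uquswAbr6cEfrA9eyeR^6r*ufreyuw8"]:
        problems = guess_resistance_issues(candidate)
        print(f"{candidate!r}: {'ok' if not problems else '; '.join(problems)}")
    for site, pw in site_passwords(TEMPLATE, {"facebook": ("social", "friends"),
                                              "bank": ("money", "rich")}).items():
        print(site, pw, guess_resistance_issues(pw))
```

Run as a script it flags "1234" as common, date-like and too short, flags "summer2009" as a dictionary word with digits appended, and passes both the 70-character random password and the two template passwords, while `site_passwords` raises if two sites were given the same word pair. The dictionary check only fires on a bare word (plus trailing digits), which is why "social" and "FRIENDS" embedded in the template are accepted: the template's symbols and mixed case are what keep the result out of a plain dictionary run.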

There are a bunch of other similar algorithms out there to accomplish this goal. Farhad Manjoo of Slate has another good one here:

http://www.slate.com/id/2223478/

Another concession to reality

To further simplify your password management, we can admit that not all sites are equally important. It is possible to divide sites into tiers based on what a hacker could do if she had your password. Access to sites like banking and email could allow a hacker to do a lot of damage. So could any site that stores your credit card (e.g. Amazon One-Click). But for things like commenting on someone's blog you could probably skip this whole process since the risk is low. Choosing one or two ‘easy’ passwords for temporary or non-critical purposes takes some pressure off, and reduces the temptation to reuse a secure password when such a need arises.

In a Nutshell

1) Don't give your passwords to anyone or write them down.

2) Use a different password for every site you access (except the really, really unimportant ones).

3) Use a password generation strategy to turn simple-to-remember phrases or key words into hard-to-guess passwords.