Psst… what’s the password?

December 2009

Passwords, PIN numbers and security access codes – they seem like the bane of 21st century living. It’s so easy to forget which combination goes with which web site or with which credit card. Remembering passwords is almost a skill in itself!

But with more and more of our lives going online, the first and foremost line of defence against unwanted intruders is the strength of our passwords.

DON’T PANIC!

I don’t want to scare you regarding the security of passwords – they’re essentially as safe as you want them to be. Short or long, guessable or random, it’s up to you.

While it’s true that the login page of almost any web site can be attacked by what’s called a ‘brute force’ or ‘dictionary’ attack (brute force tries every possible combination in turn; a dictionary attack works through a list of words and known passwords; both involve thousands upon thousands of guesses), the truth is that you’re very unlikely to be targeted specifically. In fact, you’re more likely to have your passwords guessed by those close around you than by someone anonymous over the internet.

Attempts to break into web site accounts happen every hour of every day on the internet, but the best defence is simply to use a strong password that’s committed to memory. The overwhelming majority of these attackers aren’t real people but other computers, running through a list of likely passwords: once they exhaust their list or their time limit without success, they move on. After all, if the password you use isn’t an obvious one, the next person on their list may well be using an obvious one. The internet is a big ocean to fish in.

Password styles from bad to good – where do yours stand?

The worst type of password is a variant of your own name. It’s convenient, sure, but it’s also the first thing anyone who knows you will try.

The next level of bad passwords is the ‘default’ ones: ‘default’, ‘password’, ‘123456’, or even ‘letmein’. Sure, they were once cute or memorable, but they now sit at the top of every attacker’s guessing list.

A single English word. A ‘dictionary attack’ literally goes through a dictionary of common words to see if one works. Choose some weird old words, some scientific ones, or anything totally unique to you and you alone and you should be OK against a short list, though bear in mind that the large wordlists attackers use contain obscure vocabulary too. Steer clear of football teams or the street you live on.

An English word with a couple of numbers tacked onto the end. Getting better, for sure. Each extra digit multiplies the attacker’s work by ten, so two digits tacked on mean another 100 possible combinations to try per common English word. You’re getting there. Don’t use your birth year, though – it’s very common, and it’s exactly the sort of number someone who knows you will try first.

Semi-random numbers and letters. We’re getting decent now. Anything that makes sense to you and you alone is AOK: 3bm3bmshtr (Three blind mice!). Don’t use your car license plate, though!

One assigned to you that you can’t change. Actually, the most painful, but also the very best ones to use. I still use two old passwords assigned to me at Uni waaaay back – they were hard to learn, but they contained numbers, letters and punctuation, and are now committed firmly to memory. The first step’s a doozy, but totally unguessable – only by brute brute force could one be discovered.

How to make passwords complex, yet easy to remember

A really simple way to make a semi-random password using both numbers and letters is to make a *pattern*. Rather than memorising a random string of characters, devise a repeating pattern on the keyboard. Play hopscotch down the numbers row, or hit keys in triangles or squares or circles until you have enough characters to fulfil the length requirement.

Don’t believe me? Well then, see how easy it is to type 4rfvgy7 or 12we45ty, yet how random they look on the surface. Simple and memorable, yet semi-random! The one caveat is that ‘semi’ matters: keyboard walks are a recognised password style, and password-cracking tools can generate them just as they generate dictionary words, so a pattern is a big step up from a single word but still a long way from a truly random string. The longer and less regular the walk, the better.
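To put the ladder above and the keyboard-pattern idea on one scale, here is an added example (my own illustration, not code from the article) that classifies a password into the styles described – personal fact, default password, single dictionary word, word plus digits, keyboard walk, or random-looking – and estimates how many guesses an attacker who targets that style has to make. The word lists, the assumed list sizes, the simplified keyboard layout and the sample user facts and passwords are all constructed for the example.

```python
"""Classify a password into the styles described in the article (personal
fact, default password, dictionary word, word plus digits, keyboard walk,
random-looking) and estimate the size of the search an attacker who targets
that style must make. log2 of that size is the familiar "bits" figure."""
import math
import re

# Constructed stand-ins for real cracking lists. The *_SIZE values are
# assumptions about how large the real lists are; only the ratio between
# styles matters for the comparison.
COMMON_WORDS = {"dragon", "monkey", "football", "sunshine", "welcome",
                "shadow", "master", "summer", "princess", "freedom"}
DEFAULT_PASSWORDS = {"default", "password", "123456", "letmein",
                     "qwerty", "admin"}
ASSUMED_WORDLIST_SIZE = 100_000       # entries in a real wordlist
ASSUMED_DEFAULT_LIST_SIZE = 10_000    # a "top 10,000 passwords" list
ASSUMED_PERSONAL_VARIANTS = 1_000     # spellings/mangles of one known fact

# Simplified US keyboard (letters and digits only). Rows are staggered by
# about half a key, so keys in neighbouring rows whose index differs by at
# most one are treated as touching.
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, i) for r, row in enumerate(KEY_ROWS)
           for i, ch in enumerate(row)}


def keys_adjacent(a, b):
    """True if a and b are the same key or touch on the simplified keyboard."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (ra, ia), (rb, ib) = KEY_POS[a], KEY_POS[b]
    return abs(ra - rb) <= 1 and abs(ia - ib) <= 1


def is_keyboard_walk(pw):
    """A walk is a string where every consecutive pair of keys touches."""
    pw = pw.lower()
    return len(pw) >= 4 and all(keys_adjacent(x, y) for x, y in zip(pw, pw[1:]))


def count_keyboard_walks(length):
    """Number of walks of exactly this length: the whole space an attacker
    generating keyboard patterns has to cover. Computed by dynamic
    programming over the adjacency graph rather than by enumeration."""
    ending_at = {k: 1 for k in KEY_POS}
    for _ in range(length - 1):
        ending_at = {k: sum(n for j, n in ending_at.items() if keys_adjacent(j, k))
                     for k in KEY_POS}
    return sum(ending_at.values())


def charset_size(pw):
    """Alphabet an attacker must assume for a password with no structure."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size


def classify(pw, personal_facts=()):
    """Return (style, estimated_guesses). personal_facts are strings someone
    who knows the user would try first: name, birth year, number plate."""
    low = pw.lower()
    for fact in personal_facts:
        if fact.lower() in low:
            return "personal", ASSUMED_PERSONAL_VARIANTS * len(personal_facts)
    if low in DEFAULT_PASSWORDS:
        return "default", ASSUMED_DEFAULT_LIST_SIZE
    m = re.fullmatch(r"([a-z]+)(\d*)", low)
    if m and m.group(1) in COMMON_WORDS:
        digits = len(m.group(2))
        if digits == 0:
            return "dictionary_word", ASSUMED_WORDLIST_SIZE
        # each appended digit multiplies the attacker's work by 10
        return "word_plus_digits", ASSUMED_WORDLIST_SIZE * 10 ** digits
    if is_keyboard_walk(low):
        return "keyboard_walk", count_keyboard_walks(len(low))
    return "random_looking", charset_size(pw) ** len(pw)


def bits(pw, personal_facts=()):
    """log2 of the estimated guesses: the usual strength figure."""
    return math.log2(classify(pw, personal_facts)[1])


if __name__ == "__main__":
    # Constructed sample user facts and passwords, one per rung of the ladder.
    facts = ("andrew", "1975")
    for pw in ["andrew", "password", "monkey", "monkey42", "Monkey1975",
               "4rfvgy7", "12we45ty", "3bm3bmshtr", "Kx7#pQ2!mZ"]:
        style, guesses = classify(pw, facts)
        print(f"{pw:12} {style:16} ~2^{math.log2(guesses):5.1f} guesses")
```

The interesting comparison is the keyboard walk: on this 36-key layout the number of seven-key walks is a few million, against tens of billions of seven-character strings drawn from the same alphabet, which is why a pattern counts as semi-random rather than random. The sizes are assumptions, so read the output as an ordering of the styles, not as a measurement.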

A good plan: build a hierarchy of passwords

My best piece of advice regarding the use of passwords is to keep one as a ‘good’ password – make it a really long pattern – and use it everywhere that you need a really secure password.

Then over time, maybe after a year or so, you’ll notice that you’ve been using your super-secure password for, well, web sites that didn’t really need to know it. See – you really shouldn’t be logging into the local pigeon fanciers’ web site with the same password that you log into your bank with, but that’s just how it happened.

So… break out a new top-level super-secure password, and begin using that for all mission-critical stuff and for all new password requests. Keep your former super-secure password, but it now gets relegated to second spot in your security ladder.

Then when you go to a web site that you should have access to, and your password is wrong, all you have to do is remember the most recent two or three ‘secure’ passwords you’ve been using – it’s sure to be one of them.

In this fashion, you’ll end up with a small number of places using your top-level, super-secure password; a wider range using last year’s secure password; and a whole plethora of old web sites using your old password.

The most important sites you visit will have the least-known password, whereas the pigeon fanciers’ web site can survive with the old fallback. The catch with sharing a password across a tier is that a break-in at any one site in that tier hands the attacker the password for every other site in it, so if a site you’ve used a password on is compromised, treat that password as burnt and retire it down the ladder straight away.

I guess in the CIA it’d be called compartmentalisation, but for folks like you and me, it’s just easier to use two or three passwords for 95% of the many hundreds of web sites we use than to remember many hundreds of passwords.

—–

Need more help? Let me know if you need to know more on this topic, and I’ll do my best to either answer your questions directly, or I’ll compile them for a follow-up on another aspect of online security.

AB out

Andrew Ballard runs ReBusiness.com.au, a marketing/IT/design consultancy based in Geelong, Victoria.
