Today is actually World Password Day – May 3 – so it’s a great time to talk about how to choose passwords and ensure you have maximal privacy and security on your online accounts. Let’s talk about it…
When you work in the security space, you’re constantly amazed at how bad humans are at picking complex passwords and ensuring the security of their online accounts and systems. It seems hard to imagine, but passwords like 12345678 and asdfghjkl are astonishingly common. Not only that, the same is true of way too many consumer electronics devices, where Bluetooth pairing is done by entering 0000 or 1111 as the security code. Your home devices aren’t immune either: way too many routers have “admin” as the administrative account with the word “password” as the password. And that controls access to your entire home network!
Heck, Keeper Security analyzed millions of passwords and ascertained that the ten most commonly used “security” passwords are:
- 123456
- 123456789
- qwerty
- 12345678
- 111111
- 1234567890
- 1234567
- password
- 123123
- 987654321
Do I even need to say that those are ghastly, horrible, no good passwords and that if you’re using something like that, you might as well just post your account credentials to the net at large – and the dark web – so that you save hackers the less than one second it takes to break into your account?
So let’s review good password selection. First off, imagine that you have a bunch of boxes, one that’s just upper case letters like ABCDEF, one that’s lower case letters, one that’s digits and another one that’s punctuation. Your goal with any password you use is to have at least one from each of these boxes represented, ideally two or three of each. That’s a simple strategy to make your passwords dramatically more secure. Easy, right?
Now, for bonus points longer is always better with passwords. As Keeper Security CEO Darren Guccione says regarding six-character passwords: “today’s brute-force cracking software and hardware can unscramble those passwords in seconds.” So aim for at least 10 characters.
None of which means you can’t also have mnemonics to help make things easier to remember. Because, as Ready Player One neatly demonstrates, having your password on a post-it stuck to your computer system isn’t very good security even if you have a good password. Which is a bit ironic, because the villain Nolan Sorrento’s password was actually pretty good, if a bit short: B055man69.
He’s demonstrating some good strategy, though, particularly using digits that “look like” letters as a mnemonic. His password is “bossman69” with a few simple substitutions. Then again, if we can see the substitutions, so can hackers who can add “replace S with 5, try again” to their code.
One strategy I like for passwords is to take a favorite phrase or motto and make a few substitutions to mix it up a bit. For example, from the great midnight movie Buckaroo Banzai comes the phrase “hey, hey, don’t be mean.” That can be turned into a good password by having every other word capitalized – hey, HEY, don’t BE mean. – a few words mushed together, and a letter or two replaced by digits (notice there’s already punctuation, both spaces, commas, an apostrophe and a period). This becomes the nice, long, and complex:
hey, H3Y, d0n’t Bm3an.
See how we got there? And it’s still easy to remember while darn hard to guess or crack. Even better, consider using one of the solid commercial password management programs like 1Password or, yes, Keeper Security. Finally, if the service has 2-step verification or authentication, sign up and use it. You’ll need your smartphone near you to receive text messages when logging in, but bad guys won’t have that access even if they do guess your password! There are a lot of services that support it now, and I have tutorials on how to get started with quite a few, including: Amazon, Dropbox, Instagram, Pinterest, Google and PayPal.
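To make the advice above concrete, here is a small password evaluator I have added as an illustration; it is not code from the original post. It checks the four “boxes” (upper, lower, digits, punctuation), the 10-character minimum, membership in the Keeper Security top-ten list quoted above, and, following the “replace S with 5, try again” point, whether undoing the look-alike substitutions and stripping trailing digits leaves an ordinary dictionary word. The dictionary and the substitution table are constructed for the example; a real deployment would load a large wordlist.

```python
import math
import re

# The ten most common passwords quoted in the post (lowercased for comparison).
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111",
    "1234567890", "1234567", "password", "123123", "987654321",
}

# Constructed mini dictionary; a real checker would load a large wordlist.
DICTIONARY_WORDS = {"password", "bossman", "qwerty", "admin", "letmein"}

# Digits and symbols that "look like" letters, undone before the dictionary check.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})

# One regex per "box" of characters the post describes.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "punct": re.compile(r"[^A-Za-z0-9]"),
}
# Alphabet sizes for printable ASCII, used for the naive keyspace estimate.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "punct": 33}


def classes_present(pw):
    """Return the set of character classes that appear at least once."""
    return {name for rx_name, rx in CLASSES.items() for name in [rx_name] if rx.search(pw)}


def naive_entropy_bits(pw):
    """Bits of work for a brute-force attacker who must try every string of this
    length over the classes present. Overestimates badly for dictionary words."""
    alphabet = sum(CLASS_SIZES[c] for c in classes_present(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def normalize_leet(pw):
    """Lowercase and undo look-alike substitutions: 'B055man69' -> 'bossman69'."""
    return pw.lower().translate(LEET_MAP)


def dictionary_core(pw):
    """Return the dictionary word hiding under substitutions plus trailing digits, or None."""
    core = normalize_leet(pw).rstrip("0123456789")
    return core if core in DICTIONARY_WORDS else None


def evaluate(pw, min_length=10):
    """Apply the post's rules and report every problem found."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = set(CLASSES) - classes_present(pw)
    if missing:
        problems.append("missing classes: " + ", ".join(sorted(missing)))
    word = dictionary_core(pw)
    if word:
        problems.append(f"simple substitutions on dictionary word '{word}'")
    return {
        "password": pw,
        "bits": round(naive_entropy_bits(pw), 1),
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed samples: a top-ten entry, Sorrento's password, and the post's phrase-based one.
    for candidate in ("123456", "B055man69", "hey, H3Y, d0n't Bm3an."):
        print(evaluate(candidate))
```

The interesting case is B055man69: the naive keyspace estimate credits it with about 54 bits, yet `dictionary_core` recovers “bossman” in one step, which is exactly how a cracking rule set treats it. The phrase-based password passes every check, and its length (22 characters across all four classes) is what gives it real strength, not the substitutions alone.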
Now, go and clean up your passwords! And don’t forget to use a different password on each service so that one being hacked and compromised doesn’t open up the gate to every other account you have online.
In my personal experience, the hard part is not finding a strong password. The hard part is finding a strong password that you can remember, and I quite like your method.