This post is an excerpt from my new book Understanding Personal Data Security, which covers centralized data, backups, strong passwords, and malware protection. The following is from Chapter 4: Passwords.
Basic Password Rules
There are some basic rules that will help prevent hackers from stealing your passwords, gaining access to your online accounts, or stealing your identity. While following these rules doesn’t guarantee that your accounts won’t be compromised, it vastly improves the resiliency of your online accounts and protects you about as much as possible.
You’re creating what is known as a “strong password,” meaning it has a mix of letters (both lower and upper case), numbers, and symbols and is of a minimum length.
- Make a Strong Password: Use a minimum of 16 characters that are a mix of upper and lower case letters, numbers, and symbols. Don’t use easy-to-guess phrases, such as “iloveyou” or “MaryHadALittleLamb.” While “MaryHadALittleLamb” has both upper and lower case letters and is of appropriate length, it lacks numbers and symbols. Also, hackers look for common phrases, using dictionaries and even terabytes of Wikipedia and Bible content as a “check against” list. Guess it’s time to change that “yabbadabbado123” password.
- Change Your Password Frequently: You should change your password/passphrase every six months. This is the rule few people follow (simply because it’s a hassle), especially if all of your online accounts feature unique passwords. Nobody ever said protecting your accounts and data was a total cakewalk.
- Use a Unique Password on Each Account: Nobody likes this because it’s such a pain (especially when you should change all passwords with such frequency). This is where password vault software comes in handy. In 2014, nearly no one has only one or two online accounts. A dozen or more accounts is not uncommon. As you’ll learn below, password vault apps that store all of your passwords in a single password-protected program or app are a solid strategy for keeping several long, strong passwords at your fingertips.
- Tell Nobody: This means nobody. Putting effort into creating strong passwords that are difficult to crack and then simply giving them away to a friend or co-worker is stupid. Even if your friend/family member has no malicious intent, they can easily get sloppy and expose your password to others (like by writing it on a sticky note and slapping it on their computer monitor!). There’s no reason for anyone else to know your passwords. It’s simply antithetical to the cause!
Even if a hacker doesn’t get your password from you or your devices, the bad guys can compromise a password database held by a service provider (your bank, email service, large retailers like Target or Amazon, social media like Facebook or LinkedIn, etc.). Once the hacker has gotten into the password database (often by breaking its encryption), they then have to guess the passwords. Something like “P@ssw0rd1” will be guessed in mere seconds. Regardless of the quality of your home or office firewall or the security of the individual devices you use to access your accounts, the password itself must stand up to the most robust cracking attempts that will most likely be perpetrated on the organization with which you have an account.
You have already learned that the strength of your passwords is determined by their length, complexity, and lack of predictability (why you don’t want “maryhadalittlelamb” or “ILoveNY”).
The password “Tr0ub4dor&3” seems like a relatively strong password on the surface. Although it’s too short (only 11 characters), it features both lower and upper case letters, numbers, and a symbol. However, a hacker with a computer capable of producing 1,000 guesses per second (an old computer can do this) will require only three days to guess this password. Compare this to “correcthorsebatterystaple,” a passphrase that requires 550 years to crack (at the same rate of 1,000 guesses per second). And this passphrase doesn’t even include upper case letters, numbers, or symbols! By adding these elements, you would have a passphrase that, for all practical purposes, is nearly impossible to crack (unless it’s the NSA trying to get it) and relatively easy to remember.
Longer, more complex passphrases are also more difficult for others to steal through simple observation. Sometimes, passwords are nefariously obtained by the act of observing the owner type them. Short, simple passwords and passphrases can be learned by watching the owner input them only once or maybe a few times. If someone really wants your password, they may even use a wi-fi-based webcam or security camera to record your keystrokes! Don’t underestimate the lengths to which a hacker or enemy will go to steal your information, identity, or money.
One of the best ways to understand strong passwords is to consider weak examples. Weak passwords include those that:
- are shorter than 16 characters
- include personal details such as your name or the name of a family member, a pet’s name, your street or address, your birthday, etc.
- include complete words or sequential number strings (like “qwerty” and “12345678”)
- lack a mix of upper and lower case letters
- lack numbers
- lack symbols
Curt Robbins is author of the following books from Amazon Kindle:
- Home Theater for the Internet Age ($9.95)
- Understanding Personal Data Security ($4.99)
- Understanding Home Theater ($4.99)
- Understanding Cutting the Cord ($4.99)
- Understanding Digital Music ($4.99)