The New York Times released an article titled If Your Password Is 123456, Just Make It HackMe addressing the popularity of very weak passwords.
Vance (the author) says, “According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.”
This doesn’t surprise me at all. In the years I’ve spent in this industry, I’ve seen many very weak passwords. As a web designer, some clients will authorize me to set up their site and create email accounts for them. This means they’ll give me the password they want used. Often, I’ve had to go back to them with a new password since their chosen one was too weak for the system to accept. Even the client’s alternative password, though finally accepted by the server, are still often far too weak to be secure.
One of the ways some will get the system to accept their password is to combine words and numbers. And that is somewhat more secure. But that isn’t even enough.
For example, happy45kitty would not be a secure password by any stretch? Why? Because it contains words in the dictionary. Hackers run programs that will try every word we know. If you are using an actual word in your password, its not very secure. Some will try and get a little more advanced and use numbers to replace letters, such as bi11yb00m. That’s not any better since hackers were doing this long before the rest of us were. There is even a word for this: l33t (translated as leet or leetspeak).
So how do you make a better password?
My own method involves using mnemonic devices. Remember tricks we used as kids to learn things? Did you learn Every Good Boy Deserves Fudge to learn the EGBDF scale in music class? Or Roy G Biv to learn the colors of the rainbow: red, orange, yellow, green, blue, indigo, violet?
Those are mnemonic devices. How does this work for passwords?
Here is an example of a good password. (Note: I don’t use this as a password. I’m not even going to give you a hint as to what my password involves. In fact, some of the information below is false.)
I’m a fan of Star Wars. I graduated high school in 1992. My cat’s name is Rorschardt. I design using CSS. My favorite color is yellow.
This gives me a password of:
Now that’s a secure password!
Some of that is pretty obvious. My actual password involves lesser known likes, numbers, and symbols. What works for you?
Another option is just picking letters, numbers, and symbols at random and then just memorizing them. I have another password that is this exactly.
The drawback on using symbols is that there are some websites (with lazy programmers) who don’t accept symbols in a password. So I’ll use the same password but without the symbols.
So remember, the best passwords are:
- Not easily guessed
- Have no words from the dictionary
- Do not use proper names either (Bob, Jane, Harold, etc)
- Are at least 8 characters long
- Use a combination of letters, numbers, and symbols
Got too many passwords to remember? One option is to have a handful of passwords that you rotate depending on where they are used. Another option is to use a program like KeePass to store your passwords.
Now go forth and change your passwords!