Many people say to me, “I don’t need a secure password. I don’t have anything sensitive on my computer, so I don’t care if a hacker gets in.” You, my friends, are a hacker’s dream. Because it’s not necessarily your personal information they want, although they’ll happily steal your credit card info if they can. No, what they really want is control of your computer, your email address, your Facebook page… anything and everything that will let them do their dirty work from behind a smokescreen.
I originally posted this on Tech Tips in 2010, based on many years of teaching tech support clients about password safety. But some of the old rules no longer apply, so this is my newly revised edition. If you think you can still get away with slapping an exclamation mark on the end of a word, you need to read this revised advice.
Strong passwords must be:
Not in use on any other system
This is perhaps the biggest no-no in the password rulebook. When hackers nab passwords, they try the same account/password combinations on popular sites like Google, Facebook, Twitter. If you’re using the same password you just let them in. Do not ever, ever, ever use the same password anywhere. Before you despair, keep reading. There are tools to make it easier.
Yes, you have to change your passwords. And yes, they still have to be different everywhere. Use a secure password management tool if you find it unmanageable (see below).
12 characters or longer
Think passphrase rather than password. We used to say 6-12 characters was enough, but we’ve found that the longer and more complex a password is, the less likely it can be cracked.
A mix of upper- and lowercase letters, numbers, and symbols
Some systems won’t allow you to use a range of characters in your password, in which case I suggest you reconsider using that site. Do you really trust someone who isn’t going to allow you to secure your account properly? Makes you wonder how secure everything else on the site is.
Not common words or proper nouns found in a dictionary
An analysis of the recent LinkedIn breach found that many people were using ridiculously simple passwords like “password” and “123456.” If your passwords sound like these, change them now.
Not the names of your spouse, kids, pets, or other personally identifying information
Presidential candidate Mitt Romney’s online accounts were hacked via the very simple expedient of answering security questions with information that had been made publicly available. Same thing happened to Sarah Palin. Don’t create passwords out of information that can be gleaned about you, and don’t share information that can be used to guess security questions.
Examples of good and bad passwords
Good passwords (but don’t use these!)
- Don’t rotate between the same two or three passwords. It’s just as bad as using the same password everywhere.
- Don’t send passwords via email, Facebook, Twitter. Use other means like text message or fax, which goes directly to the recipient. Or, even better, a phone call.
- Don’t stick passwords on Post-It notes. Whether it’s under the keyboard or on a bulletin board, it’s exposed. Be like Gandalf: Keep it secret, keep it safe.
- Don’t share passwords and accounts. This is especially prevalent in small businesses. Don’t create one account then share the password; create multiple accounts for each person who needs access. More time consuming? Sure. More secure? You bet.
Tools to manage your secure passwords
Feeling overwhelmed? Don’t worry, there are plenty of password management tools available. With a password management tool all you have to remember is one master password and the software takes care of the rest. I recommend KeePass, 1Password or LastPass. Even better, you can use the same password management tool on your computer and on your mobile devices.
Why not take this opportunity to change your passwords? It’s the best thing you can do to protect yourself against identity theft and cybercrime.
[Originally posted in 2010 as How To Create Secure Passwords. This version has been updated with the latest advice on secure passwords.]