This weekend on Twitter, @itsokayihaveabook linked to a great article on the current thinking for choosing a secure password. I don't keep up with this stuff all the time, but every so often I will check in to see what the developments are. If you only read one password security article this year, this is a good candidate.
I liked this one because it wasn't just preachy-talky on why good passwords are important - he explains how password hacking works, and gives advice based on that to create better passwords.
Some things not to do:
- don't use words: password guessing software crunches through multiple dictionaries at unbelievable speeds, so even nonsensical word combinations will eventually be guessed
- don't use personally-identifiable information: many aspects of our lives are online, and hackers will use everything they know about us when guessing passwords - so don't use addresses, phone numbers, birthdates, schools, mascots, relatives' names, etc
- don't be common: there's lots of standard passwords (like pa$$w0rd, temp1234, i<3book$, etc) that are incorporated into password-guessing - even though it looks tricky to the eye, if other people are using it, chances are the hackers will try it
- don't reuse passwords: with corporate-level security breaches, even a good password might be compromised through no fault of your own. But if you use the same good password for all your accounts, once the hackers get it from Home Depot or Target or where ever, then it's much easier for them to get into your PayPal and Amazon and bank accounts
So here's what he feels you can do - the "Schneier scheme":
So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence -- something personal.
The entire article is worth reading. But his bottom-line takeaway is kind of scary: "Pretty much anything that can be remembered can be cracked."
I'm going to start recommending this technique when helping patrons set up email accounts. Thanks Jenny!
A reader sent me a link to another article, Why you don't need long, complex passwords. I sort of referenced the gist above, but it does a much better job of spelling out another major vulnerability. Thanks R. E.!
The bottom line of all of this seems to be that living is inherently dangerous, so live well and don't worry too much about it.