Good Password Hygiene
Be Unique
Extreme Makeover: Password Edition
Prioritize and Get Started
Ready: Prioritize
Set: Create a Password Recipe
Go! Change Your Passwords
Password Strength Testing
A Recipe for Change (every six months)
Keep Your Passwords Secure
Password Managers
Would you wear your underwear for days, months, or years on end without changing it? That thought is positively revolting! How about loaning your toothbrush to someone else? Even a spouse? "No way!" you say? Yet many of us think nothing of using the same password for years on end or giving our spouse, sister, parent, friends, sometimes even our coworkers our passwords. Our passwords should be no different than our underwear or toothbrush. Change them often and don't share them!
We've all heard horror stories about identity theft and hacked accounts. A couple years ago my iTunes account was hacked and some unauthorized purchases were made. Because Apple sends automatic email notification of all purchases from the iTunes store, I was able to catch it immediately. Apple locked down my account until the password was changed and I could sufficiently verify my identity to them.
A BitDefender study reported that 75% of Facebook account holders use their email password for Facebook as well as several other sites. I must shamefully admit to having been one of them. While my password was the minimum eight characters and a combination of upper- and lowercase letters and numbers, it was fairly straightforward: an ordinary word (my pet’s name) followed by a number that could easily be guessed by anyone who knew me. And I hadn't changed it in years. I had been lulled into a false sense of security, thinking that because I had never shared it with anyone it was safe. There was certainly a mad scramble to change all my passwords after the iTunes incident.
Avoid using the following in any recognizable form:
- Names of family members, friends or pets.
- Personal information about yourself or family members. For example, birth date or year, phone number, license plate, or any part of your address.
- Sequential or consecutive letters or numbers, or adjacent keys on the keyboard (abcde, 12345, qwerty), or in reverse order (edcba, 54321, ytrewq).
- "Real" words from any language, even in combination with a number in front or back (novios1986).
- Any of the above points in reverse order (semaNylimaf, yadhtrib, 54321, edcba, DaorYebba).
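The "avoid" list above can be turned into a mechanical check. The following is an added example, not code from the original article: it flags personal terms supplied by the caller (forwards or reversed), runs of sequential letters or digits, runs of adjacent keyboard keys, and a "real" word dressed up with a number or symbol. `SAMPLE_WORDS` is a constructed stand-in for a real dictionary, and the rule and function names are my own.

```python
"""Audit a candidate password against the "avoid" list above.

Added example, not code from the original article. The personal-info terms
are supplied by the caller, and SAMPLE_WORDS is a constructed stand-in for a
real dictionary; the rule names and function names are my own.
"""
import string

# Keyboard rows used to catch adjacent-key runs such as "qwerty" (US layout).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Ordered sequences used to catch "abcde" and "12345".
ORDERED_SEQUENCES = (string.ascii_lowercase, string.digits)

# Constructed stand-in for a dictionary of "real" words in any language.
SAMPLE_WORDS = {"novios", "password", "welcome", "dragon", "monkey"}

RUN_LENGTH = 4  # any run of this many sequential/adjacent characters is flagged


def _contains_run(password, sequence, run=RUN_LENGTH):
    """True if `run` consecutive characters of `sequence` appear in the
    password, forwards or in reverse order, ignoring case."""
    low = password.lower()
    for seq in (sequence, sequence[::-1]):
        for i in range(len(seq) - run + 1):
            if seq[i:i + run] in low:
                return True
    return False


def _contains_term(password, term):
    """True if a personal term appears forwards or reversed, ignoring case."""
    low, t = password.lower(), term.lower()
    return len(t) >= 3 and (t in low or t[::-1] in low)


def _core_word(password):
    """Strip leading/trailing digits and symbols so 'novios1986' -> 'novios'."""
    return password.strip(string.digits + string.punctuation).lower()


def audit_password(password, personal_terms=(), words=SAMPLE_WORDS):
    """Return the list of rules from the article that the password breaks.
    An empty list means none of the checks fired, not that the password is strong."""
    findings = []
    for term in personal_terms:
        if _contains_term(password, term):
            findings.append(f"contains personal term: {term}")
    if any(_contains_run(password, seq) for seq in ORDERED_SEQUENCES):
        findings.append("sequential letters or digits")
    if any(_contains_run(password, row) for row in KEYBOARD_ROWS):
        findings.append("adjacent keyboard keys")
    core = _core_word(password)
    if core in words or core[::-1] in words:
        findings.append("real word with only a number or symbol added")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, mirroring the article's own bad examples.
    for candidate in ("Harley2011", "novios1986", "ytrewq", "54321", "L!nd@%P@dy"):
        print(candidate, "->", audit_password(candidate, personal_terms=["Harley", "Linda"]))
```

The checker is deliberately a blacklist: an empty result only says that none of the article's named patterns were found, which is why the strength estimate later on the page is a separate measure.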
Even if you follow the above advice, many forums and discussion boards require user names and passwords. Any site administrator can see that information. I recently created an account on an employer's website in order to submit a job application. Shortly thereafter, an HR representative emailed a request for more information. For my convenience, since the form was on their site, my username and password had been included in that unencrypted email. It is impossible to know how many people in that company have access to such sensitive information. If I were still reusing my email address, user name, and password combination elsewhere, an unscrupulous person would now have all the ammunition needed to go to any banking website or email program and attempt to log in as me. Thankfully I have a password recipe in place. A password recipe is an easily remembered set of “ingredients” used to create unique passwords for each site you visit.
Thinking of the effort and time involved in instituting tighter security protocols and changing your passwords can be daunting, so you keep avoiding the task. There is no need to tackle all your passwords at one time. Make a prioritized list of the 10 sites where your most important information is stored. Secure those now while laying the groundwork for the rest of your sites and a foundation for future password changes. Changing your top 10 will probably take 30 minutes or less. Break it down into three steps.
Ready: Prioritize
Set: Create a recipe
Go!: Change the passwords
Which passwords are most important? Of course bank, credit card and financial passwords must be at the top of the list, but email accounts are just as critical. Your password is usually sent to your email account when you click a “Forgot my password” link on any site. So if anyone can get into your email, they can most likely get your banking information — especially if you have undeleted emails from your financial institutions or don’t clear the recycle bin frequently. To keep the task manageable, keep the first list short – 10-12 at most. Your list might look something like this:
- Personal email (Yahoo!, gmail, etc.)
- Work email
- Checking account
- Savings account
- Brokerage account
- 401k account
- Mortgage company
- Visa
- MasterCard
- Store credit card
- The first ingredient in your password recipe is the salt. Salt is a cryptography term which refers to a random number needed to access encrypted data. To begin to create your salt, come up with your base term. This can be a thing, date, phrase, name, or event unique to you that is at least 8 characters long.
  - Take some meaningful sequence of four words, like "Lucky, Beau, Harley, and Buddy" (my dogs’ names), and use the first two letters from each: LuBeHaBu.
  - Use a passphrase: create a mnemonic from the initials of a song, phrase, or sentence that will be easy for you to remember but difficult for someone else to decipher. For example, "Password management can be easy, if you know some tricks!" becomes "Pmcbe,iykst."
- Next, create substitution rules to replace regular characters with special characters. Some suggestions are below. Feel free to use these or make up your own.
  - Replace any ‘a’ with @
  - Replace any space with %
  - Replace any ‘i’ with !
  - To use my name as an example, Linda Pady becomes L!nd@%P@dy.
- Add the URL or site name to your salt term.
  - Use your substitution rules above on the URL or site name. Google could become G00g1e.
  - Take the consonants from the second-level domain name (google) and capitalize them: GGL.
  - Use simple number substitution on the first four characters of the site name, for instance A=1, B=2, etc., so Chase.com becomes 38119. For other sites you could add a special character between the letters and the numbers.
  - Add characters to your recipe for different types of sites (financial sites get a dollar sign, social media gets a pound sign, and email a period) or top-level domains (% for .com, @ for .org, ! for .net, ^ for all others).
- Don't make it too complex, but make sure it's something only you will remember. You can even write your recipe down on a note and keep it in your smartphone or wallet; as long as you don't label it "password recipe," it will be pretty tough for someone to figure out what it means.
- Don’t get too complicated or crazy. If it takes you too long to remember or figure out your password each time you have to type it in, you’ll go back to old habits.
With a recipe in place, you can now go about changing your passwords. Check off the sites on your prioritized list as you go through them. If you're interrupted, you'll remember where you left off. If you have the time, check your other account information like phone, email addresses, or street address as long as you’re in there.
Checking your password at How Secure is My Password? will tell you how long the average PC would take to crack it. For example, cracking "kroywen" (New York backwards) would take 13 minutes, "kr0yw3n" (substituting number look-alikes for letters) would take about 2 hours, and "Kr0yw3^" (capitalization and a special character) 15 days. Each character added makes a huge difference. A single capital letter added to the end of "Kr0yw3^," as in "Kr0yw3^Z," boosts the crack time to 3 years. Throw in another special character ("Kr0yw3^Z!") and it jumps to 237 years. I don't know about you, but I don't think I'll be around that long.
Password Meter shows the criteria used in scoring your password at the bottom of their site. It can point out areas of weakness in your password and give you ideas for improvement.
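The figures from How Secure is My Password? and the criteria breakdown from Password Meter both rest on the same arithmetic: the size of the alphabet an attacker must assume, raised to the password length, divided by a guess rate. The following is an added example of that estimate, not either site's own code. Neither site's guess rate or exact character classes appear on this page, so `ASSUMED_GUESSES_PER_SECOND` is an assumption (labelled in the code) and the function names are mine.

```python
"""Brute-force search-space estimate of the kind "How Secure is My Password?"
reports: alphabet size raised to the password length, divided by a guess rate.

Added example, not that site's code. The site does not publish its guess rate
or character classes here, so ASSUMED_GUESSES_PER_SECOND is an assumption;
what the example shows is how each added character and character class
multiplies the work.
"""
import math
import string

# Character classes and their sizes (string.punctuation has 32 symbols).
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

ASSUMED_GUESSES_PER_SECOND = 10_000_000  # assumption: a single desktop PC

UNITS = (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))


def classes_used(password):
    """Names of the character classes present, e.g. ['lowercase', 'digits']."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]


def alphabet_size(password):
    """Size of the alphabet an attacker must assume: sum of the classes present."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def search_space(password):
    """Number of candidates to exhaust: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def crack_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to exhaust the search space (the average is half of this)."""
    return search_space(password) / rate


def human_time(seconds):
    """Round to the largest unit that fits: 803 -> '13.4 minutes'."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(password):
    """Password-Meter-style breakdown: which classes are present and the cost."""
    return {
        "length": len(password),
        "classes": classes_used(password),
        "entropy_bits": round(math.log2(search_space(password)), 1),
        "crack_time": human_time(crack_seconds(password)),
    }


if __name__ == "__main__":
    for pw in ("kroywen", "kr0yw3n", "Kr0yw3^", "Kr0yw3^Z", "Kr0yw3^Z!"):
        print(pw, report(pw))
```

With the assumed 10 million guesses per second, the first two of the article's figures come out almost exactly ("kroywen" about 13 minutes, "kr0yw3n" about 2 hours), while the longer examples come out higher than the article's numbers. That gap is the caveat: the estimate depends entirely on the assumed alphabet and guess rate, and it only models blind brute force, so a word-based password like "kroywen" falls to a dictionary attack far faster than the search-space figure suggests.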
Like the batteries in your smoke detectors, you should change your password every six months. "That is an enormous chore," you say? Here’s what you can do:
- Instead of appending the site name to the end, move it to the front or the middle, or split the site name into parts. For example:
  - Y@h00L!nd@%P@dy
  - L!nd@%Y@h00P@dy
  - Y@L!nd@%P@dyh00
- Change your substitution rules. Use # for b, * for o, ^ for n, etc.
- Change your salt term.
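The recipe steps (base term, substitution rules, site token, optional site-type and top-level-domain marks) and the six-month rotation options just listed are deterministic enough to write down as code. The following is an added example, not the article's own code: the substitution rules, the base term "Linda Pady", the Yahoo!/Google/Chase examples and the $/#/. and %/@/!/^ markers come from the article, while the function names and the exact "middle" and "split" placement logic are my own assumptions, chosen so the three rotated Yahoo! passwords above are reproduced. (In cryptography a salt is random data mixed into a password before it is hashed; the article borrows the word for the memorable base term, and the code follows the article's usage.)

```python
"""Build passwords from a "recipe" as the article describes: a base term run
through substitution rules (the article's "salt"), plus a token derived from
the site name, placed at the end, front, middle or split around the salt.

Added example, not the article's own code. The substitution rules, base term
"Linda Pady", site examples and the $/#/. and %/@/!/^ markers come from the
article; the function names and the "middle"/"split" placement logic are mine.
"""
from urllib.parse import urlsplit

# Step 2 rules from the article, plus the o->0 and l->1 swaps implied by "G00g1e".
SUBSTITUTIONS = {"a": "@", " ": "%", "i": "!", "o": "0", "l": "1"}

# Optional extra ingredients: one mark per kind of site, one per top-level domain.
SITE_TYPE_MARK = {"financial": "$", "social": "#", "email": "."}
TLD_MARK = {"com": "%", "org": "@", "net": "!"}
OTHER_TLD_MARK = "^"


def apply_rules(text, rules=SUBSTITUTIONS):
    """Apply the substitution rules character by character (case-sensitive,
    so 'Linda Pady' -> 'L!nd@%P@dy')."""
    return "".join(rules.get(ch, ch) for ch in text)


def split_domain(url):
    """'https://www.chase.com/login' -> ('chase', 'com'); bare 'yahoo.com' works too."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    parts = host.split(".")
    if len(parts) < 2:
        raise ValueError(f"not a domain name: {url!r}")
    return parts[-2], parts[-1]


def site_token(url, rules=SUBSTITUTIONS):
    """Substituted second-level label with its first letter capitalised: 'G00g1e'."""
    label, _ = split_domain(url)
    token = apply_rules(label, rules)
    return token[:1].upper() + token[1:]


def consonant_code(label):
    """Consonants of the label, upper-cased: 'google' -> 'GGL'."""
    return "".join(c for c in label if c.isalpha() and c.lower() not in "aeiou").upper()


def number_code(label, count=4):
    """A=1, B=2, ... on the first `count` letters: 'chase' -> '38119'."""
    return "".join(str(ord(c) - ord("a") + 1) for c in label.lower()[:count] if c.isalpha())


def place(salt, token, position):
    """Combine salt and site token. 'middle' inserts after the first word of the
    salt (just past the substituted space); 'split' wraps the token around the salt."""
    if position == "front":
        return token + salt
    if position == "middle":
        cut = salt.find("%") + 1 or len(salt) // 2
        return salt[:cut] + token + salt[cut:]
    if position == "split":
        half = len(token) // 2
        return token[:half] + salt + token[half:]
    return salt + token  # default: append to the end


def build_password(base, url, position="end", site_type=None, tld_mark=False, rules=SUBSTITUTIONS):
    """Full recipe: salt + site token (+ optional site-type and TLD marks).
    Changing `rules`, `position` or `base` is the six-month rotation the article suggests."""
    salt = apply_rules(base, rules)
    password = place(salt, site_token(url, rules), position)
    if site_type:
        password += SITE_TYPE_MARK[site_type]
    if tld_mark:
        _, tld = split_domain(url)
        password += TLD_MARK.get(tld, OTHER_TLD_MARK)
    return password


if __name__ == "__main__":
    for pos in ("end", "front", "middle", "split"):
        print(pos, build_password("Linda Pady", "yahoo.com", position=pos))
    print(build_password("Linda Pady", "https://www.chase.com/login", site_type="financial", tld_mark=True))
```

One caveat worth keeping in mind: because the site token is derived from the address, anyone who sees a single recipe password in the clear (as the HR representative's email earlier on this page made possible) can infer the pattern, so the rotation options above, or the password managers discussed below, still matter.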
Never write down your actual password. It's like keeping your house keys in the fake rock next to your front door. If you use a password recipe, you can keep the “key” in your wallet or on your smart phone, and as long as you don’t label it “password recipe,” it should be fairly safe. Here is an example of a recipe key in which the author uses the first two characters of his sisters' names, a special character denoting the type of site, followed by the first four characters of the URL coded as a=1, b=2, etc.

There is never a reason to send your password to anyone via email. Hackers send some pretty convincing, legitimate-looking emails posing as support or banking personnel and asking for your user name and password by email or on a fake website. Legitimate websites or organizations will never ask you for your user name and password via email, web, or phone. If there is a problem with your password, they will reset it, but they will never ask for your current one.
Password managers can help you remember the multitude of mangled character strings you are now juggling for all the sites where you have created individualized passwords. There are a lot of free password management tools available, and one I've seen recommended several times is LastPass. Password managers encrypt your passwords for you and then automatically log you into sites whenever you enter the master password. The only password you will have to remember is the one that unlocks your password manager. A good password manager will work across multiple devices, like your laptop and smartphone. Some will even work off a USB thumb drive, like a physical key. Setting up a good password manager for the first time takes longer than changing your most important passwords, but it's usually a one-time effort with long-term payoff.