Larry Magid


How to Create and Remember Strong Passwords

Posted: 07/12/2012 8:26 pm

This article was updated from one that appears on ConnectSafely.org after the Yahoo password breach on July 12, 2012

A strong and confidential password is essential, not just for financial sites, but for social networking sites too. With social networking sites like Facebook and Twitter, there's the danger of people faking their way into the site and posting something embarrassing about you or others. They could use your account for hate speech or to bully or defame another person, or put something on your site that jeopardizes your reputation or even your safety. Another risk is that they could use your online profile to assume your identity as part of a con, such as logging into a person's Facebook account and using it to solicit money from his friends to help a "friend" out of a tight spot.

Children and teens should be especially careful to never share their passwords, even with their best friends. It's sometimes tempting for kids to give out their password to a friend so that the friend can update or check their profile for them, but it's a bad idea. Friends have a way of becoming ex-friends and there is the danger that a friend might share the password or be careless with it.

Have strong passwords
One of the best ways to protect your online security is to have strong passwords that you change periodically. But that's easier said than done. Coming up with hard-to-guess passwords is hard enough, but it's even harder to have separate passwords for different sites and to remember new ones after you change them.

One way to create a password that's hard to guess but easy to remember is to make up a phrase. You could type in the entire phrase (some sites let you use spaces, others don't) or you can use the initials of each word in the phrase, for instance, "IgfLESi#85" for "I graduated from Lincoln Elementary School in '85" with a # symbol to add more security. An even better one would be "Mn1bfihswE&S" for "My number 1 best friends in high school were Eric and Steve." You get the idea: upper-case letters, numbers, and symbols that are seemingly meaningless to everyone but you. Microsoft has an excellent primer on passwords and a password strength checker.

Don't use the same password on all sites
But even if you do come up with a clever and hard-to-guess password, don't use it for every site. Since lots of people do that, there's the risk that a sleazy site operator -- or a sleazy person who works for a legitimate site -- could use it to break into your accounts on other sites. Or if hackers break into a site and grab some passwords, they might try to use those passwords on other sites. One trick is to add a couple of unique characters for each site. For example, for your Google accounts you could have "Go" somewhere in the password and perhaps "Fk" in your Facebook password.

Extra security for financial sites
You might want to consider having even stronger passwords for financial sites where there is a financial incentive for hackers to break in. Again, use numbers and symbols and letters that have no meaning to anyone but you.

Lots of people have weak passwords
You might be surprised at the passwords some people use. After a July 2012 password breach at Yahoo, CNET's Declan McCullagh wrote a program to analyze the passwords and found 780 instances where "password" was used as a password and 2,295 times where "a sequential list of numbers was used, with '123456' by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up."
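The kind of audit McCullagh describes, as an added example that is neither from the article nor his program: it counts the weak patterns he reported (the literal word "password", runs of sequential digits, reversed sequences, a short token tacked onto a word) over a constructed list of plaintext passwords, the way a defender would triage a leaked dump before forcing resets.

```python
import re
from collections import Counter

# Constructed sample standing in for a leaked plaintext password list (not real breach data).
# The two strong-looking entries are the article's own passphrase examples.
SAMPLE_PASSWORDS = [
    "password", "123456", "password", "654321", "123456", "abc123",
    "123456789", "Mn1bfihswE&S", "password1", "letmein", "12345678",
    "123456", "qwerty", "111111", "IgfLESi#85", "987654321",
]

COMMON_WORDS = {"letmein", "qwerty", "welcome", "iloveyou"}  # constructed short list


def is_sequential_digits(pw):
    """True if pw is all digits and each digit steps by exactly +1 or -1 (123456, 654321)."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def classify(pw):
    """Return a weak-pattern label for pw, or None if no pattern matched."""
    low = pw.lower()
    if low == "password":
        return "exactly 'password'"
    if "password" in low:
        return "'password' with token added"
    if is_sequential_digits(pw):
        return "sequential digits"
    if re.fullmatch(r"(.)\1+", pw):          # one character repeated, e.g. 111111
        return "repeated character"
    if low in COMMON_WORDS:
        return "common word"
    if re.fullmatch(r"[a-z]+\d{1,4}", low):   # a word followed by a short number, e.g. abc123
        return "word plus short number"
    return None


def audit(passwords):
    """Tally weak patterns and the most reused values; returns (pattern_counts, top_three)."""
    patterns = Counter()
    for pw in passwords:
        label = classify(pw)
        if label:
            patterns[label] += 1
    return patterns, Counter(passwords).most_common(3)


if __name__ == "__main__":
    counts, top = audit(SAMPLE_PASSWORDS)
    for label, n in counts.most_common():
        print(f"{n:4d}  {label}")
    print("most reused:", top)
```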

Password managers
One solution is to use a password manager. There are several available programs and Web storage services, but the ones I'm most familiar with are RoboForm and Lastpass. These programs can generate passwords for you and remember them so you don't have to. Both programs are, themselves, password-protected, though you have the option of running RoboForm without a password or having Lastpass remember its own password on your computer, tablet or smart phone. That's OK as long as no one else has access to your machine. I recommend that you manually enter your master password on a laptop or mobile device that could more easily fall into the wrong hands.

On Firefox, Chrome and Internet Explorer, Lastpass records your usernames and passwords when you first enter password-protected sites and then enters them for you automatically for subsequent visits. Passwords are stored in a "vault," which is actually a Web page stored on your PC, as well as the company's servers, so you can access it from any device, including a borrowed machine. The password vault on your machine is automatically synchronized with the server, so you don't have to worry about synchronizing or backing up your data.

For a lot more on password management, see CNET News reporter Elinor Mills' post, "Facing the pain of passwords."

Also, see ConnectSafely.org's "Tips to Create and Manage Strong Passwords."

Comments
11:30 AM on 07/14/2012
"use the initials of each word in the phrase"

That's what I do...as for a password vault, I've used StickyPassword for years...
02:35 AM on 07/14/2012
I have a Mac and use a program called pastor which generates all my passwords and remembers my login names, passwords and URL for the site. I have a very special password for the program which is very strong. I also keep it on a USB drive as well and have a printed copy in a special book.
Tukumek Young
07:20 PM on 07/13/2012
How can I have passwords as police keep being attached to my PC and change my password to different sites and control all passwords to my AOL and Facebook? They stole my computer, as being hackers, and keep hacking into me. They don't care and don't want to go to jail, as there is a penal code for hijacking a computer. I am not a criminal or terrorist; it's about them being stalkers.
05:43 PM on 07/13/2012
I always forget my passwords. If I can't remember them, then how is a hacker supposed to get them?
11:31 AM on 07/14/2012
Because it would be obvious to the hacker that you're using super simple passwords...
rbrady6925
03:53 PM on 07/15/2012
Passwords are the bane of my existence. I now keep an A-Z file handy which helps a lot. I must consider changing some passwords... is there an easy way?
jf12
This time I'll get out like the other times and escape.
05:05 PM on 07/13/2012
People who are required to use strong passwords are required to NOT destroy the entropy by having cute phrases. Unfortunately, these requirements conflict with human nature.
http://en.wikipedia.org/wiki/The_Magical_Number_Seven,_Plus_or_Minus_Two
So in reality, everybody always writes down their passwords, exactly what they're not supposed to do. But policies that are unrealistic should be broken until the policies change.
04:55 PM on 07/13/2012
Someone else mentioned KeePass and I like it because you can put the whole thing, program, database and all, on a thumbdrive.

Copy it onto several thumb drives, one for me, one for my wife and one in case something happens.

A file on the computer has the password to the database, which is encrypted.

And the whole thing is so compact it will fit in your oldest and smallest thumbdrive.

In fact, I think you could fit the whole thing on a floppy drive, if you still have one.

It will generate passwords and it will keep URLs so you don't need bookmarks, and can even open programs like TrueCrypt with it.
11:32 AM on 07/14/2012
StickyPassword works with flash drives as well and will synchronize with the DB on the machine...
03:49 PM on 07/13/2012
The password breach happened long before 7/12 because I received a bogus Yahoo email claiming to be from a stranded relative asking for $2,000 to be wired to a Pacific Island's wire service at least three (3) months ago. That involved not only the breaching of the email address but also an online business. My own address from another service has been attacked a number of times since the Yahoo email, so it may be more widespread than Yahoo.
limaSwhiskey
Kicking ass since 1775
02:39 PM on 07/13/2012
One can also create a database of logins and passwords and save it to a flash drive that may be kept in a safe place. The drives can be disguised as any number of items in or near your desk. I use a file cabinet, as most people probably do, and my printout of logins and passwords is stored in an unmarked place. Sometimes I have to hunt for it. Don't forget to make use of the characters from the character map. I never type logins or passwords; now all I have to do is drag and drop. I do know some sites will not allow you to drag and drop passwords.
Whenever I have to update I just print off another hard copy and file it away... after finding and shredding the old one!
DanJake
Just another all-American blend
04:30 PM on 07/13/2012
I use drag and drop from a flash drive I plug in for the purpose. I eject and safely remove the flash drive after use. My flash drive comes in with me personally and leaves with me personally. If I want to make a new password, I copy one from a six-lined random list of letters and numbers. I also have a bigger "password set" containing symbols intermixed with random letters and numbers for those sites that allow them. I refrain from using any sites that insist I type in passwords, because someone might have slipped in a hack that reads my keystrokes. I keep a copy of an email I send to those sites, letting them know why I cannot deal with them on the net - just in case they might redo their security software.
01:49 PM on 07/13/2012
The problem with password managers is you have to own the computer they're on. Quite useless for people like me who have to rely on public access computers that 1) won't allow users to add programs to the machine and 2) wipe all caches on a daily basis. So people like me either have to carry a hardcopy of passwords around or memorize them all. And for a brute force attacker, outlawing "weak" passwords (i.e. passwords without the upper/lowercase mix and symbols) just makes their job easier, because it's that many fewer combinations to sort through.

And these sites that have half a dozen rules about what the password must and can't have... I think I named one "StupidPassword#1" because I didn't have anything memorable that fit their rules (MUST have upper and lowercase, MUST have a number, MUST have a symbol, MUST something-about-where-in-the-password-numbers-couldn't-appear). So complex rules forced me to a MORE guessable password than I normally use!
01:47 PM on 07/13/2012
This is foolproof. Password: your favorite B-side song; pick a favorite, second or so verse, with what it was on the charts. That's the other side of the album, to those who don't know. Mine is, and no one can guess, my favorite song from the 60s, second verse, third line. B-side, that's over 1000 songs... lol
11:56 AM on 07/13/2012
If you are a Mac user, 1Password is delightful. It keeps track of everything, and has a configurable strong password generator (you can configure passwords to be pronounceable, or specify length, and how many digits/special characters it should have). It also has browser plugins (for Safari, Firefox, and Chrome) that will autofill login forms for you when you want it to. You can store the encrypted password file in Dropbox, so it's up-to-date on multiple computers, including your iPhone or iPad (if you're using the 1Password iOS app, which costs extra). A bit pricey if you want both the Mac and iOS apps, but definitely worth it in convenience.

If you want something free, try KeePass, which works well, but isn't as polished or friendly, doesn't have the auto-filling capabilities, and its iOS app is read-only. The ability to have 1Password auto-fill is one of those convenience features that means I actually use the program every time (rather than be tempted to use an insecure password I can easily remember just out of convenience).
10:47 AM on 07/13/2012
Just use a long nonsensical phrase with shifted caps, numbers and symbols if it involves an account that you care about. It's as simple as picking something like two of your favorite quotes from movies and adding them together. You won't forget it and it won't be compromised by a brute force or wordlist cracking method. The longer, the better.
11:35 AM on 07/14/2012
Or, simply use a sentence with a pronoun, number and punctuation...
06:51 AM on 07/13/2012
This is sound advice, but one problem is actually what you're making the password for: sites vary on whether they allow symbols, what type of symbols, just numbers, at least one number, one cap, etc., et al., ad nauseum. The more passwords you make, the more your system is bound to be shot to hell. Some examples: My school forced me to change perfectly good passwords every 3 months - you start running out of memorable variations. Also, I find it ridiculous, for instance, that places like my credit union force a max password length (the max number does not instill confidence). Of all places, that's where it should allow greater variety. In fact, I'm going to email them this and the Yahoo article right now!
mumi009
"The truth will set you free"
06:30 AM on 07/13/2012
The best passwords are as vulnerable as weak passwords if the provider (Yahoo) doesn't encrypt them on his servers.
CBPatriot
06:10 AM on 07/13/2012
Check this out . . .

http://www.passwordcard.org/en

Pretty slick
David Amaya
... and I approve the following message;
02:11 PM on 07/13/2012
Thanks for the link!! I'm surprised no one has thought of this before!

A static random-password generator!!
03:45 PM on 07/13/2012
That is VERY clever!