Often the disclosure of a password is no fault of our own but rather the result of a website or application compromise. Use these tips to develop a password management strategy that will dramatically decrease your overall risk if any one of your passwords is compromised. Hopefully the next time you have to create a strong password it won't take nearly as long to think up something secure.
Password best practices:
1. Don't use Personal Identifiable Information (PII) in your password such as:
- User name
- Pet's name
- Child's name
- Alma mater
- Hobby keyword
2. Don't use any word that can be found in the dictionary as your full password
3. Don't use the same password for online banking that you use for social networking or email
4. Don't give your password to someone over the phone
5. Try to use special characters such as non-alphabetic characters
6. Try to create passwords at with at least eight characters
7. Try to use a password vault application to protect and help manage your many passwords
8. Try to change your most critical passwords on a regular basis
Tips for managing passwords:
A cardinal sin with passwords is reusing the same password in both public and private applications. Yet sometimes creating a different password for every website and every application can be problematic. If this does not work for you here is a tip to reduce the number of passwords while retaining some level of logical separation.
Group sites and applications into different categories such as:
- Private - online banking
- Personal - email accounts
- Public - social networking
- Business - corporate email, web, and vpn access
Create a password for each category.
This control limits the impact if one of the passwords is compromised.
Choosing the password string:
Some of us are quite creative when thinking of passwords and others of us need some help. Here are some possible strategies for creating your passwords:
- Think of a phrase, quote, or song verse and select the first character of each word to create a password.
"In the middle of a difficulty lies opportunity." translates to "Itmoadlo."
- Passwords are often case sensitive and here we've used a capital "I" just like the start of the sentence.
- Vowels can be replaced with numbers to add entropy
"Itmoadlo." translates to "1tm0adl0."
- Punctuation is a good way to add entropy to your passwords as well as a little length. Note the use of the period punctuation mark in the password above.
It is important to realize that the above strategy results in a password that is better than average but can still be guessed in time using today's powerful computers. The key is to establish your own unique password creation pattern and ensure the password is of sufficient length. Password length is the most important factor in creating passwords.
Add length and in turn strength to your passwords
- Create a unique string that you can prefix or append to your passwords such as:
prefix string + password = stronger password
tdr0cks! + itm0adl0. = tdr0cks!itm0adl0.
tdr0cks! + torvt11. = tdr0cks!torvt11.
The prefix string can be the same for all your passwords thus making it easier to remember. However the core password must be different for each website, application, or category. Also the prefix string must not be a single character as its common practice to brute force passwords using ! or 1 as the first or last character.
- Use common but unrelated words
If the above strategies still look too cumbersome one can simply think of 4 or 5 unrelated yet common words and concatenate them together to create their passwords.
princess + toast + finance + captain = princesstoastfinancecaptain
The key to this common word strategy is picking unrelated words and building a sufficiently long password. It's the length that really increases the password strength. Lastly it is recommended that these strategies be combined with the use of a password vault application to securely store your passwords.
*All password documented here are provided for illustrative purposes and as they are now public their use is contraindicated.