With all of the recent online services and companies falling under attack to hackers in the past few months, it seems only fitting to talk about password creation and management. There are a lot of resources out there discussing this, but it never hurts to revisit this topic time and again because of its importance.
Password management isn’t necessarily difficult, yet it seems like a bit of an annoyance to most people. Whenever it comes up, you will hear the famous line, “I don’t really care about changing my passwords regularly. I have nothing important online anyway.” Let’s see whether you still have nothing important online when your PayPal account is taken over because you thought the password “password” was good enough.
In my opinion, it is an “internet user’s” responsibility to make sure that they keep secure passwords and update them on a regular basis. In this article we will discuss how to make your online presence more secure and keep it secure.
The easy fundamentals
First things first: creating a strong password.
A strong password mixes letters, digits and symbols, is long (ideally 15 characters or more), and is not a dictionary word or a recognisable phrase. Length is what counts most: every extra character multiplies the number of guesses an attacker has to make, while a word with a few digits tacked on is among the first things a cracking tool tries. If the service you are signing up for caps password length, say at 8 characters, always use the maximum it allows.
Here are some examples of strong passwords:
* i1?,2,2\1'(:-%Y
* ZQ5t0466VC44PmJ
* mp]K{ dCFKVplGe]PBm1mKdinLSOoa (30 characters)
And not so good examples
* sammy1234
* password123
* christopher
A generator such as the PC Tools Password Generator is a convenient way to produce passwords like these. Random passwords are of course harder to remember, but that is where password management comes into play.
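To make the strong/weak distinction above concrete, here is an added example (written for this page, not code from the original article or from PC Tools) that generates passwords from the operating system's cryptographic random source and gives a rough estimate of how many guesses each of the article's sample passwords would cost an attacker. The wordlist, the dictionary size of 100,000 and the guess rate of 1e10 per second are constructed assumptions for illustration.

```python
import math
import secrets
import string

# The four character classes the article's "alpha-numeric characters and symbols" covers.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = string.punctuation + " "          # 32 punctuation marks plus space
ALL = LOWER + UPPER + DIGITS + SYMBOLS      # the 95 printable ASCII characters

# Constructed stand-in for the wordlist an attacker tries first. A real list has
# hundreds of thousands of entries; DICTIONARY_SIZE is an assumed size for it.
COMMON_WORDS = {"password", "sammy", "christopher", "letmein", "qwerty", "welcome"}
DICTIONARY_SIZE = 100_000


def generate_password(length: int = 15) -> str:
    """Draw every character from the OS CSPRNG via `secrets` (never random.choice).

    Draws are rejected until all four classes appear, which most sites require
    anyway; for length >= 8 only a small fraction of draws is rejected.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    while True:
        candidate = "".join(secrets.choice(ALL) for _ in range(length))
        if all(any(c in cls for c in candidate)
               for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return candidate


def charset_size(password: str) -> int:
    """Characters an attacker must try per position, judged from the classes
    actually present: an all-lowercase password gets 26, not 95."""
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(c in cls for c in password))


def estimate_bits(password: str) -> float:
    """Rough log2 of the guesses needed to find this password.

    - dictionary word + trailing digits: the attacker tries every word with
      every digit suffix of that length, so guesses = DICTIONARY_SIZE * 10**digits
    - otherwise assume uniformly random draws: length * log2(charset_size)
    The second formula overstates the strength of anything a human made up.
    """
    stem = password.rstrip(DIGITS)
    n_digits = len(password) - len(stem)
    if stem.lower() in COMMON_WORDS:
        return math.log2(DICTIONARY_SIZE * 10 ** n_digits)
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def seconds_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password on average (half the keyspace) at the
    given offline guess rate; 1e10/s is a constructed figure for a GPU rig
    against a fast, unsalted hash."""
    return 2 ** bits / 2 / guesses_per_second


if __name__ == "__main__":
    samples = ["sammy1234", "password123", "christopher",
               "ZQ5t0466VC44PmJ", generate_password(15), generate_password(30)]
    for pw in samples:
        bits = estimate_bits(pw)
        print(f"{pw!r:34} {bits:6.1f} bits  ~{seconds_to_crack(bits):.3g} s")
```

Running it shows why the article's "not so good" examples are not: "christopher" costs roughly 17 bits (one dictionary lookup), "sammy1234" about 30 bits, while the 15-character random examples sit near 90 to 99 bits, far beyond any offline attack. The estimator only recognises the word-plus-digits pattern; real crackers know many more, so treat its random-draw figure as an upper bound for anything you invented yourself.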
Managing your passwords
Some people keep their passwords in an unencrypted text file. That is not a good idea: any malware that reaches the machine, anyone who borrows it, and every backup it gets copied into then holds every credential at once, in the clear. Even if you do little online and are careful about viruses, I would never recommend it.
So, where do you keep your strong passwords for all the services that you visit on a daily basis?
There are plenty of password safes out there, including KeePass, RoboForm, Passpack, Password Safe, LastPass, and 1Password. When I recommend one, it is always LastPass or 1Password.
Both LastPass and 1Password offer entry types for online logins (PayPal, Twitter, Facebook, Gmail, etc.), credit cards and bank accounts, online identities, and other sensitive information. Both have excellent reviews and differ only in a few subtle ways. The most notable is that LastPass keeps your encrypted vault on its servers, whereas 1Password lets you keep it locally or share it through Dropbox. Either way the vault is encrypted on your own device with a key derived from your master password, so only you hold the key. That also makes the master password the one password that must be genuinely strong and unique: whoever obtains the vault file, from the vendor, from Dropbox or from your laptop, can try to guess it offline, and it is all that stands between them and every entry.
LastPass and 1Password both offer cross-platform support as well as support for Android and iOS (LastPass even has BlackBerry support). 1Password is a little pricey ($39.99 for either Windows or Mac) where LastPass has free options as well as premium upgrades that allow for mobile syncing.
Upkeep
You should change the passwords for your “important” accounts regularly; every 6 weeks is a reasonable interval. When I say “important” accounts I mean the ones you could not imagine losing access to. For me that is Gmail, PayPal, eBay, Amazon, all my FTP and hosting accounts, Namecheap, etc.: any account where financial information could be lost or accessed, as well as any that could be badly damaged (like my web server).
There is no hard and fast rule for how often to change passwords, but 6 to 8 weeks should be fine. What matters more than the calendar is the trigger: change a password immediately when the service reports a breach, when you have reused it anywhere else, or when you typed it on a machine you don’t trust. Rotating on a schedule mainly limits how long a password that has leaked without your knowledge stays useful to whoever has it.
Alternatives
You may think that all of this is too much to manage day to day. I will admit it is a bit of a chore to change your passwords regularly and use a password manager every day. For those who don’t want to go through the hubbub of encrypted password management, here are a few tips to keep you reasonably safe:
- Create a unique, hard-to-guess “base password” and a pattern to apply for each site you log on to. For instance a base password could be “Ih2BaSwAa” (for “I have two brothers and sisters who are annoying”); then append something site-specific: Ih2BaSwAaTWTTR for Twitter, Ih2BaSwAaFCBK for Facebook, and so on. This is better than reusing one password everywhere, but it is weaker than it looks: if any one site stores passwords in the clear and leaks them, or you are phished on one, the base and the pattern are visible in that single password and every other account can be worked out from it.
- Don’t write your passwords down in public places. If you must keep a written list, keep it on your person; the drawback is that if your wallet is stolen, you are still out of luck.
- Don’t use the same passwords for every service. I’m not even going to explain this; just don’t do it.
These are just a few things you can do instead of keeping your passwords in a management system. Personally, with over 100 entries in my password manager, I couldn’t dream of doing it any other way, but for those with only a few passwords a simpler system may be enough.
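The base-password-plus-suffix scheme above, with its failure mode, beside a hardened alternative, as an added example that is not code from the article or from any of the tools mentioned. The hardened form derives each site's password with PBKDF2-HMAC-SHA256 keyed by the base and salted with the site's host name (the same idea as the pwdhash and PasswordMaker plug-ins, but with key stretching; their exact algorithms are not reproduced here). The base password, site tags, iteration count and candidate lists are constructed values for the example.

```python
import base64
import hashlib

# The article's base password and per-site tags (constructed example values).
BASE = "Ih2BaSwAa"
SITE_TAGS = {"twitter.com": "TWTTR", "facebook.com": "FCBK"}


def suffix_scheme(base: str, site_tag: str) -> str:
    """The article's pattern: base password with a site-specific tag appended."""
    return base + site_tag


def recover_base_from_leak(leaked: str, site_tag: str):
    """What an attacker does with one leaked suffix-scheme password: strip the
    obvious tag and the base (and hence every other account) falls out."""
    if leaked.endswith(site_tag):
        return leaked[: -len(site_tag)]
    return None


def normalise_host(domain: str) -> str:
    """So that ' WWW.Twitter.com ' and 'twitter.com' derive the same password."""
    host = domain.strip().lower()
    return host[4:] if host.startswith("www.") else host


def derived_scheme(base: str, domain: str, length: int = 16,
                   iterations: int = 100_000) -> str:
    """Per-site password from a slow keyed derivation (PBKDF2-HMAC-SHA256).

    One leaked output reveals neither the base nor any other site's password;
    an attacker holding it can only guess candidate bases offline, paying
    `iterations` hashes per guess. The iteration count is an assumed value."""
    key = hashlib.pbkdf2_hmac("sha256", base.encode("utf-8"),
                              normalise_host(domain).encode("utf-8"), iterations)
    # base64 gives upper, lower, digits and a little punctuation; sites that
    # insist on a symbol would need one appended deterministically.
    token = base64.b64encode(key).decode("ascii").rstrip("=")
    return token[:length]


def guess_base_offline(leaked: str, domain: str, candidates,
                       iterations: int = 100_000):
    """Offline attack on the derived scheme: try every candidate base.

    It succeeds only if the real base is in the candidate list, which is why
    the base must itself be strong even though it never appears in any
    password you type into a site."""
    for candidate in candidates:
        if derived_scheme(candidate, domain, len(leaked), iterations) == leaked:
            return candidate
    return None


if __name__ == "__main__":
    leaked = suffix_scheme(BASE, SITE_TAGS["twitter.com"])
    print("suffix scheme leak:", leaked, "-> base recovered:",
          recover_base_from_leak(leaked, SITE_TAGS["twitter.com"]))
    for site in SITE_TAGS:
        print(f"derived for {site}: {derived_scheme(BASE, site)}")
    leaked2 = derived_scheme(BASE, "twitter.com")
    print("offline guess with a weak candidate list:",
          guess_base_offline(leaked2, "twitter.com", ["password", "letmein"]))
```

The two attacks side by side are the point: against the suffix scheme, recovering the base from one leaked password is a string operation; against the derived scheme, the attacker must pay a full PBKDF2 run per guess and still only wins if the base is guessable, so a base like "Ih2BaSwAa" is far safer here than it is as a visible prefix. Derivation schemes also have no "change one password" button: rotating a single site's password means changing the base or adding a per-site counter, which is one reason the article's password managers remain the easier option.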
So, if you want to be a “responsible internet citizen” or you just don’t want to lose your precious account data, then creating and maintaining strong passwords for your online accounts is a must.
A more secure alternative (compared to adding a site-specific string to the base password) is the use of something like pwdhash ( http://pwdhash.com/ ) to generate a site-specific password from which it’s not easy to obtain the base password.
For example, if your main password is “lh2BaSwAa”, when used on twitter the site specific password is “X385Q05s96B”.
The available plugins for different browsers are really useful.
I use an IronKey with its built-in IDM app which talks to a protected part of the key’s memory (not available via the filesystem) and keeps everything encrypted with its onboard crypto processor. Windows only for the IDM part unfortunately.
https://www.ironkey.com/
If you don’t want a hardware solution then try LockNote (Windows or Linux/WINE). It’s open source and free and a single, self-modifying executable file and works a treat.
http://sourceforge.net/projects/locknote/
I think there’s a better method – Steve Gibson’s Password Haystack: http://www.grc.com/haystack.htm
Thanks for this TesTeq. I took one of my 1Password passwords and ran it through Steve’s tool. Check this out below.
Fully agree with Andrea: A very safe way for passwords on the Internet is something like http://passwordmaker.org/, which offers plug-ins for all browsers. You always use your one strong password, and the plugin creates a hash from that and the name of the site which makes a unique strong password for that site. As easy as it can get. No password storage anywhere needed.
[...] Protecting Your Online Life With Secure Passwords (lifehack.org) [...]
I am so glad you passed along ways to keep our passwords safe. I never even looked into it before. Thanks.
This was a very timely article. My Skype account got hacked into on the 30th and the hacker managed to get 4 automated recharges in the space of 5 hours, whilst making over 100 calls to Nigeria, Somalia, Lebanon, etc. Luckily the limit of what Skype allows to be charged per month was reached at that point and the final request to recharge did not go through. The lesson learned was not only to be more careful with the password but to NOT tick the automatic recharge box on Skype or similar types of accounts. This way you do have to manually add funds from time to time, but it’s a whole lot safer.
A non-technical solution is to use a long but simple base password, something like: longsimplepassward, instead of a cryptic expression that is hard to remember.
It’s really hard for me to memorize several passwords. What I do is use the same password for all my accounts, but a long one. That’s what I do.
I like using a mixture of names interlaced with a number and symbol at the end.
I’m not clear why changing a password on a regular basis is good practice. If I have a 12 character password with a mix of upper/lower case, numbers and special characters that does not appear in any dictionary, why would I need to change it?
Get real, people need to think about what a computer actually does to hack passwords!! http://xkcd.com/936/