I thought I would start my blog with a little word of advice to all my friends about securing your online identity. The problem, as Mr. Munroe so deftly explains, is not so much how strong or weak our passwords are, but the fact that we reuse them all over the place. Password complexity is still an issue, so you have to pay attention to both.
On the one hand, using the same very hard-to-crack password on every site might not seem so bad, especially if you are one of those people who don't think they have much of an online presence. But a strong password does you no good once a single site leaks it, and if someone gets your email password, they have access to EVERYTHING: password resets for your other accounts land in that mailbox, so they can take over those accounts and create new accounts in your name.
At the other extreme, you could use a password manager like KeePass (a very good program, which I highly recommend). KeePass stores your passwords in an encrypted database, has an easy way to copy a password to the clipboard (for pasting into the password entry box), and can automatically generate a long random password for every online account you maintain. This is an excellent approach for those who want the maximum of security, but it is a bit too technically challenging and tedious for most.
So for people like my children, my non-technical friends, extended family, etc., let me offer the following strategy:
- Maintain 3 or 4 passwords for use with different categories of websites.
- Create STRONG passwords.
For instance, your strongest, most secret password would be for your main email account. This one is never used anywhere else, never shared with anyone, and only typed in on computers you trust. Then have a second password for financial sites: your bank, your credit card, your insurance company, etc. This one should also be very strong, but you may use it in several places. Again, only enter this password on computers you trust. Select a third password for your social networking sites: your Diaspora account, your Cubbi.es account, your Twitter account, even (gasp) your Facebook account. And then finally have a password for all those myriad sites that make you create an account before you can get in. These are the sites you may never visit again, and in which you'll have very little investment. The trade-off to understand is that if any one site in a tier leaks its password database, every other site in that tier is exposed too, so change that tier's password as soon as you hear of a breach at any of them. Four passwords shouldn't be too hard to remember, should they?
Now, as for passwords, what is a strong password? It is a password that has a high degree of randomness, which means that it's very difficult to predict. This is why passwords like "password", "123MainStreet", and "123456789" are weak: they are all common sequences that a cracking program will try first. A password like "Abithiwtitb" is stronger because a) it's long, and b) it doesn't follow any easily recognizable sequence. A truly random sequence of characters is hard to remember. So how do we create apparently random passwords that are easy to remember? Easy: pick a medium-length phrase that you can remember. To create the sequence above, I used "A bird in the hand is worth two in the bush". Then take the first letter (or the second letter, or the last letter, or whatever pattern you like) of each word and use it as the next character of your password. Finally, put some non-letter characters into your password, either by replacing certain letters or by inserting them somewhere. So, we could make "Abithiwtitb" a bit stronger by replacing one of the i's with a 1, the t (for "two") with a 2, and adding a "#" symbol, like this: "Ab1thiw2itb#". This is a pretty strong password. One caveat: the first letters of famous proverbs, song lyrics and quotations are themselves in the word lists that cracking programs use, so a phrase that is personal to you (and not something you would find in a book of sayings) makes a better starting point than a well-known one.
Just for comparison, I submitted some of these passwords to a password strength-o-meter and here's what I got (score out of 100, then the meter's rating):
- 123456789: 4 (Very weak)
- Abithiwtitb: 35 (Weak)
- Ab1thiw2itb#: 95 (Very Strong)
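To show how the phrase-to-password recipe works and why a strength meter's score should be taken with a grain of salt, here is an added Python example (my own illustration for this post, not a tool the post or KeePass ships). It builds "Ab1thiw2itb#" from the proverb exactly as described, then compares two numbers: the bits a naive meter credits the password with (length times the log of the character classes used, which is roughly what a strength-o-meter does) and the bits left over if an attacker already knows the recipe and has a list of common proverbs. The substitution table, the attacker model and the assumed 1000-proverb list are constructed assumptions for the example, not measurements.

```python
"""Added example: build a mnemonic password the way the post describes, then
compare a naive strength-meter estimate with a recipe-aware attacker estimate.
The LEET table, the attacker model and the phrase-list size are assumptions."""
import math
import re
import string

# Constructed letter-to-digit swaps an attacker would try (assumption, not a standard).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
# The three "which letter of each word" patterns the post suggests.
LETTER_POSITIONS = ("first", "second", "last")


def acronym(phrase, position="first"):
    """Take one letter from each word of the phrase: the post's mnemonic step."""
    words = re.findall(r"[A-Za-z]+", phrase)
    if position == "first":
        return "".join(w[0] for w in words)
    if position == "second":
        return "".join(w[1] if len(w) > 1 else w[0] for w in words)
    if position == "last":
        return "".join(w[-1] for w in words)
    raise ValueError(f"unknown position {position!r}")


def mutate(base, swaps, symbol="", append=True):
    """Replace chosen letters (index -> replacement) and add one symbol at an end,
    the post's "replace some letters, add a '#'" step."""
    out = list(base)
    for index, char in swaps.items():
        out[index] = char
    body = "".join(out)
    return body + symbol if append else symbol + body


def meter_bits(password):
    """What a naive strength meter credits: every character assumed independent,
    so bits = length * log2(size of the alphabet formed by the classes present)."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(alphabet)


def scheme_bits(base, known_phrases):
    """Constructed attacker model: the attacker knows the recipe and tries
    (phrase) x (letter position) x (keep or swap each swappable letter)
    x (no symbol, or one of 32 symbols before or after). Returns log2(guesses)."""
    swappable = sum(1 for c in base if c.lower() in LEET)
    symbol_choices = 1 + 2 * len(string.punctuation)
    guesses = known_phrases * len(LETTER_POSITIONS) * 2 ** swappable * symbol_choices
    return math.log2(guesses)


if __name__ == "__main__":
    phrase = "A bird in the hand is worth two in the bush"
    base = acronym(phrase)                              # "Abithiwtitb"
    final = mutate(base, {2: "1", 7: "2"}, "#")         # "Ab1thiw2itb#"
    for pw in ("123456789", base, final):
        print(f"{pw:14} meter estimate: {meter_bits(pw):5.1f} bits")
    # Assumed: the attacker carries a list of 1000 well-known proverbs.
    print(f"{final:14} if the proverb is on a 1000-entry list: "
          f"{scheme_bits(base, 1000):5.1f} bits")
```

The gap between the two estimates is the whole point: the meter sees twelve characters drawn from a 94-symbol alphabet, but an attacker who guesses that the password came from a proverb only has to search the handful of ways the recipe can be applied. That is why the phrase should be one nobody else would think of, and why the meter's "Very Strong" is a floor on how much effort your password costs a dumb brute-force attack, not a guarantee against a smart one.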
So, I hope this has been helpful. Post questions to the comments section.