How to Choose Better Password
There's always debate online about which kinds of passwords are really the most secure, but one universal truth always seems to be that you should change your passwords often. The reasoning behind that is presumably if someone gains access to your account they won't be able to get into it for long. So you're effectively constantly changing it to keep those pesky wannabe hackers guessing.
But apparently the IT department's obsession with changing up our passwords could be all wrong. According to FTC Chief Technologist and Carnegie Mellon computer science professor Lorrie Cranor, research suggests that if you have to change your password all the time you'll put much less effort into picking a secure one.
But apparently the IT department's obsession with changing up our passwords could be all wrong. According to FTC Chief Technologist and Carnegie Mellon computer science professor Lorrie Cranor, research suggests that if you have to change your password all the time you'll put much less effort into picking a secure one.
She explains her findings from one particular study:
“[People] tended to create passwords that followed predictable patterns, called ‘transformations,’ such as incrementing a number, changing a letter to similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).”
Sound familiar? Exactly. That's why changing your password a lot just isn't smart when it comes to security. In fact, Cranor suggests that those who really want to hack into accounts can do so quite easily via offline attacks that guess a large number of passwords. So your constant changing isn't really going to slow them down that much anyway.
A strong password is your first line of defense against intruders and imposters.
Never give out your password to anyone.* Never give it to friends, even if they’re really good friends. A friend can – maybe even accidentally – pass your password along to others or even become an ex-friend and abuse it.
Don’t just use one password. It’s possible that someone working at a site where you use that password could pass it on or use it to break into your accounts at other sites.
Create passwords that are easy to remember but hard for others to guess. When possible, use a phrase such as “I started 7th grade at Lincoln Middle School in 2004” and use the initial of each word like this: “Is7gaLMSi#2004.” And make them at least a little different (by adding a couple of unique letters) for each site. On some sites you might even be able to type in the entire phrase.
Make the password at least 8 characters long. The longer the better. Longer passwords are harder for thieves to crack.
Include numbers, capital letters and symbols. Consider using a $ instead of an S or a 1 instead of an L, or including an & or % – but note that $1ngle is NOT a good password. Password thieves are onto this. But Mf$J1ravng (short for “My friend Sam Jones is really a very nice guy) is an excellent password.
Don’t use dictionary words: If it’s in the dictionary, there is a chance someone will guess it. There’s even software that criminals use that can guess words used in dictionaries.
Don’t post it in plain sight: This might seem obvious but studies have found that a lot of people post their password on their monitor with a sticky note. Bad idea. If you must write it down, hide the note somewhere where no one can find it.
Consider using a password manager. Programs or Web services like RoboForm (Windows only) or Lastpass (Windows and Mac) let you create a different very strong password for each of your sites. But you only have to remember the one password to access the program or secure site that stores your passwords for you.
Consider using multi-factor authentication. Many services offer an option to verify your identity if someone logs on to your account from an unrecognized device. The typical method is to send a text or other type of message to a mobile device registered to you with a code you need to type in to verity it’s really you. In most cases, you will not be required to use this code when logging on from a known device such as your own computer, tablet or phone.
Don’t fall for “phishing” attacks. Be very careful before clicking on a link (even if it appears to be from a legitimate site) asking you to log in, change your password or provide any other personal information. It might be legit or it might be a “phishing” scam where the information you enter goes to a hacker. When in doubt, log on manually by typing what you know to be the site’s URL into your browser window.
Make sure your devices are secure. The best password in the world might not do you any good if someone is looking over your shoulder while you type or if you forget to log out on a cybercafe computer. Malicious software, including “keyboard loggers” that record all of your keystrokes, has been used to steal passwords and other information. To increase security, make sure you’re using up-to-date anti-malware software and that your operating system is up-to-date.
Use a “password” or fingerprints for your phone too. Most phones can be locked so that the only way to use them is to type in a code, typically a string of numbers or maybe a pattern you draw on the screen. Some new phones allow you to register fingerprints, which are quite secure. Sometimes when people with bad intentions find unlocked phones, they use them to steal the owners’ information, make a lot of calls, or send texts that look like they’re coming from the owner. Someone posing as you could send texts that make it look like you’re bullying or harassing someone in your address book with inappropriate images or words.
* Some parents ask their kids to share their passwords with them. This might be OK with young children, but you might want to respect your teen’s privacy and not ask. Also, if you do ask your children for their passwords, make sure they understand that this is a rare exception to the “do not share password” rule.
Never give out your password to anyone.* Never give it to friends, even if they’re really good friends. A friend can – maybe even accidentally – pass your password along to others or even become an ex-friend and abuse it.
Don’t just use one password. It’s possible that someone working at a site where you use that password could pass it on or use it to break into your accounts at other sites.
Create passwords that are easy to remember but hard for others to guess. When possible, use a phrase such as “I started 7th grade at Lincoln Middle School in 2004” and use the initial of each word like this: “Is7gaLMSi#2004.” And make them at least a little different (by adding a couple of unique letters) for each site. On some sites you might even be able to type in the entire phrase.
Make the password at least 8 characters long. The longer the better. Longer passwords are harder for thieves to crack.
Include numbers, capital letters and symbols. Consider using a $ instead of an S or a 1 instead of an L, or including an & or % – but note that $1ngle is NOT a good password. Password thieves are onto this. But Mf$J1ravng (short for “My friend Sam Jones is really a very nice guy) is an excellent password.
Don’t use dictionary words: If it’s in the dictionary, there is a chance someone will guess it. There’s even software that criminals use that can guess words used in dictionaries.
Don’t post it in plain sight: This might seem obvious but studies have found that a lot of people post their password on their monitor with a sticky note. Bad idea. If you must write it down, hide the note somewhere where no one can find it.
Consider using a password manager. Programs or Web services like RoboForm (Windows only) or Lastpass (Windows and Mac) let you create a different very strong password for each of your sites. But you only have to remember the one password to access the program or secure site that stores your passwords for you.
Consider using multi-factor authentication. Many services offer an option to verify your identity if someone logs on to your account from an unrecognized device. The typical method is to send a text or other type of message to a mobile device registered to you with a code you need to type in to verity it’s really you. In most cases, you will not be required to use this code when logging on from a known device such as your own computer, tablet or phone.
Don’t fall for “phishing” attacks. Be very careful before clicking on a link (even if it appears to be from a legitimate site) asking you to log in, change your password or provide any other personal information. It might be legit or it might be a “phishing” scam where the information you enter goes to a hacker. When in doubt, log on manually by typing what you know to be the site’s URL into your browser window.
Make sure your devices are secure. The best password in the world might not do you any good if someone is looking over your shoulder while you type or if you forget to log out on a cybercafe computer. Malicious software, including “keyboard loggers” that record all of your keystrokes, has been used to steal passwords and other information. To increase security, make sure you’re using up-to-date anti-malware software and that your operating system is up-to-date.
Use a “password” or fingerprints for your phone too. Most phones can be locked so that the only way to use them is to type in a code, typically a string of numbers or maybe a pattern you draw on the screen. Some new phones allow you to register fingerprints, which are quite secure. Sometimes when people with bad intentions find unlocked phones, they use them to steal the owners’ information, make a lot of calls, or send texts that look like they’re coming from the owner. Someone posing as you could send texts that make it look like you’re bullying or harassing someone in your address book with inappropriate images or words.
* Some parents ask their kids to share their passwords with them. This might be OK with young children, but you might want to respect your teen’s privacy and not ask. Also, if you do ask your children for their passwords, make sure they understand that this is a rare exception to the “do not share password” rule.