Despite technologies like biometric scanners and password managers, many of us will have to continue relying on good old text passwords to access a lot of our important online accounts.
In my particular situation, it looks like I will continue to need to use several different computers, including computers on which I shouldn’t install password managers, or couldn’t even if I wanted to.
I suppose I could install a password manager on my home computer. But then how does the password manager know I am who I say I am? Wouldn’t I need to create some sort of master password if I can’t attach a biometric device to it?
Before I go any further, I should give the standard disclaimer for articles on password security: do not use any of the example passwords listed here, not even the good ones.
However, do create your own password using the principles of good passwords.
So, for example, correcthorsebatterystaple would be an excellent password if it hadn’t appeared in an XKCD cartoon.
Then again, a password consisting of four common dictionary words might not stand up to the newer password cracking tools, which the cartoonist was probably not aware of at the time.
And besides, many sites require passwords to also contain uppercase letters and numerical digits. Some also require non-alphanumeric characters, which pretty much guarantees I won’t be able to remember the password later.
Even so, we should not dismiss the XKCD cartoon out of hand. It still has some ideas about passwords that we should seriously consider.
There has to be a happy medium between a password like udl1m^Mw0Orre that would take three million years to crack but three seconds to forget, and a password like potato that can be cracked instantly (according to the password strength meter at HowSecureIsMyPassword.net).
To complicate matters, we are supposed to come up with completely different passwords for every single account: one password for your e-mail, another for your online banking, yet another for social media, etc.
This makes sense: if, for example, your Dropbox password is compromised through phishing (it might have happened to me), your online banking and e-mail passwords are still safe.
So that it doesn’t happen to you, let me take a minute to tell you the story of how I fell for a phishing scam a couple of years ago. I got an e-mail from Elliot Moore, then director of the Detroit Medical Orchestra.
This was strange because I think Moore is the kind of person who reaches out to others only when he thinks they can be of use to him, never thinking of how he could be of use to them.
Still, I should give people a chance, right? So I opened the e-mail. It was just a link to a document in Dropbox. That should have been a clue that maybe this wasn’t actually Elliot Moore.
Instead, I was worrying that I would have to reset my Dropbox password. I clicked the link and put in what I thought was my Dropbox password. The site showed me a document about California laws.
I can’t think of any reason why Elliot Moore would send me such a document. That was when I finally realized that this wasn’t actually Elliot Moore and I wasn’t on the real Dropbox site. I’d been had.
Whatever I thought my Dropbox password was, it contained enough information for the scammer to make some very intelligent guesses about my other passwords.
I don’t think the scammer would have actually cracked any of my other passwords, but I wasn’t going to give him the chance. Assuming he’d act immediately, I rushed to reset a lot of my passwords that day.
Theoretically, I should have a very distinct password for each social media platform I’m on. In practice, that would be way too many passwords to remember. In fact, I’ve completely forgotten the passwords for a lot of them.
Just Facebook and Twitter are often more than enough for me to deal with. Everything else (Pinterest, Instagram, etc.) I have linked to either Facebook or Twitter (mostly Facebook), so I just have my Facebook and Twitter passwords to worry about as far as social media is concerned.
Should we prioritize passwords? For example, I want my online banking password to be the password that is the toughest to crack that I can actually remember, but I don’t really care if someone cracks my Pandora password.
Well… not quite. The consideration there shouldn’t necessarily be whether money is associated with the account, but how much information can be gleaned from it.
I definitely didn’t give Pandora my Social Security Number, but I might have given my date of birth, or who knows what information that could be of use to an identity thief.
So now I say that you should still prioritize passwords, but your lowest priority password should be at least somewhat difficult to crack.
Social media is important these days. A bad tweet can get you fired. Not that I’m shedding any tears for Roseanne Barr, but she might have been better off blaming a hacker than blaming Ambien.
Maybe every single one of your passwords should be high priority. Some of your accounts, like your online banking, might have more security measures in place (like lock-outs after too many failed attempts, time-outs for inactivity, security pictures, etc.) than some of your other accounts.
Let’s say, hypothetically, that you are on a home gardening online forum. That forum probably has very weak security compared to your online banking. You may have noticed your Web browser gives you a security warning for some online forums.
Maybe your gardening forum password needs to be a lot stronger than your online banking password, since a hacker might get an almost unlimited number of attempts on your forum password but only five tries on your banking password.
Contrary to expectation, short passwords that look like gibberish (like udl1m^Mw0Orre earlier) are not necessarily safer than longer, more meaningful passwords.
Let’s try to salvage the XKCD password. Shift some of the letters to uppercase: corRecthorSebatTerystaPle. The password strength meter goes from saying it can be cracked instantly to saying it would take six septillion years to crack.
This is already much better than udl1m^Mw0Orre (that should match the earlier instance only because I copied and pasted it). The seemingly safer password could be cracked more quickly.
It doesn’t seem to matter if the uppercase letters follow a pattern, like the fourth letter of each word in the example above. I would still suggest not using the first letter of each word.
But the password strength meter points out that this is just letters. And in any case almost all websites require passwords to contain at least one digit (0 to 9).
The obvious thing would be to put the digit at the beginning or at the end. But I think that’s missing an opportunity to break up a word and make the password less vulnerable to a dictionary attack.
What I’m suggesting is to stick the digit in the middle of one of the words in a way that disguises that it’s a word (don’t use leet, though). For example: corRecthor4SebatTerystaPle. This obscures the fact that the password contains the word “horse.” Thirty-two octillion years.
A few sites also require passwords to contain at least one non-alphanumeric character. That’s where they lose me. I have never been able to remember a password with a non-alphanumeric character.
But here’s an idea from Dashlane (a password manager advertised on the password strength meter linked earlier):
Character Variety: No Symbols
Your password only contains numbers and letters. Adding a symbol can make your password more secure. Don’t forget you can often use spaces in passwords.
Just adding a single space to our example password, like so, corRecthor4Seba tTerystaPle, brings the estimated time to crack up to 3 decillion years.
So now we have one very strong password. Maybe this is suitable as a master password for a password manager.
But if it’s not a master password for a password manager that will come up with tough passwords for your various accounts, you should only use it on one site. You should come up with completely different passwords for the other sites.
Which brings us back to the whole problem of remembering a bunch of different passwords. I suggest using a base password into which you insert words to differentiate them. For example:
corRecthor4Se banking ba tTerystaPle for your online banking,
corRecthor eMail 4Seba tTerystaPle for your email,
corRect social hor4Seba tTerystaPle for your social media, and
corRecthor4Seba tTe forum rystaPle for an online discussion forum.
This is not ideal, because if, for example, your online discussion forum password is compromised, a hacker could figure out the general idea for your other passwords.
Though it might put you at ease to think that maybe the hacker’s first attempt at your online banking password would probably be corRecthor4Seba tTe banking rystaPle.
Some websites don’t allow you to use the name of the site in passwords. Let’s say that Facebook is like that. Then corRect Facebook hor4Seba tTerystaPle would not be allowed.
A simple way around that difficulty is to split up the name of the website. For example:
There is also the problem that some sites don’t allow spaces in passwords. I suppose if a space is not allowed but you want to use it, you might be able to substitute an underscore.
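To make concrete the gap between a strength meter’s estimate and the work facing an attacker who knows the recipe (four common words, one uppercase letter per word, an inserted digit and space), here is an added Python example that is not from the post. It sizes the post’s example passwords both ways, and then counts how few guesses a sibling per-site variant needs once one variant has leaked. The guessing rate, the 10,000-word dictionary and the 1,000 site labels are constructed assumptions, not figures from the post or the strength meter.

```python
# Assumed offline guessing rate (constructed figure, not from the post).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def naive_search_space(pw: str) -> int:
    """Charset ** length: roughly what a simple strength meter assumes."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation, space included
    return size ** len(pw)


def structured_search_space(pw: str, words: int, dictionary_size: int = 10_000) -> int:
    """Candidates left if the attacker knows the recipe in the post: `words`
    common words, one uppercase letter somewhere in each word, and any digits
    or spaces in pw inserted at an arbitrary slot between letters."""
    letters = sum(c.isalpha() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    spaces = pw.count(" ")
    avg_word_len = letters // words          # about 6 for the XKCD words
    n = dictionary_size ** words             # which words, in order
    n *= avg_word_len ** words               # which letter of each word is uppercase
    n *= (10 * (letters + 1)) ** digits      # digit value and insertion slot
    n *= (letters + 1) ** spaces             # space insertion slot
    return n


def years_to_crack(candidates: int) -> float:
    """Expected time: half the space is searched before the right guess."""
    return candidates / 2 / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def derived_password_guesses(site_labels: int, base_len: int) -> int:
    """Once a leaked variant reveals the base password, another site's variant
    is just one of `site_labels` words dropped into one of base_len + 1 slots."""
    return site_labels * (base_len + 1)


if __name__ == "__main__":
    pw = "corRecthor4Seba tTerystaPle"          # the post's strongest example
    print(f"meter-style estimate: {years_to_crack(naive_search_space(pw)):.2g} years")
    print(f"recipe-aware estimate: {years_to_crack(structured_search_space(pw, 4)):.2g} years")
    print(f"guessing a sibling variant: {derived_password_guesses(1000, len(pw))} tries")
```

The recipe-aware count is still large, but tens of orders of magnitude below the meter’s figure, and the sibling-variant count shows why a leaked forum password undermines the banking one.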
One more tip: parentheses. For example: (313) 867-5309 Jenny. This one would take four sextillion years to crack, if you’re not known to be a big Tommy Tutone fan.
I’m not a security expert and this is all just advice. Your mileage may vary depending on the contexts in which you need to use passwords and what other security measures there are in place.
Hopefully some of these suggestions are useful to you. At the very least it’s always good to review security protocols.
A couple of thoughts on PINs
I don’t have as much to say about PINs as I do about passwords, even though I’ve had an ATM card for even longer than I’ve had online accounts with passwords.
The main thing is to not use years pertaining to family members. That kind of narrows down the possibilities to about a hundred different 4-digit numbers.
For example, we might guess 1981 for Donald Trump’s ATM PIN, since that’s his daughter Ivanka’s birth year (he probably doesn’t know any of his wives’ birthdays). It wouldn’t be worth it, though, the balance is probably negative. Plus, you know, the Secret Service and stuff.
You should also think the entry motion through for obvious tells. For example, if your PIN is 7410 or 1470 and the card reader is not tightly secured, an onlooker could figure out your PIN from your hand movement even if you shield the keypad with your other hand.
It might also be a good idea to use one digit twice but not consecutively, like 4843 or 9050. And to further throw off onlookers, add a tap to a spot on the keypad near the buttons.
And lastly, if you find yourself in a distressed situation at an ATM, don’t put your PIN in backwards. That might only aggravate the situation. Snopes has thoroughly debunked that one.