Good passwords keep your online accounts safe and secure, but far too many of us break the simple commandments of password creation. It’s not a terribly difficult set of rules; don’t use common dictionary words as your password (especially common fare such as “password” or “123456”, use something memorable to you and (preferably) only you, and don’t re-use one password for one site on another, because if there’s a large scale security leak (over which you may have little or no control) at one site, a common password could leave other sites you log into susceptible as well.
LinkedIN had that issue come to the fore recently with the results of a hack that actually dates back to 2012 going live online, with potentially millions of susceptible accounts revealed. You may have received an email instructing you to change your password; frankly if you use LinkedIN I’d suggest it’s good form to change your password regardless in any case, because regularly changing your passwords is general good security form anyway.
With that in mind, however, you’ve got to pick a new secure password, and this then shifts to the secondary problem. Most of us are terrible at picking secure passwords, because picking something that’s both unique and memorable for the dozens of services many of us use online is actually hard work. To complicate matters, many of the ways that sites actively try to force us to create “strong” passwords may actually make those passwords easier to crack, even while making them seemingly harder to create.
That’s because en masse, people tend to think and create in rather predictable patterns. I’ll give you a very simple example. You’re told to create a password. You choose “password”, because it’s simple. Yes, this is a terrible password, but let that slide for a moment. The system you’re entering it into rejects it because the rules for that site require a number to be part of the password.
An awful lot of people would then choose “password1”, just because it’s the first number in any simple counting system. Not everyone, to be certain, but enough to make that complex rule effectively useless if you’re protecting an account, because it’s essentially obvious. The rules “work”, but they don’t protect in the way they should.
One interesting shift here in password allowance is coming from Microsoft. In a recent blog post Microsoft researchers outline methodologies for IT professionals to install routines that check for obvious passwords and combinations and reject them outright. They may meet the specific rules laid down for the service, but if they’re on the banned list, you can’t use them. Microsoft already uses this approach for Microsoft accounts, but wants it spread further to encourage good password creation.
So what do you do to keep yourself secure? Mnemonics are decent if you’ve only got a few passwords to remember. Anyone who’s ever studied music probably remembers Every Good Boy Deserves Fruit as a simple scale mnemonic, and you can apply that to passwords, perhaps choosing not quite so obvious a phrase as the basis for your passwords. Something you would remember, but not that anyone else might guess. So (again, as a random example) if your Uncle Kevin Used To Pickle Fruit, that would be UKUTPF. Mix up your capitals and sort out some numbers — maybe Uncle Kev was 73 at the time — and you’re well on your way.
If you’ve got more than just a few passwords, though, I’d still advocate for using a proper password management application such as Keepass, Dashlane or 1Password to not only securely store your passwords, but also generate them dynamically and at length. That dodges the obvious human creation rule problem, means you don’t have to stress remembering tough passwords and makes it simple even if you’re asked to create new passwords, because they can all simply generate a new random character string at the click of a button.