
3 Tips To Create The Perfect Password

By David Emm | February 20, 2014 | Updated: June 22, 2021 | 5 Mins Read

Passwords, passwords, passwords! There’s no escape! You need them to bank online. You need them to log in to the many social networks you use. You need them to pay bills. You need them to shop online. Have you noticed that you can seldom just shop in an online store? You nearly always have to create an account first – and this means yet another password for the virtual key-ring.

So it’s little wonder that many of us decide to use the same password for everything.

We’ve all heard the advice from security professionals.

1. Make every password at least eight characters long – and 15 plus is better.

2. Don’t make them easily guessable. There’s a good chance that personal details such as your date of birth, place of birth, partner’s name, etc. can be found online – maybe even on your Facebook wall.

3. Don’t use real words. They are open to ‘dictionary attacks’, where someone uses a program to quickly try a huge list of possible words until they find one that matches your password.

4. Combine letters (including uppercase letters), numbers and symbols.

5. Don’t ‘recycle’ them, e.g. ‘david1’, ‘david2’, ‘david3’, etc.

The thing is, if we follow this advice, there are too many, and they’re too complicated, to remember – especially in the case of an account we don’t use very often.  To make matters worse, not all online providers follow the same criteria.  Some don’t allow special characters.  Some don’t allow numbers.  Some don’t allow more than 12 characters.

On the other hand, passwords are the keys to our online life.  So if we use the same key for every lock, and it’s stolen, a cybercriminal is able to assume our online identities in one fell swoop – access all areas!

So what’s to be done?  How do we create unique, complex passwords that are effective, but still memorable?

Here are three tips to make things easier.

(1) Instead of trying to remember individual passwords, use a memorable passphrase plus a three, four or five-step routine (depending on how good your memory is) to jumble it up to make it unique for each online account.

Let’s say my chosen passphrase is ‘A stitch in time saves nine’ (this will work as an example, but I’d suggest you make yours much longer).  I would take the first letter of each word, to create

‘asitsn’

This becomes the core of every password I create.  Then I simply apply my four-step rule to jumble it up for each account.

(a) Capitalise the fourth character.

(b) Put the name of the account you’re logging into after the second character.

(c) Put the number 3 after the fourth character.

(d) Put a percentage sign after the eighth character.

(e) Move the sixth character to the front.

If I’m choosing a password for Amazon, this would give me ‘aasAm3zo%niTsn’.

If I’m choosing a password for Mybank, this would give me ‘basMy3an%kiTsn’.

And so on.

Of course, there’s always a chance that if one of your passwords is compromised, a cybercriminal might be able to work out your method from the stolen password. So you might want to get a bit more creative. For example, you may want to have three passphrases and use a different one depending on the first letter of the account you’re logging into, i.e. passphrase1 for A-H, passphrase2 for I-P and passphrase3 for Q-Z. Or maybe keep a list of your accounts and apply the passphrases in sequence as you move down the list. Or maybe even have two passphrases and ‘interleave’ them for each password – i.e.

asitsn + otgdy = aostigtdsyn
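
The routine from tip (1), written out as an added example that is not part of the original article: it applies steps (a) to (e) in order, reproduces the Amazon and Mybank results and the interleaved core, and counts how many character positions two derived passwords share. All function names here are assumptions made for illustration.

```python
def core_from_passphrase(passphrase: str) -> str:
    """First letter of each word, lower-cased: the core of every password."""
    return "".join(word[0].lower() for word in passphrase.split())


def insert_after(text: str, position: int, piece: str) -> str:
    """Insert `piece` after the 1-based character `position` of `text`."""
    return text[:position] + piece + text[position:]


def derive(core: str, account: str) -> str:
    """Apply steps (a) to (e) from the article, in order."""
    if len(core) < 4 or not account:
        raise ValueError("need a core of 4+ characters and an account name")
    pw = core[:3] + core[3].upper() + core[4:]   # (a) capitalise 4th character
    pw = insert_after(pw, 2, account)            # (b) account name after 2nd
    pw = insert_after(pw, 4, "3")                # (c) '3' after 4th
    pw = insert_after(pw, 8, "%")                # (d) '%' after 8th
    return pw[5] + pw[:5] + pw[6:]               # (e) move 6th to the front


def interleave(first: str, second: str) -> str:
    """Alternate characters of two cores; leftover characters go at the end."""
    out = []
    for i in range(max(len(first), len(second))):
        out.append(first[i:i + 1])
        out.append(second[i:i + 1])
    return "".join(out)


def shared_positions(pw_a: str, pw_b: str) -> int:
    """Count positions where two derived passwords hold the same character."""
    return sum(1 for a, b in zip(pw_a, pw_b) if a == b)


if __name__ == "__main__":
    core = core_from_passphrase("A stitch in time saves nine")
    amazon, mybank = derive(core, "Amazon"), derive(core, "Mybank")
    print(core, amazon, mybank)
    print(interleave("asitsn", "otgdy"))
    print(shared_positions(amazon, mybank), "of", len(amazon), "positions match")
```

The Amazon and Mybank passwords agree in 8 of their 14 positions, which is the shared structure the caveat above describes: the result is only as secret as the passphrase and the rule behind it.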

(2) Save yourself the trouble of creating complex passwords, and remembering them, by enlisting the help of a password manager application. These will store all your passwords in a secure vault, encrypted to prevent them being stolen. Some of them will also auto-generate strong passwords for you. Some will also auto-enter them for you when you log in to an online account. If you’re not sure which one to go for, look online for reviews conducted by one of the PC magazine reviewers.

(3) If the first option seems too complicated, and you don’t like the hi-tech approach, you could write your passwords down somewhere.  Now I realise that I’m risking the wrath of some security professionals and that the general advice is not to write down passwords.  Just to be clear, I’m not suggesting that you do this at work.  Or that you write them on a sticky-note and stick it on your monitor. But remember that it’s highly unlikely that the online criminal is also going to come crashing through your front door to get your passwords.  So as long as you store them discreetly, and keep them from prying eyes, I believe that it’s better to write down unique complex passwords for each online account than to use the same password for everything.

David Emm

David Emm is Principal Security Researcher at Kaspersky, a provider of security and threat management solutions.

David joined Kaspersky in 2004. He is a member of the company's Global Research & Analysis Team (GReAT) and has worked in the anti-malware industry since 1990 in a variety of roles, including that of Senior Technology Consultant at Dr Solomon's Software, and Systems Engineer and Product Manager at McAfee.

In his current role, David regularly delivers presentations on malware and other IT security threats at exhibitions and events, highlighting what organisations and consumers can do to stay safe online. He also provides comment to broadcast and print media on the ever-changing cyber-security and threat landscape. David has a strong interest in malware, ID theft and the human aspects of security, and is a knowledgeable advisor on all aspects of online security.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
