You sign up for an account. The system asks you to set a password – and at that moment you hold your security in your hands, because you need to pick one that a hacker can’t guess, ever. To that end, there are some simple rules to follow to keep hackers from using statistical methods to turn you into a statistic.
#1. Don’t be cute.
Gosh, you could just run your finger across the keyboard and make “123456” your password, or (on the next row) “QWERTY.” Or it might seem clever to use “Password” as your password. Except that hackers use dictionaries of commonly used passwords to mount brute-force attempts to get into accounts, trying one possible password after another. And as it turns out, “123456” is the most commonly used password out there. “QWERTY” is number 20. “Password” is number four. These disturbing statistics are from a recent analysis by Imperva, a computer security firm in Redwood Shores, CA, of a recently discovered file of 32 million stolen passwords. Similar research both 10 and 20 years ago revealed similarly sad situations.
#2. Longer is better.
The same study also found that 26 percent of people used passwords that were only 6 characters long. In fact, nearly half were shorter than eight characters. With six characters, your password can have 308 million letter combinations. That sounds like a large number, but for modern hackers with automated password cracking programs, six characters spells “easy meat.” NASA warns its employees that hackers can try that many combinations in a few minutes – and then start ransacking your account.
#3. Use the shift key.
If your measly six-letter password combines uppercase and lowercase letters, things aren’t quite as hopeless, as you have upped your game to 19 billion combinations. If you move on to eight characters (which NASA advises as a minimum), you’re up to 53 trillion.
#4. Comic book cussing is good.
Sure, using “@#$%^&*” might seem reminiscent of juvenile cusswords. But including characters from outside the alphabet (including numbers) sends the possible combinations sky-high. Indeed, NASA calculates that an eight-symbol password with at least one lowercase letter, one uppercase letter, one numerical character, and one special character or punctuation mark gives slightly more than 6 quadrillion (that’s 6 followed by fifteen zeros) combinations.
If you think that’s unbreakable and offers genuine security – sorry, there’s no such thing. But if it’s a choice between wrestling interminably with your 6 quadrillion combinations, or looting the account of someone else who used “123456” as a password, you can guess what the hacker will choose to do.
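The arithmetic behind rules #1 through #4, as an added example that is not part of the original article: the naive keyspace counts the text quotes (26^6, 52^6, 52^8 and, assuming NASA counted 94 printable characters, 94^8), the smaller count you get once every character class is actually required, and a checker that applies the same rules to a candidate password. The class sizes, blocklist contents and thresholds are assumptions taken from or inspired by the text, not NASA’s or Imperva’s own figures.

```python
from itertools import combinations

# Character-class sizes used in the text. The 32 specials are an assumption:
# printable ASCII minus letters, digits and the space character.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}
# The three passwords the text names; a real blocklist holds millions of entries.
COMMON_PASSWORDS = {"123456", "qwerty", "password"}


def keyspace(length, classes):
    """Strings of `length` over the union of the named classes: the naive count
    the text uses (26**6, 52**6, 52**8, 94**8)."""
    return sum(CLASS_SIZES[c] for c in classes) ** length


def keyspace_all_classes_present(length, classes):
    """Strings of `length` that contain at least one symbol from EVERY named
    class, by inclusion-exclusion over the subsets of classes left out.
    Requiring every class makes the space smaller than the naive count."""
    classes = list(classes)
    total = 0
    for k in range(len(classes) + 1):
        for left_out in combinations(classes, k):
            alphabet = sum(CLASS_SIZES[c] for c in classes if c not in left_out)
            total += (-1) ** k * alphabet ** length
    return total


def classes_used(pw):
    """Which of the four character classes actually appear in `pw`."""
    used = set()
    for c in pw:
        if c.islower():
            used.add("lower")
        elif c.isupper():
            used.add("upper")
        elif c.isdigit():
            used.add("digit")
        else:
            used.add("special")
    return used


def check_password(pw, min_len=8, min_classes=3):
    """Return the list of rule violations (empty list means the password passes).
    min_len follows the text's NASA minimum; min_classes is an assumed threshold."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    used = classes_used(pw)
    if len(used) < min_classes:
        problems.append(f"uses only {len(used)} character class(es)")
    return problems
```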
#5. Keep it centered.
By now you’ve figured out that you should not use any words out of a dictionary. This includes slang and vernacular, plus names, especially your own. Variants of e-mail addresses are also unwise. Obviously, the way to go is potential gibberish, like “Szb21#^&.” But keep in mind that some passwords are gleaned by hacking into computers where intruders can find stored passwords. Those are stored in encrypted form, but there’s software that can attack the encryption. Nearly all encrypted passwords are stored with the last character in clear text, warns NASA, so the last character is a throwaway. So put the funny, unpredictable characters in the middle of the password. In other words, our example would be better as “Szb#^&21.”
#6. Keep it fast, keep it mental.
The password should be something you can type quickly, so no one can follow your fingers as they fly across the keyboard. It also has to be something you can remember with precision without writing it down – something you should never do. Experts suggest using a passphrase that stands for the password. For instance, our example could stand for “Sally’s zealous boss’s number’s (#) up (^) and (&) it’s blackjack (21).” If that makes no sense, that’s sort of the point.
#7. Remain paranoid.
Just because the police have not shown up at your door does not mean your password has not been stolen, somewhere. To preempt anything that may be in the works, change your password every three months. But don’t add a numeral 1 to the end of the password and call it changed – do a little more work than that.
#8. Don’t double up.
Don’t use the same passwords for your office computer that you use on Web sites. Actually, it’s best to use a different one each time, but it’s especially important to separate office from Web use, since Web passwords are more exposed to hacker theft.
#9. Loose lips sink ships.
Now that you’ve come up with a sensible password, don’t divulge it – especially to sudden callers whom you’ve never heard of, saying they’re from the corporate help desk and who have a plausible story about how they need your password in order to rescue some important file that your boss must access immediately to prevent something dreadful from happening, etc.
Such tale-spinning is called social engineering. It requires effort and research, but hackers do it because they can get results regardless of the length or complexity of your password.
A real help desk, incidentally, can find someone with administrator privileges to solve problems, and needn’t be calling you.
#10. Don’t turn your back on your computer.
Not that it’s plotting against you, but when it comes to doing potentially illegal activities, people prefer to do it with someone else’s computer. Turn off your computer when you’re not using it. That saves power, too.