Ten Simple Rules to Secure Your Online Life with a Secure Password

Best Practices for a secure password

A week doesn’t go by without someone asking me about internet security. They tell me stories of their kids installing software that also installs malware, lament about Facebook changing privacy settings so all their personal information is public, or express concern over the latest internet security breach (e.g. Epsilon).

I know that for every one of us, online security is important. We spend so much time installing anti-virus software and tweaking our Facebook security settings that we forget one of the most important way we can secure our online lives. Secure passwords. Security doesn’t need to be about 16-digit alphanumeric random codes that make no sense in real life. I’ve written here my Ten Simple Rules To Secure Your Online Life with a Secure Password.

1. NOT SECURE: Using a blank password or leaving a default password.

Many sites assign simple default passwords, or passwords built by a static algorithm. You cannot get less secure. Because of that, they are very easily guessed. Immediately change your password after an account has been created. Never use the default.

2. NOT SECURE: Using personal information in a password.

Whether you know it or not, most of your personal information is available publicly online. Your spouse’s name, family birthdays, anniversaries, kid and pet names, and your interests (music, movies, sports, travel) are all available on Facebook for anyone you know to use to guess your password. Don’t use this information.

3. NOT SECURE: Using any of the most common passwords.

A great list can be found at http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time (sorry about the language, but it is what it is). Remember that every password on this list is most likely used by hundreds of thousands of other people. If yours is there. Change it.

4. NOT SECURE: Trying to be more clever than the Internet when choosing a password. 

 Don’t try to make things up, thinking you are clever and no one else has thought of them. Key patterns like ‘qwerty’ or ‘okmijn’,  insults like ‘eatit’ or ‘biteme’, combinations of words and acronyms like ‘letmein’ or ‘lolrofl’, or words spelled backwards like ‘drowssap’ or ‘llabtoof’, are very ineffective and are included in every brute force dictionary attack password file.

5. NOT SECURE: Using a dictionary word (in any language) as a password.

There are 250,000 words in the English language (source). Since a desktop computer can try approximately 10,000,000 passwords in a single second (source), a good brute force attack would have guessed your password in less .025 seconds, assuming the attackers aren’t using powerful server hardware or multiple machines, in which case it would be faster.

6. SECURE: Replace letters with characters / insert characters into the password.

An example of this is the word ‘password’ becoming ‘?a5s_w0rd’. According tohowsecureismypassword.net, the former will be broken almost immediately, the latter will take 75 days.

7. SECURE: Capitalize random letters, usually NOT the first letter.

If you capitalize the s and R in the last example, it becomes ‘?a5S_w0Rd’, which would take about 9 years to crack, a very good improvement.

8. SECURE: The best method I have found to help myself both make up secure passwords and remember them is this: Think of a favorite quote of yours, take just the first letter of every word, apply the previous rules and you have a secure password.

My favorite quote is by Robert J. Oppenheimer, one of the men who invented the atomic bomb. He said, “I am become death, the destroyer of worlds.” (I know that’s a Vishnu quote from the Bhagavad Gita, don’t email me). That password becomes ‘Iabd_Td0w-rj0’. I am never going to forget this password, because it’s based on one of my favorite quotes, and it will take a brute force attack 301 MILLION years to crack it.

9. SECURE: Change your password fairly often.

Even if someone is able to crack your password, when it changes, they no longer have access to your accounts.

10. SECURE: Use different passwords for your social networks and forum logins as you do for your bank and medical logins.

If your Facebook or webmail accounts get hacked, do you want the hacker to then have your bank account password too?

I know that sometimes these habits are hard to start, and even harder to maintain, but it is infinitely easier to remember secure passwords than it is to recover from identity theft.