Password Do’s and Don’ts

Here are a few tips for creating strong passwords. Take a moment to review these, and consider strengthening some of your passwords if they fall short.

-Create unique passwords that use a combination of words, numbers, symbols, and both upper- and lower-case letters.

-Do not use your network username as your password.

-Don’t use easily guessed passwords, such as “password” or “user.”

-Do not choose passwords based upon details that may not be as confidential as you’d expect, such as your birth date, your Social Security or phone number, or names of family members.

-Do not use words that can be found in the dictionary. Password-cracking tools freely available online ship with wordlists of millions of common names and passwords, and with "rules" that automatically try the obvious variations of each entry: capitalizing it, appending a digit or a year, adding punctuation at the beginning or end. If you must build on a dictionary word, adding a numeral and some punctuation is better than nothing, but only slightly, because those are exactly the variations the rule sets try first; several unrelated words strung together hold up far better.

-Avoid simple adjacent keyboard combinations: "qwerty," "asdzxc," and "123456" are horrible passwords that are trivial to crack, and every cracking wordlist already contains them.

-Some of the easiest-to-remember passwords aren't words at all but collections of words that form a phrase or sentence, perhaps the opening sentence of your favorite novel or the opening line of a good joke. Complexity is nice, but length is key. It used to be the case that an alphanumeric password of 8-10 characters was a pretty good practice. These days it is cheap to build fast password-cracking rigs: against a fast, unsalted hash such as MD5 or NTLM, a handful of consumer graphics cards can try billions of guesses per second, enough to exhaust every 8-character mixed-case alphanumeric password in a day or less. Each character you add to a password or passphrase multiplies the number of combinations a brute-force attack must try by the size of the character set (26 for lowercase letters, 62 for letters and digits, 95 for all printable ASCII), which is why a long passphrase of ordinary words soon outgrows a short password stuffed with symbols.

-Avoid using the same password at multiple Web sites. Reusing one password across sites that store nothing sensitive about you (a news site, say) is a smaller risk, provided that password is never also used at a site that matters: when any one of those sites is breached, the leaked username-and-password pairs get tried automatically against every other popular site, so a password shared with a sensitive account falls with the weakest site it was used on. A unique password everywhere, kept in a password manager, avoids the problem entirely.

-Never use the password you've picked for your e-mail account at any other online site: if you do, and an e-commerce site you are registered at gets hacked, there's a good chance someone will be reading your e-mail soon, and the password-reset links for every other account you own arrive in that same inbox.

-Whatever you do, don't store your list of passwords on your computer in plain text. My views on the advisability of keeping a written list of passwords have evolved over time. I tend to agree with noted security expert Bruce Schneier, who advises users not to worry about writing down passwords; just make sure you don't keep the list in plain sight. A sound low-tech method is to write down, for every Web site you have a password for, your login name and a clue that has meaning only to you. If you forget a password, most Web sites will e-mail you a reset link (assuming you can remember which e-mail address you signed up with); be wary of any site that can e-mail you your actual password, because that means it stores passwords in a recoverable form.

-One thing to note about password storage in Firefox: If you have not enabled and assigned a “master password” to manage your passwords in Firefox, anyone with physical access to your computer and user account can view the stored passwords in plain text, simply by clicking “Options,” and then “Show Passwords.” To protect your passwords from local prying eyes, drop a check mark into the box next to “Use Master Password” at the main Options page, and choose a strong password that only you can remember. You will then be prompted to enter the master password once per session when visiting a site that uses one of your stored passwords.

-There are several online third-party services that can help users safeguard sensitive passwords, including LastPass, Dashlane, and 1Password, which keep an encrypted copy of your passwords in the cloud and protect them all with a master password. If entrusting all your passwords to the cloud gives you the creeps, consider a local password storage program on your computer, such as Roboform, Password Safe, or KeePass. Again, take care to pick a strong master password, but one that you can remember; just as with the Firefox master password option, if you forget the master password you are pretty much out of luck.
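The two points above about dictionary words with a digit and punctuation bolted on, and about length multiplying the brute-force search space, as an added Python example (editor's illustration, not code from the original post). The five-entry wordlist, the small rule set, unsalted SHA-256 standing in for any fast hash, and the guess rate are all constructed assumptions; real cracking tools carry wordlists and rule sets many orders of magnitude larger.

```python
"""Added example (not from the original post): a toy rules-based dictionary
attack plus brute-force keyspace arithmetic.

Assumptions (all constructed for illustration): the five-entry wordlist, the
small rule set, unsalted SHA-256 standing in for any fast hash, and the guess
rate passed to seconds_to_exhaust().
"""
import hashlib
import math
import string

WORDLIST = ["password", "welcome", "dragon", "letmein", "monkey"]  # constructed
DIGITS = string.digits
PUNCT = "!@#$%^&*"


def mangle(word):
    """Yield the variants a cracker's rule set would try for one word:
    case changes, an appended digit, punctuation before/after, and combinations.
    Order is deterministic so guess counts are reproducible."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for d in DIGITS:
            yield base + d
            for p in PUNCT:
                yield base + d + p
                yield p + base + d
                yield p + base + d + p
        for p in PUNCT:
            yield base + p
            yield p + base


def fast_hash(text):
    """Unsalted SHA-256 hex digest; stands in for any fast password hash."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Try every mangled wordlist entry against target_hash.
    Returns (recovered_password or None, number_of_guesses_made)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if fast_hash(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(length, charset_size):
    """Number of distinct passwords of exactly this length over this charset."""
    return charset_size ** length


def bits_of_entropy(length, charset_size):
    """log2 of the keyspace: each extra character adds log2(charset_size) bits."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length, charset_size, guesses_per_second):
    """Worst-case time to try every password in the keyspace at the given rate."""
    return keyspace(length, charset_size) / guesses_per_second


if __name__ == "__main__":
    # "Password1!" follows the 'word + digit + punctuation' recipe exactly.
    found, n = dictionary_attack(fast_hash("Password1!"))
    print(f"Password1! recovered as {found!r} after {n} guesses")

    # A four-word lowercase passphrase is out of reach of this wordlist + rules.
    found, n = dictionary_attack(fast_hash("correct horse battery staple"))
    print(f"passphrase recovered: {found!r} after {n} guesses")

    rate = 1e10  # constructed: ten billion guesses/s, plausible for a fast hash on GPUs
    for label, length, charset in [("8 chars, all printable ASCII", 8, 95),
                                   ("16 lowercase letters", 16, 26)]:
        print(f"{label}: {bits_of_entropy(length, charset):.1f} bits, "
              f"{seconds_to_exhaust(length, charset, rate) / 86400:.1f} days to exhaust")
```

The rule set is tiny, yet it recovers "Password1!" after a few hundred guesses because the rules enumerate precisely the decorations people add; the 16-letter lowercase passphrase carries more entropy than an 8-character password drawn from all 95 printable characters, and its keyspace is larger by a factor of millions.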

6 thoughts on “Password Do’s and Don’ts”

  1. Crystal Stewart

    This was actually great information to send out, because I know people who use the same exact password for every single account they have, no matter what it is.

  2. Olaniyan Joyce

    Good day.
    I am still having a problem when I get to the username and password. It is showing “something went wrong” when I type.

    1. MgFrobozz

      Olaniyan Joyce, are you getting the “something went wrong” when you are trying to set up a password on an unspecified web site somewhere?

      Some sites unnecessarily disallow use of some printable punctuation characters; this needlessly weakens passwords for that site, since someone attempting a brute-force attack can eliminate use of all of the characters they disallow, which speeds up the attack. Those sites will _usually_ list the punctuation they don’t allow, but sometimes they provide only a very general error message when you use a character they won’t support. On these sites, I’ve reverted the punctuation characters one by one, until I identify the problem character, then reset the password using the characters which it _did_ allow.

      For those site designers that disallow some punctuation characters because they’re worried about SQL injection attacks: stop that, and instead use a modern library with built-in protection against SQL injection.

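On the point in the reply above that sites should not ban punctuation in passwords out of fear of SQL injection: as an added example (editor's illustration, not code from the original post or from the commenter), here is a login check built on parameterized queries, which accepts any character, beside the string-concatenation anti-pattern that chokes on an apostrophe and is trivially bypassed. The user name, the punctuation-heavy password, the injection string and the PBKDF2 iteration count are constructed; sqlite3 stands in for whatever database a site actually uses.

```python
"""Added example (not from the original post or comments): parameterized
queries make banning punctuation in passwords unnecessary.

Constructed inputs: USERNAME, PASSWORD (deliberately full of SQL punctuation)
and INJECTION (a classic login bypass). sqlite3 stands in for the site's DB.
"""
import hashlib
import hmac
import os
import sqlite3

USERNAME = "alice"
PASSWORD = "It's 1 bad; idea--to ban \"quotes\"!"   # constructed
INJECTION = "' OR '1'='1"                          # constructed bypass string


def make_db():
    """In-memory DB with a hashed-credential table (the right way) and a
    plaintext table that exists only to show the vulnerable pattern."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    conn.execute("CREATE TABLE legacy_users (username TEXT PRIMARY KEY, password TEXT)")
    return conn


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256; the iteration count is illustrative, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(conn, username, password):
    """Store a salted hash via bound parameters; any password text is fine."""
    salt = os.urandom(16)
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))
    # Plaintext copy for the vulnerable demo only; never do this in production.
    conn.execute("INSERT INTO legacy_users (username, password) VALUES (?, ?)",
                 (username, password))
    conn.commit()


def login_safe(conn, username, password):
    """Parameterized lookup plus constant-time hash comparison. Punctuation in
    the password never reaches the SQL parser, so there is nothing to ban."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def login_unsafe(conn, username, password):
    """The anti-pattern: user input concatenated into SQL. A legitimate
    apostrophe is a syntax error (hence the misguided punctuation bans) and
    a crafted one bypasses authentication."""
    query = ("SELECT 1 FROM legacy_users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def unsafe_outcome(conn, username, password):
    """Classify the vulnerable login's behaviour: 'ok', 'denied' or 'error'."""
    try:
        return "ok" if login_unsafe(conn, username, password) else "denied"
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    conn = make_db()
    register(conn, USERNAME, PASSWORD)
    print("safe, real password:      ", login_safe(conn, USERNAME, PASSWORD))
    print("safe, injection string:   ", login_safe(conn, USERNAME, INJECTION))
    print("unsafe, real password:    ", unsafe_outcome(conn, USERNAME, PASSWORD))
    print("unsafe, injection string: ", unsafe_outcome(conn, USERNAME, INJECTION))
```

With the bound-parameter version the real password (apostrophe, semicolon, comment marker and all) logs in and the injection string is just a wrong password. With concatenation the real password produces a database error, which is the symptom that tempts developers into banning punctuation, while the injection string logs in without knowing any password at all.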
  3. Bob

    Immediately above this box: “Your email address will not be published.” Sweet. But what does “will not be” include? Does this mean, “WE will not publish it. Full stop.”? Or, does it mean “NO ONE will publish it”? Including the trackers, et al who take info about visitors, without knowledge – much less permission? And are you certain that said trackers et al are not taking info that YOU don’t know about? This was true with my former bank’s online banking. More than one senior tech, in more than one conversation, admitted that he was unaware that ‘others’ were collecting information. How…? Which is why it is my ‘former’ bank. I, however, was aware: the reason for the conversations was that it became impossible for me to bank online while using NoScript to block those whom I felt did not need to be privy to my banking….

    I’ve come to believe that, in practice, ‘security’ means ‘it’s hard to hack my connection to a website and to hack my information stored by the website owner’. And that ‘privacy’ means that ‘the website owner will not sell, trade, give away, leave lying around, etc. my information’. I’ve come up with the phrase ‘security of privacy’ as a 3rd keyword, meaning that no 3rd party will be taking info. (“Sleeping under the bed” as Google has recently described themselves, although the “sleeping” part, I believe, is false.) Although I see a few privacy policies that admit 3rd parties ARE taking notes, I’ve yet to see a policy that states ‘it don’t happen here’. That includes every privacy policy I’ve read in the past few years, and every one I can remember before that. (Before I started looking for ‘security of privacy’ clauses I probably would have remembered one because it would have stood out.)

    I have read every EULA and Terms of Service for every site and service I’ve signed up for (and everything else I’ve signed), for more than a decade. (With 3 exceptions, close to 2 decades.) A few years ago I started looking explicitly for ‘security of privacy’ clauses because I didn’t remember seeing any. I still haven’t. Although I have seen the occasional ‘insecurity of privacy’ clause. My local public library is quite open that 3rd parties collect data from users, and they give an explanation why. (Although, in my opinion, there are no good explanations.) At least they are transparent. Personally, I’d prefer they were ‘closed’ about 3rd parties collecting…

    A few years ago I opened an account at another bank, to see if I could do online banking with not just ‘security’ and ‘privacy’, but ‘security of privacy’. They were transparent enough to say that they get money from ads based on data collection when I’m on their site. …The banks don’t make enough money? At what level DO they value my privacy? They get points for transparency, but that does not make it acceptable. And I couldn’t (do online banking with security of privacy).

    Am I out in my own world, fighting windmills, or (a) am I simply out of the loop, or (b) is this something we should start talking about?

    As an aside, I recently read the Terms of Service of a dating site (for relationships and marriage) which stated that there are fake girls on the site. They explained that as the site is for entertainment (I hadn’t put marriage in that category…), the fake girls are there to liven up the site and keep the conversations active. I’ll believe that. Full marks for disclosure. But who reads the entire Terms???
    – Bob

  4. MgFrobozz

    Regarding “collections of words that form a phrase or sentence”: I would still add at least one punctuation character (other than space/0x20) and at least one numeric character to the password, in order to foil brute-force attacks using only alpha and space characters.

  5. Aris Velez

    Ooh, wow, very good information here. I didn’t know that having or using the same password across different platforms was actually not a really bright idea, for cry sakes. “It’s always a good idea to create passwords that require combinations of words, numbers, symbols, and upper- and lower-case letters.”
