This post was first published in 2009. It has since been updated with additional tips.
In January 2016, SplashData released its annual list of the worst passwords most commonly used in 2015. And believe me, they’re pretty bad. Here are the top five:
However it’s one thing to know what the bad passwords are and another thing altogether to create good ones. One of the greatest frustrations I have with the digital world is trying to manage all my passwords for the many online sites I use. Security experts tell you to create a separate password for each site to reduce the risk of hacking/identity theft, etc. Unfortunately, these experts have a much better opinion of my memory than is actually warranted.
And even if you didn’t care at all about security and decided to just use the same password everywhere, there are a lot of web developers out there that think they’re doing you a favor by forcing you to add special characters or mix cases to make your password stronger. Of course, then you forget whether a particular site is the one where you’ve added a number to the end or started it with a capital letter and there you are, clicking on the “Forgot Your Password?” link yet again. (For some reason, it seems like the sites I visit least regularly have the most stringent requirements, virtually guaranteeing a password reset on each visit…)
That’s why I’ve come up with a system that works for me by letting me create different passwords for each site while making it easy for me to remember what they are. If you struggle with this yourself, you may want to give this system a try.
Note: A lot of people use password managers, like SplashData’s own SplashID software, that let you create totally different passwords for each site while making you only have to remember one master password. I’ve never used one of these myself because I worry if that master password is hacked, well then, so are the rest of your passwords. However, I’ll be honest that I haven’t explored them enough to fully understand how they work so you may want to check some out yourself.
My system requires just 3 easy steps:
- Start by picking a “base” password of at least 8 letters that will be easy for you to remember but not something too obvious like the name of your kids or the city you live. For example, I might go with “luddites”. (I don’t! 🙂 )
- Make at least one of the characters uppercase and add at least one number and one special character (e.g. @ # & etc.) to it. While the most obvious choice is to add the number and special character to the end of the password, a better idea is to replace similar letters with them. For example, a “!” can take the place of an “l” or “i” and a “5” can be used for an “s”. So if my base is “luddites”, it now becomes “Ludd!te5”.
- The next step is the one that will make the security folks happy—and more important, reduce your risk of being hacked. For each site that requires a password, add a 2- or 3-character prefix that is tied to the name of the site. For example, my passwords could be “boaLudd!te5” for Bank of America, “fbLudd!te5” for Facebook, and “vzwLudd!te5” for Verizon Wireless.
Tip: You may want to practice typing your new password a few times before committing to it, just to make sure there are no particularly awkward keystrokes involved.
Now you have a system that gives you a unique password for each site that meets most security recommendations, while making it much easier to remember.
Of course, like any system, it’s not perfect. For example, some sites will insist you use a special character while others don’t allow them. So clearly a single password can’t meet both those criteria. Some sites have specific length requirements, which your password may not meet. And there are some places that force you to change your password every x months, so that can still cause problems. (However, I’ve mostly seen the latter practiced by employers for corporate systems rather than for public websites. So if you end up having to constantly bug your firm’s tech support, they really have no one to blame but themselves…) But this system should work for the majority of public sites you visit.
When I first wrote this post back in 2009, I felt like the process above was sufficient and it’s certainly better than using the exact same password across all sites. However, the number of stories of stolen user data seems to be growing. So here are a few more tips you can use that will help you keep your passwords safe without putting you back in the situation of having to remember so many passwords you eventually give up.
- Make your base password stronger. In the article I linked to above, it notes that the most common password used in 2015 was “123456.” Even if you use the system above, having such a simple base password would make it a lot easier to crack. So don’t use common number patterns, words (e.g. “password”), keystrokes (e.g. “asdf”), birthdates, pet names, etc. It’s also better if you can avoid using a single word that can be found in the dictionary as automated hacking systems can find those quickly enough. Instead, use a combination of two or more words or an acronym for a phrase that’s meaningful to you alone.
- Use more than one base password. The data about you on some sites is probably more important to you than others. For example, you would probably be more upset to find out your bank password was stolen than your Twitter password. So you could have a few different base passwords for different kinds of sites: One for sites containing financial information, one for social media sites, one for membership sites, etc.
- Don’t click links or download files from unknown sources. Data breaches aren’t always a result of websites being hacked. Data is also frequently stolen from individual users’ computers through malware programs that were installed on them. This generally happens when you click a link or download a file from an email or website. If you’re not sure if a link is safe, don’t click it. If it was in an email supposedly sent by your friend, send them a separate note first to ask if they really did send you that link.
- Never give your password to someone claiming to be from a company. Reputable companies never ask for it. If you get a notice that your password has been compromised, don’t click the link they provide. Type in the company website URL yourself to see if there’s a notice there or, better yet, call the company’s customer service number.
Finally, using a two-factor authentication (2FA) system, where you have to do more than just log in with username/password, is one of the strongest ways to protect your data (although still not 100% secure). This CNET article is a few years old but it still has a good explanation of how 2FA works.
Two-factor authentication: What you need to know (FAQ) (CNET, 05/23/13)
If this all seems like too much of a hassle to you, you should read this account of what happened to more-than-tech-savvy Wired journalist Mat Honan back in 2012—it might just change your mind. It begins: “In the space of one hour, my entire digital life was destroyed.”
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/ (Wired, 08/06/12)