I have seen friends spend half an hour trying to devise the perfect password, an unguessable password, for a knitting forum. Unfortunately they invent a password that looks like ZdSA#%f=D and it’s too complicated to remember. They have so many passwords that their monitors are covered with sticky notes with scribbled passwords. Or they go the other way and use their middle name as a password for their online banking. That’s not secure.
I divide sites into three security levels, based on how much personal, professional or financial damage can be caused if someone guesses my password. I try to have one password for all the sites on each level.
Level one is no password: I usually do not register for forums that allow anonymous reading and posting. If you see a post from Anonymous Coward somewhere, that’s possibly me.
Level two passwords, reasonably secure: If I register for a newspaper website, a blog, or a forum, I use a pseudonym, false address information, and if possible the same password I use at all the other level two sites. It has enough letters (8) to satisfy most security schemes, but it’s nothing fancy. I only have to remember one password, wherever I go, whoever I am claiming to be.
These passwords would be breakable if someone made enough attempts, but simple substitutions of numbers for letters make them hard to crack. Instead of applesauce, for example, I use appl3sauc3.
Level three passwords, most secure: I use my strongest passwords on websites where I make money, spend money, or store money. Inserting numbers and punctuation marks in ordinary words makes it difficult to guess or even to crack using a computer to generate and test passwords.
Here’s how to make a strong password: Take two short words and glue them together with a non-alphanumeric character. Then replace a couple of letters with a number that resembles the letter: the letter “o” becomes zero, “i” becomes the numeral 1, “s” becomes 5, etc. Examples: ice cream becomes 1ce^cream, base ball becomes ba5e*ba11.
Bilingual passwords are even stronger. To guess the password you have to know which languages to guess in. Bilingual examples: gat0=chat (Spanish/French words for cat); perr0~d0g (Spanish/English).
Of course, this can’t protect you if you click on a link in an email and enter your account details, including your super-secure password, in whatever page your browser lands on. Beware of phishing attempts.
Secure the Security Questions: Security questions are supposed to make it possible for you to get a new password if you forgot the current one. However, security questions usually ask things that can be discovered about you, such as your mother’s maiden name, where you met your spouse, or your favorite TV show. Governor Sarah Palin’s Gmail account was accessed when the snooper reset the password using publicly available or easily guessable answers to her security questions.
The solution is to give false, but easily memorable, answers to these questions. If you always wear blue, your first pet has a memorial page on dogsrule.com and your MySpace page has a Chicago Bears theme … just say your favorite color is vermilion, your first pet’s name was Zaragosa, and your favorite sport is quoits.
Passwords you don’t want to use: Never use a password that relates to your life, family, pets, profession, hobbies, or on-line nicknames. They are too easy to guess if someone researches your activity. Remember how Sarah Palin’s Gmail password was discovered?
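As an added example (not code from the original post), here is the level-three recipe from above written out in Python, together with a check for the post's two rules: the password must meet the level-three criteria (length, a non-alphanumeric glue character, digit substitutions), and it must not contain a personal word even after look-alike digits are swapped in. The function names and the `LOOKALIKES` table (the post's o/i/s plus the l→1 that its ba5e*ba11 example uses) are my own choices.

```python
import re

# Letter-to-digit substitutions the post describes (o->0, i->1, s->5),
# plus l->1, which the post's own "ba5e*ba11" example relies on.
LOOKALIKES = {"o": "0", "i": "1", "s": "5", "l": "1"}


def make_password(word1, word2, glue, letters):
    """Glue two short words with one non-alphanumeric character, then swap
    every occurrence of each chosen letter for its look-alike digit."""
    if len(glue) != 1 or glue.isalnum():
        raise ValueError("glue must be a single non-alphanumeric character")
    pw = word1 + glue + word2
    for letter in letters:
        pw = pw.replace(letter, LOOKALIKES[letter])
    return pw


def meets_level_three(pw):
    """The post's level-three criteria: at least 8 characters, at least one
    non-alphanumeric separator, and at least one digit substitution."""
    return (len(pw) >= 8
            and any(not c.isalnum() for c in pw)
            and any(c.isdigit() for c in pw))


def mentions_personal(pw, personal_words):
    """Apply the post's 'nothing from your life' rule: return the first
    personal word (pet name, nickname, team...) found inside the password,
    matching each letter as itself OR its look-alike digit so that partial
    substitutions such as r0ver or ba11 are still caught. None if clean."""
    for word in personal_words:
        pattern = "".join(
            f"[{c}{LOOKALIKES[c]}]" if c in LOOKALIKES else re.escape(c)
            for c in word.lower())
        if re.search(pattern, pw, re.IGNORECASE):
            return word
    return None


if __name__ == "__main__":
    # Constructed sample: a password built from a pet's name fails the rule.
    personal = ["rover", "bears", "chicago"]  # constructed list of personal terms
    for pw in (make_password("ice", "cream", "^", "i"),
               make_password("rover", "dog", "~", "o")):
        print(pw, meets_level_three(pw), mentions_personal(pw, personal))
```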