With all the talk about the Heartbleed bug and the need to change your password, it is worth talking about what is a good password and what is a bad password.
Basically, there are three things you want a password to protect you against:
– Opportunistic hackers sweeping up massive amounts of data from commercial sites. Think Target.
– Targeted hackers who want your specific data for some reason: industrial espionage, say, or a law firm with large clients and very sensitive matters.
– Disgruntled employees who simply want to do some damage.
The password requirements are slightly different for each case.
Bad passwords are ones that, while easy to remember, are also easy to break. By far the most common passwords on the “top 25 bad passwords” lists are “password” and some combination of 1234567. Also high on the list for bad personal passwords (i.e., ones a disgruntled employee would know or could guess) are the name of your significant other, your pets (I once was at a client where a user had a picture of her dog on her desk and her password was the dog’s name), your birthday, the street address of your office, any single dictionary word, etc.
Good passwords are longer (possibly an entire phrase), have a mix of upper and lower case, and include numbers and special symbols (!, ~, $, etc.). The problem is that these can be hard to remember, leading people to write them down on a yellow post-it stuck to their monitor. I once was in an office where an attorney literally had 10 yellow post-its on his monitor with various passwords written on them. On the other hand, I once saw a paralegal whose password was “idontgiveadamm.” It might have gotten her in trouble for other reasons, but as passwords go it was a good one: a long phrase rather than a single word.
The basic trick to creating complex passwords that are also easy to remember is substitutions and variations. Let’s take an example (one I’ve never actually used): “open_sesame.” A phrase, not just one word, and easy to remember.
Substitution 1: Capitalize the first two letters, the first letter of each word, or both: OPen_Sesame does both.
Substitution 2: Substitute easily remembered numbers or signs for similar letters: @ for “a”; 0 (zero) for “O”; 1 for “L” or “i”; $ for “S”; 3 for “E”. So you might wind up with 0P3n_$es@me. It looks completely incomprehensible, but isn’t. That many substitutions is probably overkill, but you get the idea. Note that password-cracking tools apply exactly these letter-for-symbol swaps as standard rules, so the substitutions add less strength than the odd look suggests; the length of the phrase does most of the work. To my mind it is still a good tradeoff.
Substitution 3: Add a sign (!, @) to the end of the password or between the words. Then add a number that means something to you, but with each digit increased by 1. Thus, if your birthday is April 21, you might start with “2104” (European-style order, day then month). Instead of using it as-is, increase each digit by 1, so you wind up with “3215.” The full password is then: 0P3n_$es@me!3215. This has the added advantage that anyone who sees it written down or hears it is not going to remember it, because they don’t know the base you started from. In addition, if you are forced to change the password, you can simply increase each digit by 1 again: from 3215 to 4326.
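The three substitution steps above, carried through as an added Python example (this is not code from the original post). Two details the post leaves open are treated as assumptions here: each symbol swap is applied only to the first occurrence of its letter (which is what reproduces the post’s 0P3n_$es@me rather than swapping every “e”), and a 9 wraps around to 0 when the digits are increased. The last function shows the caveat from Substitution 2 in practice: reversing the swaps and lowercasing gets a cracker straight back to the base phrase.

```python
import re

# Letter-for-symbol swaps listed in the post. '1' stands in for both i and l.
LEET = {"O": "0", "e": "3", "S": "$", "a": "@", "i": "1", "l": "1"}


def capitalize_words(phrase: str, lead: int = 2) -> str:
    """Substitution 1: capitalize the first `lead` letters of the first word
    and the first letter of every later word. 'open_sesame' -> 'OPen_Sesame'.
    Words are split on '_', ' ' or '-', and the separators are kept."""
    parts = re.split(r"([_ \-])", phrase)
    out, first = [], True
    for p in parts:
        if p in ("_", " ", "-") or not p:
            out.append(p)
            continue
        n = lead if first else 1
        out.append(p[:n].upper() + p[n:])
        first = False
    return "".join(out)


def substitute(text: str) -> str:
    """Substitution 2, applied to the first occurrence of each letter only
    (assumption: the post says swapping everything is overkill)."""
    done, out = set(), []
    for ch in text:
        if ch in LEET and ch not in done:
            out.append(LEET[ch])
            done.add(ch)
        else:
            out.append(ch)
    return "".join(out)


def shift_digits(digits: str, by: int = 1) -> str:
    """Add `by` to every digit independently: '2104' -> '3215'.
    A 9 wraps to 0 (assumption; the post does not say what happens)."""
    if not digits.isdigit():
        raise ValueError("digits only")
    return "".join(str((int(d) + by) % 10) for d in digits)


def build_password(phrase: str, memorable_digits: str, sep: str = "!") -> str:
    """Substitution 3: base phrase + sign + shifted memorable number."""
    return substitute(capitalize_words(phrase)) + sep + shift_digits(memorable_digits)


def rotate(password: str, sep: str = "!") -> str:
    """Forced change: increase each trailing digit by 1 again."""
    base, found, digits = password.rpartition(sep)
    if not found:
        raise ValueError("password has no trailing number to rotate")
    return base + sep + shift_digits(digits)


def undo_substitutions(text: str) -> str:
    """What a cracking rule set does in reverse: map the symbols back to
    letters and lowercase. '1' could be i or l; a cracker simply tries both."""
    rev = {"0": "o", "3": "e", "$": "s", "@": "a", "1": "i"}
    return "".join(rev.get(c, c) for c in text).lower()


if __name__ == "__main__":
    pw = build_password("open_sesame", "2104")   # constructed sample input
    print(pw)                                    # 0P3n_$es@me!3215
    print(rotate(pw))                            # 0P3n_$es@me!4326
    print(undo_substitutions(pw.split("!")[0]))  # open_sesame
```

The point of the last line is that only the appended digits and the length of the phrase are genuinely opaque to a rule-based cracker; the symbol swaps mainly defeat a colleague glancing at a post-it.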
An alternative method is to use a password manager that generates and tracks a different random password for every site, so a breach at one site does not expose the others. However, if you use multiple computers, laptops, etc., keeping the different machines in sync can also be problematic.
There is no perfect solution, but a minimum effort can go a long way, not to mention complying with ethics rules about protecting client data!