The most commonly used password in 2013 was 123456. That’s a change from the previous most commonly used password, which was… password. Facepalm? You bet!
Long before the Snowden revelations, I was always fascinated by the issue of internet security. I also have several close friends who work in the field. Most of them are pretty cutting about not only the average web user’s lack of awareness of the problems of safeguarding data, but also the reluctance of executives in industry, including banking, to get serious about data protection.
The Heartbleed vulnerability, while not necessarily an immediate threat to any of us, does raise the risk that one or more of your inline accounts will be hacked. Some accounts are more important than others. If your Goodreads or NYT account gets compromised, it isn’t the end of the world, but someone getting access to your banking, email, or Facebook page can wreak havoc.
The ease with which a hacker can get into 99% of people’s accounts is hard to believe—we’re talking seconds and minutes. Even if your password is a bit better than those mentioned above, a great many people use easily researched and identifiable personal data, such as their birthday, wedding anniversary, kids’ names, etc…many of which can be conveniently found on, say, your Facebook page. And people often use a single password across several accounts, resulting in a nice domino effect bonanza for someone who gets hold of it. Two-thirds of internet users only use one or two passwords across dozens of accounts.
There are services now that will manage your passwords for you, typically using the cloud—which is fine except that if they suffer a breach, you’re in trouble. Biometric data, such as fingerprint ID (Apple and Samsung are using them, and apps are out there) are more secure, but the stakes, should they be compromised, are huge—you can’t change your fingerprint or iris.
At its worst, someone getting into your key accounts can ruin your life.
The good news is that it’s actually not hard to secure your major accounts without having to remember many complex and meaningless alphanumeric and symbol combinations: think in terms of passphrases. While a “brute force” or “dictionary” attack—a computer crunching every possible combination or trying the most common words—can crack many passwords in minutes or days, a passphrase comprised of three common words like, say, one happy camper, will take in the order of centuries to break using these methods—and you can remember it far more easily than, say, J_15v0*As2, as pointedly and memorably illustrated in the classic xkcd cartoon, “Password Strength”.
A passphrase, as the word implies, is more than a single word—it’s a string of them, a short sentence. Here are some easy rules:
- Don’t use obvious ones (iloveyou was the 9th most popular in 2014; letmein was #14)
- Don’t include personally identifiable data (birthday, pet’s name, etc.)
- Don’t use keyboard patterns (e.g., qwerty)
- Use at least three words
- Do pick a phrase that has meaning to you, but that even someone who knows you wouldn’t automatically associate with you
- Don’t put capital letters at the beginning
- Incorporate some numbers and at least one symbol
- Use a phrase that you can easily associate in memory with a site or adapt to different sites
Let’s look at this last item, which is especially important and interesting, and generate some examples.
To create a strong passphrase for an email account, you might start with an idea like, cursive is lost—there’s the association with writing, but it’s not a phrase with meaning to anyone else, or a common one; yet it’s super easy to remember. Remove the spaces (most sites don’t allow them) and you have cursiveislost.
Now start to adapt it to meet common system requirements. Put in a capital or two (not in the obvious place), so we have cursiveISlost. The trick is to create a rule and stick to it—in this case, caps will always be used for my middle word.
Add in a symbol or two…hey, you could even use an emoticon that connects with how you feel about the passphrase! If I think of the loss of cursive (or “joined-up-writing”, as we called it in the UK), that would be an unhappy face. Now you have cursiveISlost:(
Finally, most sites will require a number. Pick a favourite; more than one would be great, but this passphrase is already complex enough that a single numeral would do, maybe your lucky number, or something that has meaning to you. So we’re now at cursiveISlost:(9. A bit more complicated…but if your email account doesn’t require symbol or numerals, you could dispense with these and your passphrase will still be very strong.
And guess what—you’re done with your email passphrase. Type it a few times and think about it for a few moments, retracing the reasons you chose each item, and you’ll never forget it.
Now move on, using a similar process for your banking password. Here you could begin with, say, if i were a rich man; first lose the spaces, then proceed as above.
Another, easier still, strategy is to use a single phrase but have a way to customize it for different sites.
So I could begin with a line from a song—I fear earthquakes and lightning would work; but it’s a little long to type, so I might pare it down to earthquakes and lightning…it’s still three words not commonly used together. I add in my caps, numbers and symbols and get to 9earthquakeSandlightning! (notice a new rule…I put the capital at the end of the first word. Again, create a rule and stick to it for easy retention).
To modify that passphrase for different sites, you could do something as simple as take the first letter of the site name (say, “B” for your Bank of America account) and add it to the end of your passphrase. Your BoA passphrase is now 9earthquakeSandlightning!B. The same phrase applied to, say, Facebook, would now be 9earthquakeSandlightning!F. This simple rule—on which you’ll create your own variation—makes it possible to adapt the same passphrase across a variety of accounts.
Now, although it’s true this violates the “domino effect” advice above, the chances of the original phrase being cracked are so remote as to vanish. But passwords don’t have to be hacked; they’re typically simply stolen or intercepted. So let’s add in one extra tweak. Instead of using the first letter of the account site for your variant, use the second.
If you’re thinking, “this is so complicated”, trust me that it’s not, and here’s why: because when you create your own ruleset and passphrase following the methods outlined above, it’ll have personal meaning to you, and will be easy to remember. Again, make up a system and rules that have meaning to you. Try it—you’ll be surprised. Just set a rule, be consistent, and do change your passwords for key accounts once every few months.
And—if you have a really rotten memory and all else fails—you can always make a paper note of the core phrase(s) and your rules, and keep it somewhere far from your smartphone and computer!
Dario Ciriello 