Six tips to bombproof your password

Major password breaches are so common they’re becoming like storms and traffic jams: One day you hear about tens of thousands of Twitter users compromised or several million at LinkedIn, the next it might be upwards of 50 million at Evernote or LivingSocial.

But despite their fallibility, passwords won’t be replaced any time soon. Two-factor authentication technologies using our mobile devices and even biometrics can help keep us secure, but so far none are foolproof, and precious few are even convenient.

How can we make our passwords more hack-resistant and manage all the passwords we need?

Entropy is your new best friend

Most attackers don’t break passwords by going to Gmail or Facebook and making guesses; that’s slow, and most services block access after a few failed attempts. However, if attackers steal account data through a security hole, they can make thousands, millions, or even billions of guesses per second offline using their own computers. If that sounds outlandish, consider that Stricture Consulting Group last year showed off a small computer cluster made from off-the-shelf components that could test as many as 350 billion passwords per second. Some password-cracking operations harness hundreds (or thousands) of computers via botnets or legitimate cloud-computing platforms, while others just use everyday PCs. They’re fast too.

The quality of a password doesn’t matter if a service stores your password as plain text and an attacker steals it. (Don’t laugh: it happens.) If passwords are encrypted, however, size and randomness are two factors that determine a password’s strength or entropy — basically, a measure of the possible combinations a password can have.

“The higher the entropy, the longer it will take, on average, for a brute-force attack to succeed,” noted Joe Kissell, author of the ebook Take Control of Your Passwords. “So, all things being equal, you want a high-entropy password.”

The benefit of a password’s size is obvious: More characters means more possible combinations. The benefit of randomness is less obvious. A password like YesThisIsMyGreatNewRandomPassphrase wins points for size — 36 characters! — but loses points for randomness, since it’s just upper- and lower-case letters. (It’s also less random because it’s in English: Attackers try to take advantage of common letter patterns.)

Something like *5FRRcr62{d~OkP!{AKaxzevQZb6L{~S1F~b would be more secure — it’s both big and highly random. Unfortunately, it’s almost impossible for most people to remember, but it’s easy for a computer to remember.
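To put numbers on the two examples above, here is an added estimator (not from the article): it computes the brute-force entropy of a password from its length and the character classes it uses, the entropy of a word-based passphrase from the number of words and the size of the word list, and how long an exhaustive search would take at the 350 billion guesses per second the article cites. The 7,776-word list size is an assumption (the size of a standard Diceware list); the `human_time` helper is mine.

```python
import math
import string

# Guess rate the article cites for the Stricture Consulting Group cluster.
GUESSES_PER_SECOND = 350e9

# Assumed word-list size for the passphrase estimate (Diceware lists have 7,776 words).
ASSUMED_WORDLIST_SIZE = 7776

_CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]


def alphabet_size(password: str) -> int:
    """Size of the character pool a brute-force attacker must cover: the union of
    the standard classes the password actually uses, plus any other characters."""
    size = 0
    for cls in _CLASSES:
        if any(c in cls for c in password):
            size += len(cls)
    # Characters outside the four ASCII classes (accented letters, symbols like €) count once each.
    extra = {c for c in password if not any(c in cls for cls in _CLASSES)}
    return size + len(extra)


def brute_force_bits(password: str) -> float:
    """Entropy the password would have if it were uniformly random over its alphabet.
    For an English phrase this is an upper bound; the real figure is lower."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(n_words: int, wordlist_size: int = ASSUMED_WORDLIST_SIZE) -> float:
    """Entropy of n_words picked independently and uniformly from a word list.
    This, not the character count, is what a word-aware attacker has to search."""
    return n_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate; the expected time to succeed is about half."""
    return 2.0 ** bits / rate


def human_time(seconds: float) -> str:
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


if __name__ == "__main__":
    for pw in ["YesThisIsMyGreatNewRandomPassphrase", "*5FRRcr62{d~OkP!{AKaxzevQZb6L{~S1F~b"]:
        bits = brute_force_bits(pw)
        print(f"{pw}: {len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"{bits:.0f} bits, exhaustive search {human_time(seconds_to_exhaust(bits))}")
    # TurquoiseGullGrapeDiner looks like 23 random letters but is really four word choices.
    letters = brute_force_bits("TurquoiseGullGrapeDiner")
    words = passphrase_bits(4)
    print(f"four words: {letters:.0f} bits if treated as letters, "
          f"{words:.0f} bits as word choices ({human_time(seconds_to_exhaust(words))})")
```

Running it shows why the article insists on size for memorable passwords: four random words from a 7,776-word list come to about 52 bits, which the cited cluster exhausts in a few hours, while the 36-character random string is out of reach by any measure. The letters-only estimate for the word passphrase is the figure a naive strength meter reports, and it is the wrong one.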

Ways to make strong, memorable passwords

There’s no magic formula for making passwords both very strong and easy to remember. However, here are some ideas:

Size matters — In statistical terms, memorable passwords aren’t very random, but you can make them stronger with sheer size. These days, I consider 14 to 15 characters a minimum for a random password. For a password based on words or phrases, a realistic minimum might be 20 characters. When in doubt, go big.

Use combined terms — Grouping three to five unrelated words together can be a great basis for a long password. Something like TurquoiseGullGrapeDiner creates a sizable password (23 characters) but only requires you to remember four things.

Use groups of symbols and numbers — The example above won’t work if a system requires numbers or symbols. However, if you accent it with a small group of special characters, like (3*^, it can be used almost anywhere as TurquoiseGullGrape(3*^Diner. Here’s the trick: Come up with two or three sequences of symbols and numbers like that, then re-use them to both add entropy to your longer passwords and meet password requirements. Just consider symbols carefully: diacriticals and symbols (like €, ™, þ, «) might be easy on a computer keyboard, but on phones even shifting between upper and lower case can be annoying.

Avoid 1337 speak — Don’t use common symbol substitutions like @ for a, 3 for E, 5 for S, [) for D, etc. Those are some of the first things password crackers attempt — and remember they can attempt millions (or billions) of combinations per second.

Improve entropy with random passwords — Several services like Random.org and WhatsMyIP.org will generate random passwords of any length, with options to avoid similar-looking characters (like 1 and I). These are hard to remember, but if you use a password management system (see below) you might not care.
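The two generators described in the tips above, as an added example that is not code from the article or from Random.org or WhatsMyIP.org: a random-character password built with Python's `secrets` module (the cryptographically secure source, not `random`), with an option to drop look-alike characters, and a word passphrase in the TurquoiseGullGrape(3*^Diner style with a symbol group inserted before the last word. The `LOOKALIKES` set, the `meets_policy` rule and the short `SAMPLE_WORDS` list are constructed for the example.

```python
import secrets
import string

# Characters that are easy to confuse when read aloud or typed: zero/capital O,
# one/lowercase L/capital I/pipe. Constructed for this example.
LOOKALIKES = frozenset("0O1lI|")


def build_alphabet(exclude_lookalikes: bool = True) -> str:
    chars = string.ascii_letters + string.digits + string.punctuation
    if exclude_lookalikes:
        chars = "".join(c for c in chars if c not in LOOKALIKES)
    return chars


def meets_policy(password: str) -> bool:
    """A typical site rule: at least one lower-case, upper-case, digit and symbol."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def random_password(length: int = 16, exclude_lookalikes: bool = True) -> str:
    """Uniformly random password over the alphabet, resampled until it meets the policy."""
    if length < 4:
        raise ValueError("length must be at least 4 to satisfy every character class")
    alphabet = build_alphabet(exclude_lookalikes)
    # Rejection sampling keeps the result uniform over the policy-compliant strings;
    # forcing one character per class into fixed positions would not.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def word_passphrase(wordlist, n_words: int = 4, symbol_group: str = "") -> str:
    """Join n_words random words, capitalised as in TurquoiseGullGrapeDiner.
    An optional symbol group such as (3*^ goes before the last word."""
    if n_words < 1:
        raise ValueError("need at least one word")
    words = [secrets.choice(wordlist).capitalize() for _ in range(n_words)]
    if symbol_group:
        words.insert(len(words) - 1, symbol_group)
    return "".join(words)


# Constructed sample list; a real one would have thousands of entries so the
# word choices themselves carry enough entropy.
SAMPLE_WORDS = ["turquoise", "gull", "grape", "diner", "anvil", "meadow", "comet", "lantern"]


if __name__ == "__main__":
    print(random_password(20))
    print(word_passphrase(SAMPLE_WORDS, 4, "(3*^"))
```

The word passphrase draws each word independently, so repeats are possible; that is deliberate, because excluding repeats would slightly reduce the search space an attacker has to cover.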

Never reuse passwords — It’s tempting to make a single strong password and use it everywhere. Don’t do it. When attackers steal passwords, they often get information like names, email addresses, billing details, and even security questions or password hints along with them. If attackers crack your password on one service they can quickly try the same password with your name or email address on other services. If you never reuse passwords, damage from a cracked password is already contained.

Managing passwords

Making a strong password for every service means most of us will be swimming in passwords—and we’ll never remember them all.

Password management programs like 1Password, RoboForm, Clipperz, and LastPass are possible solutions. Each has its pros and cons, but the basic idea is similar: They remember your passwords and try to automatically log you into sites and services once you enter a master password or PIN code. Some have features like random password generators and support for USB keys. Users only need to remember a single master password for day-to-day stuff, and the programs are just as proficient at storing long, incomprehensible passwords (like Qz!~WEpmm[z|5!6UYa#xPJ#e) as brain-dead passwords you should never use (like “password”).

The password managers above (and others) are available for most desktop and mobile operating systems, and can synchronize passwords between phones, tablets, and computers (1Password relies on Dropbox, for instance). That’s tremendously handy if you create a website password on your PC, then need it later on your iPad.

“If you’re going to use a password manager, it makes sense to pick something that will sync securely across all your devices,” noted Kissell. “Usually syncing involves the cloud, although some sync directly over Wi-Fi. As long as the data is encrypted, which it always is, cloud-based syncing isn’t riskier, but it is more convenient because your devices don’t have to be on the same network.”

Trusting password managers can have drawbacks. For instance, LastPass stores everything in the cloud, which is great until you don’t have Internet access or the service goes down. Similarly, a software incompatibility could make your passwords inaccessible — maybe on just one device, but maybe everywhere.

The upshot is that you will almost certainly need to memorize a handful of passwords. The most likely candidates are:

  • Your computers and devices
  • Your password manager
  • Critical online services (like email, Google account, Apple ID)
  • Online banking
  • Sync services (like Dropbox)
  • Social media

Not all of these apply to everyone. Most people will only need to memorize four or five passwords. Almost everything else can be trusted to a password manager.

Finally, consider recording your most important passwords on paper in a safe place. That’s not a notepad next to your keyboard, but perhaps a safety deposit box or an obscure location in your home (like inside a CD of Aerosmith’s Greatest Hits). The list isn’t so much for you as for anyone who might need to access your devices or accounts in an emergency.

Better safe than sorry

These steps may seem like overkill. Why would an attacker care about your Pinterest account or Facebook page or email? Unless someone wants to besmirch your online reputation, they probably don’t. However, even our seemingly innocuous accounts can be stepping stones to PayPal, Amazon, iTunes, credit cards, bank accounts, and identity theft — and those are precisely what serious attackers want. With so much of our day-to-day lives now online and password breaches becoming so commonplace, an ounce of prevention — say, 16 random characters — can be worth a pound of cure.
