Six tips to bombproof your password

Major password breaches are so common they’re becoming like storms and traffic jams: One day you hear about tens of thousands of Twitter users compromised or several million at LinkedIn, the next it might be upwards of 50 million at Evernote or LivingSocial.

But despite their fallibility, passwords won’t be replaced any time soon. Two-factor authentication technologies using our mobile devices and even biometrics can help keep us secure, but so far none are foolproof, and precious few are even convenient.

How can we make our passwords more hack-resistant and manage all the passwords we need?

Entropy is your new best friend

Most attackers don’t break passwords by going to Gmail or Facebook and making guesses; that’s slow, and most services block access after a few failed attempts. However, if attackers steal account data through a security hole, they can make thousands, millions, or even billions of guesses per second offline using their own computers. If that sounds outlandish, consider that Stricture Consulting Group last year showed off a small computer cluster made from off-the-shelf components that could test as many as 350 billion passwords per second. Some password-cracking operations harness hundreds (or thousands) of computers via botnets or legitimate cloud-computing platforms, while others just use everyday PCs. They’re fast too.

The quality of a password doesn’t matter if a service stores your password as plain text and an attacker steals it. (Don’t laugh: it happens.) If passwords are encrypted, however, size and randomness are two factors that determine a password’s strength or entropy — basically, a measure of the possible combinations a password can have.

“The higher the entropy, the longer it will take, on average, for a brute-force attack to succeed,” noted Joe Kissel, author of the ebook Take Control of Your Passwords. “So, all things being equal, you want a high-entropy password.”

The benefit of a password’s size is obvious: More characters means more possible combinations. The benefit of randomness is less obvious. A password like YesThisIsMyGreatNewRandomPassphrase wins points for size — 36 characters! — but loses points for randomness, since it’s just upper- and lower-case letters. (It’s also less random because it’s in English: Attackers try to take advantage of common letter patterns.)

Something like *5FRRcr62{d~OkP!{AKaxzevQZb6L{~S1F~b would be more secure — it’s both big and highly random. Unfortunately, it’s almost impossible for most people to remember…but it’s easy for a computer to remember.

Ways to make strong, memorable passwords

There’s no magic formula for making passwords both very strong and easy to remember. However, here are some ideas:

Size matters — In statistical terms, memorable passwords aren’t very random, but you can make them stronger with sheer size. These days, I consider 14 to 15 characters a minimum for a random password. For a password based on words or phrases, a realistic minimum might be 20 characters. When in doubt, go big.

Use combined terms — Grouping three to five unrelated words together can be a great basis for a long password. Something like TurquoiseGullGrapeDiner creates a sizable password (23 characters) but only requires you to remember four things.

Use groups of symbols and numbers — The example above won’t work if a system requires numbers or symbols. However, if you accent it with a small group of special characters, like (3*^, it can be used almost anywhere as TurquoiseGullGrape(3*^Diner. Here’s the trick: Come up with two or three sequences of symbols and numbers like that, then re-use them to both add entropy to your longer passwords and meet password requirements. Just consider symbols carefully: diacriticals and symbols (like €, ™, þ, «) might be easy on a computer keyboard, but on phones even shifting between upper and lower case can be annoying.

Avoid 1337 speak — Don’t use common symbol substitutions like @ for a, 3 for E, 5 for S, [) for D, etc. Those are some of the first things password crackers attempt — and remember they can attempt millions (or billions) of combinations per second.

Improve entropy with random passwords — Several services like and will generate random passwords of any length, with options to avoid similar-looking characters (like 1 and I). These are hard to remember, but if you use a password management system (see below) you might not care.

Never reuse passwords — It’s tempting to make a single strong password and use it everywhere. Don’t do it. When attackers steal passwords, they often get information like names, email addresses, billing details, and even security questions or password hints along with them. If attackers crack your password on one service they can quickly try the same password with your name or email address on other services. If you never reuse passwords, damage from a cracked password is already contained.
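To put numbers on the entropy discussion and on the size and combined-terms tips above, here is an added Python example (not from the original article) that estimates entropy in bits and the worst-case time to exhaust the search space at the 350 billion guesses per second cited for the Stricture cluster. The 20,000-word dictionary size and the 95-character printable alphabet are assumptions; the passwords are the article's own examples.

```python
import math

# Alphabet sizes for the character classes an offline cracker enumerates;
# 33 is the count of printable ASCII punctuation characters plus space.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
# Guess rate of the Stricture Consulting Group cluster cited in the article.
STRICTURE_RATE = 350e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    checks = [(str.islower, LOWER), (str.isupper, UPPER), (str.isdigit, DIGITS),
              (lambda c: not c.isalnum(), SYMBOLS)]
    return sum(n for test, n in checks if any(test(c) for c in password))


def char_entropy_bits(password: str) -> float:
    """Bits of entropy if every character were drawn uniformly from its alphabet.
    This is the optimistic figure: it ignores that English text is predictable."""
    return len(password) * math.log2(charset_size(password))


def word_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Bits of entropy for num_words words picked uniformly from a word list.
    Models TurquoiseGullGrapeDiner as four choices, not as 23 random letters."""
    return num_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, rate: float = STRICTURE_RATE) -> float:
    """Worst-case time for an attacker at `rate` guesses/s to try every candidate."""
    return 2 ** bits / rate


if __name__ == "__main__":
    WORDLIST = 20_000  # assumed size of the attacker's word list
    cases = [
        ("*5FRRcr62{d~OkP!{AKaxzevQZb6L{~S1F~b (36 random chars)",
         char_entropy_bits("*5FRRcr62{d~OkP!{AKaxzevQZb6L{~S1F~b")),
        ("35-letter English phrase, if it were random letters",
         char_entropy_bits("YesThisIsMyGreatNewRandomPassphrase")),
        ("TurquoiseGullGrapeDiner as 4 dictionary words", word_entropy_bits(4, WORDLIST)),
        ("...plus an attacker-unknown group like (3*^",
         word_entropy_bits(4, WORDLIST) + char_entropy_bits("(3*^")),
        ("14 truly random printable characters", 14 * math.log2(95)),
    ]
    for label, bits in cases:
        years = seconds_to_exhaust(bits) / SECONDS_PER_YEAR
        print(f"{label:<56} {bits:6.1f} bits  {years:>10.3g} years")
```

Four words from a 20,000-word list fall to the cited cluster in days, which is why the article pairs word-based passwords with a symbol group and a 20-character minimum, while 14 truly random characters already take far longer than a human lifetime.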

Managing passwords

Making a strong password for every service means most of us will be swimming in passwords — and we’ll never remember them all.


Password management programs like 1Password, RoboForm, Clipperz, and LastPass are possible solutions. Each has its pros and cons, but the basic idea is similar: They remember your passwords and try to automatically log you into sites and services once you enter a master password or PIN code. Some have features like random password generators and support for USB keys. Users only need to remember a single master password for day-to-day stuff, and the programs are just as proficient at storing long, incomprehensible passwords (like Qz!~WEpmm[z|5!6UYa#xPJ#e) as brain-dead passwords you should never use (like “password”).

The password managers above (and others) are available for most desktop and mobile operating systems, and can synchronize passwords between phones, tablets, and computers (1Password relies on Dropbox, for instance). That’s tremendously handy if you create a website password on your PC, then need it later on your iPad.

“If you’re going to use a password manager, it makes sense to pick something that will sync securely across all your devices,” noted Kissel. “Usually syncing involves the cloud, although some sync directly over Wi-Fi. As long as the data is encrypted, which it always is, cloud-based syncing isn’t riskier, but it is more convenient because your devices don’t have to be on the same network.”

Trusting password managers can have drawbacks. For instance, LastPass stores everything in the cloud, which is great until you don’t have Internet access or the service goes down. Similarly, a software incompatibility could make your passwords inaccessible — maybe on just one device, but maybe everywhere.

The upshot is that you will almost certainly need to memorize a handful of passwords. The most likely candidates are:

  • Your computers and devices
  • Your password manager
  • Critical online services (like email, Google account, Apple ID)
  • Online banking
  • Sync services (like Dropbox)
  • Social media

Not all of these apply to everyone. Most people will only need to memorize four or five passwords. Almost everything else can be trusted to a password manager.

Finally, consider recording your most important passwords on paper in a safe place. That’s not a notepad next to your keyboard, but perhaps a safety deposit box or an obscure location in your home (like inside a CD case of Aerosmith’s Greatest Hits). The list isn’t so much for you as for anyone who might need to access your devices or accounts in an emergency.

Better safe than sorry

These steps may seem like overkill. Why would an attacker care about your Pinterest account or Facebook page or email? Unless someone wants to besmirch your online reputation, they probably don’t. However, even our seemingly innocuous accounts can be stepping stones to PayPal, Amazon, iTunes, credit cards, bank accounts, and identity theft — and those are precisely what serious attackers want. With so much of our day-to-day lives now online and password breaches becoming so commonplace, an ounce of prevention — say, 16 random characters — can be worth a pound of cure.
