How to choose a great password (that you'll still remember)
If you're using the same password for all your accounts, or haven't changed it in years, here's why (and how) you should.
Wed, Dec 11, 2013 at 08:46 AM
It's become common enough news: Large, popular website is hacked, passwords are stolen, online security is debated for a day or two, then the story disappears. But what can actually happen if you are one of the people whose password was stolen, and why is it such a big deal anyway?
It's because most of us practice poor password management. Having a social media account hacked is generally not a catastrophe — the attacker could post something annoying or spam your friends — but the real problem is that, like most people, you probably use the same password for Twitter as you do for your bank. Attackers take the username and password they already have from Facebook and try that same pair at financial institutions. And it's not some guy in a basement typing in combinations by hand, but automated software that can test thousands of username and password combos an hour; people who use the exact same password for their bank as for their email account are essentially unprotected.
The latest password theft included more than 2 million Facebook, Google, Yahoo and LinkedIn users' passwords — it began on Oct. 21, and may still be ongoing. And in case you were wondering, in most cases (including the most recent one), there's no good way to check to see if your computer has been compromised since the virus is designed to hide among your files and programs, but updating your virus software is always a good idea. However, changing your passwords — something you should do regularly — is a simple way to keep your identity safe.
You can also check a brand-new website to see if your email address has been compromised: Have I Been Pwned? searches its archives to see whether the email address you enter has shown up in a breach, according to its records. (And no, that's not a typo in the previous sentence: the word "pwn" is legit. It comes from the verb "own," meaning to appropriate, conquer, compromise or control.)
So, you're convinced: You need to (at the very minimum) change up all your bank and financial passwords — or any password that contains sensitive information behind it. But how to do it? The idea of using different passwords for all the sites you use seems daunting, but there are a few easy tricks that will allow you to have a number of different passwords, without stressing your brain.
First, let's eliminate some old favorites right off the bat.
Never use: Your phone number, your birthday, or a family member's birthday as a password. And especially never use your social security number! This is actually very common, and not only is it not a secure password, it could lead to identity theft (your social security number should always be kept as private as possible). Also avoid using your name, short names or family names. Don't use consecutive alphabetic letter or number chains, and for Pete's sake never use "password" as your password. USA Today reports that according to cybersecurity firm Trustwave, the most popular passwords from the stolen list were 123456, 123456789, 1234 and, yes, "password." Stop it! (But don't feel bad if you have a lame password. After all, it was just revealed that for 20 years, the nuclear launch code at U.S. Minuteman military silos was 000000000.)
Check out the smart password basics in the video below:
Something long: “Studies have shown that length is better than complexity. It’s better to have 20 characters that make sense to you,” Michael Davis of Savid Security told a reporter for the Earthlink Security website. Longer passwords are better than shorter ones, and since most sites require you to have a password longer than six characters (and some ask for longer than eight) you should use as many as you want to or can remember.
Mix up your characters: Using a combination of letters (both upper and lowercase), numbers, and symbols is the best way to go, since a more complex mix of characters is harder to guess. If you worry you won't remember where a number goes, substitute a digit that looks like the letter it replaces: 3 for E, 8 for B, 1 for I, and so on.
Use a phrase, shortened: This could be something that only your family and friends know, a local saying, or even a well-known one. The trick is to keep only the first letter of each word, optionally leaving one whole word in place, depending on how long the phrase is.
Combining the above suggestions, here's an example:
1. Phrase: The early bird gets the worm! (add an exclamation or question mark to the end, or a hashtag to the front)
2. Shorten phrase to first letters (but keep the last word to make it longer): TEBGTWorm! or maybe #TheEBGTW
3. Mix up Characters: T38gtWorm! or #The38gtW
4. That's a solid password, either way.
5. Now, to make it so it's different for each of your accounts, especially banking ones, add the first two letters of the site name to the password, front or back:
Ex. For a Citibank account, it could be CiT38gtWorm! Or it could be: T38gtWorm!Ci or #The38gtWCi
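The five steps above, together with the "never use" list earlier in the article, can be written down as code. The block below is an added example and is not part of the original article: it builds a password from a phrase the way the steps describe (first letters, keep the last word, swap 3/8/1 for E/B/I, add the first two letters of the site name) and then runs a small weakness check that flags the patterns the article warns against (all digits, one repeated character, consecutive letter or number chains, the most common stolen passwords, too few character classes). Which letters get substituted (only the uppercase initials) and the thresholds in the checker (8 characters, runs of 4, three character classes) are my choices, not the article's.

```python
import re

# Substitutions the article suggests: 3 for E, 8 for B, 1 for I.
# Applied to uppercase letters only, so the kept last word stays readable (my choice).
LEET = str.maketrans({"E": "3", "B": "8", "I": "1"})

# The most common passwords from the stolen list, as reported in the article.
KNOWN_BAD = {"password", "123456", "123456789", "1234"}


def shorten_phrase(phrase: str) -> str:
    """Step 2: first letter of every word (uppercased), keep the last word whole,
    and keep a trailing '!' or '?' if the phrase has one."""
    words = re.findall(r"[A-Za-z]+", phrase)
    if len(words) < 2:
        raise ValueError("use a phrase of at least two words")
    initials = "".join(w[0].upper() for w in words[:-1])
    last = words[-1].capitalize()
    stripped = phrase.strip()
    tail = stripped[-1] if stripped[-1] in "!?" else ""
    return initials + last + tail


def mix_characters(shortened: str) -> str:
    """Step 3: swap digits in for E, B and I among the uppercase initials."""
    return shortened.translate(LEET)


def per_site(password: str, site: str, front: bool = True) -> str:
    """Step 5: prefix or suffix the first two letters of the site name."""
    tag = site[:2].capitalize()
    return tag + password if front else password + tag


def build_password(phrase: str, site: str, front: bool = True) -> str:
    """Run steps 2, 3 and 5 in order for one site."""
    return per_site(mix_characters(shorten_phrase(phrase)), site, front)


def _has_run(s: str, n: int) -> bool:
    """True if s contains n characters in a row that ascend by one code point
    (e.g. '1234' or 'abcd'), which is the 'consecutive chain' the article bans."""
    codes = [ord(c) for c in s]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        if all(window[j + 1] - window[j] == 1 for j in range(n - 1)):
            return True
    return False


def weakness_reasons(password: str) -> list:
    """Return the reasons a password is weak; an empty list means none were found."""
    reasons = []
    if password.lower() in KNOWN_BAD:
        reasons.append("on the list of most common stolen passwords")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(set(password)) == 1:
        reasons.append("one repeated character")
    if password.isdigit():
        reasons.append("digits only (looks like a phone number, birthday or SSN)")
    if _has_run(password, 4):
        reasons.append("contains a consecutive letter or number chain")
    classes = sum(
        bool(re.search(p, password))
        for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    return reasons


if __name__ == "__main__":
    # The article's own phrase and bank, run through the steps (constructed input).
    phrase = "The early bird gets the worm!"
    for site in ("Citibank", "Gmail"):
        pw = build_password(phrase, site)
        print(site, "->", pw, "weaknesses:", weakness_reasons(pw) or "none")
    # The article's examples of what never to use.
    for bad in ("123456", "password", "000000000"):
        print(bad, "->", weakness_reasons(bad))
```

Running the script shows the article's phrase becoming a 12-character password with all four character classes and no flagged weakness for each site, while 123456, "password" and the nine-zero launch code each trip one or more of the checks.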
If you think you may have been the victim of a password hack, keep an extra-close eye on your transactions for the next few months. As soon as you see anything suspicious, give a call to the bank or credit card and check in; a few minutes is worth being on top of your private data. Here are a couple more ideas in the video below.
The main key is to spend a few minutes on this once, establish a system, and then change it up on a regular basis. It's worth the time and effort to avoid getting hacked. As grandmas like to say: An ounce of prevention is worth a pound of cure.