The guide to password security (and why you should care)
Find out how your password security can be compromised, and how to create and manage secure passwords.
All too often, passwords are exposed. Instagram, Pinterest, Yahoo, and even Google accounts were compromised, rendering millions of online accounts vulnerable to third-party hacks. And that was only the most recent security breach.
Passwords -- especially those not supported by two-step verification -- are your last lines of defense against prying eyes. This guide will help you understand how those passwords are exposed, and what you can do to keep them locked down.
How are passwords exposed?
Before we dive into the how-tos of creating secure passwords, it's important to understand why you need a supersecure password to begin with. After all, you might be thinking, "Who would want to hack little old me?"
There are a few ways your account passwords can be compromised.
- Someone's out to get you. Enemies you've created, exes from your past, a nosy mother, an intrusive spouse -- there are many people who might want to take a peek into your personal life. If these people know you well, they might be able to guess your e-mail password and use password recovery options to access your other accounts. (Can you tell I'm speaking from experience?)
- You become the victim of a brute-force attack. Whether a hacker attempts to access a group of user accounts or just yours, brute-force attacks are the go-to strategy for cracking passwords. These attacks work by systematically checking all possible passphrases until the correct one is found. If the hacker already has an idea of the guidelines used to create the password, this process becomes easier to execute.
- There's a data breach. Every few months it seems another huge company reports a hacking resulting in millions of people's account information being compromised. And with the recent Heartbleed bug, many popular websites were affected directly.
What makes a good password?
Although data breaches are out of your control, it's still imperative to create passwords that can withstand brute-force attacks and relentless frenemies. Avoiding both types of attacks is dependent on the complexity of your password.
Ideally, each of your passwords would be at least 16 characters, and contain a combination of numbers, symbols, uppercase letters, lowercase letters, and spaces. The password would be free of repetition, dictionary words, usernames, pronouns, IDs, and any other predefined number or letter sequences.
The geeky and security-savvy community evaluates password strength in terms of "bits," where the higher the bits, the stronger the password. An 80-bit password is more secure than a 30-bit password, and has a complex combination of the aforementioned characters. As a result, an 80-bit password would take years longer to crack than a 30-bit password.
Ideal passwords, however, are a huge inconvenience. How can we be expected to remember 80-bit (12-character) passwords for each of our various Web accounts? That's where many people turn to password managers like LastPass, Dashlane and 1Password.
Creating secure passwords
In his guide to, Dennis O'Reilly suggests creating a system that both allows you to create complex passwords and remember them.
For example, create a phrase like "I hope the Giants will win the World Series in 2014!" Then, take the initials of each word and all numbers and symbols to create your password. So, that phrase would result in this: IhtGwwtWSi2014!
The next option is to use a password generator, which come in the form of offline programs and Web sites. The best choice here would be to use an offline generator, like the appropriately named Random Password Generator, so that your created passwords can't be intercepted. Many password managers like LastPass or Dashlane also have built in password generator tools.
While you experiment with different passwords, use a tool like How Secure is my Password? to find out if it can withstand any cracking attempts. This particular Web site rates your password's strength based on how long it would take to crack. If it's too easy, the meter will let you know what elements you can add (or remove) to strengthen it.
Any time a service like Facebook or Gmail offers "two-step verification," use it. When enabled, signing in will require you to also enter in a code that's sent as a text message to your phone. Meaning, a hacker who isn't in possession of your phone won't be able to sign in, even if they know your password.
You only have to do this once for "recognized" computers and devices. Here's how to set up two-step verification for many popular websites.
Keeping track of secure passwords
If you follow one of the most important commandments of passwords, you know that you absolutely must have a unique password for every service you use. The logic is simple: if you recycle the same password (or a variation of it), and a hacker cracks one account, he or she will be able to access the rest of your accounts.
Obviously, you can't be expected to memorize dozens of complicated, 16-character-long passwords.
thoroughly explores the different options for managing your passwords, including things like storing them on a USB drive, and even writing them down. Although it's ultimately up to you, for using the ol' sticky note method.
Using a password manager
Password managers store all of your passwords for you and fill out your log-in forms so that you don't have to do any memorizing. If you want supersecure passwords for your online accounts (which is recommended), but you don't want to memorize them all (also recommended), this is the way to go.
There are many options available, but a few crowd favorites are LastPass, Dashlane and 1Password. All three password managers essentially work the same way. There is a desktop program (or mobile app), which you'll use to manage your passwords. Then, there's a browser extension that automatically logs you into accounts as you browse the Web.
If you haven't yet started using one, let me preemptively say: you're welcome. Password managers are huge headache-savers, and you'll wonder how you ever commanded the Web without one.
The tiny caveat is that you'll still have to memorize one thing: Your master password. This unlocks all your other passwords. Make your master password extra-secure by composing it of at least 12 characters to ensure that it's not vulnerable to any brute-force attacks.LastPass and other password managers like Dashlane and 1Password also have mobile apps, so you can easily access your passwords when you're signing into accounts on your phone or tablet.
It's worth noting, however, that just like any software, password managers are vulnerable to security breaches., but users with strong master passwords were not affected.