An unofficial blog that watches Google's attempts to move your operating system online since 2005. Not affiliated with Google.

Send your tips to gostips@gmail.com.

March 3, 2007

Keeping your Passwords Secure

Many people think it's hard to have a good password because it should be complicated and, as a result, hard to remember. When you create a new Google account, you can read some nice tips that prove you can create a strong yet memorable password.
* Include punctuation marks and/or numbers.
* Mix capital and lowercase letters.
* Include similar looking substitutions, such as the number zero for the letter 'O' or '$' for the letter 'S'.
* Create a unique acronym.
* Include phonetic replacements, such as 'Luv 2 Laf' for 'Love to Laugh'.

And some things to avoid (that could be summarized as: don't use passwords that are easy to guess).
* Don't use a password that is listed as an example of how to pick a good password.
* Don't use a password that contains personal information (name, birth date, etc.)
* Don't use words or acronyms that can be found in a dictionary.
* Don't use keyboard patterns (asdf) or sequential numbers (1234).
* Don't make your password all numbers, uppercase letters or lowercase letters.
* Don't use repeating characters (aa11).
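
The "things to avoid" list above can be checked mechanically. The following is an added example, not part of the original post and not Google's own checker; the tiny word list, the rule names and the four-character run length are assumptions chosen for illustration.

```python
import re

# Constructed sample data: a real checker would load a large wordlist.
DICTIONARY = {"password", "love", "laugh", "google", "dragon", "monkey"}
PUBLISHED_EXAMPLES = {"luv2laf"}          # the example quoted in the tips above
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789"]


def has_run(pw, sources, length=4):
    """True if pw contains `length` adjacent characters of a source, in either direction."""
    low = pw.lower()
    for src in sources:
        for s in (src, src[::-1]):
            if any(s[i:i + length] in low for i in range(len(s) - length + 1)):
                return True
    return False


def weaknesses(pw, personal=()):
    """Return, in the order of the list above, every rule that pw breaks."""
    low = pw.lower()
    found = []
    if low.replace(" ", "") in PUBLISHED_EXAMPLES:
        found.append("published example")
    if any(p and p.lower() in low for p in personal):
        found.append("personal information")
    if any(word in low for word in DICTIONARY):
        found.append("dictionary word")
    if has_run(pw, KEYBOARD_ROWS) or has_run(pw, SEQUENCES):
        found.append("keyboard pattern or sequence")
    if pw.isdigit() or (pw.isalpha() and (pw.islower() or pw.isupper())):
        found.append("single character class")
    if re.search(r"(.)\1", pw):
        found.append("repeating characters")
    return found


if __name__ == "__main__":
    for candidate in ["asdf", "1234", "aa11", "Luv 2 Laf", "Tq7#vLm2!x"]:
        print(repr(candidate), weaknesses(candidate) or "no rule broken")
```

An empty result only means none of these six rules fired; it says nothing about length or about word lists larger than the constructed one used here.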

And, of course, the obvious: "never tell your password to anyone (this includes significant others, roommates, parrots, etc.), never write your password down, never send your password by email."

So, the next time you create a new password, think of a quote you like or an old saying (maybe not in English or your native language), use punctuation and replace some letters with similar digits or other characters. You can also use short forms for some of the words.

There are many places where you can test how strong a password is. One of them is available if you go to Google.com, sign out and then click on "sign in". Choose "create an account now" and type your password. Google will indicate whether your password is strong, fair or weak. Then you can use the password wherever you need it.

If you can't come up with a new password for each new site you sign up for, at least try not to use the same password you have for your mail account (many people sign up using the email address myemail@yahoo.com and choose the Yahoo password). If that site has security problems and your account is compromised, your Yahoo account will be compromised as well.

Also, be aware that most browsers offer to store your passwords, so they can auto-complete them. Often they are not stored securely and anyone who has physical access to your computer can find the passwords (for example, go to Firefox > Tools > Options > Security > Show passwords > Show passwords again). That's why it's a better idea to use password managers like Password Safe, KeePass or RoboForm, which store your passwords securely and can manage any kind of password. In Firefox and Opera you could also use a master password, but there are commercial tools that can recover master passwords.

A small summary and some other tips:
* create strong passwords that mix digits, punctuation, capital and lowercase letters by thinking of a memorable quote and making some replacements or using acronyms
* don't share your passwords with anyone
* don't use the same password for all your accounts
* try not to use the built-in password managers from your browser. Use safer tools, if you really need a password manager.
* change your password from time to time
* try to stay away from sites that don't use secure authentication (look for https in the address bar)
* sign out when you finish a session

Do you have other ways to keep your passwords secure?

18 comments:

  1. One thing you can do is mix a word with numbers. For example, if your name is Joe, you could go, j12o34e56, better yet, you could capitalize some of the letters.

  2. I use a random combination of letters and numbers because people are always looking over my shoulder and trying to make sense of it.

    My passwords are great because even if they do manage to watch me type it in, they won't remember it, and they always think I am typing a word or a birthday or something.
    Nope. It's Random. I made sure it was random because I made a web page that makes random characters.
    Ne0nguy's Secure Password Generator

    I agree that the best passwords should have nothing related to you in them.
    Something randomly generated and over 8 characters makes the best password on the net because it is harder to crack.

  3. My passwords are easy to remember AND secure.

    Take a phrase, something like "I bought 42 pairs of shoes today." (Heaven forbid)

    ib42post

    It may seem odd, but if you think of the phrase while typing it, it will be loads easier. After a while, you'll get used to it and type it without thinking about it (:

  4. A technique I have used is to make your password for a particular site be derived from that site's name.

    For example let's say you want to choose a password for Google. Your formula might be something like:

    $site?tjuf

    .. where 'site' is the first 4 letters of the site name and tjuf is the text 'site' with each letter advanced by one alphabetically.

    So for Google you'd get $goog?hpph ... for Yahoo, $yaho?zbip .. etc.

    Note this particular formula is probably too obvious (one site's owner might be able to infer your formula). But this basic idea can be extended to give you a unique, hard-to-guess and non-obvious password for each site, without having to remember anything unique.

  5. http://labs.zarate.org/passwd_new/

    I use (the old version of) this tool to generate all my passwords. I enter my master password (it's a strong password by the standards above) and the script produces a password by randomizing my password based on the domain of the site I'm on.

    My master password is *never* sent to a server; the script is run locally.

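
The formula from comment 4 and the locally run master-password approach from comment 5, side by side, as an added example that is not code from either commenter or from the linked tool. PBKDF2-HMAC-SHA256, the iteration count, the salt prefix, the Base85 output and all function names are assumptions made here; the formula assumes site names that start with letters a-z.

```python
import base64
import hashlib


def formula_password(site):
    """Comment 4's formula: '$' + first 4 letters + '?' + the same letters advanced by one."""
    stem = site.lower()[:4]
    shifted = "".join(chr((ord(c) - 97 + 1) % 26 + 97) for c in stem)
    return f"${stem}?{shifted}"


def normalize_domain(domain):
    """Lowercase and drop a leading 'www.' so one site always maps to one salt."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def site_password(master, domain, length=16, iterations=200_000):
    """Derive a per-site password from a master password; nothing leaves the machine."""
    if len(master) < 12:
        raise ValueError("master password too short to protect the derived passwords")
    salt = b"site-pw-v1:" + normalize_domain(domain).encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)
    # Base85 mixes letters, digits and punctuation; 32 bytes encode to 40 characters.
    return base64.b85encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    # The formula has no secret input: knowing it yields every site's password.
    print(formula_password("Google"), formula_password("Yahoo"))
    # The derived passwords depend on a secret; the master below is a constructed sample.
    master = "correct horse battery staple"
    for site in ("google.com", "www.Google.com", "yahoo.com"):
        print(site, site_password(master, site))
```

With the keyed derivation, a site that learns one derived password still needs the master password to compute any other, which is the weakness comment 4 notes in its own formula.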
  6. I'd be interested to see how you guys manage your passwords. I am subscribed to upwards of 240 different web services that demand authentication (between work, news sites, alumni organizations, banks, wireless networks, web 2.0 sites, etc.).
    Although maybe I should, I cannot sustain 240 different combinations of login/passwords while keeping up with the standards described above.
    I still probably have 20 to 30 different passwords, most of which are strong. But their algorithmic strength starts to be worthless once passwords are shared among many services, or when you have to keep them all listed somewhere just to remember which one is for what.

    I could see someone starting a bogus web2.0-like attracting site for a few months, collect people's login information and use that to see whether they are using the same combinations to log into their banks, emails, paypals, etc...

  7. If you are going to use (as you should) multiple strong and complex passwords you definitely need a password manager.

    Software products like Roboform and Keepass are certainly an option, but I think you could also consider the alternative provided by online password managers.

    (I know, I'm a tad biased since I'm the co-founder of Clipperz ...)

    At www.clipperz.com you can do much more than simply storing your passwords. Give it a try and let me know your impressions.

    Regards,
    Marco

  8. I've got a problem with the Google Toolbar for Mozilla Firefox. I go to my bookmarks, e.g. Major Newspaper, and attempt to log in; after entering my user name and password I keep getting a pop-up requesting my master password. My problem: I've forgotten the password. How can I rectify this problem?

  9. I saw very useful and attractive password protection schemes in many companies. They normally use special characters instead of common letters: instead of "e" they use 3, for "a" they use @, and so many combinations.

  10. As I see it, one of the most important things is "don't use the same password over and over again for everything", meaning if one of your passwords is disclosed, each and every one is disclosed.

  11. The best password is the combination of "letters" + "numbers" + ",". There is no need to make a password that is hard to remember for your own self.

  12. Talking about passwords, don't write your passwords and PINs in your diaries. Also try to avoid using insecure and unknown websites because they might collect a lot of others' personal data and sell it to others.

  13. For online passwords I usually use a regular word (like chair, table or something like that) and make an MD5 hash of it.
    For example: lol => 9cdfb439c7876e703e307864c9167a15
    Downside: some sites have a max length for passwords.

  14. My passwords are great and strong because I mix digits, punctuation, capital and lowercase letters by thinking of a memorable quote. I do follow the instructions as mentioned. I am secure. I like this service very much.

  15. Usually Google doesn't accept a simple password such as john or 1234; it will ask you for an alphanumeric word. So it's safe. Moreover, never go for an easy option such as a birthday, anniversary, wife's/child's name etc. A password should be unique so that you can be safe.

  16. I like using German words for passwords, like Rasenmäher, Motorsäge and stuff. You can use them relating to what site it is for.

  17. I only use passwords with numbers. Often I use my mobile number in combination with my phone number at work. I hope you like my password tip.

  18. I always use a combination of alphanumerics for my passwords; it lowers the chances of my account getting hacked. For the worst passwords you can refer to my link.
