After about 3 years of using the same password I decided it was about time to create a new one. I simply don’t think my password is secure enough. But how do you make a secure password?
Common guidelines:[1]
- Keep the password at least 8 characters long.
- Use mixed case letters and mix in numbers. Include special characters if possible.
- Use different passwords for different sites.
- Change passwords every 3 months.
- Do not include personal information.
- Do not include sequences or repeated characters.
- Do not include dictionary words, abbreviations or common misspellings.
- Do not write your password down (or at least keep it inaccessible for unauthorized people).
I will admit that I use the same password everywhere, and I do not think it is feasible to have a separate password for each site. Since you have to create logins for almost every site out there, you easily end up having to remember 20-30 passwords. To have a separate password for each site you easily end up keeping a list of them, which is potentially unsafe. And then you have to change all the passwords once in a while, which is honestly a pain to do.
Avoiding security
It is near impossible to keep security at a maximum everywhere you go, so why even try? Actually, wouldn’t it be better to avoid the need for security at all?
How many of the 20 to 30 accounts are actually important to keep safe? I tried making a list and I would say I only have one: my “NemID” account, which gives access to bank accounts and government services.
So what makes an account important? The importance of an account is equal to the loss you experience when it is hijacked. Based on this I make three categories of web-accounts:
- Sites dealing with money (banks, stores, casino)
- Personal content (personal websites, blogs, YouTube)
- Social networking (Facebook, chats, forums)
Minimizing loss
Instead of just accepting how important an account is, it is much better to actively make it less important; in other words, minimize the loss in the worst-case scenario.
With sites dealing with money, as far as possible make sure they only deal with an account which can’t be overdrawn, and keep only a small amount of money in that account at any given time.
If the site contains personal content, like WordPress, YouTube and deviantART, always keep a local backup so you can create a new account and restore the content. You might lose ratings and the like, but it is still the content that matters.
My plan
Important accounts will have a strong password which is changed every 3 months. (Actually, the only account in this category is my bank account.) Passwords will be automatically generated.
Semi-important accounts like my WordPress and SourceForge accounts will have a single medium-strong password which will rarely be changed. Backups will be taken of personal content. The password will most likely be an obfuscated passphrase which is easy to type.
Unimportant accounts (which are about 75%) will just use the old password.
October 16th, 2011 03:07
Great post! What I do is make a random one for each website (either just randomly hit the keyboard or whip something up on robotc) and then save them all to a word file with a password I change about every month.
November 21st, 2011 09:12
See http://xkcd.com/936/
A cleverly crafted revelation for many people. ;)
Of course, my password is 30 characters of gibberish, and I have another one I have been planning to deploy soon. (The new one is 20 characters of gibberish, and much more practical.)
More security related comics: https://sites.google.com/site/anintroductiontocryptography/resources/comics
November 21st, 2011 11:32
Yeah, I know that one. The second link is a nice collection though, haven’t seen them all : )
I do not believe pass-phrases are the solution though. A fully random password which is 11 characters long would be ~66 bits. At least for me it is not that difficult to remember a 15-20 character long password consisting of random characters…
Anyway, if any web-service allows you to do 1000 attempts a second, there is a good chance they are also storing the passwords in plain text anyway…
We can never fully secure ourselves, so that is why I propose that we minimize the need for security too.