The recent hacking of celebrity photos has drawn increased attention to the importance of online passwords and how many people don't approach them seriously.
The main issue with passwords is balancing security with convenience. The most convenient option is to use the same password for all of your sites and make that password easy to remember by choosing a simple word. This, of course, is the least secure option.
There's a list that circulates among hackers of the 500 most commonly used passwords, which include "password," "123456," "abc123," "letmein," and "iloveyou."
More websites these days require you to create passwords that are at least eight characters long and that include at least one capital letter and one number. This is good practice with any site.
Here's other frequently offered - but frequently ignored - password advice:
- Use symbols as well as upper- and lowercase letters and numbers. The more types of characters you include, the more difficult your password will be to crack.
- Don't use as passwords your birth date, the name of a relative, or a dictionary word. Some password-cracking programs simply run through all of the words in a particular dictionary.
- Use longer rather than shorter passwords. Eight characters should be the minimum, but 12 characters are even better. Some "brute force" password-cracking programs on heavy-duty hardware can run through every possible eight-character combination in a matter of hours.
- Use a "passphrase" instead of a password. A short sentence, such as "Go forth 4 ever&more," can be easy to remember, not too difficult to type, and very difficult to crack.
- Don't use the same password or passphrase with multiple sites. Periodically, high-profile sites are hacked in which thousands of users' passwords are breached. If a hacker discovers a password of yours this way or by using a password-cracking program and you use the same password for other sites, this makes it easy to break into your other sites.
- Instead, consider making each passphrase a variation, changed in a standard way based on the site you're connecting to. For example, within the passphrase, you could include the first three letters of the site's name but move each letter forward by three letters (so GOO becomes JRR).
- Use dual-factor authentication, sometimes called two-step verification, whenever it's available, particularly with financial or other sensitive sites. Dual-factor authentication requires you, when gaining access, to provide along with a password a second piece of information, such as answering a security question or returning a code that's texted to you.
When choosing security questions, select ones whose answers can't be easily guessed by hackers or found from information publicly available online, such as the city where you went to high school. With some of the recent celebrity cases, it's believed this is how hackers gained access to victims' accounts.
- Use a password management service or otherwise hide your passwords. Some people write their passwords on a piece of paper, even taping the paper to their computer or desk. The obvious downside to this is the risk of someone, from a nosy babysitter to an office adversary, coming across it.
A password management service lets you use one password for it and fills in your passwords, automatically and behind the scenes, for sites you visit. Two recommended password managers are Lastpass and KeePass.
It's still a good idea to keep a separate record of your passwords, in a word-processing or spreadsheet file, for instance, and to keep that file encrypted. Alternately, such a record, opened only when needed, can itself serve as your means of looking up the passwords for sensitive sites.
Basic file encryption is built into various versions of Microsoft Windows and the Mac's operating system. You also could use a third-party encryption program or an archiving program that includes encryption as an option, such as 7-Zip (7-zip.org). Back up any encrypted file in which you store passwords to more than one backup location in case of hard disk crashes or other problems.
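The following is an added example, written for this page and not taken from the article or from any program it names, that puts numbers to the length, character-set, dictionary-word and common-password advice in the list above and also spells out the per-site variation (the "GOO becomes JRR" step). It assumes a guess rate of ten billion per second for "heavy-duty hardware", a constructed five-entry stand-in for the circulated common-password list, a constructed mini dictionary, and that the per-site letter shift wraps around from Z back to A; all of these are assumptions, not figures from the article.

```python
import math
import re
import string

# Constructed sample of a "common passwords" list. These five are the ones the
# article names; a real check would load the full circulated list of 500.
COMMON_PASSWORDS = {"password", "123456", "abc123", "letmein", "iloveyou"}

# Constructed stand-in for a full dictionary wordlist.
DICTIONARY_WORDS = {"dragon", "monkey", "sunshine", "princess", "football"}

# Assumed guess rate for "heavy-duty hardware"; adjust to taste.
GUESSES_PER_SECOND = 1e10


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force search must cover: the union of the
    standard character classes actually present in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += len(string.punctuation) + 1  # 32 symbols plus the space
    return size


def entropy_bits(pw: str) -> float:
    """Bits of search space: length * log2(alphabet size)."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def crack_time_seconds(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the whole search space at `rate`."""
    n = charset_size(pw)
    return (n ** len(pw)) / rate if n else 0.0


def humanize(seconds: float) -> str:
    """Rough human-readable duration for the crack-time estimate."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def weaknesses(pw: str) -> list:
    """Rule-based checks mirroring the article's advice. Returns a list of
    problems; an empty list means none of the rules fired."""
    problems = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    elif len(pw) < 12:
        problems.append("shorter than 12 characters")
    # Strip digits and symbols so "dragon99" is still caught as a dictionary word.
    if re.sub(r"[^a-z]", "", low) in DICTIONARY_WORDS:
        problems.append("a dictionary word")
    if re.fullmatch(r"\d{4,8}", pw) or re.fullmatch(r"\d{2}[/-]?\d{2}[/-]?\d{2,4}", pw):
        problems.append("all digits, possibly a birth date")
    if charset_size(pw) <= 26:
        problems.append("uses only one character class")
    return problems


def assess(pw: str) -> dict:
    """Combine the rule checks with the brute-force estimate."""
    probs = weaknesses(pw)
    bits = entropy_bits(pw)
    if probs:
        verdict = "weak"
    elif bits >= 60:
        verdict = "strong"
    else:
        verdict = "fair"
    return {"bits": round(bits, 1), "crack_time": humanize(crack_time_seconds(pw)),
            "problems": probs, "verdict": verdict}


def site_tag(site: str, shift: int = 3) -> str:
    """The article's per-site variation: take the first three letters of the
    site name, upper-case them and move each forward `shift` letters
    (wrapping Z back to A is an assumption), so "google" gives "JRR"."""
    letters = [c for c in site.upper() if c.isalpha()][:3]
    return "".join(chr((ord(c) - 65 + shift) % 26 + 65) for c in letters)


if __name__ == "__main__":
    for candidate in ["letmein", "abc123", "dragon99", "19851231",
                      "Tr0ub4d0r", "Go forth 4 ever&more"]:
        print(f"{candidate!r:26} {assess(candidate)}")
    print("tag for google.com:", site_tag("google.com"))
```

Running the script shows why the list stresses length over trickery: eight lowercase letters fall in about twenty seconds at the assumed rate, the nine-character mixed-case "Tr0ub4d0r" in a couple of weeks, while the article's twenty-character passphrase sits far beyond any practical brute-force budget. The site tag is derived deterministically from the site name, so the secrecy of that scheme rests entirely on the base passphrase.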