Like a lot of people, I cycle through a small collection of passwords that I have been using for a decade or more. This is not the greatest security practice, I admit, but the world is so riddled with requests to log in in different places, and so many of them matter so little (did you hack my IMGUR account? Oh gee! Did you post something I didn’t really say on that Star Wars newsgroup? Heavens!). Security is important, but I get where the guy who posted all his passwords online is coming from.
That said, we understand poorly how vulnerable we are, as two nice guy hackers recently demonstrated to a volunteer grandmother who thought she was too off-line to get hacked. Incorrect.
Err on the side of security. I make passwords that will crush your puny password-cracking programs, and here’s the truth: it’s not hard. Most of the advice out there isn’t very helpful, though. It makes coming up with passwords sound complicated. “Use four upper-case letters with three lower-case following them and symbols on every third Tuesday.” Amirite?
That’s intimidating. My tips get you there much more easily.
You have information in your head that easily converts to really strong passwords. You just need to look in the right places.
Here are some examples of stuff you know already that easily converts to strong passwords that you can remember (because you’ve known it for years):
- Addresses. Most modern people move homes and move jobs and therefore have a bunch of old addresses in their heads. Addresses make for very robust passwords (just don’t use your current one, obviously). Try old work addresses or the place you grew up. If you lived in an apartment, even better. “646 7th Street #203” would make for a great password. Even better, put two in a row.
- Song lyrics. This won’t work for those problematic services that require such specific guidelines that they make guessing passwords easier, but lyrics do make for nice long passwords that are really hard to bust (because longer passwords are more secure than complex ones). I got this idea from a buddy of mine who had a Talking Heads lyric from a favorite song as his wifi password. The first line from one of my favorite Decemberists songs would be pretty decent: “Billy Liar’s got his hands in his pockets.” It’s even got a symbol in it naturally.
- Nerd references. We all have our geeky interests and many of them have great combinations of letters and numbers. Love the Red Sox? How about a password from a great series: “2007RedSoxIndians4-3.” Love Spider-Man? How about his first appearance in comics: “AmazingFantasy#15.” Love movies? Combine a favorite actor with a favorite film: “MichaelJ.FoxBackToTheFuture1,2,3.”
- Old phone numbers. Not your phone number, but one from your past that you can’t forget and that no one else would know. I can remember several phone numbers from my childhood, none of which are even still in use anymore. “Jessica316-231-5703” would make for a solid password. You won’t even find that in my phone, but it’s a series of digits I will never forget. If you don’t have a number like that, use an old office number or your parents’ number, combined with their full names.
- Important dates combined with places. Your wedding day and your birthday are no good, but what if you add in some other information? For example, a wedding and a place: “St.Matthew’sChurch9/14/2011.” You could also combine two graduations, such as high school and college: “ColumbusHigh2000OhioState2004.” Those are nice and long, with lots of complexity.
- Biographical series. Put chains of basic facts of your life in order. For example, I could do all the Philadelphia neighborhoods I have lived in: “Fairmount>Fairhill>Newbold.” You could do a string of cars, significant others, cities or pets.
Any of these ideas make for memorable passwords that will protect you better than “12345” or “password.” And while I want to encourage you to use biographical information, ask yourself whether or not it could be easily discovered by looking at your LinkedIn or Facebook profile. Don’t use your kid’s name, your spouse’s name, your birthday, your anniversary or your kid’s birthdays.
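Two of the claims above can be checked with a few lines of code: that a long password built from everyday words beats a short "complex" one (the search-space estimate), and that biographical material is only safe if it is not already public (the profile check). This is an added example, not code from the post; the pool sizes are the standard printable-ASCII classes, and the profile is a constructed stand-in for what an attacker could read off a social-media page.

```python
import math
import re
from datetime import date


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that covers every class used."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33  # printable ASCII punctuation, including space
    return pool


def estimate_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(pool). Length dominates."""
    pool = charset_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def date_forms(d: date) -> set:
    """Spellings of a date that a targeted guesser would try."""
    return {d.isoformat(), f"{d.month}/{d.day}/{d.year}", f"{d.month:02d}/{d.day:02d}/{d.year}",
            f"{d.month:02d}{d.day:02d}{d.year}", f"{d.month:02d}{d.day:02d}{d.year % 100:02d}",
            f"{d.year}{d.month:02d}{d.day:02d}", str(d.year)}


def personal_info_hits(password: str, profile: dict) -> list:
    """Profile keys whose value (a name, or a date in any common spelling) appears in the password."""
    hay = password.lower()
    hits = []
    for key, value in profile.items():
        forms = date_forms(value) if isinstance(value, date) else {value}
        if any(form.lower() in hay for form in forms):
            hits.append(key)
    return hits


# Constructed profile: the kind of facts visible on a public LinkedIn or Facebook page.
PROFILE = {"spouse": "Maria", "kid": "Liam", "birthday": date(1983, 3, 16), "anniversary": date(2012, 6, 2)}


def review(password: str, profile: dict = PROFILE) -> dict:
    """Summarise one candidate: estimated bits and which public facts it leaks."""
    return {"bits": round(estimate_bits(password), 1), "personal_info": personal_info_hits(password, profile)}
```

Run `review("646 7th Street #203")` against `review("Tr0ub4d&")` to see the length effect: the street address scores well over twice the bits of the eight-character "complex" password.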
Also, apparently a lot of you are using “iloveyou.” Seriously: how do you live with yourself?
Another helpful property of biographical passwords is that you can write down hints somewhere in ways that you’ll know what you mean, but would still make it hard for an adversary.
Take the last example. Your reminder for an account could be a clue like “Graduations.” Someone might be able to work it out from there if they were really determined, but it would take time.
For really important accounts, though (your bank accounts, Paypal, Google, Apple, etc.), opt in to two-factor authentication. Two-factor authentication combines your password with some other piece of information that is sent to you or generated on a device you hold. Google has an app for it. Paypal and banks like to shoot you texts or emails. Apple has built it into its latest operating systems, but you need to turn it on (so, turn it on).
I have a confession to make: I once fell for a phishing attack on my Paypal account. I realized what I’d done as soon as I finished doing it, but it was too late: The hackers got my password. As savvy as I am about these things, sometimes you get caught on a bad day, and you do dumb things.
It didn’t matter, though. I’d enabled two-factor authentication on my Paypal account. So, when they did try to get in, they didn’t have access to my mobile and couldn’t see the code Paypal sent me. They got nothing.