Passwords: Creating and Maintaining a Strong Password System

By Mary Landesman, About.com

Most of us have multiple sites we visit which require logins. So many, in fact, that it's tempting to use the same username/password combo for all of them. Don't. Otherwise, it takes only the compromise of a single site's credentials to have a toppling domino effect on the security of all your online assets.

It's also tempting to just let your browser's autocomplete feature deal with it, remembering not only your usernames and passwords, but also all the personal information you repeatedly enter into forms. Again, don't. Doing so just makes it that much easier for malware and attackers to obtain your credentials and personal information.

Creating unique passwords
Before you begin creating strong passwords, you need to consider how those passwords will be used. The intent is to create strong passwords unique to each account, but easy enough to memorize. To do this, begin by splitting the sites you frequently log in to into categories. For example, your category list might read as follows:

  • social networking sites
  • auction sites
  • ecommerce sites
  • email accounts
  • banking sites
  • forums

A word of note here about forums. Never use the same password for a site's forum as you would for logging into the site itself. Generally speaking, the security on forums is not as strong as it is (or should be) for the regular site and thus the forum becomes the weakest link in your security. This is why, in the example above, forums are split into a separate category.

Now that you have your categories, under each appropriate category, list the sites to which you must log in. For example, if you have a Hotmail, gmail, and Yahoo account, list these under the category 'email accounts'. After you've completed the list, you're ready to begin creating the strong, unique, and easy-to-remember passwords for each.

Creating strong passwords
A strong password should be 14 characters. Each character less than that makes it a little easier to compromise. If a site absolutely won't allow a password that long, then adapt these instructions accordingly.

Using the 14-character rule, use the first 8 characters as the common portion of all passwords, the next 3 to customize by category, and the last 3 to customize by site. The result looks like this:

common(8)|category(3)|site(3)

Following this simple rule, when you change your passwords in the future - which, remember, you should do often - you'll only need to change the first common 8 characters of each.

One of the commonly recommended means of remembering a password is to first create a passphrase, modify it to the character limit, then begin swapping characters for symbols. So to do that:

  1. Come up with an 8-word passphrase that is easy to remember.
  2. Take the first letter of each word to form the password.
  3. Substitute some of the letters in the resulting word with keyboard symbols and caps (symbols are better than caps).
  4. Tack on a three-letter abbreviation for the category, also replacing one of the letters with a symbol.
  5. Tack on a site-specific three-letter abbreviation, again replacing a single letter with a symbol.

As an example:

  1. In step 1 we might use the passphrase: my favorite uncle was an air force pilot
  2. Using the first letters of each word, we end up with: mfuwaafp
  3. Then we swap some of those characters with symbols and caps: Mf{w&A5p
  4. Then we tack on the category (e.g. ema for email) and swap out one character of ema: e#a
  5. Finally, we add the site abbreviation (e.g. gma for gmail) and swap out one character: gm%

We now have a password for our gmail account of Mf{w&A5pe#agm%

Repeat for each email site, so perhaps you end up with:

Mf{w&A5pe#agm%
Mf{w&A5pe#aY%h
Mf{w&A5pe#aH0t

Now repeat these steps for the additional categories and sites within those categories. While this may look hard to remember, here's a tip to simplify - decide in advance what symbol you will equate with each letter. As an example, always use & for the letter a in all of your passwords, { for the letter u, etc. But if you do that, make sure you pick a passphrase that doesn't have a lot of repeating characters. For example, had we used that method in the above example, we would end up with Mf{w&&5pem&gm& - that is too many of the same symbol, so it is no longer considered a strong password.

Another tip, try to avoid l33t ch4nges that h4x0rs can easily detect. Use symbols that you can remember, but aren't already widely used as character substitutes.
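To make the five steps and the repeated-symbol tip concrete, here is a small Python script that walks through the article's own example. It is an added illustration, not code from the article or from About.com; the per-position swap tables, the letter-to-symbol map, and the "more than two of one symbol" threshold are assumptions chosen to reproduce the two passwords shown above. The checks cover only what the article names (the 8|3|3 layout and symbol repetition); they say nothing about overall password strength.

```python
# Added illustration of the common(8)|category(3)|site(3) scheme described
# in the article. Editor's example, not code from the article or About.com.
# The swap tables, the letter->symbol map and the max_count threshold below
# are assumptions chosen to reproduce the article's worked example.
from collections import Counter

PASSPHRASE = "my favorite uncle was an air force pilot"  # the article's example


def first_letters(passphrase: str) -> str:
    """Step 2: take the first letter of each word of the passphrase."""
    return "".join(word[0].lower() for word in passphrase.split())


def swap_positions(text: str, swaps: dict) -> str:
    """Steps 3-5: replace the characters at the given 0-based positions."""
    chars = list(text)
    for index, replacement in swaps.items():
        chars[index] = replacement
    return "".join(chars)


def swap_letters(text: str, letter_map: dict) -> str:
    """The simplifying tip: always map a given letter to the same symbol."""
    return "".join(letter_map.get(ch, ch) for ch in text)


def build_password(common: str, category: str, site: str) -> str:
    """Assemble the three parts and enforce the 8|3|3 layout (14 characters)."""
    if (len(common), len(category), len(site)) != (8, 3, 3):
        raise ValueError("expected common(8), category(3), site(3)")
    return common + category + site


def symbol_counts(password: str) -> dict:
    """Count each non-alphanumeric character (the article's 'symbols')."""
    return dict(Counter(ch for ch in password if not ch.isalnum()))


def too_repetitive(password: str, max_count: int = 2) -> bool:
    """Flag a password in which one symbol appears more than max_count times.
    The threshold is an assumption; the article only says 'too many'."""
    counts = symbol_counts(password)
    return bool(counts) and max(counts.values()) > max_count


def article_example() -> str:
    """Reproduce the article's gmail password step by step."""
    common = first_letters(PASSPHRASE)                                   # mfuwaafp
    common = swap_positions(common, {0: "M", 2: "{", 4: "&", 5: "A", 6: "5"})  # Mf{w&A5p
    category = swap_positions("ema", {1: "#"})                           # e#a
    site = swap_positions("gma", {2: "%"})                               # gm%
    return build_password(common, category, site)                        # Mf{w&A5pe#agm%


def fixed_map_example() -> str:
    """The same passphrase with a fixed letter->symbol map (a->&, u->{),
    which the article warns produces too many repeated symbols."""
    letter_map = {"a": "&", "u": "{"}
    common = swap_letters(first_letters(PASSPHRASE), letter_map)         # mf{w&&fp
    common = swap_positions(common, {0: "M", 6: "5"})                    # Mf{w&&5p
    category = swap_letters("ema", letter_map)                           # em&
    site = swap_letters("gma", letter_map)                               # gm&
    return build_password(common, category, site)                        # Mf{w&&5pem&gm&


if __name__ == "__main__":
    for pw in (article_example(), fixed_map_example()):
        verdict = "too repetitive" if too_repetitive(pw) else "ok"
        print(pw, symbol_counts(pw), verdict)
```

Running the script prints the article's gmail password as "ok" and the fixed-map variant as "too repetitive", because & occurs four times in the latter. Note that the eight common characters are identical in every password the scheme produces, which is exactly why the article tells you to rotate that portion regularly.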

Remembering passwords
A common and dangerous myth about remembering passwords is that they should never be written down. This is patently false. In fact, you are far less likely to be compromised through physical access than through your online activity. And frankly, if someone does have physical access to your computer, it doesn't really matter whether you've written down your passwords or not - you've already lost the security battle.

Of course, this doesn't mean the passwords should be jotted on a sticky note and stuck to the monitor or under the keyboard. That's a definite no-no. Instead, keep the password reminder list in a locked file cabinet, safe box, or similar secure container.

You can even maintain the list on the computer itself, provided the file containing the passwords is encrypted with a strong password itself. And by creating passwords based on category, you've eased the need to revisit the list constantly, since you only need to remember the first 8 characters, the category abbreviations, and then the specific site abbreviations. Though that may still sound hard to remember, in practice it's much easier.

And remember, the more we're forced to memorize, the stronger our brains become. So managing such a password system isn't just healthier for your security, it may be healthier for your brain!

Worth noting: Jimmy Kuo (now Senior Virus Researcher for Microsoft, formerly a McAfee fellow) has a different - and compelling - idea for remembering passwords. For details, see: "I Hate the Password Policy!"

Also see: Tips for Keeping Passwords Safe

©2008 About.com, a part of The New York Times Company.

All rights reserved.