Following the hack of Zappos.com and 6pm.com there are probably quite a few of you looking for a way to create strong passwords and also remember them. Back in December, our safety-conscious friends at Consumer Reports ran a guide to creating strong passwords that are also easy… well, easier, to remember. Here it is.
You can create strong passwords that don’t make you memorize a cryptic string of letters, numbers, and punctuation symbols. Here are three techniques:
Use a sentence. It’s easy to remember the first letters of the words in a sentence. For example, children have used this sentence to remember the names of the nine planets: My Very Excellent Mother Just Served Us Nine Pickles. You could use the first letters of those words to generate this strong 9-character password: m*Emjsu9p, where Venus (the morning or evening star) is represented by *, the letter for Earth is capitalized, and nine is a numeral. In practice, it’s best not to use such well-known sayings to generate acronyms.
Use a pass phrase. Several words mixed with numbers and punctuation symbols is known as a pass phrase. For example: stitch9clock^handsapplausE. The longer the pass phrase, the more secure it is, though you’ll be limited by the maximum length the site allows.
Growing the haystack. Developed by security expert Steve Gibson, president of California-based Gibson Research, growing the haystack takes advantage of the ways hackers crack passwords. “The first thing they’ll try is the well-known dictionary of most common passwords,” Gibson says. “Then, if they know something about you, they will try to guess things from your life.”
To foil that part of the process, Gibson suggests starting with a phrase that’s short but not a common word. That forces the hacker to resort to the slower brute-force approach by trying every combination in existence, which is like looking for a needle in a haystack.
Once you’ve accomplished that, “the length of the password matters more than its absolute complexity,” Gibson says. In other words, make the haystack larger by padding the password with numerous easy-to-remember symbols. For example, the password “c-@T--9---” is 10 characters long and is probably not in any dictionary, but it’s not very hard to remember.
A caveat: Don’t use any of the above examples as actual passwords. Now that they have been widely published, hackers might add them to their dictionaries.



Or just do like xkcd does.
I now know my new universal password. Thanks!
I wonder what my bank would say if someone tried to log into my bank account with 1000 guesses/sec?
Oh, I know — “your account has been locked after 3 incorrect login attempts”. This is pretty much the same policy at every financial or important website I visit. So, good luck Mr xkcd-inspired Criminal with that 3 day window on my “easy to guess” 11-character password.
The problem comes when you use the same password/login for multiple sites. If they guess your password by using a brute-force attack on a low security site, they don’t need 3 attempts on your banking site.
Most brute force attacks are against the password hashes that have already been retrieved from a compromised system, whether that be the Windows SAM file or your Firefox/IE password store…
No worries about locking the account at that point. Very few, if any hackers these days brute force a live system.
Seriously, the longer the better.
becausethispasswordistotallymoresecurethanmostotheronesoutthere
ETRADE, which I have to use for stock options at work, has an 8 character limit on its password. STUPID.
I thought of xkcd when they first said use a sentence, instead of using first letters.
My password security is even better still. I type using the Dvorak layout, something like “correct battery horse staple” turns into “isoodik nakkdot jso;d ;karpd”
Step 1 – check the site’s password policy.
It’s no good coming up with a fancy password if you suddenly find the site won’t accept special characters or has upper or lower limits on the number of characters.
This is the most annoying part… some sites require certain characters – other sites don’t allow those same characters.
I HATE that! Also hate the different requirements for usernames – some require a capital letter or number, others forbid them.
I had one the other day that had a cap of 8 characters and no special characters were allowed.
Up until a few years ago my bank would only accept passwords of 8 or less characters.
Pluto isn’t a planet?
My Very Evil Mother Just Served Us Nothing?
First the brontosaurus, now Pluto. My childhood is a lie.
At least we still have the triceratops buddy!
The Land Before Time taught me that all triceratops are dickish…I don’t even have those D:
Bad news on triceratops, maybe. Apparently science says they might just be a bunch of baby Torosaurus — A similar, bigger dinosaur. Cliffs notes of the argument is that they hang out in the same place in terms of geography and history, but the smallest Toro skeletons are all about the size of the biggest Triceratops skeletons, and the big Triceratops skeletons have thin spots in their frills that match the holes in the Toro frills…
Nooooooo!
And it’s pizza dammit, Nine Pizzas! Not pickles.
And then find out that the site doesn’t accept your really, really good password because it’s too long, doesn’t have capital letters, doesn’t have something else stupid that the site wants, etc.
That drives me crazy! I try to make a secure password with tricks I remember only to have the site inform me it can’t be more than 10 or 12 characters. Bah.
American Express is like that... or at least was like that for a long time; could not use any special characters... wtf!!
Still is, unless they’ve changed it since PSN was hacked and I changed all my passwords. Discover Card doesn’t allow anything but numbers and letters either. Most sites won’t let you put a space in either.
Yes. The requirement for a letter and a capital drives me bonkers!
I have been meaning to redo my passwords for a while – the Zappos breach got me motivated and I spent yesterday changing 60+ passwords. Took the whole day – each site is different and has different requirements – ugh.
I just write down all my passwords and tape them to the bottom of my Sega CD…I know no one will ever steal that.
What if a burglar really wants that copy of Ecco the Dolphin you’ve got?
I keep Ecco the Dolphin and Lunar hidden in a safe…the only games next to the Sega CD are Night Trap and Sewer Shark. Crisis averted.
Spoony, is that you? :O
This is why I like Lastpass. I create one super strong password that I remember, and the software tracks a bunch of unique passwords for the 50+ sites I visit. It also makes it easy to remember all the sites you have passwords to, and manage them. Of course there is the terrifying prospect of them getting hacked….(and there was a scare last year, where they thought they may have been).
I don’t think I could trust my password list to a company like that. The downside is so big for me if they have a security breach.
I would not really worry too much about sites like lastpass and such, they store your password in such a way that without the master password (part of the cryptographic process to decrypt the encrypted hashes), the hashes are essentially useless, even if they have the password encryption/decryption algorithms.
I forgot my LastPass password. For real.
I decided I don’t like them, though, because I don’t remember all my passwords anymore since they are stored in LastPass, and if I’m on a PC that doesn’t have the app installed, it’s a pain to go to their site and look it up.
I use them too. I don’t keep any of my super important passwords on there though, like banks, etc. It does help keep all my other sites straight though, which is really nice.
LastPass encrypts your passwords with hashing and can’t access them themselves. It’s one of the most secure password tools that exists. You can have it think of insanely complicated passwords that are not likely to be cracked. Then you just have to remember the one semi-complicated password for LastPass.
If you have a LastPass premium account ($12 a year), you can buy a YubiKey and add two factor authentication.
This is fun.
KeePass is a very good, very easy to use, free, open source, password manager, that will easily handle all your fancy hard to remember passwords.
If you use more than one computer, how do you move your KeePass file between them and keep everything straight?
Use Dropbox or some kind of other similar service/mechanism to synch. The password database is encrypted, so you’ll be cool as long as your password on it is strong.
1. 2. 3. 4. 5.
That’s amazing! I’ve got the same combination on my luggage!
This is, disturbingly, one of the 500 most common passwords.
I created my strong password by deciding that I wanted to do it one day and then randomly started clicking a string of letters and numbers together in rhythm according to a little finger dance on my keyboard. Once I found something that felt fun and good, I repeated it about 30 times and it was committed to memory.
What gets me is some sites require a non numeric/alpha character, while most prevent you from putting one in your password. In addition, some other sites require a caps, while others have a max/min amount of characters that can be used. This is the frustrating part.
I thought about using the common theme of changing a few letters somewhere in it, so that it was unique for each site, but seriously it’s a little too much.
I did that back in the 90’s. Now, trying to enter those passwords on my smart phone, xbox, and playstation has reverted me back to “do a passphrase”.
I use unique passwords for “important” sites. Banking, credit card, student loan, etc. PSN kicked me into high gear when I realized that my email and PSN password would get someone into most of my important accounts.
I might have some overlap and weaker passwords for the login I created at some online shops I rarely visit and don’t store CC information on.
Of course, that means I have passwords in a PW protected file (Word actually allows a strong PW) because they are not easy to remember with so much variation.
I will ask this again. What difference if I choose wazoo as a password as opposed to kjFbTg4632$#)kjhf!! when they are hacking into the system that is STORING said password and stealing the whole database?
These people are not trying to crack individual passwords. They are stealing an entire database of millions of passwords at a time.
Good point. Of all the password “thefts” in the past year, I’d say the majority seem to be Sony, Steam, etc getting hacked. Although the Microsoft one seems to be an instance of easy passwords getting cracked.
…because if the passwords are encrypted, your former example is pretty unbreakable, whereas your latter example would be broken in seconds.
Oops. Reversed it.
…because if the passwords are encrypted, your latter example is pretty unbreakable, whereas your former example would be broken in seconds.
Because wazoo is an actual word, nonsensical as it may be, it is still a word.
There is a database of password hashes out there for anyone to download called rainbow tables. Rather than brute forcing the password, which was the traditional way, they now just compare the hashes of passwords in the database to the rainbow table; it is actually quite quick.
The other password would have to be brute forced, and the longer you make the password, the amount of time taken to brute force increases exponentially, throw in special characters, numbers and upper case, and instead of a simple 5^26, you end up with 5^88 (and that is just for a 5 char password, and does not include spaces).
So yes, there is a huge difference.
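The guide’s “growing the haystack” advice and the comment above both come down to the same arithmetic: how many candidates an exhaustive search has to try. The calculator below is an added example, not code from Consumer Reports, Steve Gibson or the commenter; it models the worst-case search the way Gibson describes it (every length up to the password’s, over the union of character classes used), flags dictionary words with a constructed stand-in for a common-password list, and converts the count into years at two constructed guess rates: the throttled online rate quoted from xkcd earlier in the thread and a much faster offline rate against leaked fast hashes. Note that the exponent is the length, so a five-letter lowercase word costs 26**5 candidates, not 5**26.

```python
"""Brute-force search-space ("haystack") calculator.

Added example; not code from the Consumer Reports guide, Steve Gibson's
Haystack page or the thread.  Guess rates and the common-password list are
constructed illustrative values, not measurements.
"""
import string

# Character classes as an exhaustive search would model them (US keyboard).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
    "space": {" "},                         # 1
}

# Constructed guess rates for the two settings the thread discusses.
ONLINE_GUESSES_PER_SEC = 1_000             # throttled web login (xkcd's figure)
OFFLINE_GUESSES_PER_SEC = 100_000_000_000  # leaked fast hashes on a fast rig

# Constructed stand-in for a "most common passwords" dictionary.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "wazoo", "letmein"}

SECONDS_PER_YEAR = 31_557_600


def alphabet_size(password: str) -> int:
    """Size of the alphabet the search must cover: the union of every class the
    password draws from.  A searcher cannot know which classes were used, so a
    single '@' costs the whole symbol class, which is the haystack effect."""
    size = 0
    for members in CLASSES.values():
        if any(ch in members for ch in password):
            size += len(members)
    if size == 0:
        raise ValueError("password contains no recognised characters")
    return size


def search_space(password: str) -> int:
    """Worst-case candidates for a search that tries every length from 1 up to
    len(password): sum of alphabet**k for k = 1..n."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(space: int, guesses_per_second: int) -> float:
    return space / guesses_per_second


def describe(password: str) -> dict:
    """Summary a defender can put next to a password-policy decision: a word on
    the common list falls to a dictionary pass regardless of its haystack."""
    space = search_space(password)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "search_space": space,
        "in_common_list": password.lower() in COMMON_PASSWORDS,
        "online_years": seconds_to_exhaust(space, ONLINE_GUESSES_PER_SEC) / SECONDS_PER_YEAR,
        "offline_years": seconds_to_exhaust(space, OFFLINE_GUESSES_PER_SEC) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # The guide's padded example, and the two passwords compared in the thread.
    for pw in ("wazoo", "c-@T--9---", "kjFbTg4632$#)kjhf!!"):
        d = describe(pw)
        print(f"{pw!r}: alphabet={d['alphabet']} length={d['length']} "
              f"space={d['search_space']:.3g} online={d['online_years']:.3g}y "
              f"offline={d['offline_years']:.3g}y common={d['in_common_list']}")
```

Running it shows why the thread’s two examples differ: “wazoo” is both on the common list and, at 26 characters of alphabet and length 5, inside a search space of about 1.2 × 10^7, while the 19-character mixed string sits in a 94-character alphabet and a space far beyond either guess rate.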
This is why this article should state you should use a different password for each site you visit. Although I am guilty of not following my own advice. The best way to keep and remember passwords is to use a randomly generated password at each site and store them in a password application.
Any web site that requires a password should only allow three incorrect attempts to enter before locking out the site. That would cut way down on dictionary or brute-force attempts. Also, every such web site should post the number of failed attempts to log in to your account since your last successful log in. If you only check your bank web site once a week and notice there were some unsuccessful log in attempts, that would be a good time to change your password.
Sorry about the multiple posts. The computer kept locking up after submitting the comment.
I think the lock-out should be maybe 5 attempts, and the lockout should be for maybe 30 minutes, and that it should notify you if there are any failed attempts.
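The two comments above sketch a server-side policy: lock the account after a fixed number of wrong passwords, keep it locked for a while, and tell the user how many failed attempts happened since their last good login. The following is an added example implementing that policy, not code from the site or from any product. The user table, the five-attempt limit, the 30-minute lockout and the injectable clock are constructed for the demo; a real deployment would verify against salted, slowly hashed passwords and persist the counters rather than holding them in memory.

```python
"""Login throttling with account lockout and a failed-attempt report.

Added example (not the site's code).  USERS, limits and the clock are
constructed; real systems store salted slow hashes, not plaintext.
"""
import hmac
import time
from collections import defaultdict
from dataclasses import dataclass

# Constructed demo credentials.
USERS = {"alice": "correct horse battery staple"}


def check_credentials(username: str, password: str) -> bool:
    expected = USERS.get(username)
    if expected is None:
        return False
    # Constant-time comparison so response time does not leak how much matched.
    return hmac.compare_digest(expected.encode(), password.encode())


@dataclass
class AccountState:
    consecutive_failures: int = 0   # wrong passwords in the current window
    locked_until: float = 0.0       # epoch seconds; 0.0 means not locked
    failed_since_success: int = 0   # shown to the user on the next good login


class LoginGuard:
    def __init__(self, verify=check_credentials, max_attempts: int = 5,
                 lockout_seconds: int = 30 * 60, clock=time.time):
        self.verify = verify
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.state = defaultdict(AccountState)

    def attempt(self, username: str, password: str) -> dict:
        st = self.state[username]
        now = self.clock()

        if now < st.locked_until:
            # Locked: the password is not evaluated at all, so a locked account
            # offers no oracle; the attempt still goes into the user's report.
            st.failed_since_success += 1
            return {"ok": False, "locked": True,
                    "retry_after": int(st.locked_until - now)}

        if self.verify(username, password):
            report = st.failed_since_success
            self.state[username] = AccountState()   # reset every counter
            return {"ok": True, "locked": False,
                    "failed_since_last_success": report}

        st.consecutive_failures += 1
        st.failed_since_success += 1
        if st.consecutive_failures >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
            st.consecutive_failures = 0          # fresh window after the lock expires
            return {"ok": False, "locked": True,
                    "retry_after": self.lockout_seconds}
        return {"ok": False, "locked": False,
                "attempts_left": self.max_attempts - st.consecutive_failures}


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(5):
        print(guard.attempt("alice", "wrong"))
    print(guard.attempt("alice", "correct horse battery staple"))  # still locked
```

The report counter keeps counting during the lockout, so when the owner finally logs in they see every attempt that was made against the account, which is the signal the commenter wants for deciding whether to change the password. Unknown usernames are verified and locked exactly like real ones, so the lock itself does not reveal which accounts exist.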
Back in the olden time many sites did this – 3 unsuccessful login attempts in a row and the account was suspended for 12-24 hours or it took a phone call to the help desk to reset the password.
Could you repeat that?
yeah…I heard.
Wait, what?
Any website that allows comments should only allow three duplicate comments so we avoid a clusterfuck like this :-)
There appears to be a lot of misinformed comments in here.
First things first, people do not brute force passwords on live hosts. Why?
1) most sites have a lockout policy varying from 3 to 5 attempts.
2) performing brute force on sites that do not have a lockout policy would take forever, even on simple passwords, as you would likely only be able to attempt 5 to 10 passwords at a time (assuming you’re using a script and not the site’s interface). That might not result in a locked account, but it would result in significant load on the servers and the back-end database that stores the password, which would get the attention of network and system engineers, and also leave a crap ton of logs.
Most brute force is performed against password databases that have been retrieved from a compromised site (hopefully they use decent encryption, and not just standard non-cryptographic hashing). This gives them all the time in the world, and they can run the hashes against rainbow tables prior to brute forcing, which would result in the very easy passwords being cracked almost instantly, or however fast the person’s hard drive is at parsing through the approx. 8G-sized rainbow table DB.
Sites where passwords were compromised usually did not store them encrypted (very stupid), or worse, the site’s compromised DB also included the security challenge questions and answers to reset the passwords (the few questions that they ask you so you can reset the password). Also very stupid, but all too common.
Now, as for creating good passwords, I have a different password for most sites. It comprises 3 random words that have no association, and the site’s name as the 4th word. Example:
cat mrfusion kitchenaid consumerist
The password would be “C@t, MrFusion, Kitchen@id, C0nsumerist” When changing the password, I rearrange the order of the words, but keep the same words, also change the punctuation.
For a different site, say cnn.com, it would be
cat mrfusion kitchenaid cnn
The password would be “CNN, C@t, MrFusion, Kitchen@id”
Again, the word order would be changed for each site, as is the punctuation.
PS, no, those are not my chosen words.
For sites that use password size limits, cut down on the number of words, but the mechanism remains the same. And they are extremely difficult (if not impossible) to brute force.
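The commenter’s point about stolen databases is easiest to see in code. The example below is added here and is not code from the site, the commenter or any of the breached services mentioned in the thread: it stores the same passwords under an unsalted fast hash and under a salted, iterated key-derivation function, builds a hash-to-password lookup from a constructed list of common passwords (the idea behind a rainbow table, minus the chain compression), and runs the audit a defender would run on their own table: which stored hashes does the precomputed lookup resolve instantly, and why does salting make that lookup useless. User names, passwords and the word list are all constructed.

```python
"""Unsalted fast hashes versus salted slow hashes in a stored password table.

Added example; not code from the site or from any service named in the
thread.  All user names, passwords and the word list are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # PBKDF2 work factor; tune so one check takes ~100 ms


def store_unsalted(password: str) -> str:
    """The weak scheme the commenter describes: one fast, unsalted SHA-1."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> str:
    """The sound scheme: a random per-user salt and a slow derivation, serialised
    so the verifier can recover its own parameters from the stored string."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown scheme: " + algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_lookup_table(wordlist) -> dict:
    """Precomputed hash -> password map over a word list.  A real rainbow table
    compresses this into chains, but an unsalted hash is looked up the same way."""
    return {store_unsalted(w): w for w in wordlist}


def audit_unsalted(user_hashes: dict, table: dict) -> dict:
    """Defender's exposure check: which accounts does the precomputed table resolve
    without any search?  Everything else would need the exhaustive search."""
    return {user: table[h] for user, h in user_hashes.items() if h in table}


# Constructed sample data.
COMMON_WORDS = ["password", "123456", "qwerty", "wazoo", "letmein"]
PASSWORDS = {"alice": "wazoo", "bob": "wazoo", "carol": "kjFbTg4632$#)kjhf!!"}

if __name__ == "__main__":
    table = build_lookup_table(COMMON_WORDS)
    unsalted_db = {u: store_unsalted(p) for u, p in PASSWORDS.items()}
    print("resolved by lookup:", audit_unsalted(unsalted_db, table))
    # alice and bob chose the same word, so they share one unsalted hash and
    # a single table hit exposes both accounts.
    print("alice == bob (unsalted):", unsalted_db["alice"] == unsalted_db["bob"])
    salted_db = {u: store_salted(p) for u, p in PASSWORDS.items()}
    print("alice == bob (salted):", salted_db["alice"] == salted_db["bob"])
    print("alice verifies:", verify_salted("wazoo", salted_db["alice"]))
```

Two properties carry the argument: with a salt, the same password produces a different stored string for every user, so no table can be computed in advance, and the iteration count makes each guess cost as much as a full PBKDF2 run, which is what turns the commenter’s “all the time in the world” back into a real constraint.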
RELOAD THE PAGE IF YOU ARE GETTING ANY ERRORS. STOP POSTING.
We get it, we get it.
If you post it 1000 times, it becomes law!
Any web site that allows posting should only allow three identical attempts to enter before locking out the site.
Here’s a cool site to test passwords: http://howsecureismypassword.net/
The most important thing to do is to not use the same password for every site, so when one gets compromised, all are not compromised. I recommend making up a base password that you can remember and use a variation for each site. The xkcd http://xkcd.com/936/ advice makes a good base password, then add something unique from each site.
For example: correcthorsebattery + ist (consumerIST.com) = correcthorsebatteryist
Again, correcthorsebattery + gle (gooGLE.com) = correcthorsebatterygle
My pattern for users – two or three random objects on their desk along with a number and special characters.
For example, from my desk – trackball!super68glue
I just use my social security number. No one knows that, right???
Most important- don’t use the same password everywhere.
The microsoft hack is a beast that is for sure, since it seems like there are a couple things going on there
1. Users are being hacked because of FIFA 12, hackers purchase a family gold pack and whatever else they want then they buy massive amounts of digital trading cards in FIFA and transfer those to their own account.
2. Users are being hacked so their accounts can be sold on third party websites, the accounts with payment information and large amounts of MS points on them that is.
The ultimate way to keep yourself from having problems with the MS hack is to not store any credit card information with MS and don’t leave large amounts of MS points in your account. Some people that have been hacked had 6000 or more points in their account, unspent. Even if the hacker gets your password they won’t want your account because it has nothing to offer them. If you buy a points card and redeem it make sure you spend at least the majority of it right away.
Moreover, don’t use your credit card with any prepaid type of service. My iTunes account was hacked for $5 in gift cards I had on there. I had no credit card on there, so no damage was done. This could have been disastrous had a hacker gotten access to my credit card. Apple also refunded the money. I did notice that after the hack, when I had to create a new password, Apple had much stricter guidelines on passwords than when I first created the account.
You covered this in April.
Good lord. Use a run-on sentence you’ll remember and be done with it.
I just use an algorithm that generates a password based on some characteristics of the particular website. It gives me a different password for every website while still only requiring me to remember one simple thing. Plus, it’s a convenient way to avoid the “we should share passwords” thing that comes up in relationships. “We should share passwords!” “Great, it will take just a few minutes to explain my algorithm. Good luck remembering it!” “Never mind.”
I just use an easy to remember word or phrase and then shift the letters to the right one space on the keyboard, so “cupcake42” would become “vi[vslr53”
You could have the most elaborate password ever and not have it cracked but that does zero good when a company makes you change it when they suffer a security breach.
You’d rather they didn’t make you change it? Really?
Sadly most banks don’t support passwords that are too long or complex. Out of all the sites I visit, my bank has the worst/easiest password.
One trick that I’ve found works out really well is to take part of the sites name, say “consumerist” and add something that you can remember to the beginning or end of it. So say your password could be “consum1234” or “0987Consumerist”…you get the idea. This is the trick I’ve found that works pretty globally.
Pluto isn’t a planet.
Yes it is!
And get off of my lawn!!
Use a different password at each site, but use the same algorithm to create that password so that you’ll always remember it.
For example:
Site = The Consumerist
Username = Tinyhands
Seed = Blue#3 (can be anything but it’s the same everywhere)
Date of last p/w change = January 17 (helps you remember to change it often)
Algorithm = Site(4)+Uname(4)+Seed+Date (your algorithm may be in a different order)
Thus, my password = “TheCTinyBlue#3Jan17”
Another thing, answer the wrong hint questions for password retrieval.
If it is “What is your mother’s maiden name?”, use Sailor Moon
“What is your favorite TV show?”, say Denton, Texas
“Where were you born?”, go with Miss Smith.
If you have trouble remembering dozens of passwords, here are a few other ideas.
The xkcd link is a good idea; however I make my own such passwords at home without the help of a website.
* Alternate letters and numbers. If your wife’s name is Amy and her birthday is 8/11, use “A8m1y1” – not “Amy811”.
* Use the first letters of a web site name in front of the base password (consumerist: COMA8m1y1). If you want to get really anal retentive, use military letter verification (CharlieOmegaMaryA8m1y1) – just keep in mind many web sites limit the length of a password to as few as 14 characters.
* Pick something personal – a fetish only you could ever guess. I assure mine is not “300#USSRWoman”.
This is how I create strong passwords.
http://www.passwordcard.org/en
You print it out and then put it in your wallet. All you have to remember is a colour and a symbol, and you go from there.
BOGUS!!
All these articles that keep making the same suggestions over and over are useless. I have over 75 accounts, between shopping, credit, investments, blogs, etc. Am I going to come up with that many unique phrases? And then start muttering to myself over and over as I try to remember which characters were substituted for what and what the first letters are??
I tried using Keepass and flash drive, but I got paranoid about losing that drive. Keeping multiple data copies on multiple machines doesn’t work because of synchronization problems. Using an Internet file service like Dropbox doesn’t work because my employer blocks these services. And what do I do when I go to a strange computer?? Install Dropbox there?? The answer is to use an Internet-based service, like Lastpass. One very strong password to rule them all.
I would always generate passwords by putting catnip on my extra keyboard, and pick out a random stretch of the data entered.
I got the idea from Freakazoid!