How to choose a really, really good password

Russ Dillingham/Sun Journal

Central Maine Community College Network Security teacher Ashley Hayes works with one of her students, Bruce Soper, at the Auburn college.

AUBURN — Quick, think of an important date.

More security tips

— Use unique passwords each time, for each site: That way, you don't lose everything if one password gets broken.

— If a service offers a two-step verification system, take it: Google lets users set up their accounts so they receive a text message on their phone each time they type in their password. They need to type in a six-digit code from that text message to complete the login, proving that they are who they say they are. Google's service is also used by Dropbox, WordPress and Amazon's Web Services. Microsoft's SkyDrive and Yahoo's Web mail services also offer similar options, and more are being added all the time.

— Create a secret recovery email account: Online services will email you a new password or a link to change your password if it happens to slip your mind. Hackers know this and try to trigger a reset and then intercept that email before you see it. One answer is to have those recovery emails sent to a secret email account that nobody else knows about and hackers won't know to break into.

— Get notified when log-ins are attempted: Many services will send you an email anytime you or anyone else tries to log in and fails. It won't stop someone from hacking you, but it might let you know that they're trying.

— Security housekeeping: It's a good idea to log in to the sites you use often and double check your security settings. You can see if anything has changed with the service and update your password while you're at it.

— Kill services you no longer use: You might have forgotten that languishing Myspace page but the Internet never does. It makes sense to just delete the account and associated security data. It keeps your forgotten information out of some creep's filthy hands and gives you one less password to forget.

Got one?

Well, if you do, it's a lousy password.

So is the name of your dog — alive or dead — your favorite beverage or a cool catchword from your favorite movie; each one is easier for a computer hacker to get past than an automatic door at Walmart.

Dates, individual names or any word you can find in the dictionary typically make rotten passwords. Ditto to names of friends, pets, high school mascots or anything else you might have talked about on Facebook or Twitter.

When it comes to passwords, size matters. If you use anything less than 10 characters long, you're fooling yourself, according to computer security experts.

"The worst thing people can do is think of a password as a word," said Ashley Hayes, who teaches network security at Central Maine Community College.

"People need to move to something else, if it's the first line of a book or multiple words or phrases," she said. "They just need to get away from the minimums that administrators used to allow — the eight-character standards — and start using longer phrases."

There was a time when passwords made us feel secure. We'd type our secret code into our computer to get access to all of our best private goodies: pictures, videos, secret musings, messages from close friends and financial stuff.

They were simple codes for simpler times. Many people merely typed "PASSWORD" or its backward cousin "DROWSSAP" into the blank. Some used the name of the application they were using or the brand of the monitor sitting in front of them. Some even used their birth date.

Eventually, that stopped feeling secure. We started adding odd characters like &, # and @, mixing up spelling, fiddling with the case and replacing letters with numbers and symbols: "Password" became "9@$$w0Rd."

"If it's a trick you know, it's a trick hackers have tried and figured out," Hayes said.

Many modern password-cracking programs rely on algorithms designed to look for just those patterns and substitutions. A computer program can crack a standard eight-character Windows password — with a few billion possible patterns on average — in minutes.
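As an added illustration of Hayes's point (this code is not from the article or from any tool it names), here is a small policy check that undoes the symbol-and-digit substitutions the article describes before comparing a candidate against a list of common words, so that "9@$$w0Rd" is recognised for what it is. The six-word list and the 10-character minimum are constructed assumptions standing in for a real common-password list and a real policy.

```python
import itertools

# Constructed stand-in for a real common-password list; a production check
# would load a large list (assumption, not something the article names).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "qwerty"}

# Letters each digit or symbol commonly stands in for. The article's "9@$$w0Rd"
# uses 9->p, @->a, $->s and 0->o; 9 is also used for g, so both are listed.
SUBSTITUTIONS = {
    "0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t", "9": "pg",
    "@": "a", "$": "s", "!": "i", "(": "c", "+": "t", "|": "li",
}

def unleet_variants(candidate, limit=512):
    """Every lowercase reading of the candidate with substitutions undone.

    Each character contributes itself plus any letters it may stand for; the
    Cartesian product is capped so a long, symbol-heavy string cannot explode.
    """
    options = [ch.lower() + SUBSTITUTIONS.get(ch, "") for ch in candidate]
    variants = set()
    for combo in itertools.islice(itertools.product(*options), limit):
        variants.add("".join(combo))
    return variants

def dictionary_base(candidate):
    """Return the common word hidden inside the candidate, or None."""
    for variant in unleet_variants(candidate):
        for word in COMMON_WORDS:
            if word in variant:
                return word
    return None

def check_password(candidate, min_len=10):
    """Policy check in the spirit of the article: length first, then tricks."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"only {len(candidate)} characters; policy wants {min_len}")
    base = dictionary_base(candidate)
    if base:
        problems.append(f"is '{base}' with letters swapped for symbols or digits")
    return problems

if __name__ == "__main__":
    for pw in ["9@$$w0Rd", "Dr4g0n!!2024", "MyDogAteTheHomewurk"]:
        verdict = check_password(pw)
        print(pw, "->", "OK" if not verdict else "; ".join(verdict))
```

The third sample follows Hayes's own suggestion (a sentence with the spaces removed and the spelling changed) and passes, while the two substitution tricks are caught.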

"Many businesses still allow eight characters, mainly because it comes down to a matter of memory," Hayes said.

Longer passwords are safer. Any password longer than 15 characters should be safe for just about any purpose for now — as long as you can remember it.

That's the rub: The more complex and random a good password is, the more likely we are to fall back on some other method to remember it. We'll plug it into a database, create a memory aid or mnemonic or — Heaven forfend! — write it down someplace we think is secret.

"As an administrator you can come up with great policy: 12 characters, symbols and numbers and this that or the other," Hayes said. "Your users come up with this random thing that works to log in, but then they write it on a sticky note and put it under their keyboard or on their monitor."

There is no perfect answer at this point in our technology. It's a balance between security and convenience. So how do we cope?

We asked our readers and folks around the newsroom what they do.

One SJ writer said he keeps a faded notebook hidden in a corner of his home office and it contains every convoluted unbreakable password he's used in the last decade.

Most combine methods, using a name of a family pet, the date they met the love of their life, the license plate on their car and a random word.

Some have more convoluted processes: After the person has memorized a song, saying or movie quote, the first letter of each word becomes a character in the password. Sprinkle generously with symbols and numbers and it generates a nonsensical series of characters that can be called to mind just by humming the tune or recalling the movie.

And some rely on machine-generated passwords, like those created by the mobile app LastPass or web services such as Roboform. Those tend to be the most complex and hardest to crack, but also the hardest to remember.

One suggestion from Hayes: "What you want to do is take a sentence, remove the spaces and change the spelling. Anything you can do to make the password longer is going to make it harder to break."

Conversely, "Anything you can do to make it shorter or easier to remember makes it less secure," she added. "It's just the way it goes."

Reader Chris Blake of Auburn said he relies on the method popularized by webcomic XKCD. Take four random words out of the dictionary, arrange them into a phrase and create a word picture in your head to help remember it. The result is a complex password with a minimum of 16 characters that's relatively easy to remember.
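To put the article's length and word-count figures side by side, here is an added worked comparison (not from the article, Hayes or XKCD) of how many guesses each scheme forces on an attacker and how long exhausting them would take. The ten-billion-guesses-per-second rate and the 2048-word list are assumptions stated in the code; it also shows why the attacker's model matters, since the same four-word phrase is a very different target for a program guessing whole words than for one guessing letters.

```python
import math

# Constructed assumption for the arithmetic: an offline attacker who has stolen
# a database of fast hashes and tries ten billion guesses per second. Against a
# web login form that locks or rate-limits, real rates are many orders lower.
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def brute_force_space(length, alphabet_size):
    """Guesses to exhaust every string of `length` symbols from an alphabet."""
    return alphabet_size ** length

def wordlist_space(word_count, list_size):
    """Guesses to exhaust every phrase of `word_count` words from a known list."""
    return list_size ** word_count

def bits(space):
    """Entropy, in bits, of a uniformly chosen secret from `space` choices."""
    return math.log2(space)

def years_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try the whole space; the average is half of this."""
    return space / rate / SECONDS_PER_YEAR

# Schemes discussed in the article. Alphabet sizes: 26 lowercase letters,
# 95 printable ASCII characters; 2048 words is the assumed list size behind
# the "four random words" method.
SCHEMES = {
    "8 lowercase letters":           brute_force_space(8, 26),
    "8 chars, symbols and digits":   brute_force_space(8, 95),
    "4 words, attacker knows list":  wordlist_space(4, 2048),
    "4 words as 16 random letters":  brute_force_space(16, 26),
    "16 chars, symbols and digits":  brute_force_space(16, 95),
}

def compare(schemes=SCHEMES):
    """Return (label, bits, years) rows sorted from weakest to strongest."""
    rows = [(label, bits(space), years_to_exhaust(space))
            for label, space in schemes.items()]
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    for label, strength, years in compare():
        print(f"{label:30} {strength:6.1f} bits  {years:>12.3g} years")
```

At the assumed rate the eight-letter password falls in seconds and the four-word phrase in about half an hour when the attacker knows the word list, while the same phrase guessed letter by letter, or any 16-character mix, is out of reach.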

But Blake said his personal computer security routine uses a cascading strategy, with stronger passwords guarding the most important information.

Basic websites that hold no personal or financial information get a simple, basic password. Online gaming sites and e-commerce sites like Amazon have stronger, unique passwords. And his bank is protected by the toughest code it lets him use.

"And I don't save bank card info there unless I know I'll be making several purchases over a short span," Blake wrote in an email. "After that, I delete the card info."

That's a good idea, too, according to Hayes.

"You always go back to: Don't tell people where your passwords are," Hayes said. "Even at home, don't make them too easy to find. Be careful what you share and where you share them. Just be careful."


Jason Theriault

I would argue

I would argue that they don't need to be 4 random words. Any attack on your password with a computer making guesses isn't going to be looking for a phrase or sentence. Most brute force attacks are based on each character being random. If the attack assumes you're using words (a dictionary attack), randomness of the words won't come into play.

PAUL ST JEAN

The parrot's favorite

The parrot's favorite password is, "Open the %$#@^&*@ door".
