Our world is turning into one big password: We have computer logins, e-mail accounts, online access for our bank and credit card accounts, ATM PINs, codes for our voicemail and home burglar alarms, and even secret words that a person can use to pick up our children from day care.

What steps should you take to pick a good, solid password? Should you use the same password for as many things as you can? And how are we supposed to remember them all?

If you’re not cynical about hackers and fraud, you should be. According to the Computer Emergency Response Team/Coordination Center, a federally funded organization based at Carnegie Mellon University in Pittsburgh, about 80 percent of all computer security problems are caused by bad passwords.

People have an average of 20 to 25 passwords and PINs. Some may not be very important; others may control your life savings or all of your investments.

Maybe you doubt there are actually thousands of hackers who sit around at their computers and start guessing at usernames and passwords and strike gold. You’re right. They don’t just sit around and punch keys. Instead, they’ll use an automated program that can try thousands of combinations per minute. Some studies show that the typical password can be broken in less than two hours.

Here are some suggestions – some obvious and some more sophisticated – to help you make your password-protected world more secure:

Don’t use any names or numbers that can be connected to you, said Linda Foley, executive director of the Identity Theft Resource Center in California. Ever.

This means the names of spouses, children and pets, phone numbers, important dates or years, the name of your high school, the model of your car and so on. While these are easy to remember, they’re also easy for someone to guess. And these are the first pieces of information that bad guys try.

Even if you think you’re being creative by using a variation, you’re not. Don’t ever create a password combining your children’s names (as a friend of mine did) or a home burglar alarm code that is the numeric part of the address backward (as the previous owners of my house did).

These pieces of information are the first things that a would-be identity thief will use, Foley said.

Don’t use any information that can be obtained through any public record, such as maiden names, names of streets you lived on before or the year you were married.

Don’t repeat characters or letters in sequence on the keyboard, said Cindy Spitz, spokeswoman for KeyBank in Cleveland.

It’s amazing, however, that 12345 and qwerty (the left-hand keystrokes) are among the most common passwords nationwide.

The best passwords don’t contain real words because they can be guessed or hacked with programs that can blow through the dictionary in hours or days.

But nonsensical strings of letters can be a pain to remember.

The best advice: Think of a sentence that you can remember, but not a common phrase (such as “I pledge allegiance to the flag …”).

Maybe your sentence will be “My sister Deborah is an emergency room nurse who works 12-hour shifts.” If you use the first letter from each of those, it’s “msdiaernww12hs.”

Use a combination of upper- and lower-case letters, and not just at the obvious places. If your password is “msdiaernww12hs,” make it “mSdiaernWW12hs.”

A seven-character password with only lowercase letters and digits could be hacked in less than two days, while using both upper- and lower-case letters increases that to 23 days.

Make your password as long as you can while still being able to remember it, said Ellen Johnson, vice president of consumer online services at Huntington National Bank in Columbus, Ohio.

Eight characters should be the minimum. Passwords with only five letters and numbers can potentially be hacked in two minutes, according to LastBit Corp., a New York security and software company.

Passwords with six characters can be hacked in just over an hour; ones with seven characters can be violated in less than two days. An eight-character password, however, takes 65 days because of the exponentially increasing number of combinations.

The best passwords are more than 14 characters, according to Microsoft.

A 15-character password is about 33,000 times more secure than an eight-character one, Microsoft says.

The California Credit Union League, while recommending that longer is better, notes that some systems allow passwords up to 128 characters. With that, however, your session might be timed out before you got signed in.

Use letters and numbers, at a minimum. It’s better if the site you’re logging into will accept symbols too, like $.

A password with eight letters can be breached in four days; a password with eight letters and numbers takes 65 days. A password with eight letters, numbers and symbols takes 463 years.
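The cracking times quoted in this article follow from one formula: the number of possible passwords (alphabet size raised to the password length) divided by a guessing rate. The Python sketch below is an added example, not part of the original article; the constant guessing rate inferred from the five-character figure and the alphabet sizes (26, 36, 52 and 96 characters) are assumptions. Its results land close to the quoted figures, for example 64.8 days for eight letters and numbers.

```python
# Added example: worst-case exhaustive search time = alphabet_size ** length / rate.
# Assumption: one constant guess rate, inferred from the article's figure of
# two minutes for five characters drawn from letters and numbers (36 symbols).
GUESSES_PER_SECOND = 36 ** 5 / 120          # about 504,000 guesses per second

ALPHABETS = {                               # sizes are assumptions
    "letters, one case": 26,
    "letters and numbers": 36,
    "upper- and lower-case letters": 52,
    "letters, numbers and symbols": 96,
}


def worst_case_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Seconds needed to try every password of exactly `length` characters."""
    return alphabet_size ** length / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def table():
    """(alphabet, length, worst-case time) for the cases the article quotes."""
    cases = [("letters and numbers", 5), ("letters and numbers", 6),
             ("letters and numbers", 7), ("upper- and lower-case letters", 7),
             ("letters, one case", 8), ("letters and numbers", 8),
             ("letters, numbers and symbols", 8)]
    return [(name, n, humanize(worst_case_seconds(ALPHABETS[name], n)))
            for name, n in cases]


if __name__ == "__main__":
    for name, n, duration in table():
        print(f"{n} characters, {name}: {duration}")
```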

Don’t think you’re being smart by using a variation of a real word. The hacker programs that use the dictionary also try words spelled backward, common misspellings and all sorts of slang profanity that you wouldn’t find in the dictionary.
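The rules above can be applied mechanically before a password is accepted. The Python sketch below is an added example, not part of the original article: the function names, the tiny word list and the personal-information tokens are constructed for illustration, and a real check would use a full dictionary. It builds a password from a sentence as described earlier and reports which of the article's rules a candidate breaks.

```python
import re

# Constructed sample data; a real check would load a full wordlist.
WORDLIST = {"password", "dragon", "monkey", "sunshine", "letmein"}
KEYBOARD_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz")


def acronym(sentence):
    """First letter of each word, numbers kept whole (the sentence trick)."""
    tokens = re.findall(r"[A-Za-z]+|\d+", sentence)
    return "".join(t if t.isdigit() else t[0].lower() for t in tokens)


def has_keyboard_run(pw, n=4):
    """True if pw contains n keys in a row, forward or backward."""
    low = pw.lower()
    for row in KEYBOARD_RUNS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + n] in low for i in range(len(seq) - n + 1)):
                return True
    return False


def audit(pw, personal):
    """Return the rules from the article that pw breaks (empty list = none)."""
    low = pw.lower()
    findings = []
    if len(pw) < 8:
        findings.append("shorter than eight characters")
    if any(p.lower() in low or p.lower()[::-1] in low
           for p in personal if len(p) >= 3):
        findings.append("contains personal information")
    if has_keyboard_run(pw) or re.search(r"(.)\1\1", pw):
        findings.append("keyboard sequence or repeated characters")
    if any(w in low or w[::-1] in low for w in WORDLIST):
        findings.append("contains a dictionary word or its reverse")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
            and re.search(r"\d", pw)):
        findings.append("lacks mixed case plus digits")
    return findings


if __name__ == "__main__":
    for candidate in ("qwerty", "Nogard2007!", "mSdiaernWW12hs"):
        print(candidate, audit(candidate, ["Deborah", "2007"]))
```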

Be careful where you use your password. If you come up with a good, solid password, you should feel free to use it for any secure financial site, said Foley of the Identity Theft Resource Center. Such businesses as banks, credit card companies and investment firms have top-notch security and encryption, she said.

Further, these sites don’t store your passwords anywhere, and they can’t be obtained or looked up by any employee.

It’s a different story with online shopping sites or passwords that you need to access your utility account by phone. These companies may not necessarily store your information securely, and employees may be able to access it. So you should never use a certain password for a bank account and then use the same one when you’re ordering that cool poster online from somewhere in Canada.

Ideally, it would be nice if you could remember your passwords and pass phrases without writing them down. But if that’s what it takes for you to create strong passwords, then do it. Just don’t carry them in your wallet or purse or tape them to your computer. Keep them in a secure place at your home, and that means away from people like baby sitters or friends of your children.

A good rule of thumb: Don’t leave your passwords anywhere that you wouldn’t leave the information they’re protecting. Maybe you can get by with just writing down a hint that only you would understand, such as “My sister Deborah …”

“I would caution people against writing passwords down anywhere,” said Johnson of Huntington. But she acknowledged that some people may have too many to manage – particularly if different sites or companies require different minimum or maximum lengths.

But don’t do what one misguided consumer did a couple of years ago. Johnson recalled a guy who became the whipping boy of the bank security industry when it was discovered he created a Web site – with links and everything – listing all of his online accounts and passwords.

Never provide your password to anyone, except your spouse or someone who shares the account. This includes the company itself. A reputable company will never ask for your online password by phone or e-mail, said Jennifer Semo, a business analyst with Huntington.

Consider changing your passwords from time to time. It depends on how good they are and how long they are. A password that is fewer than eight characters should be considered good for only a week; a password that is 14 characters or longer – containing numbers, symbols and upper- and lower-case letters – can be good for several years.

Don’t type your password on any computer you don’t control, such as those at computer labs, coffee shops or airport lounges. Identity thieves can buy keystroke logging gizmos cheap and install them in a couple of minutes. These contraptions harvest all the information typed on the keyboard.

Create a password that can be typed as quickly as possible, to make it more difficult for someone to steal your password by shoulder surfing.

Don’t let others know where you have financial relationships, said Johnson of Huntington. You shouldn’t tell co-workers or friends such details as where you bank or where you have investments.

And Johnson said you should arrange to get statements and other information online instead of by mail, which can be stolen or can advertise to acquaintances the places where you have accounts.

(Teresa Dixon Murray is a reporter for The Plain Dealer of Cleveland. She can be contacted at tmurray(at)plaind.com.)

AP-NY-03-14-07 1317EDT
