Page may be out of date
This page has not been updated in the last 5 years. The content on this page may be incorrect. If you have any questions please contact the web team.

10 Rules for Creating Hacker-Resistant Passwords

Passwords are frequently the only thing protecting our private information from prying eyes. Many web sites that store your personal information (for example web mail, photo or document storage sites, and money management sites) require just a user name and password for protection. Some sites, such as online banking and brokerage accounts, may provide additional protection through “secret questions” or additional authentication techniques.

Password-protected web sites are becoming more vulnerable because often people use the same passwords on numerous sites. One study by Sophos, a security firm, found that more than 30% of users recycle the same password for every site that they access. In one recent, well-publicized account, a hacker infiltrated a Twitter employee’s account to access confidential business documents. Twitter did not blame the dubious practice of storing confidential information online. Instead, they stressed the importance of maintaining adequate security, including strong passwords.

A strong password can help individuals protect themselves against hackers, identity theft and other privacy invasions. The strength of a password is a measure of how well it resists guessing and brute-force attacks. It estimates how many trials an attacker who does not have direct access to the password would need, on average, to correctly guess it. The strength of a password is a function of its length, complexity, and randomness.

Want to develop tough-to-crack passwords that resist infiltration? Follow these 10 rules:

1. Avoid using dictionary words. These passwords are easy for hackers to figure out using an electronic dictionary.

2. Don’t use personal information. Any part of your name, birthday, Social Security number, or similar information for your loved ones is a bad password choice.

3. Avoid common sequences, such as numbers or letters in sequential order or repetitive numbers or letters.

4. If the web site supports it, try to use special characters, such as $, #, and &. Most passwords are case-sensitive, so use a mixture of uppercase and lowercase letters, as well as numbers.

5. Passwords become harder to crack with each character that you add, so longer passwords are better than shorter ones. A brute-force attack can easily defeat a password with seven or fewer characters.

6. To help you easily remember your password, consider using the first letter from each word in a sentence, a phrase, a poem, or a song title as a password. Be sure to add in numbers and/or special characters.

7. Create different passwords for different accounts and applications. That way, if one password is breached, your other accounts won’t be put at risk too. Do not use the same or variations of the same password for different applications.

8. Despite admonitions to the contrary, one easy way to remember your passwords is to write them down and keep them in a securely locked place. Never leave them on a Post-It note on your monitor, in an address book, in a desk drawer, or under your keyboard or mouse pad (or any other obvious place).

9. Consider using a secure password manager. The Firefox browser has a password manager already built in. The Firefox password manager and 4 others are reviewed at http://lifehacker.com/5529133/five-best-password-managers.

10. If you have already established a password that is weak, change it! Web sites have a variety of procedures that govern how you can change your password. Look for a link (such as “My Account”) somewhere on the site’s homepage that goes to an area of the site that allows password and account management.
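The following script is an added example and is not part of the original article. It puts the strength definition from the introduction (average trials is half the search space determined by length and character-set size) and rules 1 through 6 above into working code: it estimates the search space and bit strength of a candidate password, flags dictionary words, personal information, sequential or repeated runs, too few character classes and short length, and derives the first-letter passphrase of rule 6. The word list, the personal-information tokens, the 32-symbol special-character class and the thresholds of 8 characters and 3 character classes are assumptions chosen for the example.

```python
import math
import re

# Constructed, tiny word list standing in for the "electronic dictionary" of
# rule 1; a real check would load a full list such as /usr/share/dict/words.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine", "football"}

# Size of each character class; the 32-symbol special set is the printable
# ASCII punctuation and is an assumption made for the estimate.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}

MIN_LENGTH = 8    # rule 5: seven or fewer characters is easily brute-forced
MIN_CLASSES = 3   # rule 4: mix upper, lower, digits and specials (assumed threshold)


def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def search_space(password):
    """Number of strings of this length over the classes the password uses."""
    alphabet = sum(CHARSET_SIZES[c] for c in char_classes(password))
    return alphabet ** len(password)


def entropy_bits(password):
    """Upper bound on strength in bits: log2 of the search space."""
    return math.log2(search_space(password)) if password else 0.0


def expected_guesses(password):
    """Average trials for an attacker who must search the whole space: half of it."""
    return search_space(password) // 2


def has_sequence(password, run=3):
    """Rule 3: a run of `run` characters that repeat ('aaa') or step by one ('abc', '321')."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def contains_dictionary_word(password):
    """Rule 1: the alphabetic core of the password is, or contains, a listed word."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return any(word in core for word in DICTIONARY)


def contains_personal_info(password, personal):
    """Rule 2: any personal token (name, birth year, ...) of 3+ characters appears."""
    p = password.lower()
    return any(len(tok) >= 3 and tok.lower() in p for tok in personal)


def check_password(password, personal=()):
    """Return the list of rules the password violates; an empty list means it passes."""
    problems = []
    if contains_dictionary_word(password):
        problems.append("rule 1: contains a dictionary word")
    if contains_personal_info(password, personal):
        problems.append("rule 2: contains personal information")
    if has_sequence(password):
        problems.append("rule 3: contains a sequential or repeated run")
    if len(char_classes(password)) < MIN_CLASSES:
        problems.append("rule 4: uses fewer than %d character classes" % MIN_CLASSES)
    if len(password) < MIN_LENGTH:
        problems.append("rule 5: shorter than %d characters" % MIN_LENGTH)
    return problems


def passphrase_initials(sentence):
    """Rule 6: first letter of each word of a memorable sentence, case preserved."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z0-9]+", sentence))


if __name__ == "__main__":
    # Constructed sample candidates; "Alice" and "1985" play the role of personal data.
    for candidate in ("password", "abc12345", "Tr0ub4dor&3"):
        print("%-14s %5.1f bits, ~%.2e guesses, problems: %s"
              % (candidate, entropy_bits(candidate), expected_guesses(candidate),
                 check_password(candidate, personal=["Alice", "1985"]) or "none"))
    print(passphrase_initials("To be or not to be, that is the question"))
```

The bit estimate is deliberately an upper bound: "password" scores about 37.6 bits by the search-space formula, yet an attacker with a word list needs one guess, not 10^11. That gap is why the rule checks (dictionary words, personal data, sequences) matter more than the raw character count, and why the script reports both.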

The Backdoor to Your Password

Many sites offer a password reset or recovery system if you should happen to forget your password. While a useful feature, this may offer an additional opportunity to compromise your password. Be cautious when you choose the site security questions and answers that will be used to authenticate you if you forget your password. Be sure that you don’t pick a question which can be answered by others. Many times, answers to these questions (such as a pet’s name or where you went to high school) can be ascertained by others through social networking or other simple research tools. In fact, this was the method recently used to infiltrate a Twitter employee’s account.

‘Til Death Do Us Part

While the integrity of your passwords is important to maintain your privacy, it is also important to consider what can happen when you pass away. You may have bank statements, bills, and other important papers that are only accessible online. Your heirs may not be able to access this information without a potentially lengthy and costly court proceeding ordering the website to release the information. You may wish to provide it to your attorney or another trusted individual.

Additional Resources

Once you have established strong passwords and site security questions, make sure they do not get compromised by spyware or phishing attacks. See http://www.privacyrights.org/fs/fs18-cyb.htm and click on “Illegal Activity and Scams.”

Courtesy of PrivacyRights.org