It wasn’t that long ago that most people had only a few passwords. Now most people have many, many passwords. From your office computer’s login to online legal research to all sorts of online sites that require registration, you may have dozens of passwords. And many of you have passwords that are woefully insecure. You may think you are being clever to use the word "password" as your password, but thousands of others have thought the same thing, and it would be on anyone’s Top Ten list if they were trying to crack your system. Other entries on that list would be repeating the login name as the password, any variation of your name or a family member’s or pet’s name, or the local sports team nickname. (I can’t imagine how many in my state use Sooner or Sooners for their password.)
Let’s discuss briefly selecting and securing your passwords. First of all, your password should never appear in the dictionary. You cannot just use a word. You must have at least one number or typographical character in your password, and more than one is preferred. A dictionary attack, where a program tries common words and known passwords one after another, is automated and runs through millions of candidates, not hundreds, so a plain word falls quickly no matter how obscure it seems to you. Even against pure brute force it is better to have a universe of possible characters that is larger than just 26 letters. Of course, you can still create an insecure password using numbers if you choose something obvious like hal9000 or john316: a word or name with a few digits tacked on is one of the first patterns a cracking tool tries.
It is critically important that you do not use the same password for everything. If your network login password is compromised, you don’t want to give away access to your online banking and brokerage accounts as well. I do slightly disagree with the experts who say every password must be unique. I think if you have several online accounts that never involve money, are primarily "read only" registration access and could be easily replaced without harm, it is OK to use one "throwaway" password for all of them. So it doesn’t bother me if your New York Times, NewsOK.com and Salon passwords are all the same. But if you value your reputation in online communities, you would want a more secure, separate password there so a password cracker couldn’t post slander in your name.
This post was inspired by a LifeHacker post, "Ten Passwords to Avoid." That post links to a British list of the ten most common passwords. But of greater importance is an older LifeHacker post on how to formulate rules for all your passwords. This is really good reading on how to build a rule that combines something you remember with something you take from the website, producing some pretty good passwords. Two cautions: some sites have rules that won’t allow some of these, and if one of those passwords ever leaks, anyone who sees it can guess the pattern and try it on your other sites, so keep the memorized part long and keep the money accounts on something different.
Everyone says do not write down your password. But what they mean is do not write it down and keep it at your desk near your computer. I have to write down my cable modem password because I never use it unless there is trouble. But writing it down and sticking it in a file drawer in a file labeled "old bankruptcy research" on the third page of a four page document is pretty secure as far as I am concerned.
There are password managers like Roboform and KeePass. Just make sure you don’t forget the master password for the manager, or you will be locked out of everything. I learned from a comment posted to one of the above sources that some uber-geeks use leet for their password language, swapping in digits and symbols that look like letters (p@55w0rd). Be aware that password-cracking tools apply those same substitutions automatically, so a leet version of a dictionary word is only slightly harder to crack than the word itself.
What should be your most secure and longest passwords? Obviously those for online banking and brokerage accounts, or for any site you have allowed to remember your credit card information. (Call me old-fashioned. I still type in credit card info each time.) But one of the most important is any e-mail account, especially web-based e-mail, which can be reached from anywhere. Why? Because if someone cracks that, they can use the "forgot your password" feature on your other sites to have new passwords sent there, and then read and delete the notices so you never know it happened.
Dennis Kennedy noted the Lifehacker post as well and linked to one of his earlier articles on password security that is well worth reading.
Do you get tired of registering with sites you will likely not visit again just to read one article? Norman attorney Kurt B. Pfenning deserves the credit (or the blame) for directing me to BugMeNot, a site for "bypassing compulsory registration." This site is a database of usernames and passwords from those who have already registered and will let you use their info to save yourself the trouble. Needless to say, the sites that want you to register will sometimes disable these accounts. Then new ones will be posted. It is a little online exercise in civil disobedience.
A surprising number of people use vulgarities for their passwords, but that can be embarrassing when you have to call tech support or the guy at the Bar Center for assistance.
Well, that’s enough for today. I hope you have decided to go improve some of your weak passwords.