Most accounts today are protected by passwords.
Passwords are tricky. We love them, we hate them. They are hard to remember, so we pick one password and use it everywhere. Sometimes we pick funny ones, and then we have to tell people about them. In fact, a lot of people, as reported, are willing to tell complete strangers their secret password in exchange for … chocolate. (Whether people actually gave their real passwords and not fake ones, we will never know.)
The truth is, passwords aren’t very good, and there are a few things you should remember.
- Most passwords are insecure. In fact, if you’re using a password like “john316”, please know that this is the 39th most common password according to several lists of common passwords.
- Many sites store passwords in plain text. This means that if their database is ever stolen, your account details and passwords will soon be published in dumps available from a torrent tracker near you. It also means that unscrupulous employees can simply look up your password in their company’s database and try it on other sites.
- Computers are extremely good at guessing passwords. In fact, my computer can guess over 100,000 passwords per second. If you think a 4-digit PIN is good security, remember that an ordinary PC can crack between 10 and 20 of these per second by sheer brute force.
General recommendations for choosing a password
When choosing a password, I use the following guidelines:
- Passwords must always contain uppercase letters, lowercase letters, and numbers.
- They must be at least 7 characters – preferably longer.
- Do not base them on typical words – many cracker programs use word lists to speed up the process.
- Do not use personal information, such as name, phone numbers, social security, the name of your dog or anything related to you.
Examples of really bad passwords:
- secret – only lowercase, based on word, most common password in the world
- 123456 – short, only numbers
- jesus – only lowercase, name, very common
- love – only lowercase, 4 letters, can be cracked in no time
These will probably be among the first four that any hacker tries.
Examples of better passwords:
- 977Ratnik
- TikTok25
- MichiGan66
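The following is an added example, not code from the original post: it applies the post’s four guidelines as a registration-time policy check and, alongside each verdict, estimates how long exhausting the password’s keyspace would take at the 100,000 guesses per second quoted above. The common-password set and the word list are tiny constructed stand-ins for the real lists the post refers to; a deployment would load full breach-derived lists.

```python
import string

# Constructed blocklist standing in for the "lists of common passwords" the post
# cites: its four "really bad" examples plus the "john316" it mentions.
COMMON_PASSWORDS = {"secret", "123456", "jesus", "love", "john316", "password"}

# Constructed stand-in for a cracker's word list (assumption: tiny, for illustration).
WORDLIST = {"secret", "jesus", "love", "password", "john", "dragon", "monkey"}

GUESSES_PER_SECOND = 100_000  # the rate the post quotes for one PC
MIN_LENGTH = 7                # the post's minimum length

# Alphabet size each character class contributes to a brute-force search.
# Anything that is not a letter or digit is counted as punctuation/space (33 symbols).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "punct": 33}


def char_classes(pw):
    """Return the set of character classes ('lower', 'upper', 'digit', 'punct') used in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("punct")
    return classes


def keyspace(pw):
    """Number of strings of the same length drawn from the same character classes."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return alphabet ** len(pw)


def seconds_to_exhaust(pw, rate=GUESSES_PER_SECOND):
    """Worst-case time for an attacker to try every string in the keyspace."""
    return keyspace(pw) / rate


def human_duration(seconds):
    """Format seconds using the largest convenient unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def check_policy(pw):
    """Apply the post's guidelines; return (ok, reasons) listing every failure."""
    reasons = []
    classes = char_classes(pw)
    for needed in ("upper", "lower", "digit"):
        if needed not in classes:
            reasons.append(f"missing {needed}")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH}")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    # "Based on a word": the letters alone, lower-cased, form a dictionary word.
    core = "".join(ch for ch in pw if ch.isalpha()).lower()
    if core in WORDLIST:
        reasons.append("based on a dictionary word")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ("1234", "love", "secret", "123456", "jesus",
               "977Ratnik", "TikTok25", "MichiGan66", "h4#Fr9?gLF5"):
        ok, reasons = check_policy(pw)
        print(f"{pw:14} {'ok ' if ok else 'BAD'} "
              f"{human_duration(seconds_to_exhaust(pw)):>16}  {'; '.join(reasons)}")
```

At 100,000 guesses per second a 4-digit PIN (10,000 possibilities) falls in 0.1 seconds, i.e. about ten PINs per second, which is the figure the post gives. The estimate is pure brute force, the slowest attack an attacker would bother with: a real cracker with a word list and mangling rules finds word-plus-digits patterns such as “TikTok25” far sooner than its 62^8 keyspace suggests, which is why the post’s “better” examples are better rather than good.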
A good question to ask yourself is: what does the password protect, and how valuable is that to me? The more valuable it is, the longer and more complex a password you will need.
A few different classes of passwords
I have standard passwords – I don’t care enough to use separate passwords on every site. But I vary them a little.
- I have a standard password I use for “throwaway” sites. I use the same password on all these sites. It’s reasonably complicated – but if it gets hacked, I don’t worry too much.
- For more secure sites, like Facebook, Amazon, etc., I have a different password. It is more complex. I usually trust these companies with their password policy – still, you never know. If you feel unsure, use a different password for each one of these – especially if they’re webshops (and especially if they store your credit card number!).
- I have yet another, different password for my email accounts.
- For sites handling financial transactions, like PayPal, I have a very complex password, of the form “h4#Fr9?gLF5”. Please note: this is not my PayPal password. Notice that I’m also using punctuation marks – they also add to the complexity of the password. I do this because the most valuable thing I have to protect online is my money.
- I don’t like banking websites that use passwords at all. I don’t trust them – but I understand that many American banks do. If at all possible, use a bank that doesn’t use passwords, but rather hardware solutions or certificates.
I also use a very secure password management program called Password Safe. It has a very good reputation, uses good, professional cryptography, and it is open source.
That means I only need to remember one very good, long password, like “I Have #396 Good Flowers!” – or similar – as my master password, and all the others are written down in there.
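Two points above rest on the same construction: a site should store something derived from the password rather than the password itself, and a password manager turns the one master password into the key that locks the vault. The example below is added here and is not Password Safe’s code or file format; it uses PBKDF2-HMAC-SHA256 from Python’s standard library with a salt and an iteration count (the 600,000 work factor is an assumption to tune per machine). The stored record never contains the password, a wrong master password is rejected, and the work factor divides an attacker’s guess rate accordingly.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (assumption: chosen so one guess costs a
# noticeable fraction of a second of CPU; tune to your hardware).
ITERATIONS = 600_000


def derive_key(password, salt, iterations=ITERATIONS):
    """Stretch a password into a 32-byte key. Same password + same salt -> same key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def make_record(password, iterations=ITERATIONS):
    """What gets stored: a random salt, the work factor and the derived key.
    Never the password. A site keeps this per user; a vault keeps one for its
    master password (and hands the derived key to its cipher, not shown here)."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "iterations": iterations,
            "hash": derive_key(password, salt, iterations)}


def verify(password, record):
    """Re-derive from the stored salt and compare in constant time."""
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def guesses_per_second_after_stretching(plain_rate, iterations=ITERATIONS):
    """Rough effect of the work factor on an attacker's guess rate: each guess now
    costs `iterations` HMAC computations instead of roughly one hash
    (assumption: a plain-hash guess and one PBKDF2 iteration cost about the same)."""
    return plain_rate / iterations


if __name__ == "__main__":
    master = "I Have #396 Good Flowers!"   # the post's example master password
    rec = make_record(master)
    print("stored:", rec["salt"].hex(), rec["iterations"], rec["hash"].hex())
    print("correct master accepted:", verify(master, rec))
    print("wrong master rejected:", not verify("I Have #369 Good Flowers!", rec))
    print("100,000 plain guesses/s becomes about",
          guesses_per_second_after_stretching(100_000), "guesses/s")
```

Because the salt is random per record, two users with the same password get different hashes, so a leaked database cannot be attacked with one precomputed table; and because the master password is only ever re-derived and compared, forgetting it means the vault is unrecoverable, which is the point of choosing a long passphrase you can actually remember.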
And I never, ever, ever tell anyone any of my passwords. And neither should you.
And what about security questions?
If you forget your password on a site, there is usually a “remind me” function that emails you a new password. You can use this function, but remember that this means your email account is really important.
Some sites ask you “what was your mother’s maiden name?” or “what is your favorite animal?”. Unfortunately, this is all too easy to look up online (and that is why Sarah Palin’s account got hacked). I recommend instead that you use specific phrases that are factually incorrect. For instance, on the question “what is your favorite animal”, your standard response could be “snickers bar” or “chevy camaro”. Write these questions and your responses down in your password management program. And don’t tell anyone.
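As an added example (not part of the original post), the following generates a fresh, factually wrong answer per site with the `secrets` module, files it under the site and question the way an entry in a password manager would be, and reports how large the guessing space is, as against zero for a real answer that can be looked up. The word list is a small constructed one; `example.com` is a placeholder site.

```python
import math
import secrets

# Constructed word list; a real one would hold thousands of words. The only
# requirement is that the words have nothing to do with you.
WORDS = ["snickers", "camaro", "lantern", "walrus", "copper", "velvet",
         "tundra", "pistachio", "harbor", "quartz", "meadow", "saffron"]
DIGITS = 3


def fabricated_answer(n_words=2, n_digits=DIGITS):
    """Random, factually wrong answer for a security question, e.g. 'walrus velvet 417'."""
    words = [secrets.choice(WORDS) for _ in range(n_words)]
    number = "".join(secrets.choice("0123456789") for _ in range(n_digits))
    return " ".join(words + [number])


def guess_space_bits(n_words=2, n_digits=DIGITS):
    """log2 of the number of possible answers: what an attacker would have to
    search, compared with zero bits for an answer that is public record."""
    return math.log2(len(WORDS) ** n_words * 10 ** n_digits)


def record_answer(vault, site, question):
    """Generate an answer and file it under (site, question) in the password store."""
    answer = fabricated_answer()
    vault[(site, question)] = answer
    return answer


def lookup_answer(vault, site, question):
    """Recall the stored answer when the site asks the question again."""
    return vault.get((site, question))


if __name__ == "__main__":
    vault = {}   # stands in for entries in the password management program
    question = "What is your favorite animal?"
    answer = record_answer(vault, "example.com", question)
    print("stored answer:", answer)
    print("recalled:", lookup_answer(vault, "example.com", question))
    print(f"search space: about {guess_space_bits():.1f} bits with this toy word list")
```

Generating a new answer per site, rather than reusing one fixed phrase everywhere, means a reset flow compromised on one site gives nothing usable on another; the answer is exactly as safe as the password manager it lives in, which is why the master password matters so much.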
