http://www.slate.com/toolbar.aspx?action=print&id=2223478
A technique to better secure your computer, e-mail, and bank account.
It's tempting to blame the victim. In May, a twentysomething French hacker broke into several Twitter employees' e-mail accounts and stole a trove of meeting notes, strategy documents, and other confidential scribbles. The hacker eventually gave the stash to TechCrunch, which has since published notes from meetings in which Twitter execs discussed their very lofty goals. (The company wants to be the first Web service to reach 1 billion users.) How'd the hacker get all this stuff? Like a lot of tech startups, Twitter runs without paper—much of the company's discussions take place in e-mail and over shared Google documents. All of these corporate secrets are kept secure with a very thin wall of protection: the employees' passwords, which the intruder managed to guess because some people at Twitter used the same passwords for many different sites. In other words, Twitter had it coming. The trouble is, so do the rest of us.
Your passwords aren't very secure. Even if you think they are, they probably aren't. Do you use the same or similar passwords for several different important sites? If you don't, pat yourself on the back; if you do, you're not alone—one recent survey found that half of people online use the same password for all the sites they visit. Do you change your passwords often? Probably not; more than 90 percent don't. If one of your accounts falls to a hacker, will he find enough to get into your other accounts? For a scare, try this: Search your e-mail for some of your own passwords. You'll probably find a lot of them, either because you've e-mailed them to yourself or because some Web sites send along your password when you register or when you tell them you've forgotten it. If an attacker manages to get into your e-mail, he'll have an easy time accessing your bank account, your social networking sites, and your fantasy baseball roster. That's exactly what happened at Twitter. (Here's my detailed explanation of how Twitter got compromised.)
Everyone knows it's bad to use the same password for different sites. People do it anyway because remembering different passwords is annoying. Remembering different difficult passwords is even more annoying. Eric Thompson, the founder of AccessData, a technology forensics company that makes password-guessing software, says that most passwords follow a pattern. First, people choose a readable word as a base for the password—not necessarily something in Webster's but something that is pronounceable in English. Then, when pressed to add a numeral or symbol to make the password more secure, most people add a 1 or ! to the end of that word. Thompson's software, which uses a "brute force" technique that tries thousands of passwords until it guesses yours correctly, can easily suss out such common passwords. When it incorporates your computer's Web history in its algorithm—all your ramblings on Twitter, Facebook, and elsewhere—Thompson's software can come up with a list of passwords that is highly likely to include yours. (He doesn't use it for nefarious ends; AccessData usually guesses passwords under the direction of a court order, for military purposes, or when companies get locked out of their own systems—"systems administrator gets hit by a bus on the way to work," Thompson says by way of example.)
Security expert Bruce Schneier writes about passwords often, and he distills Thompson's findings into a few rules: Choose a password that doesn't contain a readable word. Mix upper and lower case. Use a number or symbol in the middle of the word, not on the end. Don't just use 1 or !, and don't use symbols as replacements for letters, such as @ for a lowercase A—password-guessing software can see through that trick. And of course, create unique passwords for your different sites.
That all sounds difficult and time-consuming. It doesn't have to be. In Schneier's comment section, I found a foolproof technique to create passwords that are near-impossible to crack yet easy to remember. Even better, it'll take just five minutes of your time. Ready?
Start with an original but memorable phrase. For this exercise, let's use these two sentences: I like to eat bagels at the airport and My first Cadillac was a real lemon so I bought a Toyota. The phrase can have something to do with your life or it can be a random collection of words—just make sure it's something you can remember. That's the key: Because a mnemonic is easy to remember, you don't have to write it down anywhere. (If you can't remember it without writing it down, it's not a good mnemonic.) This reduces the chance that someone will guess it if he gets into your computer or your e-mail. What's more, a relatively simple mnemonic can be turned into a fanatically difficult password.
Which brings us to Step 2: Turn your phrase into an acronym. Be sure to use some numbers and symbols and capital letters, too. I like to eat bagels at the airport becomes Ilteb@ta, and My first Cadillac was a real lemon so I bought a Toyota is M1stCwarlsIbaT.
That's it—you're done. These mnemonic passwords are hard to forget, but they contain no guessable English words. You can even create pass phrases for specific sites that are coded with a hint about their purpose. A sentence like It's 20 degrees in February, so I use Gmail lets you set a new Gmail password every month and still never forget it: i90diSsIuG for September, i30diMsIuG for March, etc. (These aren't realistic temperatures; they're the month-number multiplied by 10.)
How many different such passwords do you need? Four or five at most. You don't have to keep unique passwords for every single site you visit—Thompson says it's perfectly OK to repeat passwords on sites that don't need to be kept very secure. For instance, I can use the same password for my accounts at the New York Times, the New Republic, The New Yorker, and other online magazines, because it won't hurt me too much if someone breaks into those. (My mnemonic is, I like to read snooty publications quite often.)
You should probably use different passwords for each your social networking accounts—someone can do real damage by breaking into your Facebook or Twitter, so you want to keep them distinct—but you can still come up with a single systematic mnemonic to protect them: Twitter is my second favorite social networking site, MySpace is my third favorite social networking site, etc. Reserve your strongest, most distinct passwords for the few very important services that, if cracked, could do the most damage—your bank account, your computer, and most of all your e-mail, which often contains the keys to everything else in your life.
To be sure, this is more of a hassle than what you're doing now—but what you're doing now is going to come back to bite you. These days, we're all dishing personal information all the time; you may think that your password is totally unguessable, but your Facebook makes clear that you're a huge U2 fan and you graduated from college in 2000. Achtung2000, eh? Just go ahead and make some new passwords right now. Trust me, you'll feel better.
Converse
Good ideas steph! My password isn't quite that good, but it follows most of those rules so I think I'll keep it.
1Great information. Something else to add of my things to do list!
2I have to work on mine phrase - I changed my password on one site, and still only got a 'medium' rating for it.
--------------------------
3Health Surtax: “No, it’s not punishing the rich. If I can afford to do a little bit more so that a whole bunch of families out there have a little more security, when I already have security, that’s part of being a community."
mine phrase??
--------------------------
4Health Surtax: “No, it’s not punishing the rich. If I can afford to do a little bit more so that a whole bunch of families out there have a little more security, when I already have security, that’s part of being a community."
Oh I like this...now the hard part will be picking a sentence I can remember!
5Great article, i'm guilty of many of the bad things they mentioned that people do.
I'll be thinking of my sentence today! 
~~~~~
The man who speaks to you of sacrifice, speaks of slaves and masters. And intends to be the master.
6And if you can find a sentence in Aramean, it's even better cuz no one speaks it anymore. Well, except for Mel Gibson. But why would he hack into your FB account if you don't have Jesus or booze in it ?
PS / I'll start thinking of my sentence right away ! Thanks, Steph !
7Oh, and another good way to protect yourself. Don't have a FB or a Twitter account. It's that simple !
(I used to have FB and then deleted it when it became clear that Zuckerberg was an @ss)
8One summer my job involved managing part of the company's website, and I was really surprised that I was able to see what people had chosen as their log in passwords. I mean, I bet there's a lot of little sites like that where some lowly summer staff can see your password, and it's not very protected. So, since I could see people's emails and the password they chose for the site, I'm sure for a lot of those users I had their email and their email password.
I have three levels of password. One is a hard combo of numbers and letters that doesn't mean anything (for email, etc) one is the password Manfriend and I share for joint accounts (our joint flickr, joint bank account, etc) and then one is just silly for stuff like sugar sites, shopping sites, stuff where honestly I wouldn't really care if someone guessed it.
9Hmm...this is interesting to think about, but still seems a bit difficult for me. I've tried this method before, though, and I couldn't for the life of me remember any particular sentence I created, much less the proper acronym and substituted symbols.
This sentence really caught me though:"First, people choose a readable word as a base for the password—not necessarily something in Webster's but something that is pronounceable in English. Then, when pressed to add a numeral or symbol to make the password more secure, most people add a 1 or ! to the end of that word."
I know people have said that before, and I've taken this to heart in other ways not mentioned in the article.
1. I made a point to learn Spanish, some French and Japanese, even Latin. Using English words translated into other languages is a bit easier to remember, but the varying letter combinations for sounds unique to non-English languages are a little trickier for someone else to figure out.
2. I don't use number substitutes for similar-looking letters, like "1" for "l" or "@" for "a". Add or intersperse the digits of a number that's important to you to the end - NOT a number that has significance, like birthdays or SSNs or account numbers or anything like that. Somebody I know has used the numbers they enter in the state lottery every week interspersed in a short sentence.
I've used some of those tricks on Gmail and other places, and it says that my passwords are pretty hard. I also have various levels of passwords, depending on how secure the service I'm using needs to be. I've never been hacked.
Also, if you have to request a password or a service you use sends your user info to you email inbox - take down the info on paper, or store it in a locked file on your computer - THEN DELETE THE EMAIL.
10I usually try not to put any personal information that could be used against me on the internet, but those are really good suggestions anyway! I've never gone as far as making an acronym, but I'll take words and switch the spelling around. For instance (this is an old one
),
what I was on a huge Lord of the Rings kick, I took the word elvish, and changed it to elphish, then added a few numbers to it.
11Whenever I try to get clever with a password, I forget it within a week.
12--------------------------
Health Surtax: “No, it’s not punishing the rich. If I can afford to do a little bit more so that a whole bunch of families out there have a little more security, when I already have security, that’s part of being a community."
Good post. Now only if I could create a memorable complex password.
13Post A Comment
To post comments, please log in or register.