10 Rules for Creating a Hacker-Resistant Password

Passwords are frequently the only thing protecting our private information from prying eyes.  Many web sites that store your personal information (for example web mail, photo or document storage sites, and money management sites) require just a user name and password for protection.  Some sites, such as online banking and brokerage accounts, may provide additional protection through “secret questions” or additional authentication techniques.


Password-protected web sites are becoming more vulnerable because often people use the same passwords on numerous sites.  One study by Sophos, a security firm, found that more than 30% of users recycle the same password for every site that they access. In one recent well-publicized account, a hacker infiltrated a Twitter employee’s account to access confidential business documents.  Twitter did not blame the dubious practice of storing confidential information online. Instead, they stressed the importance of maintaining adequate security including strong passwords.


A strong password can help individuals protect themselves against hackers, identity theft and other privacy invasions. The strength of a password is a measurement of its effectiveness in resisting guessing and brute-force attacks.  It estimates how many trials an attacker who does not have direct access to the password would need, on average, to correctly guess it.  The strength of a password is a function of its length, the variety of characters it draws on, and how unpredictably it was chosen.

Want to develop tough-to-crack passwords that resist infiltration?  Follow these 10 rules:

  1. Avoid using dictionary words.  These passwords are easy for hackers to figure out using an electronic dictionary.
  2. Don’t use personal information.  Any part of your name, birthday, Social Security number, or similar information for your loved ones is a bad password choice.
  3. Avoid common sequences, such as numbers or letters in sequential order or repetitive numbers or letters.
  4. If the web site supports it, try to use special characters, such as $, #, and &.  Most passwords are case sensitive, so use a mixture of upper case and lower case letters, as well as numbers.
  5. Passwords become harder to crack with each character that you add, so longer passwords are better than shorter ones. A brute-force attack can easily defeat a password with seven or fewer characters. Microsoft has an online password strength checker at www.microsoft.com/protect/yourself/password/checker.mspx
  6. To help you easily remember your password, consider using the first letter from each word in a sentence, a phrase, a poem, or a song title as a password.  Be sure to add in numbers and/or special characters.
  7. Create different passwords for different accounts and applications. That way, if one password is breached, your other accounts won’t be put at risk too.  Do not use the same or variations of the same password for different applications.
  8. Despite admonitions to the contrary, one easy way to remember your passwords is to write them down and keep them in a securely locked place.  Never leave them on a Post-It note on your monitor, in an address book, in a desk drawer, or under your keyboard or mouse pad (or any other obvious place).
  9. Consider using a secure password manager.  The Firefox browser has a password manager already built in.  The Firefox password manager and 4 others are reviewed at http://lifehacker.com/5042616/five-best-password-managers.
  10. If you have already established a password that is not strong, change it!  Web sites have a variety of procedures that govern how you can change your password. Look for a link (such as "my account") somewhere on the site's homepage that goes to an area of the site that allows password and account management.
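The rules above, and the definition of strength as the number of guesses an attacker needs, can be turned into a small checker. The Python below is an added example and is not code from the original article; the word list and the personal details it screens for are constructed stand-ins for the "electronic dictionary" of rule 1 and the personal information of rule 2, and the function names are the example's own. It scores a password by the size of its character set raised to its length (rule 5), which is the worst case for an attacker who knows nothing but the character set, and then flags the shortcuts that let a real attacker do far better: dictionary words, personal details, sequential or repeated runs, too few character classes, and short length. It also derives a rule 6 mnemonic from a sentence so the two approaches can be compared.

```python
import math
import string

# Constructed stand-in for the "electronic dictionary" in rule 1; a real
# checker would load a full word list (an assumption, not a list the
# article references).
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey",
                "sunshine", "qwerty", "football"}

# Constructed personal details for rule 2 (assumed example values).
PERSONAL_TERMS = ("alice", "smith", "1985")


def class_sizes(password):
    """Sizes of the character classes present (rule 4). Non-ASCII
    characters are ignored by this simple classifier."""
    sizes = []
    if any(c.islower() for c in password):
        sizes.append(26)
    if any(c.isupper() for c in password):
        sizes.append(26)
    if any(c.isdigit() for c in password):
        sizes.append(10)
    if any(c in string.punctuation for c in password):
        sizes.append(len(string.punctuation))  # the 32 printable ASCII symbols
    return sizes


def charset_size(password):
    return sum(class_sizes(password))


def brute_force_guesses(password):
    """Worst-case guesses for an attacker who knows only the character set
    and the length and must try every combination (rule 5)."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """log2 of that search space: an upper bound that assumes every
    character was chosen uniformly at random, which human-chosen
    passwords are not."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def has_sequence(password, run=4):
    """Rule 3: any run of `run` characters that is repeated (aaaa) or
    strictly ascending/descending in code-point order (abcd, 4321)."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def contains_dictionary_word(password, words=COMMON_WORDS):
    s = password.lower()
    return any(w in s for w in words)


def contains_personal_info(password, terms=PERSONAL_TERMS):
    s = password.lower()
    return any(t.lower() in s for t in terms)


def check_password(password, personal_terms=PERSONAL_TERMS):
    """Apply rules 1-5 and report what failed, plus the brute-force figures."""
    findings = []
    if contains_dictionary_word(password):
        findings.append("contains a dictionary word")
    if contains_personal_info(password, personal_terms):
        findings.append("contains personal information")
    if has_sequence(password):
        findings.append("contains a sequential or repeated run")
    if len(class_sizes(password)) < 3:
        findings.append("uses fewer than three character classes")
    if len(password) <= 7:
        findings.append("is seven characters or shorter")
    return {
        "length": len(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "guesses": brute_force_guesses(password),
        "findings": findings,
        "strong": not findings,
    }


def passphrase_initials(sentence):
    """Rule 6: first character of each word, so digits in the sentence
    survive; the caller appends extra symbols as the rule advises."""
    return "".join(word[0] for word in sentence.split())


if __name__ == "__main__":
    weak = "monkey12"
    mnemonic = passphrase_initials("My 2 dogs ate 4 bagels before 9 AM, honest!") + "#"
    for pw in (weak, mnemonic):
        report = check_password(pw)
        print(pw, report["entropy_bits"], "bits,", report["findings"] or "no findings")
```

The entropy figure is deliberately the optimistic one: "monkey12" scores about 41 bits by character-set arithmetic, but an attacker with a dictionary finds it in a handful of guesses, which is why the rule checks are reported alongside the number rather than folded into it. The mnemonic "M2da4bb9Ah#" passes every rule and, at 11 characters over a 94-symbol alphabet, sits near 72 bits.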


The back door to your password.  Many sites offer a password reset or recovery system if you should happen to forget your password. While a useful feature, this may offer an additional opportunity to compromise your password.  Be cautious when you choose the site security questions and answers that will be used to authenticate you if you forget your password.  Be sure that you don’t pick a question which can be answered by others.  Many times, answers to these questions (such as a pet’s name or where you went to high school) can be ascertained by others through social networking or other simple research tools.  In fact, this was the method recently used to infiltrate the Twitter employee’s account.


‘Til Death Do Us Part.  While the integrity of your passwords is important to maintain your privacy, it’s important to consider what can happen when you die.  You may have bank statements, bills, and other important papers that are only accessible online.  Your heirs may not be able to access this information without a potentially lengthy and costly court proceeding ordering the web site to release the information.  You may wish to provide a list of important passwords that will be needed after your death to your attorney or another trusted individual. 


Additional resources.  Even if you follow all of our advice, experts warn that the security of passwords has never been weaker.  New hardware and techniques have contributed to a sharp rise in password cracking by hackers. Read more about these advances at http://arstechnica.com/security/2012/08/passwords-under-assault/.


Password managers can help make it easier for you to use unique and strong passwords for any website requiring a login.  You can read an analysis of the options available to you at http://lifehacker.com/5944969/which-password-manager-is-the-most-secure.


For additional information on protecting your privacy online, see our online privacy guide at http://www.privacyrights.org/fs/fs18-cyb.htm

For additional information on securing your computer, see our computer security guide at https://www.privacyrights.org/fs/fs36-securing-computer-privacy.htm.