9 of 32

How to make a good online password

by J.P. McCauley

There are a number of ways in which your Internet passwords can be stolen. Some of the methods used to steal passwords are: monitoring unencrypted network traffic; tricking a user into entering a password on a bogus web site or even giving it to someone on a phone call; looking for a password among written notes; guessing simple passwords such as names of people or pets; and plain old brute force attempts. A brute force attempt is simply guessing all possible passwords until the correct one is found. Some sites are secure enough to foil brute force attempts by locking accounts after a number of failed login attempts, but it is your responsibility to create a password strong enough to make brute force attempts more difficult.

In theory, the brute force method of password cracking tries all possible combinations of characters in order to arrive at the correct password. In practice, this could take an incredibly long time. To speed things up, password crackers rely on the fact that most users do not use strong passwords. Many users create passwords of seven characters or less, and often use actual words or names. Dictionary attacks leverage this fact and limit the brute force guesses needed to a pre-arranged list of words (including foreign languages). This vastly reduces the amount of time it takes to crack a password, assuming the password is not a strong one.

So, what makes for a strong password?
- Do NOT use actual words or names
- Use eight characters as the minimum length (longer is better)
- Passwords should be a mix of capitalization, numbers and special characters (!, @, #, $, etc.)
- Do not repeat characters too often
- Do not assume simple, obvious substitutions are enough (M@ryJ0nes instead of MaryJones)
- Change your password on a regular basis

If you require a very secure password, you may want to consider using an online password generation site. Here is a list of a few.
http://www.pctools.com/guides/password/
http://www.goodpassword.com/
https://www.grc.com/passwords.htm

There is a problem with these sites, however. Although a generated password is almost impossible for a password cracking program to guess, it is also almost impossible for you to remember. Now that is secure!

Creating your own passwords makes it much easier for you to remember them, but you have to be vigilant about making sure they are strong enough. You can employ some simple cryptography methods to help strengthen your passwords. For example, you can use both substitution and transposition.

Take a compound word like: Football
Substitute in numbers and special characters: F00tb@ll
Then mix the order up: t00Fbl@l

Better yet, start with a short phrase: To each his own
Mix it up a little and remove spaces: each_to-his_own
Substitute in CAPs, numbers and special characters: e@ch_2is-Ho#n

Using this method, you just have to remember your original word or phrase and how you changed it. After creating your password, check its strength online to see that it is strong enough:
http://www.passwordmeter.com/
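As an added example (not part of the original article), a small checker that applies the rules above to the article's own sample passwords. It shows why M@ryJ0nes is weak even though its character mix looks good: a dictionary attack simply undoes the obvious substitutions before comparing, while transposition (t00Fbl@l) defeats that trick. The word list is a constructed stand-in; the list of substitutions and the scoring rules are assumptions for illustration.

```python
import math
import re
from itertools import groupby

# Constructed stand-in for a cracker's word list (a real one holds millions of
# entries, including names and foreign-language words).
WORDLIST = {"football", "mary", "jones", "maryjones", "password", "summer"}

# Obvious substitutions a dictionary attack simply reverses before comparing.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "$": "s", "5": "s", "7": "t"})

CLASSES = {
    "lowercase": "abcdefghijklmnopqrstuvwxyz",
    "uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "special": "!@#$%^&*()-_=+",
}

def search_space_bits(pw):
    """Brute-force work: length x log2(size of the alphabet the password draws from)."""
    alphabet = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def longest_run(pw):
    """Length of the longest run of one repeated character, e.g. 'aaab' -> 3."""
    return max((len(list(g)) for _, g in groupby(pw)), default=0)

def dictionary_hit(pw):
    """Undo case and leet substitutions, then look for a word-list entry."""
    base = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    return base in WORDLIST or any(w in base for w in WORDLIST if len(w) >= 4)

def assess(pw):
    """Apply the article's rules; 'strong' means no rule was violated."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than eight characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            reasons.append(f"no {name} characters")
    if longest_run(pw) >= 3:
        reasons.append("repeats a character three or more times in a row")
    if dictionary_hit(pw):
        reasons.append("is a dictionary word or name, even after undoing substitutions")
    return {"bits": round(search_space_bits(pw), 1), "reasons": reasons, "strong": not reasons}

if __name__ == "__main__":
    for pw in ["MaryJones", "M@ryJ0nes", "F00tb@ll", "t00Fbl@l", "e@ch_2is-Ho#n"]:
        print(pw, assess(pw))
```

Note that the raw search-space estimate for M@ryJ0nes is higher than for MaryJones, yet both fail the dictionary check; length and transposition, not decoration, are what buy real strength.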

Most of us have several accounts that we need passwords for. You could use the same strong password for all of your accounts, but not all sites are as vigilant with security as they should be. You would not want someone logging into your online bank account because you use the same password for the cooking blog you posted recipes to. It is better to have unique passwords for each site. If you have more than a handful of accounts, you may want to look into using a tool to help you organize your passwords.

For my job, I currently have 813 passwords to manage. I have an additional twenty to thirty personal accounts to manage as well. I have downloaded a free application called Keepass which allows me to manage all of these accounts easily. Not only does this program allow you to organize all of your accounts, it can also generate strong passwords for you and auto-type your user ID and password when you connect to sites. Now I just have to remember one strong password to log into Keepass, and the application remembers all of the super-strong passwords for my accounts. You can get Keepass at:
http://keepass.info/

Remember, there are a number of ways the bad guys can get your password, and a strong password is no protection if they know what it is. With that said, the first step to a good online password is to make sure it is not easy to guess.

Helium, Inc.
200 Brickstone Square Andover, MA 01810 USA