
Recently in the news there has been a lot of talk about Sony’s security breach and the loss of many of its users’ passwords, along with contact information and credit card numbers. Sony’s main suggestions are that people be skeptical of emails asking for account information and that they change their passwords. I thought today I would discuss what to change that password to.
Before I get to that, I want to tell you what NOT to change your password to. Some very popular password choices are:
- abc123
- password
- letmein
- 123456
Most online providers won’t even let you use these anymore, so it may be a moot point, but these will be the first ones tried by hackers trying to get into your password-protected account. Other obvious no-no’s are:
- Your First Name
- Your Last Name
- Your Birthday
These pieces of information can easily be gleaned from your Facebook page or other social media. Don’t use the same password for everything either. If you do and one password gets out, then a hacker can use that same password on other sites to gain access to other accounts.
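The advice above (no common passwords, nothing built from your name or birthday, no reuse) is the kind of thing a signup form or a password manager can check for you. The following is an added example, not code from the original post or from any product mentioned in it: the common-password list is the one given above, and the user names, birthday and per-site vault are constructed sample data.

```python
"""Password-acceptance checks for the advice in the post (added example)."""
import datetime

# The popular passwords named in the post; a real deployment would use a
# much larger breached-password list.
COMMON_PASSWORDS = {"abc123", "password", "letmein", "123456"}


def birthday_tokens(bday):
    """Digit strings a person is likely to derive from their birthday."""
    return {
        bday.strftime("%Y%m%d"), bday.strftime("%m%d%Y"), bday.strftime("%d%m%Y"),
        bday.strftime("%m%d%y"), bday.strftime("%d%m%y"), bday.strftime("%Y"),
        bday.strftime("%m%d"), bday.strftime("%d%m"),
    }


def weak_password_reasons(password, first_name, last_name, birthday, min_length=12):
    """Return a list of reasons the password is weak; empty means it passed."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("in the common-password list")
    # Names are matched case-insensitively anywhere inside the password.
    for label, name in (("first name", first_name), ("last name", last_name)):
        if len(name) >= 3 and name.lower() in lowered:
            reasons.append(f"contains {label}")
    if any(token in password for token in birthday_tokens(birthday)):
        reasons.append("contains birthday")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


def reused_passwords(vault):
    """Given a mapping site -> password (as a password manager would hold),
    return the set of sites whose password is shared with another site."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, set()).add(site)
    reused = set()
    for sites in by_password.values():
        if len(sites) > 1:
            reused |= sites
    return reused


if __name__ == "__main__":
    # Constructed sample user and vault for demonstration.
    bday = datetime.date(1985, 3, 14)
    for candidate in ("letmein", "alicerocks2024", "Smith19850314x", "Tr0ub4dor&3-lighthouse"):
        print(candidate, "->", weak_password_reasons(candidate, "Alice", "Smith", bday) or "ok")
    print("reused on:", reused_passwords({"mail": "x1", "bank": "x1", "forum": "y2"}))
```

The birthday tokens cover the usual orderings (year first, month first, day first, two- and four-digit years); the name check only fires for names of three or more letters so a short surname does not reject unrelated passwords.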
The best kinds of passwords are random series of letters, numbers and characters that mean nothing. The longer the password, the better, too. This is because a common style of password cracking is a brute-force attack, in which a hacker tries every combination of every character, starting with shorter 6-8 character attempts. The increasing power of computers makes this easy to do, so make your passwords as long as possible.
I think a good way to come up with a pretty randomized password is to just think of a phrase, call it a mantra if you will, and turn it into a password by substituting numbers for letters. For example, let’s pretend that I’ve been having a hard time with my teething 9-month-old son and his constant screaming in pain. This isn’t happening, but let’s consider the hypothetical. So I might pick the phrase:
- I love my son
The letters that can easily be turned into numbers are i, l, and o: I’s become 1’s, as do L’s, and O’s become 0. Also combine the phrase into one word with no spaces (some password systems won’t allow spaces) and make it:
- 110vemys0n
Does that mean anything to you? Does it mean anything to anyone? Probably not. But it is a 10-character string of random-looking letters and numbers that I think would make a secure password. You can do the same thing in a similar fashion to any phrase or sentence and make a darn good password with it.
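The phrase-to-password method above can be written down exactly, which also makes it possible to put a number on how strong the result is. This is an added example, not code from the original post: it implements the substitution described (drop spaces, I/L to 1, O to 0), then compares the strength a character-by-character estimate gives with the strength that remains once the method itself is known, since the substitution is deterministic and adds no randomness of its own. The one-million-phrase dictionary and the 10^9 guesses-per-second rate are illustrative assumptions, not figures from the post.

```python
"""Entropy estimates for passwords derived from a phrase (added example)."""
import math

# Substitutions the post describes: i and l become 1, o becomes 0.
LEET = str.maketrans({"i": "1", "l": "1", "o": "0"})


def phrase_to_password(phrase):
    """Apply the post's method: remove spaces, lowercase, then substitute."""
    return phrase.replace(" ", "").lower().translate(LEET)


def char_pool_size(password):
    """Size of the alphabet a brute-force search must cover for this password."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation and space
    return pool


def naive_entropy_bits(password):
    """Bits of entropy if every character were chosen uniformly from the pool.
    This is the optimistic view: it ignores how the password was made."""
    return len(password) * math.log2(char_pool_size(password))


def method_entropy_bits(candidate_phrases):
    """Bits of entropy once the attacker knows the phrase-substitution method:
    the only secret left is which phrase was chosen, so entropy is
    log2(number of phrases the attacker would try). The substitution step is
    deterministic and contributes nothing."""
    return math.log2(candidate_phrases)


def years_to_exhaust(bits, guesses_per_second=1e9):
    """Time to try every possibility at the given rate (assumed 1e9/s)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for phrase in ("I love my son", "I love my son and his two new teeth"):
        pw = phrase_to_password(phrase)
        naive = naive_entropy_bits(pw)
        # Assumed: an attacker enumerating one million common phrases.
        known = method_entropy_bits(1_000_000)
        print(f"{phrase!r} -> {pw}")
        print(f"  naive: {naive:5.1f} bits, {years_to_exhaust(naive):.3g} years to exhaust")
        print(f"  method known: {known:5.1f} bits, {years_to_exhaust(known):.3g} years")
```

The comparison shows why the length of the phrase matters more than the substitutions: a longer phrase raises the naive estimate, but against someone who guesses phrases rather than characters the strength is only the log of the phrase dictionary, whichever substitutions were applied.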
Finally, I want to pitch a product that is near and dear to my heart: Roboform. This is a cross-platform cross-browser toolbar that stores all of your passwords in an encrypted form on the web behind a master password. I’ve used it for several years and continue to do so daily. Here is the url for the site:
Actually, ‘110vemys0n’ isn’t a very strong password. It only has about 45 bits of entropy, when you should really have at least 70, and probably closer to 100. Plus, if you’re using a password manager like you suggest, there’s really no reason to not use something absurdly complex, like 9dq`V.&ZoHs0b5fPE}O6v,znlcR-)#[7w2m(/]^U, which has 244 bits of entropy.
I’ve written up a more detailed explanation of what constitutes a good password here if you’re interested.