Movies like to show hackers breaking passwords with fancy software and ludicrous gadgets. The reality of busting passwords open is much more mundane. Simple as it may sound, most passwords are broken purely by guesswork. Check out this infographic from ZoneAlarm, as well as this list from the Wall Street Journal of the fifty most common passwords gleaned from the 2010 Gawker hack. If your password is on one of those lists, you need to change it. Right now.
Even if you're savvy enough to be using something other than "password," you need to scrap any passwords based in personal info. Lots of people like to use names of kids, significant others or pets. Birthdays and anniversaries are commonly used as well. That might not seem like such a big deal. You might be thinking, "That's not an issue. How would a stranger know any of that about me?"
I invite you now to hearken back to the 2008 US presidential election. Do you recall when Sarah Palin's email was hacked? It wasn't a hack, really. The whole to-do was caused by somebody who looked up a few details about her personal life in order to fake their way through Yahoo!'s password recovery steps. I imagine the entire process didn't take more than ten minutes, tops.
Now, granted, most of our lives are much more private than that of the average politician. But are you on Facebook? Twitter? Do you have a blog? Chances are that your personal info isn't too hard to find, either.
When it comes to keeping your accounts secure, nothing beats alphanumeric passwords. The safest way to go is to have an entirely random string of numbers and letters, but unless you're some kind of android, remembering a meaningless string of numbers and letters is going to be tough. My recommendation is to choose a memorable, non-obvious word and then get creative with your spelling.
What do I mean by a non-obvious word? Well, take the common variation "passw0rd." Replacing one letter in the most easily-guessed password ever is hardly going to do the trick. When choosing a new password, I like to start with a word that describes something that I can see from my desk. Let's put one together right now.
First things first, we'll throw some capitals in there. I'll use P and C, because they sound most like my initials.
Next, let's swap out a few letters.
And for the icing, we'll toss in some special characters. Now, not all sites will accept special characters, but it's always worth a shot.
Not bad, huh?
Random objects are just the tip of the iceberg. Acronyms are pretty solid, too. For example, "I Love Super Secure Computer Passwords" becomes "ILSSCP" (or "iLsSCp," or "1ls$cP"). If you want something easier to remember, think outside the box. Instead of your spouse's name, create a password based on your first date or an old inside joke. As long as the end result can't be found in a dictionary, you're good to go.
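The checks described above, as an added Python example that is not from the original post: it rejects passwords that sit on a small constructed common-password list, passwords built from names or dates the user supplies, and passwords that reduce to a dictionary word once the usual letter-for-symbol swaps are undone, which is exactly why "passw0rd" buys nothing over "password". The word lists, the ten-character minimum and the three-character-class rule are assumptions for the sake of the example, not anything the post specifies.

```python
"""Password hygiene checks: common list, personal details, and dictionary words
hidden behind letter-for-symbol swaps. All lists below are constructed samples."""
import re
from datetime import date

# Constructed sample data, not a real breach list or a full dictionary.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "letmein", "monkey", "iloveyou",
}
DICTIONARY_WORDS = {
    "password", "secure", "computer", "stapler", "coffee", "monitor", "keyboard", "sunshine",
}
# Each symbol maps to the letters it commonly stands in for; "1" is both "i" and "l".
LEET_MAP = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
    "$": "s", "@": "a", "!": "i", "+": "t", "|": "l",
}
MIN_LENGTH = 10  # assumed policy value; the post sets no explicit minimum


def unleet_variants(password, limit=4096):
    """Return the lowercase strings the password could have been typed from,
    undoing the usual swaps. Branching is capped at `limit` so a symbol-heavy
    input cannot blow up the search; past the cap characters stay literal."""
    variants = {""}
    for ch in password.lower():
        options = {ch}
        if ch in LEET_MAP:
            options.update(LEET_MAP[ch])
        expanded = {v + o for v in variants for o in options}
        if len(expanded) > limit:
            expanded = {v + ch for v in variants}
        variants = expanded
    return variants


def letters_only(s):
    return re.sub(r"[^a-z]", "", s)


def personal_tokens(profile):
    """Turn a profile into the strings a guesser would try first: names, pet names,
    and any birthday or anniversary in the common numeric layouts."""
    tokens = set()
    for name in profile.get("names", []):
        if len(name) >= 3:
            tokens.add(name.lower())
    for d in profile.get("dates", []):
        yyyy, yy = f"{d.year:04d}", f"{d.year % 100:02d}"
        mm, dd = f"{d.month:02d}", f"{d.day:02d}"
        tokens.update({yyyy, mm + dd, dd + mm, mm + dd + yyyy, dd + mm + yyyy,
                       yyyy + mm + dd, mm + dd + yy, dd + mm + yy})
    return tokens


def check_password(password, profile=None):
    """Return the list of reasons the password fails; an empty list means it passed."""
    reasons = []
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")

    variants = unleet_variants(password)          # always contains `lower` itself
    stripped = {letters_only(v) for v in variants}
    if variants & COMMON_PASSWORDS:
        reasons.append("is a common password (possibly with swapped characters)")
    if stripped & DICTIONARY_WORDS:
        reasons.append("reduces to a dictionary word once swaps and symbols are removed")

    if profile:
        hits = {t for t in personal_tokens(profile) if any(t in v for v in variants)}
        if hits:
            reasons.append("contains personal information: " + ", ".join(sorted(hits)))
    return reasons


if __name__ == "__main__":
    # Constructed profile of the kind a stranger could assemble from social media.
    demo_profile = {"names": ["Sarah", "Fluffy"], "dates": [date(2008, 9, 16)]}
    for candidate in ("passw0rd", "Fluffy2008!x", "1ls$cP", "iL$sCp-Dsk7!"):
        print(candidate, "->", check_password(candidate, demo_profile) or "ok")
```

The acronym "1ls$cP" from the post survives the dictionary and personal-information checks and is only caught by the assumed length minimum, while "passw0rd" trips the common-password check because its swap is undone before the lookup.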
...that is, you're good to go for your first password. Having one password for everything is risky business. Imagine if somebody gained access to something fairly inconsequential, like your reader account on a popular blog. If you use the same password for everything, they'd have access to your email, your bank, your credit cards. That's why using multiple passwords helps to keep the rest of your accounts safe in the event of an isolated security breach. I've got one password for my email, one for my bank, one for my web host, and a handful that I swap around for my other online accounts. I change them all every six months or so.
Some folks understandably have a tough time remembering multiple alphanumeric passwords. Writing yourself notes is okay, but be smart about where you store them. Don't leave them lying around on your desk, especially in a shared office. Tearing them up after you've memorized your passwords is always a good idea. Whatever you do, don't keep a master list of your passwords in your email, on your computer, or on an online storage service.
One of the best methods I've seen for keeping safe records of passwords comes from a former co-worker of mine. Every time she changed passwords, she printed out a spreadsheet of them. The spreadsheet file was immediately deleted from her computer. The physical copy was locked in a safe. It may sound like overkill, but I honestly can't think of a safer method.
If remembering passwords really isn't your strong suit, you might be interested in a program called 1Password. 1Password creates random passwords, stores them for you, and fills in login pages on your behalf. I haven't used 1Password myself, but all the users I know have nothing but good things to say. Feel free to chat about it in the comments if you've got any feedback.