Repost (and Edited): Creating Good Passwords

This is originally a post I did back in 2008, which I have edited to tweak some of my original recommendations. This has become especially important as sites like Facebook, Twitter, and webmail services are increasingly the focus of online attacks.

Most companies and universities have password policies in place that enforce complexity requirements. But do you have a good policy you use for your personal accounts? You should create good strong passwords for any accounts you access – your email, Facebook, Twitter, eBay, online merchants, your personal finance file on your system, etc.

When creating your password, it should:

  • Be at least 10 characters long, but be easy to remember (more on this in a second).
  • Contain at least one capital letter, a digit, and a special character along with the lower case letters. Some web sites may not allow special characters (shame on them!!), so be creative with more digits (preferably) or capital letters.
  • Not be built from a dictionary word or any name – including character substitution!! For example, password is obviously a BAD password, but P@ssw0rd is also a bad password. Another example here would be something like Und3rd0g! or T0m&J3rry (guess I’m in cartoon mode here). Hacking utilities would have these figured out in very little time.
  • Not contain sequences, patterns, or repeated characters, for example 123, 111, qwerty, etc.

So I mentioned making your password at least 10 characters. I used to like to make them 8 characters exactly. Perhaps this is because of my past experience using UNIX systems, where only the first 8 characters were significant (standard UNIX at the time ignored anything after 8 characters), but I also thought 8 characters would be easier for most people to remember. Now I think 10 would be fairly easy, with time, to commit to memory. Once you get used to your new password, it will become second nature. What you don’t want is to have to write the password down and stick it to your monitor; it should be something you can commit to memory. If you must write it down initially, keep it in your wallet or someplace safe and not viewable, but DON’T write down your username or what site or service it is for. Even then, only keep it until you have memorized it, then shred it.

So given the rules, how do you actually create a good password? Think of a phrase nine or ten words long, and then use the first letter of each word to build your password, mixing in capitals, symbols, and digits. If you use nine words, you can use punctuation as the last character. If you can easily remember a longer phrase and the password you create from it, certainly go for it. Some examples (don’t use these for yourself, though):

Phrase: I really found the Science Attic very useful today!
Password: Irft5@VuT!

Phrase: My new golden retriever Fido is the best dog ever
Password: MngrF1tBde

Phrase: Firefox and Chrome are great internet browsers everyone can use
Password: F&C@giB3cu
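The four rules listed earlier, applied to the sample passwords above, as an added example that is not part of the original post. The word list, the substitution table, and the threshold of four extra capitals/digits when a site forbids special characters are this example's own assumptions; a real checker would load a full dictionary and name list.

```python
import re

# Constructed stand-in for a real word/name list (assumption; load a full dictionary in practice).
DICTIONARY = {"password", "underdog", "jerry", "fido", "welcome", "letmein"}

# Substitutions that cracking tools undo, so "P@ssw0rd" is still read as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_pattern(pw, n=3):
    """True if any n-character window repeats (111), counts up (123, abc)
    or runs along a keyboard row in either direction (qwe, poi)."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {0} or steps == {1}:
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw):
    """Return the rules from the post that pw breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    upper = len(re.findall(r"[A-Z]", pw))
    digits = len(re.findall(r"\d", pw))
    special = len(re.findall(r"[^A-Za-z0-9]", pw))
    if not (upper and digits and re.search(r"[a-z]", pw)):
        problems.append("needs a capital letter, a digit and lower case letters")
    # Sites that forbid special characters: make up for it with more digits/capitals.
    # Requiring four capitals/digits in total is this example's own assumption.
    if special == 0 and upper + digits < 4:
        problems.append("no special character and too few extra digits/capitals")
    # Undo substitutions and drop punctuation, then look for a word or name inside.
    plain = re.sub(r"[^a-z0-9]", "", pw.lower().translate(LEET))
    if any(word in plain for word in DICTIONARY):
        problems.append("built from a dictionary word or name, even with character substitution")
    if has_pattern(pw):
        problems.append("contains a sequence, pattern or repeated characters")
    return problems


if __name__ == "__main__":
    for sample in ("P@ssw0rd", "Und3rd0g!", "T0m&J3rry", "Irft5@VuT!", "MngrF1tBde", "F&C@giB3cu"):
        print(f"{sample:12} -> {check_password(sample) or 'OK'}")
```

The three phrase-derived samples pass every rule, while the substitution examples from the rules list are caught both as too short and as dictionary words once the substitutions are undone.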

So you get the idea. And you can get really creative with this, so have a little fun with it. 🙂

There are password creators/managers, although I haven’t really evaluated any of them and I personally think the best password manager is the one between your ears. The idea is the same though – keeping your accounts that much more secure.

Sigh… Oh Facebook

I usually don’t like to post rants, but once again (and this is the reason for the “sigh” – the type of sigh a parent gives a child who keeps doing the same thing and keeps getting in trouble for it), Facebook has forced upon their users “enhancements” that open up privacy concerns. This time though, US senators are weighing in. Now I usually do not have much faith in any government body to speak to technology issues adequately, but in this case, they echo the concerns many folks have. What I would hate to see though is government feeling the need to legislate regulations; instead technology companies should exercise some self-policing and check themselves before doing something that their audience, or a good portion thereof, may take exception to.

So here are a couple of simple things that could have helped Facebook, had they thought of them, regarding these personalized site experiences that they are piloting.

1. It’s a pilot. Pilot programs do not place 100% of their users into the program, especially without their consent.

2. Any feature add that has the potential to broaden exposure of someone’s data needs to be OPT-IN. If the feature is that good, those people who want it will opt-in. Others simply don’t need to do anything and feel like nothing is being forced upon them. Let the features sell themselves.

There are plenty of privacy controls in Facebook, but in this case the opt-out process is multi-step and may not be all that intuitive for everyday users. As they add more partner sites with their respective applications, will one need to opt-out of each one individually? That would become quickly unmanageable.

Hopefully Facebook will slow down a bit, think first, then execute their moves on their own – before others, whom neither we nor they may want involved, do it for them.