By Vanessa McGrady and Zhenia Vasiliev
As you sit and try to remember what the new password is for any of your online accounts, chances are, a hacker already knows what it is.
Because so many people use the same combination of words or similar logic to create passwords, about 90 percent of them are predictable—thus hackable.
In some cases, it may seem like a weak password is no big deal and someone can only do so much harm logging into your Facebook account. But that website may reveal clues that can help someone crack into more critical accounts, like your financial institutions, health care, or email. Or it could enable someone to hijack your email and social media accounts and wreak havoc on your networks under your name.
Password expert Lorrie Faith Cranor is a professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, where she's the director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering master's program. She says that in general, the longer the password, the better—and better still is if it has elements of randomness.
“It's more of a spectrum than a hierarchy. Fifteen random characters is good and 18 is even better, and 25 is even better, but the longer you go, the more annoying it is to use the password,” she says.
The inherent trouble with a long and complicated password is that it's harder to remember. Cranor suggests a couple of tricks to come up with something original and memorable that a computer program running trillions of guesses might miss. The first is to crack open a book, pick three words from different pages, and string them together. Another is to think of a sentence—but not something as common as song lyrics or your favorite sports team's cheer—and use the first one or two letters of each word in the sentence. Add some capitalization and punctuation, but not in the obvious places, so don't put your capital letter as the first letter. Instead, put it somewhere in the middle. A sentence like “She has flowers on her dress!” would translate to sHhaFl0nheDr!
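To put Cranor's "spectrum" into numbers, here is an added example (not from the article or from Cranor's lab) that estimates the guess space of the schemes described above, random characters of 15, 18 and 25 characters and three words taken from a book, against a guesser running a trillion guesses per second. The guess rate, the 95-character printable alphabet and the 20,000-word vocabulary are assumptions chosen for illustration; the word-based estimate assumes the attacker knows the scheme and the vocabulary, which is the cautious way to judge it.

```python
import math

# Assumed attacker speed: "trillions of guesses" in the article, taken as 10^12 per second.
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_random(length: int, alphabet_size: int = 95) -> float:
    """Entropy in bits of `length` characters drawn uniformly from an alphabet
    (95 = printable ASCII, an assumption for this example)."""
    return length * math.log2(alphabet_size)


def bits_book_words(words: int = 3, vocabulary: int = 20000) -> float:
    """Three words from random book pages: the strength comes from the size of the
    vocabulary the attacker must search, not from the number of characters typed.
    Assumes the attacker knows the scheme and a 20,000-word vocabulary."""
    return words * math.log2(vocabulary)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return 2 ** (bits - 1) / rate


def compare_schemes() -> dict:
    """Return {scheme: (bits, expected seconds, expected years)} for the article's cases."""
    schemes = {
        "15 random characters": bits_random(15),
        "18 random characters": bits_random(18),
        "25 random characters": bits_random(25),
        "3 book words (20k vocabulary)": bits_book_words(3, 20000),
    }
    out = {}
    for name, bits in schemes.items():
        secs = expected_crack_seconds(bits)
        out[name] = (bits, secs, secs / SECONDS_PER_YEAR)
    return out


if __name__ == "__main__":
    for name, (bits, secs, years) in compare_schemes().items():
        print(f"{name:32s} {bits:7.1f} bits  ~{years:.3g} years ({secs:.3g} s)")
```

The word-based scheme comes out at a few seconds when the attacker knows the vocabulary, which is why the article's advice to pick words from different pages of a book (rather than common words) and to add length matters more than it first appears.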
Cranor warns against using the same password for every account. “Save your really good passwords for the important accounts,” she says. And hopefully, your home and business network are secure too, so even if they do get hacked, you're not making it easier for someone to steal your information.
Last year, Sony was victimized by a large hacker attack and accused of having weak network security. Once the hackers got in (and it's still unclear exactly how), they found unencrypted files that led to employee passwords and other sensitive information like credit card numbers, salaries, performance reviews, confidential emails, and home addresses. One “don't” you usually hear from your IT person at work is to never write down your password—but actually, that's OK, says Cranor. Just don't put it on the computer or in an obvious place, like on a Post-It on your monitor.
You can also use one of several digital password managers on your computer to help keep track. “The only people who are going to be able to get your password if it's written down are people who have physical access to wherever you wrote your password down,” Cranor says. “All the attackers on the internet, they're not going to be able to access your written-down password.”