The Sad State of Passwords

[Image: a random password]

Here’s the hard truth: your password, well, it’s no good.  Does it include a word found in the dictionary, a name, a date, or even numbers that look like letters (e=3, i=1, o=0, etc.)?  Yup, no good.  Do you use the same password for some or even all your websites?  Tsk, tsk.  The practice of password cracking has never been easier thanks to a number of windfall events for hackers, namely the public release of numerous huge password databases from hacked websites and the development of more advanced and specialized tools.  What’s worse, the security of your password isn’t always wholly dependent on you but on the websites you use.  I know it’s hard; you have trouble remembering your passwords, etc., and I’m sorry, but in today’s world those excuses just aren’t acceptable.  Practicing good password hygiene isn’t a suggestion if you want to survive online, it is now a requirement.  Please read on!

First of all, let’s talk about constructing better passwords.  As I mentioned above, if there is anything even remotely machine-recognizable about your password, it needs changing, particularly if it is for a website that stores your financial information.  Here are the criteria you should use for picking a new password:

  1. Find out the maximum password length a particular website allows and match it, or at least come close: eight characters should be your absolute minimum length;
  2. Use a random or seemingly random password that includes mixed-case letters, numbers, and if the site will allow it, special characters;
  3. Do not use the same password for any other website you belong to;  
  4. Change your passwords on a regular basis, at least two or three times a year; the more frequently you change them, the better.  

The two big problems here are creating these passwords and then remembering them.  To create passwords, I use a random password generator such as  But that’s not the only solution for creating seemingly random passwords.  You can custom-build your own password cypher, which can actually be a good bit of fun as you come up with its rules. You’ll feel like a spy.  Here’s an example:

  1. Come up with a series of words that you can easily remember, like a bunch of family members’ full names or a quote that you particularly enjoy.  For this example I’ll use one of my favorite Groucho Marx quotes, something I can recall instantly: “Outside of a dog, a book is a man’s best friend.  Inside of a dog it’s too dark to read.”
  2. Let’s take the first letter of every word; if you like you can use the second letter or third, skipping those words that aren’t so long.  So we come up with “ooadabiambfioaditdtr.”
  3. Now shift every letter one place to the right in the alphabet: ppbebchbncgjpbehueus.
  4. Now do some simple letter/number substitution: ppb3bchbncgjpb3hu3u5
  5. Finally, capitalize every third letter: ppB3bcHbnCgjPb3hU3u5.  
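The five steps above, written out as a small Python script so you can see each rule applied mechanically.  This is an added illustration, not code from the original post; the digit substitutions it uses (e=3, s=5) are inferred from step 4, and because it applies every rule literally its output differs in a few positions from the hand-worked strings above.

```python
"""Mnemonic password cipher: initials -> alphabet shift -> digit substitution -> capitals."""
import string

# Assumption: substitution table inferred from the post's step 4 (e -> 3, s -> 5).
DEFAULT_SUBS = {"e": "3", "s": "5"}


def initials(phrase: str, position: int = 0) -> str:
    """Take the letter at `position` from each word, skipping words that are too short.
    Punctuation and apostrophes are ignored, so "man's" contributes its 'm'."""
    letters = []
    for word in phrase.split():
        word = "".join(ch for ch in word if ch.isalpha()).lower()
        if len(word) > position:
            letters.append(word[position])
    return "".join(letters)


def shift_letters(text: str, k: int = 1) -> str:
    """Shift each lowercase letter k places right in the alphabet, wrapping z -> a."""
    alpha = string.ascii_lowercase
    return "".join(alpha[(alpha.index(c) + k) % 26] if c in alpha else c for c in text)


def substitute(text: str, subs: dict = None) -> str:
    """Replace letters with look-alike digits according to `subs`."""
    subs = DEFAULT_SUBS if subs is None else subs
    return "".join(subs.get(c, c) for c in text)


def capitalize_every(text: str, n: int = 3) -> str:
    """Upper-case every n-th character (3rd, 6th, ...); digits are unaffected."""
    return "".join(c.upper() if (i + 1) % n == 0 else c for i, c in enumerate(text))


def cipher_password(phrase: str, position: int = 0, k: int = 1, n: int = 3) -> str:
    """Apply the four transformations in the order the post describes."""
    return capitalize_every(substitute(shift_letters(initials(phrase, position), k)), n)


if __name__ == "__main__":
    quote = ("Outside of a dog, a book is a man's best friend. "
             "Inside of a dog it's too dark to read.")
    print(cipher_password(quote))  # -> ppB3bCjbNcgJpb3ju3u5
```

Changing `position`, `k` or `n` gives you a different cipher from the same memorable phrase, which is the point of keeping the rules private.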

That’s just one way to create a password cypher.  You can make up your own rules using words or names that are easier for you to remember.  Then with that cypher in mind, your password hints can be the source of the words being used.  

Whether you randomly generate your passwords or create a cypher to better remember them, it can still be daunting trying to keep track of them all. I don’t know about you, but I log in to at least five different sites daily and frequently more. Many people let their browsers remember their passwords for them, but why any Web browser still offers this option is beyond me since it is a point of extreme vulnerability, especially for a shared computer.  No, what you need is a password manager.  

A lot of people I know rely on LastPass, a very nifty free tool for password management if you use it correctly.  LastPass works by requiring a master password to protect all your other passwords.  With this in mind, you need to create as secure and complex a master password as you can possibly remember and change it regularly.  I love LastPass because you can install it on your computer, and it will keep track of your passwords for all of your Web browsers simultaneously; so if you log in to Amazon using Chrome, LastPass will remember that information, and later if you log in to Amazon using Firefox or Internet Explorer, it will take the information from Chrome and apply it to your current browser.  To use LastPass in the most secure manner possible, you need to have it prompt you for your master password each time you log in to a website.  Otherwise LastPass will auto-login to a site no matter who’s sitting at your keyboard.  To do this, always tell LastPass to Require Password Reprompt when logging in to a site for the first time, as displayed below:

LastPass is a great password management solution, but I’m a little more paranoid than the average bear, so my process is more complex.  You can follow my example or not, but here it is.  

First of all, I use a free, open source program called KeePass.  KeePass is less automated than LastPass, but a little more customizable.  I like to store my KeePass database file in a Dropbox folder (also locked with an extremely complex password); this means that any password changes I make to the database file are automatically pushed to all my other computers with the Dropbox software installed.  When creating a KeePass database for the first time, you’re offered the chance to also protect it with a Key File, which must be supplied when unlocking the database:

I carry this Key File with me on a flash drive and have it backed up in a few other places to be safe.  So any time I want to log in to my KeePass database I must have both the password and the Key File; one without the other is useless.  That added layer of security makes me feel much better about my online identity.  

As I said in my introduction, taking steps like these is not a suggestion, it is a requirement if you want to keep your identity secure.  You might think I'm exaggerating or just offering my opinion.  I'm not.  Most passwords are so ridiculously easy to crack it boggles the mind.  If I'm making you paranoid, good, I mean to.

However, even when we do everything right, we can still find ourselves in trouble through no fault of our own.  You might have heard in the news about lots of large, membership-based websites having been hacked and their password databases stolen.  This isn’t the end of the world if the website in question has been protecting its password database properly, that is, storing salted hashes of the passwords rather than the passwords themselves, but quite a few of them have been storing their passwords in plain text, meaning that once the database has been stolen, all the passwords can be read without difficulty.  Hackers like to share these databases online, making their passwords viewable by everyone, which is just one of the factors contributing to the advancement of password cracking.  This is why you absolutely must use a different password for every website you’re a member of: if your password is compromised for one website, it cannot then be used to steal information about you from any other website.
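To make the difference concrete, here is an added example (not from the original post) of the two ways a site might hold your password: a plaintext table like the ones in the leaks described above, and a record built with a salted, deliberately slow key derivation function (PBKDF2-HMAC-SHA256 from the Python standard library).  The two-user table and the iteration count are constructed sample values.

```python
"""Plaintext vs. salted-hash password storage, and what each reveals when leaked."""
import hashlib
import hmac
import os

# Constructed sample: two users who happen to share a password, as a leaked table holds them.
PLAINTEXT_TABLE = {"alice": "Summer2012!", "bob": "Summer2012!"}

ITERATIONS = 210_000  # PBKDF2 work factor (assumed value); raise it as hardware gets faster


def store_password(password: str, salt: bytes = None) -> str:
    """Return a storable record: algorithm, iterations, random salt and derived key.
    A fresh 16-byte salt per user means identical passwords produce different records,
    so a thief cannot spot reuse or crack everyone with one precomputed table."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def leaked_records_reveal_reuse(table: dict) -> bool:
    """In a plaintext (or unsalted) dump, equal records instantly expose shared passwords."""
    values = list(table.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    hashed_table = {user: store_password(pw) for user, pw in PLAINTEXT_TABLE.items()}
    print("plaintext dump shows reuse:", leaked_records_reveal_reuse(PLAINTEXT_TABLE))
    print("salted-hash dump shows reuse:", leaked_records_reveal_reuse(hashed_table))
    print("alice can still log in:", verify_password("Summer2012!", hashed_table["alice"]))
```

The slow hash only buys time against guessing; a password that is itself a dictionary word or reused elsewhere is still the weak link, which is why the site's storage and your own habits both matter.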

We’re working on our third decade of being on the Web and while our password strategies, if indeed they warrant the term, are largely the same, hackers’ tools are advancing daily.  It’s time to grow up and take full responsibility for our lives online!