The photo above is from a poster I see around Ohio State once in a while. The caption reads, “Someone stole my password… now I have to rename my dog.” I think it is an elegant way to state what is a very important message: choose a strong password.
What is a strong password? One that cannot easily be guessed. It’s easy to find lists of the most common passwords used online and, invariably, password and 123456 (or similar) is at the top of every list. When I see this, I’m reminded of the movie Spaceballs, which was released in 1987. In one scene from this Star Wars parody, Dark Helmet learns that the combination to the air shield around planet Druidia is 12345, which Dark Helmet observes is the kind of thing an idiot would have on his luggage. The punchline, below, occurs when the air shield’s combination is revealed to President Skroob (Mel Brooks).
Besides being a chance to insert a gratuitous Spaceballs clip, what is the point? Well, even before we’d ever heard of email, 12345 was a bad password. Adding a 6 didn’t make it much better.
But even the brightest among us — celebrities — haven’t learned this lesson. It seems like every couple of weeks, there is a story about how Paris Hilton’s phone, Sarah Palin’s email, or Lindsay Lohan’s MySpace, Blackberry, and Gmail accounts have been hacked. All of these attacks succeeded because of weak passwords or easy-to-guess password reset answers (according to Wired: Tinkerbell as a reset answer, Wasilla High as a reset answer, and 1234 as a password, respectively). Startlingly, trying the top 10 or 20 passwords (and their variants such as 123, 1234, 12345, etc.) could unlock as many as 20% of online accounts, according to John P. on One Man’s Blog.
So, maybe you’re not Lindsay Lohan, but you probably still have information you want to protect. And gaining access to one account can probably lead to access to all of them. So even if your Facebook isn’t important enough to warrant a strong password, what information in that account could be used to access your email and then your online bank account?
What makes a strong password? When students set up their OSU email accounts, I direct them to OSU’s password policy, which requires passwords to be at least 8 characters and some combination of alphabetic, numeric, and punctuation characters. Also, an OSU password cannot contain the same character three times or more in a row, fewer than four different characters, or easily guessed phrases and words. You can even rate your new password at the top of the page to see if your password is acceptable. 1234 returns the message “Unacceptable – Your new password is too short.” (Sorry, Lindsay Lohan.)
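As an added illustration (not OSU’s own checker), here is a small Python function that applies the rules just listed, with a constructed list standing in for the “easily guessed phrases and words” check; it also undoes the common digit-for-letter substitutions before that check so that p4$$w0rd is still recognised as “password”:

```python
import re

# Added example, not OSU's own checker: the rules described on this page, with a
# small constructed list standing in for "easily guessed phrases and words".
COMMON_WORDS = ("password", "123456", "12345", "1234", "qwerty", "letmein")

# Undo the substitutions this page uses (0->o, 1->l, 3->e, 4->a, 8->b, $->s, @->a)
# so that p4$$w0rd is still recognised as "password".
UNLEET = str.maketrans("01348$@", "oleabsa")


def check_password(pw: str) -> str:
    """Return 'Acceptable' or an 'Unacceptable - <reason>' message."""
    if len(pw) < 8:
        return "Unacceptable - Your new password is too short."
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_punct = any(not c.isalnum() for c in pw)
    # "Some combination" is read here as at least two of the three classes (assumption).
    if has_alpha + has_digit + has_punct < 2:
        return "Unacceptable - Mix alphabetic, numeric, and punctuation characters."
    # Same character three or more times in a row.
    if re.search(r"(.)\1\1", pw):
        return "Unacceptable - No character may appear three or more times in a row."
    if len(set(pw)) < 4:
        return "Unacceptable - Use at least four different characters."
    lowered = pw.lower()
    forms = (lowered, lowered.translate(UNLEET))
    if any(word in form for word in COMMON_WORDS for form in forms):
        return "Unacceptable - Contains an easily guessed word."
    return "Acceptable"


if __name__ == "__main__":
    for candidate in ("1234", "p4$$w0rd!", "aaab1234!", "0c1$0p4$t4mR"):
        print(f"{candidate!r}: {check_password(candidate)}")
```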
Still having trouble? John P. has some good tips in his article. One approach is to substitute numbers and punctuation in place of some letters in a word. This can make your password exponentially tougher to crack. For example, gobuckeyes could become g08uck3y3$. But even a n00b knows we could do better. Instead of starting with a word, consider taking the first letter of each word in a phrase or song to create an easy-to-remember but seemingly random string. For example, the first letter from each word in the first two lines of Carmen, Ohio would give us oclsopastamr. Now substitute numbers and symbols for a few of these letters and you have a pretty robust password: 0c1$0p4$t4mR.
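The phrase-to-password steps above, as an added Python example that is not code from the original post: it takes the first letter of each word, applies the same substitutions the post uses (o→0, b→8, e→3, s→$, l→1, a→4) and upper-cases the final character, reproducing both g08uck3y3$ and 0c1$0p4$t4mR. The naive_bits figure is what the string would be worth if it were truly random; cracking tools try exactly these substitutions, so the real gain from that step is smaller than the number suggests.

```python
import math
import re

# Added example of the technique described above, not code from the original post.
# Substitution table as used on this page: o->0, b->8, e->3, s->$, l->1, a->4.
SUBSTITUTIONS = str.maketrans("obesla", "083$14")


def acronym(phrase: str) -> str:
    """First letter of each word, lower-cased; apostrophes stay inside words."""
    words = re.findall(r"[A-Za-z][A-Za-z']*", phrase)
    return "".join(w[0].lower() for w in words)


def substitute(word: str) -> str:
    """Apply the substitutions and upper-case the final character (as in 0c1$0p4$t4mR)."""
    out = word.translate(SUBSTITUTIONS)
    return out[:-1] + out[-1].upper() if out else out


def from_phrase(phrase: str) -> str:
    """The whole recipe: phrase -> first letters -> substituted string."""
    return substitute(acronym(phrase))


def naive_bits(pw: str) -> float:
    """Strength if the string were random: length * log2(alphabet size),
    counting the character classes present (26 lower, 26 upper, 10 digits, 32 symbols)."""
    alphabet = 0
    alphabet += 26 if any(c.islower() for c in pw) else 0
    alphabet += 26 if any(c.isupper() for c in pw) else 0
    alphabet += 10 if any(c.isdigit() for c in pw) else 0
    alphabet += 32 if any(not c.isalnum() for c in pw) else 0
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


# Opening two lines of Carmen, Ohio, the phrase the post uses.
CARMEN = "Oh! Come let's sing Ohio's praise, And songs to Alma Mater raise;"

if __name__ == "__main__":
    print(acronym(CARMEN))            # oclsopastamr
    print(from_phrase(CARMEN))        # 0c1$0p4$t4mR
    print(substitute("gobuckeyes"))   # g08uck3y3$
    print(round(naive_bits(from_phrase(CARMEN)), 1))
```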
(Incidentally, I wouldn’t recommend using that or any of the passwords you read here because any one of the tens of people who read this could then guess your password, but you can see how a strong password could be generated.)
Not feeling creative enough to make your own password? Another approach is to use one of several password generators available online. For example, grc.com has a page that generates strings of random characters each time the page is loaded. Take as many as you need to create a strong password. Another resource is onlinepasswordgenerator.com which generates 10 passwords at a time and can be configured to include numbers, punctuation, and capital letters, depending on your needs.
One final concern is having to remember passwords for so many different accounts. Consider creating a simple algorithm that will alter the password slightly for each account. For example, once you’ve committed 0c1$0p4$t4mR to memory, you could use 0c1$0p4$t4mRe for your email account, 0c1$0p4$t4mRb for your bank, and 0c1$0p4$t4mRfb for your Facebook account. If you instead insert the letters in the middle of the string, or add the number of letters in the account’s name, each individual password would look even more random while all of them stay easy for you to remember.
I hope this post helps to make the internet a safer place for you. If you recognized any of the passwords I’ve included here (especially the ones near the top), go update your accounts. Or, change your dog’s name.
2 responses to “How Safe Are You?”
These are some great tips! I love the suggestion to use simple variants to the same password.
Thanks, Megan. It’s my own innovation, though I’m sure others have stumbled on to it, too. The only drawback would be that if the algorithm you use is as simple as the one above (i.e., add a b for bank, an e for email, etc.), all of your accounts could be less secure, because if someone has one password and figures out the algorithm, then they all get hacked.