Is your password …?
Is your password …? a reader asks…
Hi Chris, I just found your website, what a jewel! A quick look through got me a little scared. I’m embarrassed to say I use the same password for almost everything, and I’m now sure it’s easy to be guessed. And haven’t thought much about the whole security thing. I’ve been lucky so far, but know I need to fix some things. I’m going to take your advice about LastPass, and start changing passwords. Is there anything I should know about what kind of passwords to use or not use?
Thanks for the compliment! If you read nothing further, please read this: the longer the password, the better. If you’re gonna read further, read two more tips:
- Don’t use words in any language, or consecutive or repeated words, letters or numbers, and
- Use all the type-able characters on your keyboard you can. In addition to both uppercase and lowercase letters and numbers, that means characters like: ! @ # $ % ^ & * ( ) - _ + = { [ ] } \ | < > ? /
Do I have you hooked? Keep reading! It all comes down to math. There are about 88 type-able characters on your keyboard you can realistically use to create a password (some special characters are forbidden by some websites). For each character you add to your password, you multiply the potential combinations by 88. So:
- a six-character password has over 450 billion potential combinations
- a seven-character password has over 40 trillion potential combinations
Please note that both these are easy for a hacker to crack. At this point, anything less than 13 truly randomized characters is hack-able within hours or a few days. Hackers use souped-up computers with off-the-shelf hardware that lets them guess hundreds of billions of passwords per second. They also use lists of fairly common passwords, word lists, and other tools (such as ‘Markov Chains’) easily found on the internet. A white-hat hacker recently was able to crack any number-only password from 1-12 digits in length in less than four minutes just by using brute force.
Prescription: Make or use no password shorter than 13 characters, make sure it’s made up of all type-able character types, and make sure it’s random. You can try to get cute with an acronym or something to help you remember, but please, forget it. Just use a password manager, and its built-in password generator. If you’re using LastPass, this is as easy as choosing to allow all character types and checking off all the boxes for character types in the advanced options of the password generator.
You should use the password generator anytime you make a password change or create a password for an online destination. I like LastPass because it’s fairly low-cost yet full-featured. I know it’s drudge work to go to every online destination and change your password, so don’t try to do it all at once – pace yourself. If you devote a little time each day, and change the password any time you visit a website where you’ve got a user account (and haven’t already changed the password), LastPass will keep track of it all for you. In a short while, you’ll be very much more secure in your digital life. Note: I reserve the right to increase my recommendation over 13 characters as more powerful computing capabilities appear.
Earlier I mentioned that hackers have lists of passwords. These are quite extensive, and hackers can get into about 80% of online accounts on the internet pretty easily. That’s because most people (I’m no longer talking about you, congratulations!) use really stupid and/or short passwords. For example, the recent Adobe hack of over 130 million users resulted in a list of 100 of the most common passwords that Adobe users used. Here are 99 of them (I won’t put objectionable language on my website):
123456, 123456789, password, adobe123, 12345678, qwerty, 1234567, 111111, photoshop, 123123, 1234567890, 0, abc123, 1234, adobe1, macromedia, azerty, iloveyou, aaaaaa, 654321, 12345, 666666, sunshine, 123321, letmein, monkey, asdfgh, password1, shadow, princess, dragon, adobeadobe, daniel, computer, michael, 121212, charlie, master, superman, qwertyuiop, 112233, asdfasdf, jessica, 1q2w3e4r, welcome, 1qaz2wsx, 987654321, fdsa, 753951, chocolate, soccer, tigger, asdasd, thomas, asdfghjkl, internet, michelle, football, 123qwe, zxcvbnm, dreamweaver, 7777777, maggie, qazwsx, baseball, jennifer, jordan, abcd1234, trustno1, buster, 555555, liverpool, abc, whatever, 11111111, 102030, 123123123, andrea, pepper, nicole, killer, abcdef, hannah, test, alexander, andrew, 222222, joshua, freedom, samsung, asdfghj, purple, ginger, 123654, matrix, secret, summer, 1q2w3e, snoopy1
Please don’t let your password be one of these, or one of the millions of other equally bad passwords being used today by naive internet users.
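To make the prescription and the common-password warning concrete, here is an added example (not code from this site or from LastPass) that generates a password with the operating system's secure random source and lists the reasons a given password fails the advice above. The function names, the 86-character alphabet and the six-entry `COMMON` set are assumptions chosen for illustration.

```python
import secrets
import string

# Assumption: the page says "about 88" usable characters but does not enumerate
# them; this alphabet is letters, digits and the 24 symbols the page lists.
SYMBOLS = "!@#$%^&*()-_+={[]}\\|<>?/"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)
MIN_LENGTH = 13  # the page's recommended minimum

# A few entries copied from the page's Adobe list; a real check would load a full list.
COMMON = {"123456", "password", "qwerty", "letmein", "abc123", "trustno1"}


def keyspace(length, alphabet_size=88):
    """Number of possible passwords: alphabet_size multiplied by itself `length` times."""
    return alphabet_size ** length


def has_run(pw):
    """True if three neighbouring characters repeat (aaa) or count up/down (abc, 321)."""
    for i in range(len(pw) - 2):
        chunk = pw[i:i + 3]
        a, b, c = (ord(ch) for ch in chunk)
        step = b - a
        if step == c - b and (step == 0 or (abs(step) == 1 and chunk.isalnum())):
            return True
    return False


def problems(pw):
    """Return the reasons a password fails the page's advice (empty list = passes)."""
    found = []
    if len(pw) < MIN_LENGTH:
        found.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON:
        found.append("is on the common-password list")
    if not all(any(ch in cls for ch in pw) for cls in CLASSES):
        found.append("does not use every character type")
    if has_run(pw):
        found.append("has a repeated or sequential run")
    return found


def generate(length=MIN_LENGTH):
    """Draw characters from the OS CSPRNG until the result passes every check."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not problems(pw):
            return pw
```

Calling `generate()` returns a fresh 13-character password each time, and `problems("password")` shows why a short dictionary word fails on several counts at once.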