You told someone else your password? Yikes! I’ve seen more accounts get stolen by that one simple act than by any other single cause. I sure hope you know what you’re doing – most people that have told a friend their password have come to regret it.
So what’s a bad password? One that someone could easily guess.
A good password? One that’s hard to guess, of course.
The problem is that people are way better guessers than you think. And it gets worse if the guesser starts using a computer to do the “guessing” for them.
What’s a bad password?
A bad password is any password composed of common words or names, particularly if the password is short. For example, “iLoveMikey” is a bad password. “mydogspot” is a bad password. “GeorgeInParis” is a bad password. All are simply combinations of words or names. On top of that, many people choose bad passwords that express information that someone who knows you might be able to guess. If your boyfriend’s name is “Mikey”, your dog’s name is “Spot”, or you met someone named “George” during a trip to Paris, these are all things that people who know just a little about you can use to start making some educated guesses as to what your password might be.
And as I said, people can be really good guessers.
The irony is that the people who know you the best – your friends – are the ones who can probably make the best guesses and are the most likely to guess your password if it’s a bad one.
Another problem with passwords made up from words and names is that it’s really easy for a determined hacker to set up a computer with a dictionary of words and names and have it start trying combinations until something works.
What’s a good password?
A good password is a long random sequence of characters – letters, numbers and any “special characters”. “qicITcl}” is a good password. “rAg2imWOIgIf47IM24busml6kpetPF9UGRpPAFBMCoSmSTptbDcOxwcG3aPoa79” is a great password. The best passwords are made up of completely random characters and are as long as you can make them.
You can see the problem – great passwords are impossible to remember. So if you can’t remember it, what good is it?
The solution is either a compromise, or the use of some technology.
The compromise I use works like this:
- I never include full English words or names – instead I use misspellings or phonetic sound-alikes
- I always include a mix of uppercase and lowercase letters and numbers
- I always make sure the password is at least eight characters long, preferably longer
So, for example, while “Macintosh” is bad, “Mac7T0sh” might be good and probably easier to remember. “HondaPrelude” is bad, but “Pre7ood6” is much, much better.
The bottom line for this compromise: pick a random looking password that YOU can remember but that “they” would never guess – and as I’ve said a couple of times, always assume that “they” are always really great guessers.
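Here is an added example (not from the original article) that turns the three compromise rules above, plus the “no dictionary words” idea, into a small checker, and separately estimates the size of the guessing space for a truly random password. The word list is a constructed stand-in for the dictionary a guessing program would use; a real one has millions of entries.

```python
import math
import string

# Constructed, deliberately tiny stand-in for the dictionary of words and
# names that a guessing program would try; real lists are far larger.
WORDLIST = {
    "love", "mike", "mikey", "dog", "spot", "george", "paris",
    "macintosh", "honda", "prelude", "password",
}


def dictionary_hits(password: str) -> list[str]:
    """Return the dictionary words or names that appear inside the password."""
    lowered = password.lower()
    return sorted(w for w in WORDLIST if w in lowered)


def compromise_check(password: str) -> dict[str, bool]:
    """Apply the article's compromise rules to a memorable (non-random) password."""
    return {
        "no_full_words": not dictionary_hits(password),
        "mixed_case": any(c.islower() for c in password) and any(c.isupper() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "min_length_8": len(password) >= 8,
    }


def is_acceptable(password: str) -> bool:
    """True only when every compromise rule passes."""
    return all(compromise_check(password).values())


def random_bits(password: str) -> float:
    """Guessing space, in bits, of a password drawn uniformly from the character
    classes it uses: log2(alphabet_size ** length). Only meaningful for genuinely
    random passwords, such as those from a password generator."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for pw in ["iLoveMikey", "mydogspot", "Macintosh", "Mac7T0sh", "HondaPrelude", "Pre7ood6"]:
        print(f"{pw:14} acceptable={is_acceptable(pw)} hits={dictionary_hits(pw)}")
    for pw in ["qicITcl}", "rAg2imWOIgIf47IM24busml6kpetPF9UGRpPAFBMCoSmSTptbDcOxwcG3aPoa79"]:
        print(f"{len(pw):3} random chars ~ {random_bits(pw):.0f} bits of guessing space")
```

Note that “qicITcl}” fails the compromise rules (no digit) yet is still a good password: those rules exist to make a memorable password unguessable, whereas a random string is judged by how many possibilities a guessing program must work through.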
Never, ever, write your password down on a piece of paper near your computer. Paper is definitely not the technology I’m talking about. It’s amazing how many passwords are stored on sticky notes right on the monitor, under the mouse pad or in a desk drawer. It’s not that hard for the motivated to go searching and find all that.
My old approach was to use an Excel spreadsheet with all account names and passwords – in fact I still do for much of my sensitive information. By itself, that’s incredibly insecure and dangerous. Anyone who can get hold of that spreadsheet has everything. Other people use simple text files, which suffer from the same fundamental flaw – it’s the moral equivalent of a sticky note. Anyone who has access to the file has all the passwords.
The solution is to encrypt the file. I’m not talking about the encryption built into applications like Excel – which I’m led to believe is reasonably easy to defeat – but an “industrial strength” encryption solution such as VeraCrypt. Using VeraCrypt you can control exactly when the information is actually visible, and the rest of the time it remains safely encrypted.
My current approach for website logins is to use Lastpass. Lastpass captures passwords when you enter them as you visit websites requiring login and then remembers them for you in an encrypted database. When you return to that site, RoboForm makes the login available for you automatically. It includes a handy random password generator. Since RoboForm remembers passwords for you, you can use completely random strings – the most secure passwords possible, as I described earlier.
But – be aware that Lastpass and the VeraCrypt-style of encrypted solutions both require one thing: a password to decrypt the database of passwords. That password needs to be something you can remember, yet something secure. Bear in mind, though, that this one password unlocks the vault to your entire set of accounts and passwords.