15 November 2012


Cybersecurity writer Nicole Perlroth has a list of suggestions for devising passwords that will discourage hackers.  Her NYTimes article acknowledges that "Chances are, most people will get hacked at some point in their lifetime. All it takes is clicking on one malicious link or attachment.  The best they can do is delay the inevitable by avoiding suspicious links, even from friends, and manage their passwords.  Unfortunately, good password hygiene is like flossing ~ you know it's important, but it takes effort.  How do you possibly come up with different, hard-to-crack passwords for every single news, social network, e-commerce, banking, corporate and e-mail account and still remember them all?"

To answer that question, Perlroth consulted with two experts ~ a former hacker turned security tech officer, and a cryptographer.  Here is a summary of their ideas ~

  • Forget the dictionary ~ hackers often test passwords from a dictionary.  Your password should not appear there.
  • Never use the same password twice ~ once a hacker cracks your password at one site, she/he will see if it works at other sites on your computer.
  • Come up with a passphrase ~ longer is better, preferably 14 characters or more.  Rather than use recognizable words strung together, choose a phrase from a song, movie quote, or poem, then use only the first letter or two from each phrase word to construct your passphrase.
  • Or just jam on your keyboard ~ randomly hit letters and numbers, inserting the odd Shift and Alt strike.  Then copy the result into a text file stored on an encrypted, password-protected USB drive.  You won't have to remember the random set ~ you can access it on the USB.
  • Store your passwords securely ~ which means not in your inbox or on your desktop.  Store your password file on an encrypted USB drive.  Alternatively, simply write your password file on a piece of paper (or better yet, write password hints) kept in your wallet.
  • A password manager?  Maybe ~ some password protection software allows you to store usernames and passwords in one place.  Professionals avoid this approach, for two reasons ~ the software still lives in your computer, and if your computer is stolen, your goose is cooked.  Secondly, even protection cryptography can be hacked.
  • Ignore (or sidestep) security questions ~ the limited set of answers to generic questions like "what is your favorite color?", or "what is your mother's maiden name?", can be found online.  Hackers can use the information to reset your password and access your account.  Better to enter a password hint that has nothing to do with the security question itself.  For example, if the security question asks for the city in which you were born, establish a non sequitur response such as the phrase "your first pet's name".
  • Use different browsers ~ "Pick one browser for 'promiscuous' browsing ~ online forums, news sites, blogs ~ anything you don't consider important.  When you're online banking or checking e-mail, fire up a secondary Web browser, then shut it down.  That way, if your browser catches an infection when you accidentally stumble on an X-rated site, your bank account is not necessarily compromised.  As for which browser to use for which activities, a study last year by Accuvant Labs of Web browsers ~ including Mozilla Firefox, Google Chrome and Microsoft Internet Explorer ~ found that Chrome was the least susceptible to attacks."
  • Share cautiously ~ whenever possible, do not register for online accounts using your real e-mail address.  Instead use 'throw-away' e-mail addresses like those offered by 10minutemail.com .  Once users register and confirm an online account, the false e-mail address self-destructs.

There's an old warning to the effect that you should say or do nothing that you wouldn't want to see as a headline in the NYTimes.  Similarly, recognizing that you will almost certainly be hacked (and probably already have been), don't record anything personal online that you don't want falling into the wrong hands.
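
The passphrase, dictionary and reuse rules from the list above can be checked mechanically. The sketch below is an added example, not from Perlroth's article or her experts: it builds a passphrase from the first letter or two of each word and audits a set of passwords against those three rules. The phrase, the tiny word list and the account names are all constructed for illustration.

```python
import re

MIN_LENGTH = 14  # the "14 characters or more" guideline from the list

# Constructed stand-in for a cracking dictionary; a real audit would load a large wordlist.
SAMPLE_DICTIONARY = {"password", "sunshine", "dragon", "letmein", "monkey"}

# Constructed phrase (deliberately not a well-known quote).
PHRASE = "My neighbour's orange cat sleeps on the warm radiator every afternoon"


def abbreviate(phrase, letters_per_word=2):
    """Build a passphrase from the first letter or two of each word."""
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    return "".join(w.replace("'", "")[:letters_per_word] for w in words)


def audit(accounts, dictionary=SAMPLE_DICTIONARY, min_length=MIN_LENGTH):
    """Return {site: [problems]} for a {site: password} mapping.

    Rules checked: not a dictionary word (exact match, case-insensitive),
    at least min_length characters, and not reused on another site.
    """
    sites_by_password = {}
    for site, pw in accounts.items():
        sites_by_password.setdefault(pw, []).append(site)
    report = {}
    for site, pw in accounts.items():
        problems = []
        if pw.lower() in dictionary:
            problems.append("dictionary word")
        if len(pw) < min_length:
            problems.append(f"shorter than {min_length} characters")
        others = sorted(s for s in sites_by_password[pw] if s != site)
        if others:
            problems.append("reused on " + ", ".join(others))
        report[site] = problems
    return report


# Constructed accounts: one good passphrase, one reused dictionary word,
# and one abbreviation that keeps only a single letter per word.
SAMPLE_ACCOUNTS = {
    "bank": abbreviate(PHRASE),
    "email": "Sunshine",
    "forum": "Sunshine",
    "shop": abbreviate(PHRASE, letters_per_word=1),
}

if __name__ == "__main__":
    for site, problems in audit(SAMPLE_ACCOUNTS).items():
        print(site, "->", problems or "ok")
```

Note that keeping one letter per word of this eleven-word phrase falls short of 14 characters, while keeping two letters per word clears it.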
