January 11, 2013

How to Create a Secure Password

If your password is password, your children's first names or 222222, this blog post goes out to you.

It's hard to remember twenty different passwords for your bank, email, online shopping and every social network you belong to. But the truth is, bad guys are crafty, free password-cracking tools are widely available, and today's computing power makes quick work of even moderately complex passwords. I'd be willing to bet my Lookout water bottle that your password could be stronger. To keep your phone secure, you'll need to create (and remember!) strong passwords both for your lock screen and for the different accounts you use on the internet.

Here are a few tips we pulled together to help. Keep in mind, this alone won't keep you secure — but it's a step in the right direction.

Specific to mobile phones:

  1. Make sure your phone has a password-protected lock screen. An alphanumeric password is the strongest option on Android, but a numeric PIN is better than nothing.
  2. Say yes to two-step authentication if it's offered. Many mobile banking websites and apps will send a code to your mobile phone that you then enter when you access the account or app.
  3. Set your phone to lock automatically when it goes to sleep or has been idle for a few minutes.
  4. Encrypt the data on your phone so that it's protected from snooping when the phone is powered off. iOS devices encrypt automatically; Android users can enable encryption in “Settings.”
  5. Turn off “Make passwords visible” so that potential snoopers can't easily read your password as you type it.

For Internet passwords (which are now often accessed on your phone):

  1. As much as possible, each password you use on the Internet should be different from every other one you use. Reusing a password across multiple accounts creates a single point of failure: one breached site exposes all of them.
  2. Use different email addresses for different accounts. Keep a separate “junk” email address for spam and for free sites that require a login.
  3. Don't use dictionary words unless you are stringing them together into some sort of unlikely phrase: JennaSurfsHamBoatsForChristmas > jenna123. (Neither of these is my password, BTW.) This XKCD comic offers a witty take on why this is the case.
  4. The longer and less predictable the combination of letters, numbers and symbols, the more computing power is needed to crack the password. The most secure passwords are therefore random, but they don't have to be unmemorable. Thieves already account for simple letter/number substitutions, like 3 for E or $ for S, so P@$$w0rd is really no safer than password.
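As an added example (not from the original post), here is a small Python strength estimator that applies the two observations above: a dictionary word costs an attacker one lookup rather than a brute-force search, and leet substitutions are undone routinely, so the cracker's cost is the cheaper of the raw and de-leeted spellings. The word list and substitution map are constructed stand-ins, so only the relative rankings are meaningful, not the absolute bit counts.

```python
import math
import re

# Constructed, deliberately tiny stand-in for the multi-million-entry word
# lists that cracking tools ship with; a real checker would load one from disk.
COMMON_WORDS = {"password", "jenna", "surfs", "ham", "boats", "for",
                "christmas", "welcome", "letmein"}

# Substitutions that cracking rule sets undo as a matter of course.
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t"}


def unleet(password):
    """Map P@$$w0rd back to Password: the first thing a rule set tries."""
    return "".join(LEET.get(ch, ch) for ch in password)


def tokenize(text):
    """Split on case changes and character class: JennaSurfs -> Jenna, Surfs."""
    return re.findall(r"[A-Z]?[a-z]+|[0-9]+|[^A-Za-z0-9]+|[A-Z]+", text)


def charset_size(token):
    """Size of the alphabet an attacker must enumerate for this token."""
    size = 0
    if re.search(r"[a-z]", token):
        size += 26
    if re.search(r"[A-Z]", token):
        size += 26
    if re.search(r"[0-9]", token):
        size += 10
    if re.search(r"[^A-Za-z0-9]", token):
        size += 33
    return size


def token_bits(token):
    """Guessing work for one token, in bits (log2 of the guesses needed)."""
    if token.lower() in COMMON_WORDS:
        # A dictionary word costs one lookup; an initial capital adds ~1 bit.
        return math.log2(len(COMMON_WORDS)) + (1 if token[0].isupper() else 0)
    if len(set(token)) == 1:
        # Repeated characters (222222): pick the character, then the length.
        return math.log2(charset_size(token)) + math.log2(len(token))
    # Otherwise assume brute force over the token's alphabet.
    return len(token) * math.log2(charset_size(token))


def estimate_bits(password):
    """Attacker work for the whole password: crackers try both spellings."""
    candidates = (password, unleet(password))
    return min(sum(token_bits(t) for t in tokenize(c)) for c in candidates)
```

Run against password, P@$$w0rd, 222222, jenna123 and JennaSurfsHamBoatsForChristmas, the leet spelling scores within a bit of the plain word while the six-word phrase scores far above both.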

For a more in-depth look at passwords and their pitfalls, we recommend reading Mat Honan’s Wired article.

  1. John says:

    Many thanks – good information

  2. Daryl McGinnis says:

    Great Info! I have a “bad” habit of making all my passwords the same so I won’t forget. Do you have any suggestions to make my passwords more secure without having to remember a notebook full of words and codes?

  3. ShaugnD says:

    One simple tactic you can use is to develop a complex core password and commit it to memory. For example gU6w251#€

    This is an ok password, but it is a bit short. Now, make that password unique for each new web site login by applying some rule. For example, add the first two characters of the domain name to the beginning, and the second to last character of the domain name to the end. In this example, your password for mybank.com would be mygU6w251#€n but your password for hotmail.com would be hogU6w251#€I.

    This example is very simplistic, just to explain the idea, but you can make it as complex as you like. Best of all, you only need to memorize your core password and the rule. If a site gets hacked, the hacker gets your password, but without the rule, which only resides in your head, they will have to do a lot of work to hack your other accounts. Nothing will stop the determined adversary with limitless resources; however, if you make sure you aren’t the ‘low hanging fruit’, they are likely to move on to an easier target.

    If you are in a crowd being chased by a lion, you don’t have to be the fastest runner in the crowd to survive. You just have to outrun 1 or 2 people and look less tempting than them. The same principle applies to security.

  4. Scott Geiger says:

    I always recommend using diceware passphrases (and I use them myself) – http://world.std.com/~reinhold/diceware.html
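As an added example (not part of the comment above or of the Diceware page it links), here is the Diceware mechanism in Python: each word is chosen by a dice roll whose digits form the lookup key, and the strength follows only from the list size and word count, not from the words themselves. The 36-word, two-dice list is a constructed stand-in for the real 7776-word, five-dice list.

```python
import math
import secrets


def roll_key(n_dice=5):
    """Roll n_dice fair dice and return the lookup key as a string, e.g. '41263'.
    Diceware itself calls for physical dice; the OS CSPRNG behind `secrets`
    is the software stand-in used here."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def all_keys(n_dice):
    """Every possible key for n_dice dice in list order; there are 6**n_dice."""
    keys = [""]
    for _ in range(n_dice):
        keys = [k + d for k in keys for d in "123456"]
    return keys


def passphrase_bits(wordlist_size, n_words):
    """Entropy of n_words words chosen uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def make_passphrase(wordlist, n_words, n_dice):
    """wordlist maps every possible dice key to a word; one roll per word."""
    if len(wordlist) != 6 ** n_dice:
        raise ValueError("word list must have exactly one word per possible roll")
    return " ".join(wordlist[roll_key(n_dice)] for _ in range(n_words))


# Constructed 2-dice (36-word) stand-in for the real 5-dice, 7776-word list.
TOY_WORDS = ["able", "acid", "aged", "also", "area", "army", "away", "baby", "back",
             "ball", "band", "bank", "base", "bath", "bear", "beat", "been", "beer",
             "bell", "belt", "best", "bird", "blue", "boat", "body", "bold", "bond",
             "bone", "book", "boom", "born", "boss", "both", "bowl", "bulk", "burn"]
TOY_LIST = dict(zip(all_keys(2), TOY_WORDS))

if __name__ == "__main__":
    print(make_passphrase(TOY_LIST, 6, 2))
    print(f"toy list, 6 words:  {passphrase_bits(36, 6):.1f} bits")
    print(f"real list, 6 words: {passphrase_bits(7776, 6):.1f} bits")
```

Six words from the real list give about 77.5 bits, which is the figure that makes a memorable phrase competitive with a random character string.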

  5. Richard Block says:

    Changed, hope I can remember the new Pword

  6. Ken Griffis says:

    You can never be too safe, and these reminders to clean, change and modify our hand-held or stationary technology are needed. We often get settled into our routine and forget how vulnerable we are to the ever-changing ways people steal our identities and financial info. Thanks for reminding us to be safe.

  7. CAROL says:

    Really like Lookout, and continue to learn. Thank you!

  8. CAROL says:

    Thank you! Information Is very Helpful!

  9. Jerry Lee McKee says:

    Lots of great info

  10. Judy says:

    Just had my email co-opted. Thanks for the pw tips. Good to know!
