Pass on ‘password’ as your password

Author: MOLOUK Y. BA-ISA, [email protected]
Publication Date: Wed, 2011-09-07 21:00

For passwords that are not sensitive, use of a reputable password manager is a reasonable option. Password managers commonly come in either desktop, online or USB versions and there are many different vendors offering them. Ideally though, some passwords should be memorized. An individual’s primary email account and online banking are two of the most critical passwords. The password to the password manager is another password to remember. And people who have just a few passwords might not want to be bothered with a password manager.
According to Dr. Markus Jakobsson, the most reasonable way to manage passwords is to divide them into at least three groups — financial, email and other. Jakobsson (www.markus-jakobsson.com) is a security researcher with interests in applied security, ranging from device security to user interfaces. He is currently focusing his efforts on human aspects of security and mobile security.
“It’s common that people have these groups of passwords — financial, email and other. Unfortunately, it’s also common that people have just one password,” Jakobsson advised. “If a person uses the same password for email and banking, that is not a good idea. Why? Because a person may be very cautious about the Internet connection used to go to an online banking account, but that person might not be equally cautious in logging on to an email account. The minimum requirement for using the segregation or grouping method for passwords is three different groups. If you choose weak passwords for any of these, then those passwords are useless and your accounts are very vulnerable.”
What is a weak password? It’s a password that is easily guessed, either because many people use that same password or because it’s something about you that anyone could know — your name, for instance.
Among the most common passwords are the words “password” and “security.” It’s possible to see groups of common passwords by typing “most common passwords list” into any search engine. Hackers try these passwords first when breaking into an account. When crooks steal 10,000 passwords by breaking into a large corporate database, they can see which ones people prefer, and those will be used to break into other accounts. So choosing a single dictionary word or a common phrase as a password isn’t smart.
“One approach that I have developed in creating passwords that has benefits in terms of security and ease of recall is to choose three words for a story,” explained Jakobsson. “First, think of a story, something that happened to you, something memorable. Write it down as three words. Those words will become your password. If a person chooses just one word, that’s easy to guess, but three words makes it implausible that an attacker will guess that combination. We’re talking about not being an easy target. There is always the chance that an attacker could get access to your account by exhaustively trying all possibilities, but that would take a hundred years. The length of a password is very important because the shorter it is, the easier it is to guess.”
Here are some examples of Jakobsson’s method:
Story: When I was a kid, I dreamt about going to the moon. Password: KidDreamMoon
Story: The proudest day of my life was my college graduation. Password: ProudDayGraduation
Story: We are planning to go on a vacation to Hawaii this summer. Password: PlanningVacationHawaii
Please don’t use these examples as your password. Think of your own memorable story and create your own password. Also, don’t pick three words from a song or a common phrase such as, “I love you.” Choose three words that create a unique, memorable story.
If the service or application requires a password with letters and at least one number, then Jakobsson suggests inserting a portion of your telephone number into the password. For instance, K547idDreamMoon. Include the number(s) in a way that’s memorable for you. Bad strategies for including a number in a password are to put the number one at the end of a word, to replace the letter “I” with the number one, or to replace the letter “E” with the number three. These are such common strategies that attackers know about them.
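The checks this column describes (a password that appears on a common-password list, a single dictionary word or a common phrase such as “I love you,” the trailing number one and the 1-for-I and 3-for-E swaps Jakobsson warns against, and the size of the guess space for a three-word story) collected into one added Python example. This is not code from the article or from Jakobsson. The word lists, the 12-character minimum, the 10,000-word vocabulary and the guessing rate are constructed assumptions for illustration; a real checker would load a full common-password list and dictionary.

```python
import re

# Constructed stand-in for a "most common passwords" list (assumption).
COMMON_PASSWORDS = {"password", "security", "123456", "qwerty", "letmein", "iloveyou"}
# Constructed stand-in for a dictionary; a real checker would load a word list (assumption).
DICTIONARY = {
    "password", "security", "kid", "dream", "moon", "proud", "day",
    "graduation", "planning", "vacation", "hawaii", "love", "you", "summer",
}
# Common phrases the article tells readers not to use as a three-word story (assumption).
COMMON_PHRASES = {"iloveyou"}
# Minimum length used here; the article only says shorter is easier to guess (assumption).
MIN_LENGTH = 12
# Only the substitutions the article names: 1 for I and 3 for E.
LEET_MAP = str.maketrans({"1": "i", "3": "e"})


def split_words(password: str) -> list[str]:
    """Split a CamelCase story password into its words, ignoring digits.
    "K547idDreamMoon" -> ["Kid", "Dream", "Moon"]."""
    letters = re.sub(r"[^A-Za-z]", "", password)
    return re.findall(r"[A-Z][a-z]+|[A-Z]+(?![a-z])|[a-z]+", letters)


def weaknesses(password: str) -> list[str]:
    """Return the article's reasons a password is weak; empty list means none found."""
    found = []
    if password.lower() in COMMON_PASSWORDS:
        found.append("appears on common-password list")

    words = split_words(password)
    if len(words) == 1 and words[0].lower() in DICTIONARY:
        found.append("single dictionary word")
    if "".join(words).lower() in COMMON_PHRASES:
        found.append("common phrase")

    # "Put the number one at the end of a word" is a strategy attackers know.
    if re.search(r"[A-Za-z]1$", password):
        found.append("ends in the number one")

    # Undo 1->I and 3->E; if that yields a dictionary word, the swap bought nothing.
    restored = password.translate(LEET_MAP)
    if restored != password and restored.lower() in DICTIONARY:
        found.append("leetspeak substitution of a dictionary word")

    if len(password) < MIN_LENGTH:
        found.append(f"shorter than {MIN_LENGTH} characters")
    return found


def story_guess_space(words: int = 3, vocabulary: int = 10_000) -> int:
    """Combinations an attacker must try to exhaust a story of `words` words
    drawn from a vocabulary of `vocabulary` words (vocabulary size is an assumption)."""
    return vocabulary ** words


def years_to_exhaust(guess_space: int, guesses_per_second: float) -> float:
    """Years needed to try every combination at the given rate (rate is an assumption)."""
    return guess_space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passwords: the article's examples plus weak patterns it warns about.
    for pw in ["password", "Summer1", "s3cur1ty", "ILoveYou", "KidDreamMoon", "K547idDreamMoon"]:
        print(f"{pw:18} {weaknesses(pw) or 'no weaknesses found'}")
    space = story_guess_space()
    print(f"three-word story from 10,000 words: {space:,} combinations,"
          f" {years_to_exhaust(space, 10_000):.1f} years at 10,000 guesses/s")
```

The single-word and one-word-versus-three-words comparison is what the checker makes visible: a single word from the dictionary is one of 10,000 guesses, while three words from the same list are one of a trillion, and the number inserted into a story word (K547idDreamMoon) adds nothing an attacker can strip off with a simple rule.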
“I feel that it is very, very unfortunate that the general public is given the blame for security failures when they aren’t given the guidance for what to do — or what to avoid,” said Jakobsson. “Banks and service providers have a hard time advising people how to create good passwords. When a bank does provide an example of a great password, people tend to just adopt that password as their own. Of course that defeats the purpose of convincing the bank’s customers to choose individual passwords that are hard to guess.”
A password created by someone else will be hard to remember, too. So construct your passwords based on your preferences and your life experiences — what you like and what you know. That way your passwords will be easy for you to remember, but hard for a stranger to guess.
If you frequently enter passwords on a mobile phone or other input-constrained device, try Jakobsson’s technique called “Fastwords,” which makes it easy to create and enter strong passwords from any device. Check it out at www.fastword.me.