Let’s talk about one of the least thoughtful yet most important decisions that you will make in your online existence. Your choices about this issue will substantially influence the likelihood of your being a victim of a financial crime or worse. You probably don’t want to think about it. You likely don’t want to change the status quo, and if you’ve got any “computer people” in your life you have no doubt been berated about it before.
We have reached a time when more and more of our lives take place digitally, and we interact with services and people online as much (or more) each day than we might physically. We’ve become dependent on computers and networks, as a global society, to act not only as our tools for communication, but also the medium and archive of that communication. The Internet acts simultaneously as our modern cave wall, the paintbrush in our hand, and the cave painting itself that we’re all creating together. Therein lies the problem.
Your password is terrible. I know this because I know you. I know you are lazy and forgetful and just want your logins to work without needing to think about it too much. I know that you use the same password everywhere, or very nearly so. I know that your password is likely a common word, spelled in all lower case, and hasn’t changed in years. I know that your password probably has something to do with a pet or a family name, football team or hobby. I know that you think you are too unimportant, uninteresting, and unknown to ever catch the attention of a thief. I am going to try to convince you otherwise, because the risks incurred by not taking proactive action are too great in this day and age.
Why is your choice of passwords so important?
A recent survey conducted by RSA Security determined that, on average, a typical internet user maintains 20 online accounts at any given time. These are sites that require you to register and log on for access each time. Human nature being what it is, most people will use the same password on every one of those 20 sites, which may include their bank, online shopping, email accounts, discussion forums, work accounts, online games, streaming video and any number of other public and private websites that we use regularly to conduct our business. If you are as predictable as I believe you are, exposing your password to any of those sites will expose your password to all of them. Your email account is particularly sensitive, as the emails you send and receive contain information about all of the other accounts and relationships you have. Once your email account has been breached, you are in serious danger of identity theft leading to financial theft.
Another often overlooked but equally critical password is your broadband wireless (wi-fi) network password, which people are often flippant about choosing, setting, changing and sharing. Why is this dangerous? A homeowner in Buffalo was recently raided by a heavily armed SWAT team who accused him of being a pedophile and pornographer because someone within range of his unsecured wireless router had downloaded child pornography over his residential internet service. The neighbor who did this was eventually caught, but not before the man lost his computer (now evidence) and spent three days defending his innocence. This is far from an isolated incident, either. Similar things have happened in Sarasota, Florida and North Syracuse, NY. According to a study commissioned by the Wi-Fi Alliance, an industry trade group, 32% of adults have admitted accessing others’ unsecured wireless networks, while 40% say that they would be more likely to give someone their own house key than their wireless password.
How are passwords cracked?
Keeping your password secret is paramount. It should exist nowhere but in your head. That means no writing it down on a post-it note and sticking it to your monitor where anyone who walks by can see it. In addition to being secret, your password must be long and strong, so that it cannot be guessed or otherwise determined by those who would do you harm. Here’s how they do it.
Asking: Believe it or not, the most common method that criminals use to determine people’s passwords is simply to ask them. This is referred to as social engineering, where a criminal will present themselves as a bank employee, technical support person, or in some other way misrepresent who they are in order to allay your natural suspicions and gain access to your login credentials. No doubt you have received in your email many ham-fisted, amateurish attempts to trick you into revealing your login password. This is referred to as phishing and believe it or not, still regularly catches gullible people in the wide net that the spammers and scammers cast. The same RSA Security survey showed that more than 70% of people would reveal their computer password in exchange for a chocolate bar. It also showed that 34% of respondents were happy to give out their passwords without any enticement whatsoever. People often tell their passwords to colleagues, friends and family. Do not do any of this.
Guessing: The second most common method is making guesses based on information known about you, most often information that you yourself have shared. A different experiment found that 79% of people unwittingly gave away information that could be used to steal their identity when questioned, such as their date of birth and mother’s maiden name. You also give away clues about yourself and your password in online social networks. In January 2011, a California man admitted using personal information he gleaned from Facebook to guess his way into 172 women’s e-mail accounts. He then scanned the women’s email folders for nude and seminude photos and videos, and forwarded any he found to all the women’s address book contacts. In one case he even posted them to her Facebook profile for all of her 1500 ‘friends’ to see. He also coerced at least one woman into sending him more explicit photographs by threatening to distribute the pictures he already had. This problem can only be solved by choosing a password with no relation to you as a person.
Brute force attack: Computers are very good at doing the same thing repeatedly and fast, such as listing every iteration of a sequence of characters. For example, let’s say that your password is “key”. A hacker will use an automated program to try signing into your account using “aaa, aab, aac, aad … kew, kex, key (MATCH)”. A computer can make thousands of tries in a matter of seconds. The only thing that stops a brute force attack is higher complexity and longer passwords, making the time required to try every iteration prohibitively long even at computer speeds.
Common words: A simpler form of the brute force attack is to try to log in to your account using a large list of common words as passwords. It is unfortunate but not surprising that this method works a majority of the time. Your password should not be an English word.
Dictionary attacks: This is the same concept as the common word attack, but on a much larger scale. Entire dictionaries are used as a pool of potential passwords (there are about 500,000 words in the English language) and the likelihood of guessing your password goes up. An uncommon or long single English word is still not a good password. However, there is a caveat to this rule that we’ll discuss in a bit.
What makes a good password?
If you follow the guidelines that end each of the previous 5 paragraphs, the rest is very simple. What makes a password good is making it time prohibitive for a computer program to guess. You do this by increasing the number of possible character combinations. For example, the simple password “key” has 17,576 possible combinations, since there are three characters each chosen from a set of 26 lower case alphabet letters. Since each character could potentially be any of those letters, you have 26 x 26 x 26 = 17576 (or 26^3) possible unique 3 letter passwords. Even for a relatively slow web application that could not accept more than 100 sign-in requests per second, that password could be guessed in under 3 minutes. How much time is enough for a password to be considered secure?
- A password that can be hacked in under 10 minutes is useless. It’s like locking your front door and leaving all of your windows open. There is no real security, just the illusion of it.
- 1 hour – Still not good enough. Do you want your bank account to be 1 hour away from empty at all times?
- 1 day – This is starting to be reasonable. The probability that a criminal will have a program running for an entire day to steal your password alone is rather low.
- 1 month – This is something that only a dedicated hacker with an interest in you specifically would do.
- 1 year – It is unlikely that you would ever make the sort of enemy with both the ability and desire to spend a year cracking your password. For all intents and purposes, this is 100% secure with today’s technology.
Choosing a memorable, yet secure password
As you’ve seen, the trick is to use a large pool of as many characters as possible, and then make the longest possible password that isn’t an English word. Ideally you want your password to contain at least one character from every set of possibilities on your keyboard. That means
26 = ABCDEFGHIJKLMNOPQRSTUVWXYZ
26 = abcdefghijklmnopqrstuvwxyz
10 = 0123456789
28 = ` ~ ! @ # $ % ^ & * ( ) - _ = + [ { ] } \ | / ? . > , <
-----
90 = total possible characters
You’ve got 90 possible password characters on your keyboard, and you should use at least one from each of the 4 sets above. Now, how do you make it something memorable that looks like random gibberish? One of my favorite mnemonic tricks is to use lyrics from favorite songs that remind me of what the password is to be used for. For example, I like the Beatles and the song “We All Live In A Yellow Submarine.” That sounds very friendly and community minded, so perhaps I want to use that as my Facebook password. Many web applications will allow you to use a complete sentence as a password, and given the chance, go ahead and do that! The prohibition against using a single English word doesn’t apply to sentences. Remember, there are 500,000 English words in the dictionary. Cracking a 7 word sentence like the one above would require 500,000^7 guesses, or 7812500000000000000000000000000000000000 tries! That is secure forever.
However, let’s assume that we can’t use spaces or that we have a 10 character limit, which is common. We can still make a great password out of this song lyric. First I’ll just take all of the initial letters from We All Live…: “WALIAYS”. Next I’ll capitalize and punctuate like a normal sentence, adding a period to the end: “Waliays.” Now I’ll replace the lowercase ell “l” with a one “1”: “Wa1iays.” There, finally, is a password that uses upper and lower case letters, numbers, and punctuation characters. It is not an English word, and I will not forget it! It is 8 characters long from a set of 90 possible characters, meaning it would take 90^8 guesses for a computer to crack it. That’s 4304672100000000 possible iterations. At 100 tries per second, that would take 1,365,002 years to crack, give or take a few. Now it’s your turn. Go make yourself a safe password!
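The search-space arithmetic used above for “key”, for the 7 word lyric and for “Wa1iays.” is written out here as a small calculator. This is an added example, not code from the original post; it assumes the post’s own figures (the four keyboard sets totalling 90 characters, a 500,000 word dictionary and a rate of 100 guesses per second), and the passwords it runs on are the post’s two worked examples.

```python
import string

# The four character sets from the post. The punctuation list is taken
# verbatim from the post (28 characters) rather than the full ASCII set.
LOWER = string.ascii_lowercase                 # 26
UPPER = string.ascii_uppercase                 # 26
DIGITS = string.digits                         # 10
PUNCT = "`~!@#$%^&*()-_=+[{]}\\|/?.>,<"        # 28, as listed in the post
SETS = (LOWER, UPPER, DIGITS, PUNCT)           # 90 characters in total

SECONDS_PER_YEAR = 365 * 24 * 3600


def pool_size(password: str) -> int:
    """Size of the pool an attacker must assume: the sum of the sizes of
    every keyboard set the password actually draws a character from."""
    return sum(len(s) for s in SETS if any(c in s for c in password))


def search_space(password: str) -> int:
    """Number of candidates of this length over the inferred pool, i.e. the
    worst case for an exhaustive (brute force) search: pool ** length."""
    return pool_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: int = 100) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return search_space(password) / guesses_per_second


def years_to_exhaust(password: str, guesses_per_second: int = 100) -> int:
    """Same figure in whole (365-day) years, as the post quotes it."""
    return int(seconds_to_exhaust(password, guesses_per_second) // SECONDS_PER_YEAR)


def passphrase_space(words: int, dictionary_size: int = 500_000) -> int:
    """Candidate count for a sentence of dictionary words: the post's
    500,000^7 figure for a seven word lyric."""
    return dictionary_size ** words


if __name__ == "__main__":
    for pw in ("key", "Wa1iays."):  # the post's two worked passwords
        print(f"{pw!r}: pool={pool_size(pw)} space={search_space(pw)} "
              f"seconds@100/s={seconds_to_exhaust(pw):.0f} "
              f"years={years_to_exhaust(pw)}")
    print("7 word sentence:", passphrase_space(7))
```

Raising the guess rate (for example, an offline attack against a stolen password database rather than 100 web logins per second) shrinks these times by the same factor, which is why the length and pool size matter far more than any single rate assumption.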