jimcofer.com
All About: Passwords
 

Like it or not, passwords have become a part of our lives. And with more and more of our personal information going online, it's more important than ever to protect it. Many people use online banking, have online frequent flier accounts, or have store accounts with online merchants that keep your credit card information online. Just being hacked at one of these sites can result in ID theft and hours upon hours of getting your credit rating fixed. The likelihood of this happening can easily be reduced if you just take a few minutes of your time to implement a sensible "personal password policy".

You see, there are two types of passwords in this world - strong passwords and weak passwords. Strong passwords are hard to "crack" using automated password guessing software and they are hard to guess using what someone might know about you. Weak passwords are typically short and are easy to guess. Whatever you do, NEVER use the following for any passwords, ever:

Any word that appears in a college-level dictionary in any major language: this is because there are programs out there that can be easily downloaded from hacking websites. These programs come with text files known as "dictionaries"; these files contain hundreds of thousands of words in most major languages like English, Spanish, French and German. The program will attempt to "brute force" your password simply by trying every single word in its dictionary (and will then move on to combinations of those words if that attack fails). So if you have a password as simple as "apple", you might as well not have one at all, because a hacker can crack that password in only a few minutes' time. And "apfel" isn't the least bit more clever.

Anything personally identifiable to you: this includes your name or initials, your spouse's name, your kid's name(s), the name of your dog, your street address, your phone number, area code or zip code, your license plate number, the make and model of your car, etc. etc. This also includes things you are known to like such as favorite sports teams or hobbies. Since I am known as a Pittsburgh Steelers fan and a Madonna fan, you will never, ever catch me creating a password using anything to do with either. Ever. I can't tell you how many times in my desktop support career I went to someone's office or cube to fix a problem with their machine, only to find them at lunch or in a meeting. If the user was a female over 25, chances were great that she'd have her kid's crayon pictures hanging on the wall of her cube. If that was the case, I'd simply look for the kid's "signature" on the drawings - almost always, if the kid was named "Mandy", the password would be "Mandy" too. Guys were the same, only their office or cube was usually decorated in sports pictures. If I had a nickel for every guy whose password was "ROLLTIDE" or "GOHEELS" I'd have a billion dollars by now.

Any of the above reversed: You might think you're pulling a fast one on the hackers by changing "Steelers" into "Sreleets", but trust me: hackers thought of this already.

Any password from a movie, TV show or book: Yep, they've thought of this one too. After the movie WarGames came out, thousands of idiots changed their BBS passwords to "Joshua" (a key password used in the film). Much hacking came from that! This proviso especially applies to examples from computer security books; many IT newbies try to get a leg up by reading a book about Windows security and innocently use the book's example passwords. Yes, oh yes... hackers have thought of that one too!

Any "keyboard sequences": Don't use a keyboard sequence like "Qwerty" or "Zxcvbn" - they thought of that trick, too.

Anything short: Imagine that your company's accounting software only let you use UPPERCASE letters in passwords. Now imagine that your password is only a single letter long. A hacker would only need (at most) 26 tries to guess your password! Now imagine that your password has 2 letters. The hacker now has to try up to 676 combinations to figure out your password. Now imagine that your password consists of 3 letters; the number of possible passwords now jumps to 17,576. At 4 letters, the possibilities jump to 456,976. With 5 letters, the number of combinations jumps to 11,881,376. You see where I'm going with this? My passwords are typically around 14 characters long, so even with an "uppercase letters only" restriction, that still gives a whopping total of 95,428,956,661,682,176 possibilities!

A password consisting of all numbers or all letters: any password composed of only one kind of character is far easier to hack than a password composed of a mixed set of uppercase and lowercase letters, numbers and symbols.
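The "never use" list above can be turned into a simple check. The following is an added example, not code from the article: it flags passwords that break each rule (dictionary word, reversed word or two glued words, personal terms, keyboard rows, length, a single character class) and computes the brute-force search space the article's 26-to-the-n argument describes, generalised to mixed character sets. The word list, keyboard rows and the minimum length of 8 are assumptions made for the example.

```python
import math
import string

# Constructed sample wordlist standing in for the "dictionary" files the
# article describes; a real one holds hundreds of thousands of entries.
DICTIONARY = {"apple", "apfel", "steelers", "joshua", "home", "pie", "password"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 8  # assumption; the article only says "anything short"


def keyspace_bits(pw: str) -> float:
    """log2 of the brute-force search space for the character classes PW uses.
    Generalises the article's 26**n figures (uppercase only) to mixed sets."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(size) if size else 0.0


def _is_dictionary_based(word: str) -> bool:
    """Exact word, the word reversed, or two dictionary words glued together
    (the article notes crackers move on to word combinations)."""
    if word in DICTIONARY or word[::-1] in DICTIONARY:
        return True
    return any(word[:i] in DICTIONARY and word[i:] in DICTIONARY
               for i in range(1, len(word)))


def violations(pw: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return the article's 'never use' rules that PW breaks; empty is good.
    PERSONAL holds terms tied to the user (names, team, plate number...)."""
    low = pw.lower()
    found = []
    if _is_dictionary_based(low):
        found.append("dictionary word, reversed word or word combination")
    if any(p and p.lower() in low for p in personal):
        found.append("personally identifiable term")
    if len(low) >= 4 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
        found.append("keyboard sequence")
    if len(pw) < MIN_LENGTH:
        found.append("too short")
    if pw.isalpha() or pw.isdigit():
        found.append("single character class")
    return found
```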

 

*    *    *

 

So - now that you know what a bad password is... what is a good one? Well, in a perfect world, a password is a random mix of upper- and lowercase letters, numbers and symbols, like this:

8IeklU5I?cr$u5iu

Unfortunately, such passwords are hard for people to remember. The best compromise in my book is a "pseudo-random" password. Such a password would look like the password above to a machine (or to a hacker that doesn't know you), yet retains some meaning for you and you alone. Think about some place or event in your life, one that won't make people think of you, but one that you can easily remember - perhaps the name of a restaurant you ate at on a vacation as a child, or some random place that you just happen to know the address of. Then figure out a way to add numbers to that thing, and then "randomize" it by swapping certain letters for numbers or symbols.

For example, for some reason I've always known that Lenox Square Mall is located at 3393 Peachtree Road in Atlanta. I can combine "Lenox" with "3393" to get this:

l3e3n9o3x

I can then swap around some of the letters (including cases), numbers and symbols:

!Ee3n903*

At this point, you *can* add additional dictionary words, because the first part of your password is secure (although you will still want to swap out letters and numbers as necessary):

!Ee3n903*h0M3

(BTW - the "o" in "h0M3" is a zero, not the letter "o".) So basically, your password is "l3e3n9o3xhome" with some obfuscation going on.

You can also try using the first letters from a line of a song, a poem or prose passage to generate a password (again though, make sure it's not a band you're obsessed about, as some might guess it):

"I have a fish nailed to a cross on my apartment wall"
(Throwing Muses, "Fish")

becomes

IHAFNTACOMAW

which, with obfuscation, becomes:

!h@Fn2*C0mAw

which is a damn fine password (note again that the "o" has been changed to a zero). You can use just about any method you want for generating a secure password, just remember to mix the characters up and not to use anything that would be easily identifiable as "you".
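Both construction methods described above (weaving an address number into a place name, and taking the initials of a song line) plus the look-alike swap step, written up as an added example that is not code from the article. The swap table and the alternate-case rule are assumptions chosen to mirror the article's hand-made examples, so the outputs differ slightly from the ones shown in the text.

```python
# Look-alike swaps for the "obfuscation" step; the table is an assumption
# picked to mirror the article's examples (o->0, a->@, i->!, t->2).
SWAPS = {"o": "0", "a": "@", "i": "!", "t": "2"}


def interleave(word: str, digits: str) -> str:
    """Weave an address number into a place name: Lenox + 3393 -> l3e3n9o3x."""
    out = []
    for i, ch in enumerate(word.lower()):
        out.append(ch)
        if i < len(digits):
            out.append(digits[i])
    return "".join(out) + digits[len(word):]  # keep any digits left over


def initials(phrase: str) -> str:
    """First letter of each word of a song line, upper-cased: the article's
    Throwing Muses line -> IHAFNTACOMAW."""
    return "".join(w[0] for w in phrase.split() if w[0].isalnum()).upper()


def obfuscate(base: str, swaps: dict[str, str] = SWAPS) -> str:
    """Swap letters per the table and alternate the case of the rest, so the
    result looks random to a stranger but stays reconstructible by the owner."""
    out = []
    for i, ch in enumerate(base):
        low = ch.lower()
        if low in swaps:
            out.append(swaps[low])
        elif ch.isalpha():
            out.append(ch.upper() if i % 2 == 0 else ch.lower())
        else:
            out.append(ch)  # digits already woven in stay as they are
    return "".join(out)


def build_password(place: str, number: str, extra_word: str = "") -> str:
    """The article's full recipe: place name woven with a number, obfuscated,
    then an optional extra word (also obfuscated) appended."""
    return obfuscate(interleave(place, number)) + obfuscate(extra_word)
```

Fixed look-alike swaps are a well-known pattern, so most of the strength comes from the length and from a base nobody associates with you, not from the swaps themselves.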

 

*    *    *

 

So - what now? You've gotten yourself a shiny new password - how do you use it? Well, there are many "best practice" guidebooks out there that include rules like using unique passwords for each site, changing your password often and *never* writing your passwords down anywhere. Of all of these rules, the only one I follow is the last one: not writing a password down. You'd be shocked at how often people who should know better have their password written on a sticky note attached to the monitor or taped to the underside of their keyboard or to their desk under their mousepad. I'm talking about HR people, the upper echelons of finance... even IT higher-ups! In fact, in my experience, the higher up you go in a company, the more likely it is that the password is written down somewhere on the user's desk. Given the sensitive information these people have access to, you'd think the users would know better, but they apparently don't.

As for having a unique password for each website... I just don't think that system works. Although "my" password system creates strong passwords that are somewhat easy to remember, I just don't think that most people can remember five or six different passwords that look like "!h@Fn2*C0mAw". In my book, it's better to have a "tiered system" of websites. In this system, the websites you visit are divided into "has private information" and "does not have private information". Any site that has private information gets one of the secure passwords, while a site that doesn't gets a much simpler password. Based on the number of "private information" websites you have, you can then create a pool of secure passwords that can be swapped around amongst the private sites. By swapping around the secure passwords, you're not really using 5 different passwords, you're using 1 group of passwords, and this makes memorizing them easy. On the flip side of this, feel free to use a single password for all your "does not have private information" sites. If someone figured out my "insecure" password, they'd have access to... a couple of free email accounts that I rarely use and access to several of the forums that I spend time in. There is absolutely nothing at any of those sites that points to me, so if I got hacked... big deal!

One last option is a program called a "password vault" that stores all of your passwords in an encrypted file. Here's one example, but it's hardly the only password vault out there - it's just the first hit from a Google search for "password vault". Anyway, password vaults let you have as many different and complex passwords as you'd like, since there's no memorization involved. Two things to consider though: you'd need a secure password for the vault itself (there's no sense in having complex passwords for all these sites if the vault's password is "password"!) and you might also need a "portable" vault that can run off a USB drive... unless you only access secure sites from home.

 
 
Last Updated: Wednesday, 21 March 2007 01:44