- dotTech - http://dottech.org -
How to create strong passwords and have secure accounts [Tip]
Posted By Ashraf On October 28, 2012 @ 11:00 PM In World Wide Web | 37 Comments
It seems like with the increasing level of access to technology on a global scale, there are increasing numbers of scam artists, hackers, pricks, punks, assholes, scumbags, etc. that try to find ways to make everyone’s digital life a bigger pain than it needs to be. There are many ways to fight scumbagism, but most of these ways are so complex and unrealistic that most of us just simply ignore them. So, I have decided to write up this article listing five simple-ish rules one can follow to have strong passwords and secure accounts. Living your digital life by the following five rules will not guarantee you are hacker proof, but it does greatly mitigate the likelihood of your accounts being hacked.
Remember back in grade school math class when you studied permutations? Remember how adding an extra digit to a number (i.e. going from four digits to five digits) greatly increased the number of possible permutations of that number? Yeah, well, they didn’t just teach that in school to torture us; permutations have a real-life application.
You see, most websites store passwords in an encrypted format, so anyone who gets hold of a website’s password database can’t simply read everyone’s passwords. When this happens (when a scumbag can’t break the password encryption), they apply a technique called a brute force attack to try to hack your passwords. (A brute force attack does not require the scumbag to have the password database; it can be used at any time, with or without the database. However, most websites have anti-brute-force security measures in place that temporarily block access to an account if someone fails to log in too many times in a short time period.) A brute force attack is the process of systematically trying password combinations until the correct password is found. There are two viable defenses that help protect against a brute force attack; one of them is password length (the other is password complexity – see the next tip). The longer your password is, the harder it is for a hacker to get it using brute force, simply because the hacker has to try a greater number of possible passwords.
That said, exactly how long should your passwords be? Current industry standards say at least eight characters. However, personally, I recommend twelve characters or higher. Why? One word: Graphics. In a study conducted by Georgia Tech earlier this year, researchers were able to crack eight character passwords using graphics cards in two hours. Cracking twelve character passwords, on the other hand, was estimated to take over 17,000 years. Two hours vs seventeen thousand years, hmmm….
Now, does that mean all hackers will have the capability to crack eight character passwords in two hours? No. It takes a certain level of sophistication and technology to be able to do what the Georgia Tech researchers did, and the average wannabe hacker isn’t at that level of sophistication. However, it just goes to show you how important password length is.
Building on the same idea of making passwords long, passwords should be complex. By “complex” I mean passwords should not just be lowercase letters and numbers. You should incorporate special characters (e.g. !, ?, @, #, $, %, ., *, etc.) and uppercase letters (when supported – not all websites support case-sensitive passwords) in your passwords. Think about it. If you use only lowercase letters and numbers, there are thirty-six possible characters your passwords can be made up of (assuming you are using the English alphabet). In other words, there are 2,821,109,907,456 possible permutations if your password is eight characters long. Once you start mixing in uppercase letters, the number jumps up to 218,340,105,584,896. The number of possible passwords skyrockets even higher once you add in special characters.
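To make the permutation arithmetic above concrete, here is an added Python example (my code, not code from the original post) that computes the search space for each alphabet size and password length the article mentions and turns it into a worst-case brute-force time. The guess rate of one billion guesses per second is a constructed assumption for illustration, not the Georgia Tech figure, and the count of 33 special characters (the printable ASCII symbols) is also my assumption.

```python
# Alphabet sizes the article reasons about (English letters, ASCII digits and symbols).
LOWERCASE = 26
DIGITS = 10
UPPERCASE = 26
# Assumption: the 33 printable ASCII punctuation/symbol characters; the article's
# list (!, ?, @, #, $, %, ., *) is a subset of these.
SPECIAL = 33


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over an alphabet."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Total candidates a brute forcer must try when it walks lengths 1..max_length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def length_gain(alphabet_size: int, from_length: int, to_length: int) -> int:
    """Factor by which the search space grows when the password gets longer."""
    return alphabet_size ** (to_length - from_length)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given length at a fixed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit (years, days, hours, minutes)."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Constructed guess rate (assumption, not a figure from the article): one billion
    # guesses per second, a round number for a GPU rig against a fast hash.
    rate = 1e9
    charsets = [
        ("lowercase+digits", LOWERCASE + DIGITS),
        ("+uppercase", LOWERCASE + DIGITS + UPPERCASE),
        ("+special", LOWERCASE + DIGITS + UPPERCASE + SPECIAL),
    ]
    for label, size in charsets:
        for length in (8, 12):
            candidates = keyspace(size, length)
            worst = human_time(seconds_to_exhaust(size, length, rate))
            print(f"{label:17s} len={length:2d} candidates={candidates:>28,d}  worst case: {worst}")
```

Running the script shows the two effects the article separates: widening the alphabet from 36 to 62 characters multiplies the eight-character search space by about 77, while going from 8 to 12 characters over the same 36-character alphabet multiplies it by 36 to the fourth power, roughly 1.7 million. Length wins, which is why the author's twelve-character recommendation matters more than any single substitution.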
Using special characters and uppercase letters is not as complicated as it sounds. All you need to do is go through your password and replace letters with similar special characters and make some lowercase letters uppercase. For example, if your password is bullseyeathome you can make that password a lot stronger by using bu1L$eye@th*me. Not too hard to remember, is it?
Furthermore, having complex passwords is not only making sure you use a mix of lowercase letters, uppercase letters, numbers, and special characters. Complexity of a password also includes avoiding real words and popular phrases. Cracking a password comprised of real words or popular phrases is very easy using a dictionary attack. So instead of using real words or popular phrases, make up your own words or phrases. That does not mean your password can contain no real words or popular phrases. Rather, it means your password should not be all real words or popular phrases – throw in one or two figments of your imagination.
Experts tell us we should have a different password for each and every login. While that is sound advice, even with a password manager it is insanity; who in their right mind could possibly have a different password for every single login? If you can successfully manage different passwords for every login you have, kudos to you. However, for the rest of us normal people a doable alternative to having different passwords for each login is having tiered passwords.
Tiered passwords are a simple idea: have a different password for each “group” of logins you have. For example, let’s say you have a login for your bank account, your main e-mail, a spam e-mail, and three websites you visit often. Applying the concept of tiered passwords, you may use one password for the bank account, one password for your main e-mail, and one password for the spam e-mail and website logins. Of course the split doesn’t have to be exactly that; it is up to you to decide the importance of each login and how you want to categorize it. The overall goal is not to make sure X type of login gets X password; rather the goal is to make sure your high importance passwords stay different from low importance passwords so if a low importance password ever gets compromised, you don’t have to worry about the high importance ones.
From a pure security standpoint, having tiered passwords is not as secure as having a different password for each login. However, it is a doable derivative that serves as a good compromise between the two extremes of using the same password for all logins and using a different password for all logins.
When you login somewhere, are you ever allowed to login using just your password? Nope – you always need an accompanying username or login name (sometimes it is your e-mail address). So, then, why would you want to share that username/login name with someone else? Sure a username/login name may not be as big of a secret as your password, but to get into an account both a username/login and a password are required. Without one, the other is useless. Think about it this way. Your username is the door-handle lock on your front door while the password is the deadbolt. Anyone trying to get inside your home has to get past both the door-handle lock and the deadbolt; the deadbolt may be the one that is harder to break, but the door-handle lock nonetheless still plays a role in securing your home. So keep your usernames/login names secret! Of course this isn’t always possible; sometimes your username/login name is publicly displayed… such as on a website forum. However, when it is possible, you should be very frugal about giving out your username/login name because, as I already mentioned a couple of times, without knowing your username/login name, a hacker cannot get into your account… even if they know your password.
While this may seem like a no-brainer, it is surprising how many people use their username (or a variant of their username) as their password. You should never, ever use your username (or a variant of your username) as your password. The username and password should be kept as different as possible – preferably 100% different. This way if a hacker finds out your username or password, they can’t use it to help them determine the other missing piece.
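The complexity rules (length, mixed character classes, not all real words) and the rule just above (the password must not be your username or a variant of it) can be checked mechanically. The following Python is an added example written for this page, not code from the original post; the word list is a small constructed stand-in for a real dictionary, the twelve-character minimum follows the author's recommendation, and the sample passwords are the article's own `bullseyeathome` and `bu1L$eye@th*me` plus a constructed username-based one.

```python
# Minimum length the article recommends (industry standard is 8; the author suggests 12).
MIN_LENGTH = 12

# Constructed stand-in for a real dictionary/phrase list (assumption): a production
# checker would load a wordlist file; these entries only need to cover the examples.
COMMON_WORDS = {
    "bull", "bulls", "eye", "bullseye", "at", "home", "password", "welcome",
    "dragon", "sunshine", "let", "me", "in", "love", "you", "i",
}


def character_classes(password: str) -> dict:
    """Which of the four character classes the article asks for are present."""
    return {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() and not c.isspace() for c in password),
    }


def is_all_dictionary_words(password: str, words: set) -> bool:
    """True if the letters of the password can be split entirely into known words.

    Digits and symbols are stripped first, so 'bullseyeathome123!' is still flagged:
    the article wants at least one made-up word, not just a numeric suffix.
    Dynamic programming over the string: reachable[i] means the first i letters
    can be segmented into dictionary words.
    """
    letters = "".join(c for c in password.lower() if c.isalpha())
    if not letters:
        return False
    reachable = [True] + [False] * len(letters)
    for end in range(1, len(letters) + 1):
        for start in range(end):
            if reachable[start] and letters[start:end] in words:
                reachable[end] = True
                break
    return reachable[-1]


def overlaps_username(password: str, username: str) -> bool:
    """True if either string contains the other, ignoring case (a 'variant' of the username)."""
    p, u = password.lower(), username.lower()
    return bool(u) and (u in p or p in u)


def check_password(password: str, username: str, words: set = COMMON_WORDS) -> list:
    """Return the names of every rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    for name, present in character_classes(password).items():
        if not present:
            problems.append(name)
    if is_all_dictionary_words(password, words):
        problems.append("dictionary")
    if overlaps_username(password, username):
        problems.append("username")
    return problems


if __name__ == "__main__":
    # 'ashraf' is a constructed username for the demonstration.
    for pw in ("bullseyeathome", "bu1L$eye@th*me", "Ashraf2012!"):
        print(f"{pw!r}: {check_password(pw, 'ashraf') or 'OK'}")
```

The article's before-and-after pair behaves as described: `bullseyeathome` fails the uppercase, digit, special and dictionary rules, while `bu1L$eye@th*me` passes all of them. The username check is deliberately two-directional, so a short password that is itself a substring of the username is caught as well as a password that merely contains it.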
Life would be grand if we didn’t have punks trying to access our accounts – either for fun or malicious purposes or whatever; but that just isn’t how it is. So, please, do yourself a favor and use strong passwords in order to keep your accounts secure.
Have any advice on how to have strong passwords and secure accounts? Share with us in the comments [1] below!
Originally posted December 13, 2010.
Article printed from dotTech: http://dottech.org
URL to article: http://dottech.org/19574/five-easy-to-follow-tips-for-strong-passwords-and-secure-accounts/
URLs in this post:
[1] comments: #comments
© 2008-2012 dotTech.org | All content is the property of its rightful owner.