Passwords

Before you start building out your online presence, think for a moment about the use of your passwords. That’s plural. You do use multiple passwords, right? Oh, you don’t? Too hard to remember, is it? Let me guess, is it “password”?

But seriously, you need a decent password policy. Think of the different web applications you encounter online: internet banking, email, instant messaging, blogging, social networks... Each serves a different purpose, and each has its own password policy. They will require you to use a password of at least 4 to 8 characters, with a maximum (sometimes surprisingly short) of anywhere between 10 and 30 characters. Some will only allow regular characters, while others will require stronger passwords. Some websites will even mail you your password as a reference. That is not good practice, but it is something you need to keep in mind, as your password may then be viewable by anyone who reads along over your shoulder!

What makes a password strong? Or, to turn it around, what makes a password weak?

  • A weak password is less than 15 characters long.
  • It contains a word which can be found in a dictionary.
  • It contains a commonly used word, for example:
    • Names of family members, pets, friends,...
    • Names of locations (cities, employer,...)
    • Birthdays, address information, number plates, your email address...
    • Common letter or number combinations like qwerty, 1234567890, abcdefg,...

So the longer a password, the better. At least 8 characters at all times (even for low-value or temporary passwords), but better starting at 10 or even 15. Use a combination of lower-case and upper-case letters as well as numbers, and at least one punctuation character like !@#$%^&*()_+|~-=`{}[]:";'<>?,./ Don't use a single word in any language, slang or dialect.
Better yet, don't just use a "word", use a phrase, a passphrase! Especially for financial information like your internet banking or PayPal account. But use something you can remember:
"DonteatSh@rkmeats0up", "Br1ngTwinPeaksB@ck" (oh, don't use these, get your own!).
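The weak/strong rules above, written out as a small checker so you can see how each of them fires. This is an added example, not code from the original post; the dictionary, the personal details and the leet-substitution table are constructed stand-ins so the script runs offline (a real checker would load a proper word list and take the personal details from the user).

```python
"""Password-policy checker built from the rules given in the post above.

Added example, not the post's own code. The word list, personal details
and keyboard sequences below are constructed stand-ins so the script runs
offline; a real checker would load a dictionary file and take names,
birthdays, plates and the like from the user.
"""
import string
from typing import Optional

# Constructed stand-in for a dictionary file.
DICTIONARY = {"password", "shark", "meat", "soup", "summer", "london",
              "rover", "welcome", "monkey", "dragon"}

# Constructed personal details (pet name, city, birth year, number plate).
PERSONAL = ("rover", "london", "1983", "ab12cde")

# Keyboard walks and counting sequences; any 4-character run of these
# inside the password counts as a "common combination".
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             string.ascii_lowercase)

# Leet substitutions undone before the dictionary lookup, so "Sh@rk"
# is still recognised as the word "shark".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "5": "s", "4": "a", "7": "t"})

MIN_LENGTH = 8        # absolute floor the post gives
STRONG_LENGTH = 15    # below this the post calls a password weak


def letters_only(text: str) -> str:
    return "".join(ch for ch in text if ch.isalpha())


def word_forms(low: str) -> set:
    """Candidate 'core words' of a password: raw letters, de-leeted letters,
    and de-leeted letters after stripping digits/punctuation from the ends
    (catches "Summer2024!" and "P@ssw0rd1")."""
    edges = string.digits + string.punctuation
    return {letters_only(low),
            letters_only(low.translate(LEET)),
            letters_only(low.strip(edges).translate(LEET))}


def find_sequence(password: str, run: int = 4) -> Optional[str]:
    """Return the first keyboard/counting run found inside the password."""
    low = password.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            if seq[i:i + run] in low:
                return seq[i:i + run]
    return None


def check_password(password: str, personal=PERSONAL) -> list:
    """Return the list of policy problems; an empty list means it passes."""
    problems = []
    low = password.lower()
    deleeted = low.translate(LEET)

    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    elif len(password) < STRONG_LENGTH:
        problems.append("shorter than 15 characters")

    # A single dictionary word is still one word when digits or punctuation
    # are bolted on or letters are swapped for look-alike symbols.
    if any(form in DICTIONARY for form in word_forms(low)):
        problems.append("single dictionary word")

    for item in personal:
        if item.lower() in low or item.lower() in deleeted:
            problems.append(f"contains personal detail '{item}'")

    seq = find_sequence(password)
    if seq:
        problems.append(f"contains common sequence '{seq}'")

    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")
    return problems


def is_strong(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    for pw in ("password", "Summer2024!", "Rover1983!", "Qwerty1234!!x",
               "DonteatSh@rkmeats0up", "Br1ngTwinPeaksB@ck"):
        print(f"{pw!r:24} -> {check_password(pw) or 'OK'}")
```

Note that the dictionary rule is applied to the password as a whole, not to every word inside it: a passphrase is made of dictionary words by design, and the post's objection is to a password that *is* a single word, however it is decorated.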

And then for each web application, or at least for each web application category, create a unique password, which might sound daunting. For example, you can use a single password for all low-security applications, such as reading online newspapers and accessing entertainment websites. But use another one for messaging and blogging, and then yet other ones for each financial application you register for. To make the password unique, you could incorporate (part of, like a couple of letters) the domain of the web application into your password.
But since your email address is probably used by all your online applications, you should have a single unique password for your email account, totally different from any of the other passwords! Lots of password retrieval methods involve sending the password (or a temporary password) to your email account, and you don't want any of the online applications (or the people behind them) to gain access to your email account, which contains references to all the applications you subscribe to.
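The reuse rules from the two paragraphs above (one password may serve a whole low-security category, financial accounts each get their own, and the email password is shared with nothing) as an audit over a list of accounts. This is an added example, not code from the original post; the account table is constructed for the demo, and in practice a check like this belongs inside a password manager, which already holds the per-site passwords.

```python
"""Audit a list of accounts against the per-category password scheme
described in the post above.

Added example, not the post's own code. The ACCOUNTS table is constructed
for the demo: the two "low" sites legitimately share a password, while the
bank, the payment site and the mailbox share one, which breaks two rules.
"""
from collections import defaultdict

# Constructed sample: (account, category, password).
ACCOUNTS = [
    ("news-site.example", "low",       "ReadAllAboutIt!2x"),
    ("videos.example",    "low",       "ReadAllAboutIt!2x"),
    ("chat.example",      "messaging", "Talk1ngH3ads-chat"),
    ("blog.example",      "messaging", "Talk1ngH3ads-blog"),
    ("bank.example",      "financial", "Br1ngTwinPeaksB@ck"),
    ("payments.example",  "financial", "Br1ngTwinPeaksB@ck"),
    ("mail.example",      "email",     "Br1ngTwinPeaksB@ck"),
]


def audit(accounts=ACCOUNTS) -> list:
    """Return (account, reason) pairs for every account breaking the scheme.

    Rules, in the order checked for each account:
      1. the email password may not be used anywhere else;
      2. a financial password may not be used anywhere else;
      3. any other password may only be shared inside its own category.
    """
    by_password = defaultdict(list)
    for site, category, pw in accounts:
        by_password[pw].append((site, category))

    violations = []
    for site, category, pw in accounts:
        others = [(s, c) for s, c in by_password[pw] if s != site]
        if not others:
            continue                      # unique password: nothing to report
        other_sites = ", ".join(s for s, _ in others)
        if category == "email":
            violations.append((site, f"email password is also used by {other_sites}"))
        elif category == "financial":
            violations.append((site, f"financial password is also used by {other_sites}"))
        elif any(c != category for _, c in others):
            violations.append((site, f"password is shared outside the "
                                     f"'{category}' category with {other_sites}"))
    return violations


if __name__ == "__main__":
    for site, reason in audit():
        print(f"{site:20} {reason}")
```

The rules are deliberately ordered from the account the post treats as most sensitive (email, because it is the recovery channel for everything else) downwards, so the report names the worst problem first for each shared password.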

And of course, don't share your passwords, don't write them down and stick them to your monitor, and don't keep them in your desk drawer. Don't give out your password over email. Don't type your password on devices you don't control, like public computers at the airport, library or internet cafe, or kiosks... They might contain keyloggers, logging your username and password.

You can test out your password's strength over at Microsoft's Password Checker.

References:
  • SANS Password Policy: http://www.sans.org/resources/policies/Password_Policy.pdf
  • Wikipedia, Password policy: http://en.wikipedia.org/wiki/Password_policy
  • GetSafeOnline: http://www.getsafeonline.org/
  • Bruce Schneier: http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300