With announcements this month from popular Web sites LinkedIn, eHarmony, and Last.fm that a significant number of user passwords may have been compromised, it’s a good time to ask yourself, “How secure are your passwords?” It’s also a good time to change your passwords on these Web sites, if you haven’t done so already.
Microsoft generally recommends using strong passwords that are at least fourteen characters long, using a mix of uppercase letters, lowercase letters, numbers, and symbols. They also recommend not using the same password for everything. If you use the same password for multiple online accounts, then when one account’s password is compromised, your other accounts also may be compromised. The old adage that “a chain is only as strong as its weakest link” applies to your online accounts. Whitson Gordon posted an interesting article yesterday on Lifehacker explaining the different methods that online service providers use to protect user passwords, and there are significant differences in the level of security that these companies may use.
If you’d like to see an interesting example of how long it may take a hacker to guess your password, Gibson Research Corporation has a useful Web site that estimates the time to search through the possible password character combinations. There is a brief video explanation on their Web site too. For example, an eight character password consisting of only lowercase letters may take up to 2.17 seconds to guess using an offline system that can guess 100 billion passwords per second. Changing that to an eight character password containing an equal number of lowercase letters, uppercase letters, numbers, and symbols results in up to 18.62 hours to guess the password. Changing that to a twelve character password containing an equal number of uppercase letters, lowercase letters, numbers, and symbols results in up to 174,000 years to guess the password. Please note that these estimates are based on the time it would take to try every possible combination of characters, and the password may be guessed before running through every possible combination. These estimates also are based on the number of uppercase letters, lowercase letters, numbers, and symbols that you enter (e.g., three of each type of character in my last example). But, a hacker generally won’t know the precise mix of characters that you used, so they may start by trying just lowercase letters and then add more complexity if that isn’t successful. And, if your password is one of the 470,000 or so words in the dictionary or one of the more commonly used passwords, it may take a hacker only a few seconds to guess your password.
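To make the arithmetic behind those figures visible, here is an added Python example (it is not code from the original post or from Gibson Research Corporation). It follows the counting convention the Haystack page appears to use: every candidate of length 1 up to the password length is counted, and the alphabet is 26 lowercase, 26 uppercase, 10 digits and 33 printable symbols (space included), which are assumptions; the 100 billion guesses per second rate and the 470,000-word dictionary size come from the text above. With those assumptions the two eight-character figures come out at exactly 2.17 seconds and 18.62 hours, and the twelve-character case comes to roughly 173,000 years with a 365.25-day year, in line with the page's rounded 174,000. The escalation order in `TIERS` (lowercase first, then adding classes) is a modelling assumption that mirrors the "start simple, add complexity" point, not a documented attacker strategy.

```python
# Added example: brute-force search-space estimator in the style of
# GRC's Password Haystack page. Alphabet sizes, the tier order and the
# guess rate are assumptions stated in the lead-in, not measured values.
import string

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33  # 33 = printable ASCII symbols incl. space
OFFLINE_RATE = 100_000_000_000                    # 100 billion guesses per second (from the text)
DICTIONARY_WORDS = 470_000                        # dictionary size quoted in the text
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed escalation order for an attacker who does not know the character mix.
TIERS = [
    ({"lower"}, LOWER),
    ({"lower", "upper"}, LOWER + UPPER),
    ({"lower", "upper", "digit"}, LOWER + UPPER + DIGITS),
    ({"lower", "upper", "digit", "symbol"}, LOWER + UPPER + DIGITS + SYMBOLS),
]


def search_space(alphabet: int, length: int) -> int:
    """Candidates of length 1..length: sum of alphabet**i (shorter guesses count too)."""
    return sum(alphabet ** i for i in range(1, length + 1))


def seconds_to_exhaust(alphabet: int, length: int, rate: int = OFFLINE_RATE) -> float:
    """Worst case: time to try every candidate. A real hit lands somewhere inside."""
    return search_space(alphabet, length) / rate


def classes(password: str) -> set:
    """Which character classes actually appear in the password."""
    found = set()
    for c in password:
        if c.islower():
            found.add("lower")
        elif c.isupper():
            found.add("upper")
        elif c.isdigit():
            found.add("digit")
        elif c in string.punctuation or c == " ":
            found.add("symbol")
    return found


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must cover once the classes in use are known."""
    sizes = {"lower": LOWER, "upper": UPPER, "digit": DIGITS, "symbol": SYMBOLS}
    return sum(sizes[k] for k in classes(password))


def escalating_cost(password: str, rate: int = OFFLINE_RATE) -> float:
    """Seconds spent by an attacker who walks TIERS in order, stopping at the
    first tier whose classes cover the password (assumed strategy)."""
    needed = classes(password)
    total = 0.0
    for tier_classes, alphabet in TIERS:
        total += seconds_to_exhaust(alphabet, len(password), rate)
        if needed <= tier_classes:
            break
    return total


def dictionary_seconds(rate: int = OFFLINE_RATE) -> float:
    """Time to try every word in a dictionary of DICTIONARY_WORDS entries."""
    return DICTIONARY_WORDS / rate


def describe(seconds: float) -> str:
    """Human-readable duration using the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:,.6f} seconds"


if __name__ == "__main__":
    # The three cases from the text, plus the dictionary case.
    print("8 lowercase:      ", describe(seconds_to_exhaust(LOWER, 8)))
    print("8 mixed classes:  ", describe(seconds_to_exhaust(95, 8)))
    print("12 mixed classes: ", describe(seconds_to_exhaust(95, 12)))
    print("dictionary word:  ", describe(dictionary_seconds()))
    # Constructed sample passwords (not real credentials) for the escalation model.
    for pw in ("password", "Password", "Tr0ub4dor&3"):
        print(f"{pw!r}: classes={sorted(classes(pw))}, "
              f"escalating cost={describe(escalating_cost(pw))}")
```

The worst-case numbers are upper bounds on an exhaustive search, as the text notes; the `escalating_cost` model shows why adding a single uppercase letter or symbol helps even when the attacker is willing to widen the alphabet, because every cheaper tier is paid for in full before the right one is reached.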
If you’re wondering how to remember all of the strong passwords you’ll need for each of your online accounts, consider using a popular software tool like LastPass, 1Password, KeePass, RoboForm, Keeper, etc. Look for a tool that is secure, easy to update, convenient to use, and portable so that it’s always with you (e.g., on a smartphone). If you use an encrypted electronic list, make sure you write down instructions for your fiduciaries so they can find it and access it if you are incapacitated or deceased (store the written instructions in a secure location like a safe deposit box, home safe, etc.).
One of my favorite features of LastPass and similar software tools is that they can integrate securely with my Web browser to automatically fill in my username and password (after I’ve typed in my master password when I first start my Web browser), so that I don’t need to manually type any of my “strong” passwords. LastPass and similar software tools also can generate “strong” passwords when you register for a new Web service or when you choose to change your password for a Web service—and they can fill in the new password automatically for you so you don’t make a typo.