Sunday, June 20, 2010

Online Password Tips And Tricks [In Pictures]


Outsmart Hackers

Forbes asked prominent security researchers and consultants for tips on creating passwords that keep your online accounts secure. Here's their advice.




Easy To Remember


Kevin Johnson, a senior security analyst at security consultancy firm InGuardians, says passwords don't have to be hard to remember, just hard to crack. He suggests typing a sentence with lots of words and including punctuation. Using enough words keeps the password sufficiently long while making it easier to type and remember.




Change It Up


Arbor Networks' Jose Nazario suggests changing your passwords more often based on the sensitivity of the content those accounts protect. He says accounts protecting financial information, for example, should have strong passwords that are changed often and are never reused.



Misspellings OK


Alexander Peslyak, chief technologist at security software company Openwall, suggests avoiding password phrases like "To be, or not to be" that appear elsewhere. Deliberately misspelling words can make passwords harder to crack too, he says.



Nothing Personal


Paul Judge, chief research officer at anti-spam company Barracuda's threat analysis lab, suggests staying away from using words and numbers that are dear to you--pets, significant others, your mother's maiden name, etc. That kind of information can be easy to find at sites like social networks, he says.



Scramble It

Cryptography Research's Paul Kocher suggests that if you need to write a password or PIN on a piece of paper, scramble the letters. He says even something as simple as swapping or adding digits can help prevent misuse.



Separate Passwords


Jeremiah Grossman, chief technologist at consultancy WhiteHat Security, notes that you wouldn't have the same key for your home, car and office--so don't keep the same password for different sites either. That way, he notes, if one account is compromised you won't give the attacker a foothold into the rest of your accounts.




Seek Help


Nate Lawson, president at Root Labs, suggests using a password manager like KeePass on Windows or 1Password on Macs to generate stronger passwords than you may be able to remember.



Add A Number

Rich Mogull, chief executive at analyst firm Securosis, says you should consider adding a number to the end of sentence-based password phrases for extra uniqueness.




Avoid Public Wi-Fi

Alex Sotirov, an independent security consultant, avoids public Wi-Fi and typing passwords into other people's machines in case a keylogger is installed. People can watch network traffic, he notes, and staying away from Wi-Fi points at places like Starbucks can squelch the opportunity for others to "sniff" out your passwords.




Lots Of Levels


Lookout Chief Technologist Kevin Mahaffey says that if you have to reuse passwords, only do so at unimportant sites. Having different levels of passwords will help prevent attackers from gaining a foothold into your entire online life.



Https

Cryptography Research's Kocher suggests making sure that you only log in on pages protected with SSL encryption. Look for the "s" in "https://" and you can decrease the likelihood that someone could sniff your password on an open network or public Wi-Fi access point. He says you'll also help protect yourself against phony Web sites and other phishing attempts.



Deceptively Strong


Openwall's Peslyak warns that cheap password management software can sometimes generate passwords that look strong but aren't. He also warns against the default passwords generated by many Web applications, which can also be weaker than they appear.




Write It Down

WhiteHat Security's Grossman says that it's much easier to secure a piece of paper than a computer. So if you need to write your passwords down, do it on a physical medium. This way bad guys have to be on the premises to steal them and can't reach into your computer from afar.



Archive It


Cryptography Research's Kocher suggests archiving important passwords so that friends and family can have access to your accounts in case tragedy strikes.



Replace It

Some people replace letters with numbers, and vice versa, in their passwords in hopes of making them more secure. So, instead of typing "replace," they type "r3plac3." Openwall's Peslyak says this doesn't always work because software can replace letters too, allowing a hacker to crack your password. Peslyak says you should use different numbers to replace a letter, e.g., "r7plac8" not "r3plac3."
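A password policy check can undo the same conventional substitutions that Peslyak says cracking software tries. The following is an added example, not from the article; the substitution table, the word list and the function names are assumptions chosen for illustration.

```python
# Added illustration: the mapping, word list and names below are assumptions,
# not taken from the article or from any particular tool.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample deny list; a real deployment would load a large
# dictionary or breached-password list instead.
COMMON_WORDS = {"replace", "password", "letmein", "tobeornottobe"}


def letters_only(text):
    """Lower-case the text and keep only its letters."""
    return "".join(ch for ch in text.lower() if ch.isalpha())


def normalize(candidate):
    """Undo the conventional digit/symbol substitutions, then keep letters."""
    return letters_only(candidate.lower().translate(LEET))


def rejection_reason(candidate):
    """Return why the candidate is rejected, or None if nothing matched.

    None means only that these checks found nothing, not that the
    password is strong.
    """
    variants = {
        "as typed": letters_only(candidate),
        "after undoing common substitutions": normalize(candidate),
        "after dropping trailing digits":
            normalize(candidate.rstrip("0123456789")),
    }
    for how, form in variants.items():
        if form in COMMON_WORDS:
            return f"matches common word '{form}' {how}"
    return None


if __name__ == "__main__":
    for sample in ["r3plac3", "r7plac8", "To be, or not to be", "passw0rd123"]:
        print(f"{sample!r}: {rejection_reason(sample) or 'no match in these checks'}")
```
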