Safe Passwords on the Internet – My Approach

We all know the situation: we discover another website that offers a nice feature, and all you have to do to sign up is enter your e-mail address and a password. And there we have it: a password.

You could use the password you use everywhere else, but together with your e-mail address this is enough information to read your e-mails and sign in to almost all your accounts on the internet. So you need to come up with a new password, one which you won’t forget but which is very hard (for a computer) to guess. This sounds like a contradiction, but it does not have to be one:
There are 10^20 different sequences of four words randomly chosen from a dictionary with 100’000 words in it. If we assume that a regular password has 100 possibilities for each character, you need 10 (random) characters for the same number of possibilities. What’s easier to remember, “HaoJtR+ki7” or “correcthorsebatterystaple”? What’s safer? “correcthorsebatterystaple” is safer, since there are more words in the English language than I used in the calculation (more than 170’000 in the Oxford Dictionary) and fewer than 100 characters are used in the “traditional” password (A-Z, a-z, 0-9 = 62, plus fewer than 38 special characters).
But with four random words per account, you need to remember 100 words with absolutely no context to protect 25 accounts. That’s still pretty hard, especially for accounts you use once in a blue moon.
That’s why I use PwdHash, a browser extension which generates a new password (a hash) based on the URL and the (master) password I enter. It’s still possible to find out my master password from the hash, but this takes too much time to figure out my password before I change the password again (e.g. every year). If you are in an Internet café you can generate your passwords on the PwdHash website, and there’s an app for Android.
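As an added example (not code from this post and not PwdHash’s own implementation), the keyspace comparison from above worked out in Python, together with a simplified per-site derivation in the spirit of what the extension does; the HMAC-SHA256 and base64 choices are my assumptions, not PwdHash’s actual algorithm or encoding.

```python
import base64
import hashlib
import hmac
import math


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of guessing entropy for `length` symbols drawn uniformly from an alphabet.

    A "symbol" is one character for a classic password and one whole
    dictionary word for a passphrase, so the same function covers both.
    """
    return length * math.log2(alphabet_size)


def compare_schemes() -> dict:
    """Reproduce the post's numbers plus the two corrections it mentions."""
    return {
        "4 words, 100'000-word dictionary": keyspace_bits(100_000, 4),
        "10 chars, 100 symbols each": keyspace_bits(100, 10),
        "10 chars, 62 alphanumerics only": keyspace_bits(62, 10),
        "4 words, 170'000-word dictionary": keyspace_bits(170_000, 4),
    }


def derive_site_password(master: str, domain: str, length: int = 16) -> str:
    """Per-site password from a master password and the site's domain.

    Assumption (mine, not PwdHash's): HMAC-SHA256 keyed with the master
    password over the lower-cased domain, base64-encoded and truncated.
    The same master password never reaches two sites in the same form,
    which is the point the post makes about PwdHash.
    """
    mac = hmac.new(master.encode(), domain.lower().encode(), hashlib.sha256).digest()
    # base64 yields letters, digits, '+' and '/', which most site rules accept.
    return base64.b64encode(mac).decode()[:length]


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:36s} {bits:5.1f} bits")
    # Constructed sample input; not a real master password.
    print(derive_site_password("correcthorsebatterystaple", "Example.com"))
```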
You could also use a service like LastPass, but they have also had security issues. A combination of both would be quite a good solution, but I have not yet found anything like this.
The most important points are:
  • Use PwdHash (or passwordmaker.org or a similar program); just don’t send the same password to more than one website.
  • Size does matter! The longer a password is, the harder it is to guess. If you use a sentence to remember a password, the whole sentence (passphrase) is safer than the password. (Unfortunately most websites have restrictions on password length. Yes, even some banks.)
  • Change your passwords regularly (for me it’s one of the first things I do every year). Keep a list of your accounts, so you don’t forget to change some passwords.
This all takes some effort, but so does wearing a seatbelt while driving a car. You wear it even though you hope you’ll never have an accident, but if you have one, you are glad you wore it. It’s the same with passwords: for a long time I used a (weak) single password almost everywhere, and I never had a problem with it. But I could have run into trouble at any time. In times of social networks, a compromised account not only exposes your own data but also private information about your friends.
And last but not least:

Passwords are like underwear: change them often, don’t let them lie around and don’t share them with friends (and others).


EDIT: this year I’ll give LastPass a try, even though I prefer PwdHash due to its decentralized, server-independent manner of functioning.
