Yesterday, eBay announced that the encrypted passwords and personal details of all 233 million of its users had been compromised in one of the largest security breaches of all time. What does that have to do with you at work? Well, if you use the same password for multiple accounts, as many people do, this or any other hacking incident could expose more than just your personal information: it could compromise your accounts at work, leading to potential security threats for your employer and career fallout for you.
Of course, we all know that we should be choosing unique passwords for each account. In theory, it makes perfect sense; in practice, it’s a nightmare to remember a different password for every social network, credit card, bank account, professional and personal email, and so on.
So how do you pick a unique password that you’ll also remember?
The Schneier Scheme
On his site, cryptographer and security expert Bruce Schneier offers a thorough explanation of how hackers’ software guesses passwords, but the short version is that it generally starts with a pronounceable root word plus an appendix. (Beginning, of course, with the ever-popular “password1”; Schneier reminds us that “password” itself was once the most popular password.) They also try various dictionaries — English, phonetic pronunciation, foreign languages — to determine roots.
If the hacker already has access to your address books, they might even be able to start with names of family members, significant others, and so on, to determine the root of the password, and if they can see your calendar, they can grab dates to try for the appendix.
“So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m.’ That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.”
The 100 Passwords in 1 Rule
Of course, the trickiest part of choosing a good password is that you don’t just have to do it the one time. In order to really be secure, you need a separate password for each account. Who can remember all that?
“You don’t need to remember 100 passwords if you have 1 rule set for generating them,” writes Gina Trapani at Lifehacker. “One way to generate unique passwords is to choose a base password and then apply a rule that mashes in some form of the service name with it. For example, you may use your base password with the first two consonants and the first two vowels of the service name. Say your base password is ‘asdf.’ (See how easy those keys are to type?) Then your password for Yahoo would be ASDFYHAO, and your password for eBay would be ASDFBYEA.”
If you use the Schneier Scheme to create a root password, and then append a different code for each site, you can create unique, memorable passwords that are tricky to hack — or, at least, trickier than the passwords chosen by the vast majority of internet users. And when it comes to picking passwords, sometimes not being the low-hanging fruit is the best you can do.
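As an added example (not from the article, Schneier, or Lifehacker), here is Trapani’s rule written out in Python, combined with a Schneier-style root the way the paragraph above suggests, plus a check of whether the per-site codes really come out unique across a list of services. Treating “y” as a consonant (which is what makes the quoted Yahoo/eBay examples work) and the handling of names with fewer than two vowels are my assumptions.

```python
from collections import defaultdict

VOWELS = set("aeiou")


def service_code(service: str) -> str:
    """Trapani's rule: first two consonants, then first two vowels of the
    service name, upper-cased. 'y' counts as a consonant (assumption that
    reproduces the quoted examples: Yahoo -> YHAO, eBay -> BYEA)."""
    letters = [c for c in service.lower() if c.isalpha()]
    consonants = [c for c in letters if c not in VOWELS]
    vowels = [c for c in letters if c in VOWELS]
    # Assumption (the article does not say): a short name such as "Xbox",
    # with only one vowel, yields a shorter code instead of failing.
    return "".join(consonants[:2] + vowels[:2]).upper()


def site_password(root: str, service: str) -> str:
    """Root (e.g. a Schneier-style sentence mangle) + per-site code.
    The root keeps its own case; only the appended code is upper-cased."""
    return root + service_code(service)


def find_collisions(services: list[str]) -> dict[str, list[str]]:
    """Check the 'unique password per site' claim: return every code that
    more than one service name maps to."""
    by_code: dict[str, list[str]] = defaultdict(list)
    for name in services:
        by_code[service_code(name)].append(name)
    return {code: names for code, names in by_code.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample service names, not taken from any real account list.
    services = ["Yahoo", "eBay", "Yahoo Mail", "Xbox"]
    for name in services:
        print(f"{name:11s} -> {site_password('tlpWENT2m', name)}")
    # "Yahoo" and "Yahoo Mail" share the code YHAO, so the rule alone does
    # not guarantee a different password for every service.
    print("collisions:", find_collisions(services))
```

Running the block shows the two Lifehacker examples reproduced (ASDF + YHAO, ASDF + BYEA) and that two similarly named services can end up with the same code, which is worth checking before relying on the rule for uniqueness.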
Tell Us What You Think
What’s your trick for choosing passwords? We want to hear from you! Leave a comment or join the discussion on Twitter.