Nov. 12 2009 3:06 PM

Fix Your Terrible, Insecure Passwords in Five Minutes

A foolproof technique to secure your online accounts before holiday shopping season.

Update, Dec. 17, 2010: Gawker Media's servers were hacked last weekend, potentially compromising the usernames and passwords of more than one million users. (You can use Slate's widget to check if your account was hacked.) Gawker has encouraged all of its users to change their passwords. Check out the piece below, originally published last year, for tips on how to create good passwords.

When the Gawker data was exposed, a lot of people were shocked to see the high incidence of incredibly weak passwords like 123456, qwerty, and, well, password. I think something is being overlooked here: It's perfectly valid to use 123456 as your Gawker password, because you won't suffer any major consequences if someone gets into your Gawker commenting account. (Unless, that is, you're an anonymous Vogue employee who spends all day complaining about Anna Wintour.) In fact, my piece on password strength below recommends this kind of behavior: You should create easy-to-remember passwords for sites that don't need to be secured, because you only have so much room in your head for strong passwords, and you should reserve those for important sites.

The danger comes when people use the same, easy-to-crack passwords for Gawker and online banking sites. In that case, you're in trouble if any of the sites you look at regularly gets hacked—once they've got Gawker, they've got your bank account. For advice on how to avoid that fate, read my original article below.

Illustration by Robert Neubecker.

It's tempting to blame the victim. In May, a twentysomething French hacker broke into several Twitter employees' e-mail accounts and stole a trove of meeting notes, strategy documents, and other confidential scribbles. The hacker eventually gave the stash to TechCrunch, which has since published notes from meetings in which Twitter execs discussed their very lofty goals. (The company wants to be the first Web service to reach 1 billion users.) How'd the hacker get all this stuff? Like a lot of tech startups, Twitter runs without paper—much of the company's discussions take place in e-mail and over shared Google documents. All of these corporate secrets are kept secure with a very thin wall of protection: the employees' passwords, which the intruder managed to guess because some people at Twitter used the same passwords for many different sites. In other words, Twitter had it coming. The trouble is, so do the rest of us.

Your passwords aren't very secure. Even if you think they are, they probably aren't. Do you use the same or similar passwords for several different important sites? If you don't, pat yourself on the back; if you do, you're not alone—one recent survey found that half of people online use the same password for all the sites they visit. Do you change your passwords often? Probably not; more than 90 percent don't. If one of your accounts falls to a hacker, will he find enough to get into your other accounts? For a scare, try this: Search your e-mail for some of your own passwords. You'll probably find a lot of them, either because you've e-mailed them to yourself or because some Web sites send along your password when you register or when you tell them you've forgotten it. If an attacker manages to get into your e-mail, he'll have an easy time accessing your bank account, your social networking sites, and your fantasy baseball roster. That's exactly what happened at Twitter. (Here's my detailed explanation of how Twitter got compromised.)

Everyone knows it's bad to use the same password for different sites. People do it anyway because remembering different passwords is annoying. Remembering different difficult passwords is even more annoying. Eric Thompson, the founder of AccessData, a technology forensics company that makes password-guessing software, says that most passwords follow a pattern. First, people choose a readable word as a base for the password—not necessarily something in Webster's but something that is pronounceable in English. Then, when pressed to add a numeral or symbol to make the password more secure, most people add a 1 or ! to the end of that word. Thompson's software, which uses a "brute force" technique that tries thousands of passwords until it guesses yours correctly, can easily suss out such common passwords. When it incorporates your computer's Web history in its algorithm—all your ramblings on Twitter, Facebook, and elsewhere—Thompson's software can come up with a list of passwords that is highly likely to include yours. (He doesn't use it for nefarious ends; AccessData usually guesses passwords under the direction of a court order, for military purposes, or when companies get locked out of their own systems—"systems administrator gets hit by a bus on the way to work," Thompson says by way of example.)

Security expert Bruce Schneier writes about passwords often, and he distills Thompson's findings into a few rules: Choose a password that doesn't contain a readable word. Mix upper and lower case. Use a number or symbol in the middle of the word, not on the end. Don't just use 1 or !, and don't use symbols as replacements for letters, such as @ for a lowercase A—password-guessing software can see through that trick. And of course, create unique passwords for your different sites.
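The pattern Thompson describes (a readable word with a 1 or ! tacked on the end, or with @ swapped in for a) and the rules Schneier distills from it can be turned into a simple self-check. The code below is an added example for this article, not something from Slate, Schneier or AccessData; the short word list is constructed for the demonstration and stands in for a real dictionary, and the leet-substitution table is an assumption about which swaps a guessing tool would undo.

```python
import re
import string

# Constructed stand-in for a real dictionary (an assumption of this example);
# a real check would load a full word list.
COMMON_WORDS = {"password", "bagel", "airport", "cadillac", "lemon", "toyota",
                "welcome", "summer", "monkey", "dragon", "letmein", "qwerty"}

# Symbol-for-letter swaps that guessing software undoes before matching words.
# Which swaps matter is an assumption; these are the usual ones.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize_leet(pw):
    """Lower-case the password and undo @->a style substitutions."""
    return pw.lower().translate(LEET_MAP)


def contains_word(pw, words=COMMON_WORDS, min_len=4):
    """True if a dictionary word appears, even when spelled with symbols."""
    text = normalize_leet(pw)
    return any(w in text for w in words if len(w) >= min_len)


def check_password(pw, words=COMMON_WORDS):
    """Return the list of Schneier's rules the password violates (empty = passes)."""
    problems = []
    if contains_word(pw, words):
        problems.append("contains a readable word (even after undoing @->a style swaps)")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("does not mix upper and lower case")
    inner = pw[1:-1]  # everything except the first and last character
    if not any(c.isdigit() or c in string.punctuation for c in inner):
        problems.append("no number or symbol in the middle")
    if re.fullmatch(r"[A-Za-z]+[1!]", pw):
        problems.append("is just a word with 1 or ! tacked on the end")
    return problems


def reused_passwords(by_site):
    """Map each password used on more than one site to the sites sharing it
    (the 'unique password per site' rule)."""
    sites = {}
    for site, pw in by_site.items():
        sites.setdefault(pw, []).append(site)
    return {pw: s for pw, s in sites.items() if len(s) > 1}


if __name__ == "__main__":
    for candidate in ["Cadillac1", "B@gel!", "password", "Ilteb@ta"]:
        print(candidate, "->", check_password(candidate) or "passes")
    # Constructed sample of one person's accounts.
    print(reused_passwords({"gawker": "123456", "bank": "123456", "mail": "Ilteb@ta"}))
```

Run it and Cadillac1 fails three rules at once, B@gel! fails only the readable-word rule (the @ is undone before matching), and the article's own Ilteb@ta passes every check. The reuse check is the one that would have caught the Gawker-plus-bank problem described above.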


That all sounds difficult and time-consuming. It doesn't have to be. In Schneier's comment section, I found a foolproof technique to create passwords that are near-impossible to crack yet easy to remember. Even better, it'll take just five minutes of your time. Ready?

Start with an original but memorable phrase. For this exercise, let's use these two sentences: I like to eat bagels at the airport and My first Cadillac was a real lemon so I bought a Toyota. The phrase can have something to do with your life or it can be a random collection of words—just make sure it's something you can remember. That's the key: Because a mnemonic is easy to remember, you don't have to write it down anywhere. (If you can't remember it without writing it down, it's not a good mnemonic.) This reduces the chance that someone will guess it if he gets into your computer or your e-mail. What's more, a relatively simple mnemonic can be turned into a fanatically difficult password.

Which brings us to Step 2: Turn your phrase into an acronym. Be sure to use some numbers and symbols and capital letters, too. I like to eat bagels at the airport becomes Ilteb@ta, and My first Cadillac was a real lemon so I bought a Toyota is M1stCwarlsIbaT.

That's it—you're done. These mnemonic passwords are hard to forget, but they contain no guessable English words. You can even create pass phrases for specific sites that are coded with a hint about their purpose. A sentence like It's 20 degrees in February, so I use Gmail lets you set a new Gmail password every month and still never forget it: i90diSsIuG for September, i30diMsIuG for March, etc. (These aren't realistic temperatures; they're the month-number multiplied by 10.)
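Both steps of the technique, plus the monthly Gmail variation, can be written down as a repeatable procedure. The code below is an added example and not part of the original article: it takes the first character of each word, keeps whole numbers, and applies a small table of whole-word swaps. That table is an assumption chosen so the output matches the article's own examples (at becomes @, first becomes 1st, and the leading It's becomes a lowercase i); with a different table you get different, equally memorable passwords.

```python
# Whole-word swaps applied before taking initials. This table is an assumption
# of the example, picked to reproduce the article's passwords exactly.
SUBSTITUTIONS = {"at": "@", "first": "1st", "It's": "i"}

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]

# The article's site-specific phrase, with the temperature and month as slots.
GMAIL_TEMPLATE = "It's {temp} degrees in {month}, so I use Gmail"


def mnemonic_password(phrase, substitutions=SUBSTITUTIONS):
    """Step 2 of the article: turn a memorable phrase into an acronym.

    Each word contributes its first character (capitalization as written),
    whole numbers are kept intact, and words in `substitutions` are replaced
    by their symbol/number form.
    """
    out = []
    for word in phrase.split():
        bare = word.strip(",.;:!?")  # "February," -> "February"
        if not bare:
            continue
        if bare in substitutions:
            out.append(substitutions[bare])
        elif bare.isdigit():
            out.append(bare)  # e.g. the "temperature" 90
        else:
            out.append(bare[0])
    return "".join(out)


def monthly_password(template, month, substitutions=SUBSTITUTIONS):
    """The rotating variant: the 'temperature' is the month number times 10."""
    if not 1 <= month <= 12:
        raise ValueError("month must be 1..12")
    phrase = template.format(temp=month * 10, month=MONTHS[month - 1])
    return mnemonic_password(phrase, substitutions)


if __name__ == "__main__":
    print(mnemonic_password("I like to eat bagels at the airport"))            # Ilteb@ta
    print(mnemonic_password("My first Cadillac was a real lemon so I bought a Toyota"))  # M1stCwarlsIbaT
    for m in (9, 3):
        print(MONTHS[m - 1], monthly_password(GMAIL_TEMPLATE, m))
```

The function exists only to make the procedure repeatable; the strength comes from the phrase being yours and the swap table being your own choice, neither of which needs to be written down. The twelve monthly variants are all distinct because the temperature slot differs each month.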
