For the security-conscious among you, this is likely old hat (and not a talking one, either). For the rest of you, please read on.
This lovely article was recently passed to me by a co-worker under the title "Why IT wants us to have good passwords." It is a blog post that explains how weak passwords can be hacked, how weak or nonexistent protection/encryption schemes for stored passwords do not serve us, and how the author could hack his way into our bank accounts and confidential information if he so desired.
Summary (from the blog entry):
- Passwords matter, even those that you might think wouldn't
- Use different passwords for every account
- Ensure that none of your passwords are weak or easy to hack
- More accounts (and associated credentials) matter than you think
What I do personally is put access to various things (and thus the credentials associated with those things) into these criticality classes:
- Worthless: If these accounts are compromised, it is hard to see how it could harm me. Examples: the password I use for the Wall Street Journal's free online access; the accounts I use for read-only access to on-line personals sites.
- Important: If these accounts are compromised, it could be very troublesome. Examples: primary blogging account; paid accounts on various on-line services; eBay account; participatory accounts on various on-line communities.
- Critical: If these accounts are compromised, it could lead to serious problems. Examples: work email account, personal email account, work VPN access; access to personal server machine, laptop or home network; PayPal account; on-line banking access, etc. More things are critical than you think.
The passwords for each of the criticality classes must be quite distinct. Here are the rules I recommend:
- Worthless: I might use all the same password, and it might be as poor a password as 'iamsocool'.
- Important: I would definitely not use the same password for all accounts, though I might use a set of passwords all derived from the same root. Examples: '2bsewg00d71' and '7csewg00d93'.
- Critical: I would use entirely different passwords for each account. These passwords might look like '53v5hdx4', 'qgh24xv5', etc. Or instead of being random, they can just look random, but be much easier to remember. For example, here is a password based on a phrase: 'when I was five i liked to roller skate'. That password could look like 'wIw5IL2rs'.
In general, all passwords should be at least seven characters long, none should be dictionary words (in any language), all should include both letter and number characters, and all should be personally memorable, while not being based on birth-dates, SSNs, pet or significant-other names, and none should have to be written down. Paradoxically, the activities that have the highest criticality are those for which you want to use the most obscured passwords, and so those are the ones you are most likely to write down. Please don't succumb to this temptation.
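As an added example (not part of the original post), here is a small Python audit that applies the rules above to a constructed set of accounts: it checks each password against the stated minimum (seven characters, letters and digits, not a dictionary word) and flags password reuse that crosses criticality classes or touches a critical account. The word list and the account names are assumptions made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a real dictionary; a real audit would load a full
# word list (in every language the post warns about).
DICTIONARY = {"password", "welcome", "roller", "skate", "letmein"}

# Account name -> (criticality class, password). Constructed sample data that
# reuses the post's own example passwords.
SAMPLE_ACCOUNTS: Dict[str, Tuple[str, str]] = {
    "wsj":       ("worthless", "iamsocool"),
    "personals": ("worthless", "iamsocool"),
    "blog":      ("important", "2bsewg00d71"),
    "ebay":      ("important", "7csewg00d93"),
    "work_mail": ("critical",  "wIw5IL2rs"),
    "paypal":    ("critical",  "wIw5IL2rs"),   # critical password reused
    "bank":      ("critical",  "iamsocool"),   # worthless password on a critical account
}

def password_problems(pw: str, min_len: int = 7) -> List[str]:
    """Return the rules from the post that this password violates (empty means ok)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[A-Za-z]", pw) or not re.search(r"[0-9]", pw):
        problems.append("must mix letters and digits")
    if pw.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    return problems

def audit(accounts: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Per-account findings: weak passwords plus reuse across classes or on critical accounts."""
    findings = {name: password_problems(pw) for name, (_, pw) in accounts.items()}
    by_pw: Dict[str, List[Tuple[str, str]]] = {}
    for name, (cls, pw) in accounts.items():
        by_pw.setdefault(pw, []).append((name, cls))
    for users in by_pw.values():
        if len(users) < 2:
            continue                      # unique password: nothing to flag
        classes = {cls for _, cls in users}
        for name, cls in users:
            if cls == "critical":
                findings[name].append("critical password reused on another account")
            if len(classes) > 1:
                findings[name].append("password shared across criticality classes")
    return findings

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_ACCOUNTS).items():
        print(f"{account:10s} {'; '.join(issues) or 'ok'}")
```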