Passwords
 
With growing concern over electronic security, and laws like HIPAA that require it, using "strong passwords" is a must. A "strong password" is one that is difficult to guess or crack. Using them helps protect your own data from theft, as well as your clients' data if you work in a health-care related field.

This matters all the more given the ease with which hackers obtain and run "cracking programs": programs that try to break into a password-protected system by having a computer enter word after word after word…. The most basic method is "brute force": the program simply tries password after password after password until one works. Most of this guessing is done offline, against a stolen copy of the hashed password file, so lockouts and delays at the login screen do not slow it down.

Below are some tips for creating and using passwords which I have gathered from around the web.

1) Some "DO NOT" points:
 
use obvious passwords, like your first name, your birthdate, your phone number, your account name, your boyfriend's name, or the name you have started calling your ex-boyfriend… because a cracker who knows even a little about you will try these kinds of passwords first, before resorting to brute force

write your password on a post-it note and leave it at your desk, since this is the first place someone at your computer would look. If you must write it down, use a password saving program such as PassSafe at http://www.counterpane.com/passsafe.html, which lets you remember one password that gives you access to all your others

let a website or browser save your password for you, as a hacker, virus, or trojan horse program on your machine can recover these stored passwords easily

use the same password everywhere, as a hacker who obtains one of them (for instance from a breached site) then has them all

use "keyboard words" like "qwerty" or "asdfgh" (the first six characters of the first and second letter rows of the keyboard); these are in every cracking dictionary

Some "DO" points:

2) DO use at least eight characters, and mix different kinds of characters. For example, if you use a five-character password made of all lowercase letters, the maximum number of passwords a cracking program must try is:

     26 x 26 x 26 x 26 x 26 = 11.9 million possible passwords

That's 26 possible letters for the first letter, multiplied by 26 possible letters for the second, multiplied by 26… or 26 raised to the fifth power.

That sounds like a lot, I know, but a cracking program on ordinary hardware exhausts this in minutes at most. Imagine though that you used eight letters instead of only five. This would yield:

     26 x 26 x 26 x 26 x 26 x 26 x 26 x 26 =
     208.8 billion possibilities

Suppose that you also used uppercase and lowercase letters, so that "Happiest" was different from "happiest", which was different from "haPpiest", etc. This would increase the number of possible eight-character passwords to 52 raised to the eighth power, or 53,459,728,531,456 (53.5 trillion). Still a lot, but not out of reach.

Imagine that you included numbers, or substituted numbers for letters: "William" could become "W1ll1am", with ones in place of the i's. This is better, but still not as good as including special characters such as ()!@#$%^&*-_. Adding both the ten digits and these 12 special characters gives 22 more possible characters, 74 in all, raising the number of possible eight-character passwords to 74 raised to the eighth power, or 899,194,740,203,776 (899.2 trillion). Exhausting this would take a very long time, though, as the next point shows, an attacker rarely has to.

3) So, you're thinking a bad password would be your daughter's name, and a good password might be "BaSeBaLl4$". After all, it has lowercase and uppercase letters, numbers, and at least one of the special symbols. It's not a bad password, but "baseball" is a common word.

Most cracking programs do not start with "aaaaaaaa", then "aaaaaaab", "aaaaaaac", "aaaaaaad", and so on. They start by trying the 25,000 or so words in a dictionary, then those words backwards, then the same words with number substitutions for letters (1's for l's, 3's for b's, 4's for a's, and so on), then with symbol substitutions for letters (('s for c's, !'s for i's, $'s for s's, that kind of thing). They also try common phrases like "iamcool" and "damnpasswords", forwards and backwards, as well as words and phrases from other languages, and they append and prepend digits and symbols to all of these.

Thus, your "baseball" password would be discovered early. Only if all those word- and phrase-based candidates fail does the cracking program move on to the non-word combinations of characters, which is far more time consuming. You might be thinking, "Even if my 'baseball' password is easier to crack, it would still take hours, wouldn't it, so I'm still safe?" Well… a cracking program can be started at 10PM and left running against a copy of the password file until 6AM, and thus has "worked" for 8 hours while the hacker slept like a baby. Against a mangled dictionary, eight hours is thousands of times more than it needs.
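The arithmetic in point 2 and the dictionary attack in point 3 can be run against any candidate password. The following is an added example (not code from the original article): it computes the keyspace the way the article does, from whichever of the 26 lowercase, 26 uppercase, 10 digit and 12 special characters the password actually uses, and then runs a miniature rule-based dictionary attack using the mangling rules listed above. The six-word wordlist, the substitution tables and the guess rate of a billion guesses per second are constructed for illustration; a real cracker has hundreds of thousands of words and far more rules.

```python
"""Added example, not code from the original article: a small checker that
runs the two attacks the article describes against a candidate password.

1. Keyspace arithmetic: the alphabet size implied by the character classes
   the password actually uses (26, 52, 62 or 74 as the article counts them),
   raised to the password's length.
2. A miniature dictionary attack with the mangling rules the article lists:
   each word forward and reversed, digit-for-letter and symbol-for-letter
   substitutions, capitalization variants, and short digit/symbol suffixes.

The wordlist, substitution tables and guess rate are constructed for
illustration (a real cracker has far more words and rules)."""
import itertools
import string

SPECIALS = "()!@#$%^&*-_"          # the 12 special characters the article counts
OTHER_PUNCT = "".join(sorted(set(string.punctuation) - set(SPECIALS)))

# Constructed stand-in for a real 25,000-word dictionary.
WORDLIST = ["baseball", "stephanie", "password", "william", "iamcool", "happiest"]

# Substitution tables built from the article's examples (1 for l/i, 3 for b, 4 for a ...)
LEET_DIGITS = {"l": "1", "i": "1", "b": "3", "e": "3", "a": "4", "o": "0", "s": "5"}
LEET_SYMBOLS = {"c": "(", "i": "!", "s": "$", "a": "@"}


def charset_size(pw: str) -> int:
    """Alphabet size a brute-force search must cover, given the classes present."""
    size = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits,
                SPECIALS, OTHER_PUNCT):
        if any(c in cls for c in pw):
            size += len(cls)
    return size


def keyspace(pw: str) -> int:
    """Number of passwords of this length over this alphabet (the article's 26**5 etc.)."""
    return charset_size(pw) ** len(pw)


def seconds_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Worst-case brute-force time; on average the attacker finishes in about half of it."""
    return keyspace(pw) / guesses_per_second


def _substitute(word: str, table: dict) -> str:
    return "".join(table.get(c, c) for c in word)


def mangled(word: str):
    """Yield the variants a rule-based cracker tries for one dictionary word."""
    bases = [word, word[::-1]]                       # forward and backwards
    for base in list(bases):                         # digit and symbol substitutions
        bases += [_substitute(base, LEET_DIGITS), _substitute(base, LEET_SYMBOLS)]
    for base in list(bases):                         # capitalization variants
        alternating = "".join(c.upper() if i % 2 == 0 else c for i, c in enumerate(base))
        bases += [base.capitalize(), base.upper(), alternating]
    seen = set()
    for base in bases:
        if base in seen:
            continue
        seen.add(base)
        yield base
        for n in (1, 2):                             # suffixes such as "4" or "4$"
            for suffix in itertools.product(string.digits + SPECIALS, repeat=n):
                yield base + "".join(suffix)


def dictionary_attack(pw: str, wordlist=WORDLIST):
    """Return (found, guesses): whether pw falls to the mangled wordlist, and after how many tries."""
    guesses = 0
    for word in wordlist:
        for candidate in mangled(word):
            guesses += 1
            if candidate == pw:
                return True, guesses
    return False, guesses


if __name__ == "__main__":
    RATE = 1e9   # assumed offline guess rate (guesses per second), for illustration only
    for pw in ["happiest", "BaSeBaLl4$", "TtOsBt_2003"]:
        found, guesses = dictionary_attack(pw)
        years = seconds_to_exhaust(pw, RATE) / (365 * 86400)
        print(f"{pw:12} charset={charset_size(pw):2} keyspace={keyspace(pw):.3g} "
              f"brute-force worst case={years:.3g} years  "
              f"dictionary={'found after %d guesses' % guesses if found else 'not found'}")
```

At the assumed rate, the eight-lowercase-letter keyspace is exhausted in under four minutes and the 74-character, ten-position keyspace of "BaSeBaLl4$" would take about 156 years, yet "BaSeBaLl4$" falls to the toy wordlist in well under a hundred thousand guesses, which is effectively instant. "TtOsBt_2003" survives the dictionary pass because no mangling of a dictionary word produces it.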

Thus, something tougher is needed. So what do you do?

Try a password like "TtOsBt_2003". This looks tough but isn't hard to remember: it is the first letter of each word in the phrase "To Thine Own Self Be True" with every other letter capitalized, an underscore, and the year I started my new job. It is 11 characters drawn from the 74-character set above, so there are 74 to the 11th power, about 364 quintillion, possibilities (even at ten characters, 74 to the tenth is 4,923,990,397,355,877,376, about 4.9 quintillion). More importantly, "ttosbt" is not a dictionary word, so the dictionary pass will not find it. One caveat: crackers also build candidates from the initial letters of famous quotations, so the phrase behind a password like this is safer if it is personal rather than borrowed from Shakespeare. What about when you have to change the password? Try "OhWeEr_3114", which is the second letter of each word in the same phrase, an underscore, and the year I started my new job with a 1 added to each digit. See?

Instead of "Stephanie", your daughter's name, how about "DrN!Rm338@4:47AM". It includes upper and lower case letters, numbers and special characters, and is 16 characters long. Remember it as: Dr. Nelson was the doctor who came right away (!) to Room 338 to deliver your daughter, who was born at 4:47AM. At 16 characters over the 74-character set there are 808,551,180,810,136,214,718,004,658,176 possibilities, about 8 × 10^29 (and more, since ":" is not among the 12 specials counted above). There are fewer stars in the universe…. This is as close to uncrackable by guessing as you'll likely get; the realistic threats to a password like this are reuse, phishing, and malware on the machine you type it on.

Try a password like "cOOpEr+1905=fOrd", which is also 16 characters. "Cooper" is my grandmother's maiden name, 1905 is my grandfather's birth year, and Ford is my dad's favorite truck. All the vowels are capitalized and the consonants are lower case. Note that each piece on its own is exactly the kind of personal detail point 1 warns against; the strength comes from the combination and the capitalization rule, not from any one part, so choose details that are not easy to look up.

A University of Chicago security page at https://security.uchicago.edu/docs/userpassword.shtml offers a great suggestion: create levels of passwords based on what the password protects. Passwords for configuration settings for a web site or program are less important, and may get one level, while passwords for your email program and bank account get another.

"Consider your password as multiple parts: a central core of the password and a prefix and/or suffix which is specific to the service that is being protected.

For example, your core might be "gPw4", from "generic Password 4 (for)…"

If this password is to be a password for the New York Times Web Site, you might choose to add "NYt" to the beginning of the password and 'n' (for 'news') to the end. This would make your password: NYtgPw4n. Your password for eBay might be eBgPw4A ('A' for 'auctions')."

Extending that idea, you might use "4s&7yA" as a prefix, "Ofb4Utc" as a suffix, and whatever the password is for in between. That's "4 score & 7 years Ago", another word, then "Our fathers brought 4th Upon this continent", with the vowels capitalized and the consonants lower case. So my BankOne password might be "4s&7yAbank1Ofb4Utc", which has 18 characters. Against guessing, this is as close to uncrackable as you are likely to get. The weakness of any prefix/core/suffix scheme is different: if two of your site passwords leak (from breached sites, say), the shared part stands out, and the rest is derived from the site name, so the attacker can guess your other passwords with a few hundred tries instead of trillions. Keep the site-specific part unpredictable, and treat a leak of one such password as a leak of the whole family.
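To see why a fixed prefix/core/suffix pattern is fragile, here is an added example (not code from the article or from the quoted University of Chicago page). It takes two passwords an attacker might recover from breached sites, extracts their shared core as the longest common substring, and then enumerates guesses for a third site built from short, site-derived prefixes and optional one-letter suffixes around that core. The two "leaked" passwords are the quoted page's own illustrations, and the Amazon target with password "AmgPw4s" is a constructed, hypothetical example.

```python
"""Added example, not from the article or the quoted University of Chicago
page: why a fixed prefix/core/suffix scheme leaks. Given two passwords
recovered from breached sites, the shared core is their longest common
substring, and the guesses for a third site are that core wrapped in short
site-derived prefixes and suffixes. The "leaked" passwords are the quoted
page's own illustrations; the Amazon target is a constructed example."""
import string


def longest_common_substring(a: str, b: str) -> str:
    """Standard dynamic-programming longest common substring (O(len(a) * len(b)))."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def recover_core(leaked: list) -> str:
    """Shared core across every leaked password (empty string if there is none)."""
    core = leaked[0]
    for pw in leaked[1:]:
        core = longest_common_substring(core, pw)
    return core


def guess_candidates(core: str, site: str) -> list:
    """Prefixes from the first 2-3 letters of the site name in common casings,
    the recovered core, and an optional one-letter suffix: a few hundred
    guesses instead of the 74**8 a blind brute force would face."""
    stems = {site[:n] for n in (2, 3)}
    prefixes = set()
    for s in stems:
        prefixes.update({s, s.lower(), s.upper(), s.capitalize()})
    suffixes = [""] + list(string.ascii_letters)
    return [p + core + x for p in sorted(prefixes) for x in suffixes]


if __name__ == "__main__":
    leaked = ["NYtgPw4n", "eBgPw4A"]        # the quoted page's example passwords
    core = recover_core(leaked)
    guesses = guess_candidates(core, "Amazon")   # hypothetical third site
    print(f"recovered core {core!r}; {len(guesses)} guesses for Amazon, e.g. {guesses[:3]}")
```

From "NYtgPw4n" and "eBgPw4A" the core "gPw4" drops out immediately, and the 318 candidates for the hypothetical third site include "AmgPw4s". The lesson is not that the scheme is useless, but that its per-site part must not be derivable from the site name once the core is known.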

4) Change your passwords when you have any reason to think one has been exposed, and periodically for the accounts that matter most. Do not use two passwords and simply alternate between them. If coming up with new ones is too hard, come up with twelve strong passwords, store them in a password saving program, and cycle through them. Be aware of what cycling means, though: if you change monthly, a thief who captures one need only wait until it comes back around a year later, so never reintroduce a password you suspect was stolen. Current guidance (NIST SP 800-63B) favors changing passwords on evidence of compromise rather than on a fixed schedule, because forced rotation tends to produce weaker, more predictable passwords.

5) Last, do not use any passwords you see in articles about safe passwords, including the ones in this one. A hacker who can feed a 25,000-word dictionary to a cracking program can just as easily scrape 100 web pages on password security and add every example password in them.

Check out http://www.securitystats.com/tools/password.asp to see how tough it would be to break your password. Never type a real password into a third-party checker; test one built the same way instead, since anything you submit may be logged.