2) DO use at least eight characters, as well as different kinds of characters. For example, if you use a five-character password made of all lowercase letters, the maximum number of passwords a cracking program must try is computed as follows:
26 x 26 x 26 x 26 x 26 = 11.9 million possible passwords
That's 26 possible letters for the first letter, multiplied by 26 possible letters for the second, multiplied by 26 for each of the remaining three, or 26 raised to the fifth power.
That sounds like a lot, I know, but some computer cracking programs could crack this in a few minutes. Imagine though that you used eight letters instead of only five. This would yield:
26 x 26 x 26 x 26 x 26 x 26 x 26 x 26 = 208.8 billion possibilities
Now suppose that you also used uppercase and lowercase letters, so that "Happiest" was different from "happiest", which was different from "haPpiest", etc. This would increase the number of possible passwords even further, to 52 raised to the eighth power, or 53,459,728,531,456, or 53.5 trillion. Still a lot, but not impossible to crack.
Imagine that you included numbers, or substituted numbers for letters. "William" could become "W1ll1am", with 1's substituting for the I's. This is better, but still not as good as including special characters such as ()!@#$%^&*-_. Adding both numbers and these 12 special characters would add 22 more possible characters, raising the number of possible passwords to 74 raised to the eighth power, or 899,194,740,203,776, or 899.2 trillion. Cracking this would take a very long time.
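The arithmetic above can be made reusable. The following Python is an added example, not code from the original article: it applies the article's counting method to any password by noting which character classes appear, summing their sizes to get the alphabet, and raising that to the password's length, so it goes beyond the article's fixed cases. The guess rate passed to brute_force_seconds is an assumption the caller supplies (real rates depend on the hash algorithm and hardware), and a character-class count says nothing about whether the password is a dictionary word, which the next point covers.

```python
import math

# Character classes used in the article's keyspace arithmetic. The special
# characters are the 12 the article lists: ()!@#$%^&*-_
CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "special": "()!@#$%^&*-_",
}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume, following the article's method.

    Every class that appears anywhere in the password is assumed possible at
    every position, so one digit in an otherwise lowercase password raises the
    alphabet from 26 to 36. Characters outside the four classes (':' or '+',
    for instance) each add one extra symbol.
    """
    seen = set()
    extras = set()
    for ch in password:
        for name, chars in CLASSES.items():
            if ch in chars:
                seen.add(name)
                break
        else:
            # No class matched: count the character as one extra symbol.
            extras.add(ch)
    return sum(len(CLASSES[name]) for name in seen) + len(extras)


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidates of exactly `length` symbols drawn from `alphabet`."""
    return alphabet ** length


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: the usual way to compare passwords of different shapes."""
    return math.log2(keyspace(alphabet_size(password), len(password)))


def brute_force_seconds(password: str, guesses_per_second: float) -> float:
    """Seconds to exhaust the whole keyspace at an assumed guess rate.

    The rate is an assumption supplied by the caller (it depends on the hash
    algorithm and the attacker's hardware). On average the password is found
    halfway through, so the expected time is half of this value.
    """
    return keyspace(alphabet_size(password), len(password)) / guesses_per_second


if __name__ == "__main__":
    # Reproduce the article's figures, then compare the example passwords it gives.
    for alphabet, length in ((26, 5), (26, 8), (52, 8), (74, 8)):
        print(f"{alphabet}^{length} = {keyspace(alphabet, length):,}")
    for pw in ("happiest", "Happiest", "W1ll1am", "BaSeBaLl4$", "TtOsBt_2003"):
        print(f"{pw:14} alphabet={alphabet_size(pw):3}  bits={entropy_bits(pw):5.1f}  "
              f"exhaust@1e9/s={brute_force_seconds(pw, 1e9):.3g}s")
```

Running the script prints the four figures from the text and a line per sample password; the 1e9 guesses/second rate in the demo is a placeholder, and the bit count is what you would compare against a policy threshold.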
3) So, you're thinking a bad password would be your daughter's name, and a good password might be "BaSeBaLl4$". After all, it has lowercase and uppercase letters, numbers, and at least one of the special symbols. It's not a bad password, but "baseball" is a common word.
Most cracker programs do not start breaking into a program with "aaaaaaaa", followed by "aaaaaaab", "aaaaaaac", "aaaaaaad", etc., but rather start by simply plugging in the 25,000 or so words in a dictionary, then all these words backwards, then all these words over again with number substitutions for letters (e.g., 1's for L's, 3's for B's, and 4's for A's), then with symbol substitutions for letters (like ('s for C's, !'s for I's, $'s for S's, that kind of thing). They also include common phrases like "iamcool" and "damnpasswords" forwards and backwards, as well as words and phrases from other languages. Thus, your "baseball" password would be discovered pretty early.
If all those real-word and phrase-based passwords fail, then the cracker program must go on to the non-word combinations of characters, which is far more time consuming. You might be thinking, "Well, even if my 'baseball' password is easier to crack, it would still take hours to crack, wouldn't it, so I'm still safe?" Well, a cracker program could be turned on at 10 PM and left running repeated attempts to break into a program until 6 AM, and thus have "worked" for 8 hours while the hacker slept like a baby. Thus, something tougher is needed. So what do you do?
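The cracking order just described (dictionary words forward, backward, and with number and symbol substitutions) can be turned into a defender-side check: reject a password at creation time if undoing those substitutions exposes a wordlist entry. The Python below is an added example, not code from the article. Its wordlist is a constructed handful of words standing in for a real 25,000-word dictionary, and its substitution table is the one the article lists (1 for L or I, 3 for B, 4 for A, ( for C, ! for I, $ for S).

```python
import itertools

# Constructed stand-in for a cracking dictionary; a real check would load a
# large wordlist (the article cites 25,000 words) plus common phrases.
WORDLIST = {
    "baseball", "football", "password", "stephanie", "william",
    "iamcool", "damnpasswords",
}

# Substitutions the article says crackers try, inverted: symbol -> letters it
# may stand for. '1' is listed for both L and I, so it expands to either.
UNLEET = {"1": "li", "3": "b", "4": "a", "(": "c", "!": "i", "$": "s"}

# Bound on how many de-substituted variants to enumerate for one password.
MAX_VARIANTS = 256


def unleet_variants(password: str) -> set:
    """All lowercase strings obtained by undoing the substitutions in UNLEET.

    Each mapped symbol may stay as it is or become any letter it can stand for,
    so "W1ll1am" yields "w1ll1am", "william", "wlllam" and so on.
    """
    lowered = password.lower()
    choices = [ch + UNLEET.get(ch, "") for ch in lowered]
    total = 1
    for opts in choices:
        total *= len(opts)
    if total > MAX_VARIANTS:
        # Too many combinations: keep the raw form plus one greedy expansion
        # (first candidate letter for every mapped symbol).
        greedy = "".join(opts[1] if len(opts) > 1 else opts for opts in choices)
        return {lowered, greedy}
    return {"".join(combo) for combo in itertools.product(*choices)}


def alpha_core(s: str) -> str:
    """Drop digits and symbols, so "baseball4$" becomes "baseball"."""
    return "".join(ch for ch in s if ch.isalpha())


def dictionary_hit(password: str, wordlist=WORDLIST, min_len: int = 4):
    """Return the wordlist entry the password is built on, or None if there is none.

    Every de-substituted variant is reduced to its letters and searched for a
    wordlist entry forwards or reversed (longest entries first). A hit means the
    password falls in the early, cheap phase of the cracking order the article
    describes and should be rejected by policy before an attacker ever tries it.
    """
    for variant in unleet_variants(password):
        core = alpha_core(variant)
        for word in sorted(wordlist, key=len, reverse=True):
            if len(word) >= min_len and (word in core or word[::-1] in core):
                return word
    return None


if __name__ == "__main__":
    for pw in ("BaSeBaLl4$", "W1ll1am", "eiNahpetS99", "TtOsBt_2003", "DrN!Rm338@4:47AM"):
        hit = dictionary_hit(pw)
        print(f"{pw:18} -> {'REJECT (' + hit + ')' if hit else 'ok: no wordlist match'}")
```

"BaSeBaLl4$" and "W1ll1am" are caught even though their character-class keyspace looks large, while the acronym-style passwords from later in the article pass; that difference is exactly why a policy should run a wordlist check and not rely on character-class counting alone.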
Try a password like "TtOsBt_2003". This looks tough but isn't hard to remember. It includes every other letter capitalized, the first letters of each word in the phrase "To Thine Own Self Be True", an underscore, and the year I started my new job. With 10 letters there are still 4,923,990,397,355,877,376, or about 4,924 quadrillion, possibilities, just like above, but this is better since "ttosbt" is not a word, so it would take longer to crack. What about when you have to change the password? Try "OhWeEr_3114", which is the second letter of each word in the same phrase, an underscore, and the year I started my new job with 1 added to each digit. See?
Instead of "Stephanie", your daughter's name, how about "DrN!Rm338@4:47AM"? It includes upper- and lowercase letters, numbers and special characters, and is 16 characters long. Remember it this way: Dr. Nelson was the doctor who came right away (!) to Room 338 to deliver your daughter, who was born at 4:47 AM. 16 characters means there are 808,551,180,810,136,214,718,004,658,176 possibilities, or 808 trillion quadrillion possibilities. There are fewer stars in the universe. This is as close to uncrackable as you'll likely get.
Or try a password like "cOOpEr+1905=fOrd", which is also 16 characters. "Cooper" is my grandmother's maiden name, 1905 is my grandfather's birthdate, and Ford is my dad's favorite truck. All the vowels are capitalized and the consonants are lowercase.
A UIC page at https://security.uchicago.edu/docs/userpassword.shtml offers a great suggestion: create levels of passwords based on what the password protects. Passwords for configuration settings for a web site or program are less important, and may get one level, while passwords for your email program and bank account get another.
"Consider your password as multiple parts: a central core of the password and a prefix and/or suffix which is specific to the service that is being protected. For example, your core might be "gPw4", from "generic Password 4 (for)". If this password is to be a password for the New York Times Web Site, you might choose to add "NYt" to the beginning of the password and 'n' (for 'news') to the end. This would make your password: NYtgPw4n. Your password for eBay might be eBgPw4A ('A' for 'auctions')."
Obviously, you might use "4s&7yA" as a prefix and "Ofb4Utc" as the suffix, with whatever the password is for in between. That's "4 score & 7 years Ago", another word, then "Our fathers brought 4th Upon this continent", with the vowels capitalized and the consonants lowercase. So my BankOne password might be "4s&7yAbank1Ofb4Utc", which has 18 characters. Again, this is as close to uncrackable as you are likely to get.
4) Change your passwords regularly. Do not use two passwords and simply alternate between them. If coming up with new ones is too hard, come up with twelve strong passwords, store them in a password saving program, and cycle between them. If you change them monthly, then any thief who gets one will need to wait a year before it's good again.
5) Last, do not use any passwords you see in articles about safe passwords. A hacker that can scan a dictionary program and collect 25,000 words can certainly scan 100 web pages on password security and pull up a ton more possible passwords.
Check out http://www.securitystats.com/tools/password.asp to see how tough it would be to break your password.