How to Make a Password 

February 2013 (Revised December 2013)

Here's a New York Times article by Nicole Perlroth: "How to Devise Passwords That Drive Hackers Away." It has some great guidance -- I disagree with none of it. (See also this piece in Lifehacker, "Strong Passwords Aren’t Enough: How to to Ensure the Apple and Amazon Exploit Never Happens to You" for some more advanced techniques. -- these are good, but pose some hassles. For the truly nerdy, see this Wikipedia piece.) 

My own practice for constructing passwords is a riff on passphrases; I'm as focused on being able to remember the password as I am on making it strong. 

  • Give each core resource its own unique password. By "core resource," I mean your institutional (work) account(s), the biggies (Google, Facebook, Twitter, etc.), and any and all concerning money (online banking, Google Wallet, Amazon, etc.). For relatively unimportant resources -- subscriptions to online publications, for instance -- I may use the same (strong) password for all. 
  • For resources that use an email address as the username, don't use the email account's password as the resource's password. 
  • Long passwords are more secure than short passwords. A dozen characters, if permitted, is good.
  • Use passphrases. Form a sentence that is meaningful for you, you'll remember, relevant in the context of the particular resource, and meets any particular requirements for the resource (including for length and use of numbers, special characters, etc.). Then use the first character in each word of the sentence as the password to generate a mix of cases, numbers, and special characters. For example, for Twitter: I try to post to Twitter 3 x daily = IttptT3xd. 
  • Foster memorability by constructing parallel passwords for analogous services. So your Mascoma Bank password might be: We change our Mascoma $ Bank password every July 4 = WcoM$BpeJ4, and so your Schwab password might be: We change our Schwab $ password every July 4 = WcoS$peJ4. And so on for all your finance-related resources. All your passwords for social media resources could have parallel construction, and your newsletters, and your shopping sites, and so on. 
  • But don't reuse passwords. 
  • Don't use the default password. 
  • Use two-factor authenticaton when available. Two-factor authentication uses two identifiers -- one that you know (i.e., your password) and one that you have (e.g., a generated code sent to your mobile). 

And what about usernames? Usernames in and of themselves aren't all that important to resource security. I tend to keep them relatively uniform -- if not required to be an email address, perhaps stringingalongsomewords, and inserting cases, numbers, and special characters if required.

Usernames are actually pretty easily discoverable -- you should focus more on the security of the password than on the uniqueness of the username. 

(Colleen, Gret, Lauri, Liz, Richard, Suzy -- thanks for your comments.) 

September 2013

November 2013

December 2013