Every single day, there are stories in the news about
security breaches.  For every news story,
there are thousands of unreported incidents, most of them limited to one or a
few people.  
Astonishing as it continues to be to me, there are scads of
people all over the world who have made a career of breaking into computers and
accounts that don’t belong to them for the purpose or mischief, theft, or
worse. I often wonder what the world would be like if we could somehow turn all
that energy toward good instead of evil, but that’s a topic for another blog
post.  
We have come to the point where computers are not really
very useful unless they connect to the Internet.  But, if
you’re going to connect to the internet, you’re at risk.  The key is how to minimize that risk so that you
don’t end up being a target.
The biggest, and easiest, key is the use of passwords.  I continue to be surprised at how little
priority people place on password management.  In case you’ve forgotten, here are the rules
you absolutely MUST follow to minimize your risk of “being hacked”:
- Every
     password should be more than 10 characters long.  Longer is better.  
     
 
- There
     should be NO recognizable words in your password.  Let me say it another way: no string of
     characters in any part of your password should appear as a word in any
     dictionary.  In any language.  
     
 
- Your
     password should contain numbers and special characters. Two of each is a
     good minimum.  There are still some
     accounts that don’t allow characters.  But where you can use them, use
     them.  
     
 
- Every
     password should be unique.  In other
     words, do NOT use the same password for more than one account.  
 
Oh, I can hear the wailing and whining now.  I can’t remember all those passwords!  I can’t type them right if they’re that
long!  XYZ company makes me change them
every 30 days anyway!  
Okay. First of all, it's worth the effort.  Really.  How much will it cost you if someone gets into your bank account?  You really don't want to think about it.  So here’s how you
make it [relatively] painless:
- Create two  master passwords.  Use the rules above.  Here are two options and examples:
- Pick
      two completely unrelated words, but ones you will remember. Substitute some of the letters for
      numbers or symbols.  Add additional
      numbers and symbols if necessary to create a password of more than 12
      characters.
 Example:  Edition + Severity  = E41tions#v#rITY
- Think
      of a pass PHRASE that you’ll remember.  Pull the 1st letter from each
      word.  Substitute as above, again
      ensuring you have at least 12 characters.
 Example: Oh, I never remember passwords, but I will remember this one! = oinrpbiwrto
      = 0INr*,BiwR71!
 
- Memorize your Master Passwords.  I mean it.  You’re going to use them every day,
     multiple times per day.  It should
     only take you a day or two before you can type them cleanly and remember
     them.  If you have to use a yellow
     sticky crutch, do it in the privacy of your home (and DON’T leave it where
     your teenager can find it).  If you’re
     still worried you’ll forget, put that sticky somewhere away from your
     computer.  In your jewelry box or
     something.  Don’t label it, especially if you keep it in your wallet.
     
 
- Use
     one of your memorized Master Passwords to log in to your computer.  If
     you don’t know how, google “create password” or “change password” along
     with whatever operating system your device uses.  The instructions are simple.  
- Use a
     Password Manager to keep your passwords.  I use KeePass (http://keepass.info/), but there are
     others out there that have good reputations and might be better for you,
     depending on what you do, and how many devices you use to access the
     internet, and what your favorite operating system is.   Use your other memorized Master Password
     as your password for your data base.  Then let your Password Manager generate
     ALL the rest of your passwords. 
     
 This means, every time you log in to an account using your computer, make
     an entry in your Password Manager’s data base for that account, and reset
     the account’s password to what the Password Manager generates for the
     entry.  Occasionally you have to
     modify – amazingly, there are sites out there that won’t take the 20+
     character passwords KeePass generates for me.  But do it, every time.  Pretty soon all your accounts will be in
     the data base.  Organize the entries
     so that you can find them easily.  Be
     sure to save a backup of the data base.
If you do this, and get all your accounts re-passworded with
complex passwords from your Password Manager, you can stop worrying about
remembering them.  They’re there when you
need them and safe when you don’t.   I like not knowing what my Facebook password
is!  My KeePass data base is on Dropbox, so it's automatically up-to-date on all my devices.  KeePass also has a portable installation so that I can use it from a USB drive when using a computer that is not mine (at a client's office or the library) without installing anything or leaving a copy of my data base anywhere I don't want it.
An additional plus: most of the time, you’re using
copy-and-paste to put your passwords in the appropriate field while logging in,
thus foiling keystroke capture.  “ctrl-v”
doesn’t help hackers  much.  
Do I follow these rules? 
Well, no.  I don’t.  I make the following two exceptions:
- I
     created and memorized a 3rd Master Password, which I use for my
     email account.  Sometimes I’m too
     lazy to open up KeePass just because I want to check my email.  However, that password DOES follow the
     rules for complexity.
- I have
     an “easy” password that I use on extremely low-risk sites, like forums.  It’s still a pretty secure password, but it
     doesn’t quite follow the rules above and I do use it in multiple places.   Although in recent months I’ve started
     replacing that password with one from KeePass in part because I also use
     KeePass to remember what accounts I have in the 1st place.  Eventually I’ll probably also follow the
     no-duplicates rule because it’s so easy to let KeePass do the work.  
One other question to answer, and that’s about resetting
your password.  There are indeed still a
few sites that require passwords to be reset periodically.  Your Password Manager makes that easy – just generate
a new one and use it to reset.  If I hear
of a breach or a danger, I likewise go back to KeePass and set myself a new
password for the account in question. Otherwise, frankly, I don’t worry about
it much.  
The Security Community has slowly moved away from making
people reset passwords frequently.  It
only encourages folks to a)choose simple, short, easy-to-use passwords and/or
b)use the same password for multiple accounts. Both of these are set ups for hackers.  If you create a complex, hard-to-crack
password using my suggestions above, it stays complex and hard to crack. There’s no need to change it.  
There are other steps individuals – and IT departments – can
take to reduce the risks of a security breach. But this one is far and away the most
important.  It’s really not very
hard.  And it’s in your hands.
Do you do these things?  What other ideas do you have for password
management?  If you don’t generate unique
and crack-resistant passwords, why not?  Tell
me about it in the comments.