Duck hackers with better passwords

2/26/2005

The rules for creating strong passwords that you don't have to write down to remember are changing.

Hackers and other crooks are getting better at cracking passwords.

At the same time, people are using passwords more than ever for ATM machines, cell phones, online financial transactions and safeguarding other confidential information. That combination puts millions of people and their money at risk.

If you think that replacing letters of a word with symbols or numbers that look like the letters still makes a strong password that is easy to remember, think again.

I used m1ch@elw00d$ as a password until I watched someone run my personal information through a password-cracker program.

It took the software about 3 seconds to spit out m1ch@elw00d$ as one of my most likely passwords.

The programs available to hackers and identity thieves are just too good these days to rely on the old tricks for making passwords. They can be cracked too easily.

Most people know the basics of what to avoid when deciding on a password. Don't use your birth date, for instance, or your login name, street address, or the names of your spouse, children, or pets. It is risky to use those names spelled backwards, words picked at random from a dictionary, and even common foreign-language words found in dictionaries.
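The check below is an added example, not code from the original column. It shows why look-alike substitutions and reversed names add little: once the substitutions are undone, the password still contains the owner's personal details. The profile values and the substitution table are constructed for illustration.

```python
import re

# Look-alike substitutions undone before comparison (constructed table, not exhaustive).
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lower-case, undo look-alike substitutions, keep letters and digits only."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LOOKALIKES))


def personal_tokens(facts):
    """Split each personal fact into normalized tokens of 3+ characters."""
    tokens = set()
    for fact in facts:
        for word in re.split(r"[^A-Za-z0-9]+", fact):
            token = normalize(word)
            if len(token) >= 3:
                tokens.add(token)
    return tokens


def find_personal_matches(password, facts):
    """Return the personal tokens found in the password, forwards or reversed."""
    candidate = normalize(password)
    hits = set()
    for token in personal_tokens(facts):
        if token in candidate or token[::-1] in candidate:
            hits.add(token)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample profile: name, login name, birth date, city.
    facts = ["Michael Woods", "mwoods", "1961-04-17", "Columbus"]
    for pw in ["m1ch@elw00d$", "sdoowleahcim", "m2giCaAaC"]:
        print(pw, "->", find_personal_matches(pw, facts) or "no personal tokens")
```

A site or password manager can run a check like this when a password is chosen and reject any candidate that returns a non-empty list.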

Strings of completely random letters, numbers, and other characters do make very strong passwords. However, they are difficult to remember. Most people write them down, sometimes on a slip of paper stashed in a wallet, purse, or briefcase. That violates one of the most basic rules for a secure password: never write it down.

Some people keep dozens of passwords, credit card numbers, and bank account information in a Palm Pilot-type personal digital assistant (PDA), Pocket PC, or cell phone. They think it's safe because they use a password to protect the device from unauthorized access.

If a crook lays hands on the device and cracks the password, it is a bonanza for him and a disaster for you: another case of identity theft. With that information, a crook can pose as you, charge to your credit cards, withdraw cash from your accounts at ATMs, and more.

You may find out only after big losses.

One good solution is to stop using passwords and start using passphrases. Passphrases are easy-to-remember sentences, such as "My two grandchildren in Columbus are Alexander and Caden." You can make a strong password from the first letter of each word: mtgicaaac.

A few tweaks give the passphrase even more muscle, without making it more difficult to remember. Try making the passphrase case-sensitive, for instance, using upper and lower case letters: mtgiCaAaC. Try substituting other characters for some of the letters: m2giCaAaC.

Save the strongest passphrase for your most important accounts.

Use a different one for accounts that don't matter. Keep the passphrases secret. Don't write them down. Try to follow the experts' advice and change them several times a year.