Developing

How to create hacker-proof passwords for your PC

We spoke with Marion Merritt of Norton Security about how regular people can create a solid password.

The ideal password is, well, it's probably not a word for starters. As the comic geniuses at online comic The Oatmeal put it, the ideal password is one that looks like a "cat took a 12 hour nap on the keyboard."

But that's not very realistic -- people can only remember so many things, so many letters, uppercase, lowercase, random symbols, blah blah blah. So what's your best bet?
~
We spoke with Marion Merritt of Norton Security about how regular people can create a solid password. Here's the scoop so you can avoid your own personal Cybergeddon.



                    [Related: How to stay safe from the latest 'phishing' emails]

The passwords not to use
So, the basics. You don't want to use dictionary words. You don't want to use obvious combinations of letters and numbers. That would mean things like going across your keyboard like "WERTY," or even something as bizarre sounding as "QAZWSX" is just going down the keyboard. The only reason I know about that one is, if you look at the list of most commonly used passwords, those are some of the things that show up. The reason that even something like that becomes a problem is that hackers can use all the data from data breaches as a dictionary to launch hacks from. So even if it's not something that makes a word, we know people use it as a password, which means it is something to avoid.

Always use a different password for your email
The piece of advice I give the most often is that of all your passwords, the most important is the one you use on your email. The reason for that is, every website you go to as a "forgot your password" feature. We couldn't live without that feature because you're always being told to create a unique password. So if a hacker has control of your email account they can change everything.

That one account password needs to be as unique and complex as possible. You never reuse a password. And when I say, 'You never reuse,' the reality is people reuse. They'll come up with really great password and it's super complicated but then they'll use it everywhere. Which means, that if gets hacked or something goes wrong, you've given away the keys to the kingdom. So, again, the email password needs to be totally special.


                              [Related: The story behind Cybergeddon]

Can password managers help?
What's good about a password manager is it makes the whole process of creating unique and complex passwords and retaining and reusing them -- it makes it really easy.
So I actually do recommend people use them. The Norton one is great because it encrypts everything and you can store everything in the "cloud"... so if you're logging in from your brother-in-law's computer to print out a boarding pass, you can log in from the cloud and get the passwords there. Norton and others provide those capabilities.

I'll be the first to say that managing passwords has gotten worse, not better. Every site requires a password and because of that I think consumers have password fatigue. So, when people say, 'I have my cool passwords that I use for email and social networking and then I have this one that I use for everything,' as long as the 'everything' doesn't include sites where you could lose money like your credit card, you bank, online shopping where you store credit card information, I'm less concerned...

If you're logging into your hometown newspaper, and you have a standard password you use, there's probably nothing too serious [that could happen], but if you get notified that there was a data breach for some program or some site you use, how are you going to remember where you used that password... So, you do have to be senseful. And that's, again, why a password manager is so great. If you ever found yourself in a situation where you say, 'Gosh, I was using 123456 and I know I shouldn't have been, but I was'... a password manager can tell you where else you've used it.

How hackers can 'guess' your passwords
The way most websites work is, you can enter a password incorrectly three times and then you get locked out. It isn't just the number of times, it may also be the number of seconds in between requests. The typical user is going to have some delay. A hacker fan run through an entire database in the number of allotted seconds. So, even though you think, 'How could they do more than five attempts at my name?,' they can. Not only do they have a database of dictionary terms, they also have a database of previously used passwords in addition to information available on social networks...

How to create super-strong passwords
There are different theories as to how to make a password strong. One is to take the first letter from each word from a sentence you have memorized. For example, "The duck flies at midnight but only if the moon is full." Your password would then be the first letters of each word: Tdfamboitmif. Is that a good idea for a password? Well, here's what great about it. You've come up with a unique phrase that won't be in any dictionary and it's not likely to be in any hack database unless you've used it before.

What's bad about it -- if it does get hacked and it's the password you use everywhere then it's as good as nothing. So I tell people to come up with a phrase and customize it for every website you use - for instance, by using letters near the ones you use on the keyboard, which is easier to remember.