How To Pick Passwords That Protect Your Online Experience

With the recent upsets with Twitter Phishing Scams, it should be abundantly clear why a good password is essential for both you and your users.

This article will show you ways to pick effective, easy to remember passwords.

As we build websites and use the web in our usual day-to-day activities, we are often plagued with having to create user accounts for anything and everything.

This can create a real challenge when we attempt to memorize all of the many passwords we’ve established. Imagine how your users feel as you ask them to create a user account on your site. Realistically, if we were to ask them whether they have trouble remembering their logins and passwords, many of them would laugh and think, “No, I can remember my passwords easily, because I use the same one for everything.”

Truly, this frightens me. I’ve seen many a friend become a victim of phishing sites (a website that purports to be the authentic login page for a site you use, built to steal your username and password). These come in many forms, and if you happen to be in the category of people that use a single password for everything, imagine having to go back and change them all.

Personally, I don’t use the same password twice for anything. I have a unique password for every website where I have a login. In this article, I’ll give you some tips that will help you maintain a much more secure online lifestyle, and perhaps these are tips you can share with your users. Here’s a quick breakdown of what I’ll be discussing:

  • Choosing memorable yet effective passwords
  • Keeping track of all your passwords
  • Protecting yourself from phishing

Choosing memorable yet effective passwords

To get us started, let’s take a look at the process of selecting a password. I know that a lot of people use the same password for their online banking that they use for Facebook or their email. In addition, it’s often something really simple like the current family cat’s name. Let’s take a look at why this might not be such a great idea. If a criminal were going to start guessing at passwords, they would often start with the most obvious: birthdays, family members’ names, friends’ names, pets’ names.

For starters, this makes guessing your password incredibly simple for a would-be criminal. Why not pick something very personal that no one else knows and then use that on all your websites? Simply put, this creates a single point of failure. If this one password is compromised, so is your entire life.

When creating passwords, I use mnemonics with a twist. According to Webster, a mnemonic is something that assists or is intended to assist memory. So here’s a quick breakdown of how I choose my passwords. When I get to a website for which I need a good password, I do the following:

1. When thinking of the website, what is the first word (over 6 letters long) that comes to mind?
2. Is it really the most memorable word for me when I think about this website?
3. Capitalize the first letter of the word.
4. Swap out some of the letters for numbers (I’ll provide more detail on this below).
5. If you’re required to include some type of punctuation, use an exclamation mark or a period.

Swapping out letters for numbers

When I create a password, I usually insert a few numbers just to add to the randomness. Here’s a list of common letters that can be swapped for look-alike digits; these replacements add a significant amount of complexity to your passwords.

A = 4
B = 3 or 8
E = 3
G = 6 or 9
I = 1
L = 7
O = 0
S = 5

You may have others that you use, or you may only switch out certain letters every time. You may even just place a particular set of numbers at the end of the keyword that you pick. Whatever method you employ, including numbers in your passwords will always make them harder to crack.

Here’s my example:

If I wanted to create an account on Amazon.com, I might follow this process:

  1. First word I think of:  rainforest
  2. Capitalize the first letter: Rainforest
  3. Replace a few of the letters with numbers: R41nf0r35t
  4. That’s it. I have a much more secure password.

Clearly, this password is only here to demonstrate the process and shouldn’t actually be used for anything.
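As an added example (this is not code from the article or its author), the following Python script applies the steps above to a memorable word using the substitution table from this section, and it also counts how many distinct strings the substitution step can produce from a given word. That second number is worth knowing when you judge how much the digit swaps add: for `rainforest`, the five substitutable letters give 32 possible variants, i.e. about 5 bits on top of the word itself. The word, the positions to replace and the punctuation are all assumptions chosen to reproduce the article’s `R41nf0r35t` example.

```python
import math

# Letter-to-digit replacements taken from the article's table (a letter with
# two alternatives keeps both, in the order the article lists them).
SUBSTITUTIONS = {
    "a": ["4"],
    "b": ["3", "8"],
    "e": ["3"],
    "g": ["6", "9"],
    "i": ["1"],
    "l": ["7"],
    "o": ["0"],
    "s": ["5"],
}


def mnemonic_password(word, replace_positions=None, punctuation=""):
    """Apply the article's steps to a memorable word.

    Capitalises the first letter, swaps each letter at `replace_positions`
    (0-based indexes into the word) for the first digit listed in the table,
    and appends optional punctuation. Letters without a table entry are left
    untouched even if their position is listed.
    """
    if len(word) <= 6:
        raise ValueError("pick a word longer than 6 letters")
    chars = list(word[0].upper() + word[1:].lower())
    for pos in replace_positions or []:
        letter = chars[pos].lower()
        if letter in SUBSTITUTIONS:
            chars[pos] = SUBSTITUTIONS[letter][0]
    return "".join(chars) + punctuation


def substitution_variants(word):
    """Count the distinct strings the substitution step can yield from `word`.

    Every substitutable letter is either kept or swapped for one of its digits,
    so the count is the product of (1 + number of digits) over those letters.
    This is the factor by which the step enlarges the space of passwords that
    derive from this one word.
    """
    count = 1
    for letter in word.lower():
        count *= 1 + len(SUBSTITUTIONS.get(letter, []))
    return count


def added_bits(word):
    """Express the variant count as bits of extra search space."""
    return math.log2(substitution_variants(word))


if __name__ == "__main__":
    # Positions 1, 2, 5, 7 and 8 of "rainforest" are a, i, o, e and s.
    print(mnemonic_password("rainforest", [1, 2, 5, 7, 8]))
    print(substitution_variants("rainforest"), "variants,",
          f"{added_bits('rainforest'):.1f} bits added")
```

The counting helper is the part a practitioner should actually look at: it makes concrete that the substitution step stretches one memorable word into a small, enumerable family, which is why the article’s other advice (a different word per site, stored in an encrypted manager) carries most of the weight.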

Keeping track of all your passwords

Now that you’ve seen how easy it can be to create more secure passwords for the various websites out there, it’s important that you actually use this technique. Once you have a lot of different passwords, we certainly wouldn’t want you to negate your newfound security by writing them all down on a notepad.

It’s also important that you not store them somewhere that someone could too easily get to. If you are going to jot them down somewhere, use a secure method: a tool that keeps them encrypted. There are a few different ways of storing them on your computer in a way that is more protected. If you use Firefox to browse the internet, you can have it remember your passwords for different websites as you access each site. This is a great tool, but it’s important that you enable the Master Password for Firefox. Otherwise, someone could get onto your computer, open your browser and go shopping! In addition, if you don’t use a Master Password, all of your various passwords are unencrypted and can easily be perused by anyone.

I prefer to use a tool called 1Password from a company called Agile Web Solutions. It is a tool that has a desktop version as well as an iPhone version, and all my passwords are stored under Triple Data Encryption Standard (TDES) that requires a special password to unlock. Obviously I have a very special password for this tool that is completely unrelated to any other password I use elsewhere.

Protecting yourself from phishing

It’s critically important that you pay close attention to the links that you click. Almost daily I see a spam message come from someone I know, either from their email or via a social networking site. They’ve fallen victim to a phishing site. This is a site or page that pretends to be the login page for a site you are more familiar with, but in fact it is there to mislead you into entering your username and password so that the attackers can exploit your accounts. This has happened across the entire spectrum of websites, because the attackers know that people tend to use the same password on other sites.

Once you enter your credentials on the bogus page, the attackers use computers to try them on lots of other sites that they think you might do business with, attempting to log in as you. In addition, they post messages and bulletins that appear to be coming from you, with links to videos or freebies, but in order to gain access, your friends have to enter their username and password. Now they’ve been compromised as well. It happens entirely too often.

More recently, all of the most popular web browsers have included phishing filters that alert you when you are visiting a known or suspected phishing site. In addition, using a tool like 1Password will help prevent you from entering your password on a site with the wrong web address because the tool verifies the address to determine which site’s password is needed. If the domain name doesn’t match an entry, no passwords are available for you to choose.
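The domain check described above is worth seeing in code, because it is the property that makes a password manager resistant to look-alike login pages. The Python below is an added example, not 1Password’s code or any real product’s logic: it keeps a constructed vault of (site host, username) pairs and only offers entries whose saved host is the page’s host or a parent of it. Two assumptions go beyond the article: the example also refuses plain `http://` pages, and it relies on `urllib.parse.urlsplit` to extract the real host, which is what defeats tricks such as `https://www.amazon.com@other.test/` (the part before `@` is user info, not the host). The hostnames and usernames are made up for the demonstration.

```python
from urllib.parse import urlsplit


def host_matches(saved_host, page_url):
    """Return True only if `page_url` belongs to the site saved as `saved_host`.

    The page host must equal the saved host or be a subdomain of it
    (end with "." + saved_host). A host that merely *starts* with the saved
    name, such as www.amazon.com.account-check.test, is rejected, and so is
    a non-https page (an added restriction, not something the article states).
    """
    page = urlsplit(page_url)
    host = (page.hostname or "").lower()   # hostname excludes userinfo and port
    saved = saved_host.lower().strip(".")
    if page.scheme != "https" or not host or not saved:
        return False
    return host == saved or host.endswith("." + saved)


def credentials_for(vault, page_url):
    """List the usernames whose saved site matches the page being visited.

    `vault` is a list of (site_host, username) tuples standing in for the
    manager's encrypted store. Only eligibility is decided here; no secret
    is returned, mirroring a manager that simply offers nothing when the
    domain does not match.
    """
    return [user for site_host, user in vault if host_matches(site_host, page_url)]


# Constructed sample vault (hypothetical accounts, not real credentials).
SAMPLE_VAULT = [
    ("amazon.com", "shopper@example.com"),
    ("mail.example.net", "shopper@example.com"),
]

if __name__ == "__main__":
    for url in (
        "https://www.amazon.com/ap/signin",                    # genuine
        "https://www.amazon.com.account-check.test/",          # look-alike prefix
        "https://www.amazon.com@account-check.test/login",     # userinfo trick
        "http://www.amazon.com/",                              # downgraded scheme
    ):
        print(url, "->", credentials_for(SAMPLE_VAULT, url))
```

The important design choice is matching on the parsed host with a dot-delimited suffix test rather than on a substring of the URL. A substring test would accept every one of the look-alike addresses above, which is exactly the mistake a phishing page is designed to exploit.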

There are a lot of ways to protect yourself from hackers and thieves out there. Be sure not to click on links that seem out of character for the friends who may have sent them; it might not actually be them that sent it. In addition, remember that phishing emails ask you to click a link that takes you to a website purporting to be your bank or another site you use, where you are asked to “verify your information” by logging in and entering other identifying details. If you get emails like this, go to your bank’s website by typing its address into the browser yourself, or ask your banker.

Now That You’re Protected, Protect Your Users

Share this information with your users. It’s critical that they choose a password that is unique for each site. Encourage your users to choose passwords using the steps shown here that will keep them protected no matter where they create user accounts. Explain to them the importance of choosing different passwords for different accounts, and help them come up with ways for remembering their own passwords that won’t leave them less secure.

Ultimately, my goal here is to help you protect your clients, and to reduce the chances of you or them having an identity stolen. It’s no fun when it happens, but by giving them these tips, they’ll choose better passwords… and if you happen to spawn the latest and greatest social networking site out there, you’ll know that your users are armed with good password management tips!

About the Author

Brian Rayner

I'm a partner development manager for a technology company near San Francisco, but in a previous life I was an interactive designer at a prominent design firm. I lived and breathed usability. Now I use my experience in usability for beta testing and product development of my products, as well as those of other people.
