Cat Coode: Technically Speaking


How -and WHY- You Need to Pick Better Online Passwords

Your passwords are the keys to your valuable personal information

by: Cat Coode
How to choose a secure password

Recently, the top 25 most common passwords were published and the list was full of predictable choices such as 'password', '1234' and 'qwerty'. And as a sign of the times, 'starwars' and 'solo' also made it to the top.

I read the list and laughed. Seriously, who uses 'password' for a password? Then I realized… I have. And I am betting you have too. The average person online now has around 100 digital accounts. Before you think that is a ludicrous number, consider all the accounts you use:

  • Primary accounts: email, social networks, banking (including PayPal) and anything connected to your credit cards.
  • Secondary accounts: used less frequently, such as your cell phone provider, utility bills, online shopping sites, app stores, etc.
  • Tertiary accounts: one-offs that you used once or twice to get something online.

I have no fewer than 80 passwords written down, and that list doesn’t even include my primary accounts or the tertiary ones.

And if you are using ‘password’ or anything that predictable, you may as well not have a password at all.

Why it matters

Hackers are getting much better at writing programs to break passwords, especially common words. They use a technique called a ‘dictionary attack’: they take your email address (which could have come from any number of places) and then try it with millions of ordinary words in the password field. The scary part: it takes seconds. It is that easy.

Your primary accounts should be considered sacred because they lead to your most valuable assets online: your personal data and your finances. If nothing else, these accounts should have kick-ass passwords on them and they should all be different (in the event that one account gets hacked, you do not want people gaining access to any others).

I will admit to reusing passwords on my secondary accounts, like access to Netflix or my library card. Is this a risk? Sure, there is information associated with these accounts like my name and address, but as far as my viewing history or book holds go, I am not so worried.

As for the tertiary accounts, they don’t seem to matter: race results for your kids’ event or signing up for a free dinner on your birthday at a restaurant. The problem here is that those accounts also contain personal info, and you really should be more protective of it than just giving it away. The combination of your name and birth date from one of these places could be enough for a hacker to set up an account somewhere else in your name, or your child’s. Tips to avoid this are below.

Picking better passwords

As you might have guessed, longer and more complicated is always better. The ideal password is 8 characters long, isn’t in the dictionary and includes both numbers and symbols. Yikes.

Here are some tips to create strong passwords:

  • Acronyms are better than words. Use a sentence you can easily remember. Ex: Mary Had A Little Lamb could be MHALLLLLL
  • Add numbers when possible. Ex: Harry Potter and the Goblet of Fire is Book #4 could be HPATGOFIB#4
  • Pick nicknames that you have for yourself or your children that are made-up words. Ex: Limplillies (<- full disclosure, I just made this up, my kids are not limplillies, but they’d probably respond to it anyway)
  • Use a ‘root’ word or sentence that is not in the dictionary and then add different endings for each password. Ex: Rosble12, Rosble65, Rosble98. Not as safe as unique passwords, but harder to crack and easier to remember.
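To make the dictionary-attack point and these tips concrete, here is a small Python password checker. It is an added example, not code from the original article: it flags passwords that sit on a common-password list (the ones a guessing program tries first), estimates how big the search space is from length and the character classes used, and detects the two weak patterns mentioned above, a dictionary word with a few digits tacked on and two passwords that share a long root. The COMMON_PASSWORDS and DICTIONARY_WORDS sets are constructed samples standing in for the real published lists, and every function name is my own.

```python
import math
import string

# Constructed sample of widely used passwords (a real checker would load a
# large published list of leaked passwords instead).
COMMON_PASSWORDS = {"password", "123456", "1234", "qwerty", "starwars", "solo",
                    "letmein", "abc123"}

# Constructed stand-in for an English dictionary word list.
DICTIONARY_WORDS = {"mary", "lamb", "harry", "potter", "dragon", "rose", "snow"}


def in_common_list(pw):
    """True if the password is one a guessing program tries first."""
    return pw.lower() in COMMON_PASSWORDS


def charset_size(pw):
    """Size of the smallest character set that contains every character used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(pw):
    """Upper bound on brute-force cost in bits, as if the characters were random.
    Each extra character multiplies the search space by the charset size."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def looks_like_word_plus_suffix(pw):
    """'rose12'-style passwords: a dictionary word with digits or symbols appended.
    Guessing programs enumerate these almost as quickly as bare words."""
    stem = pw.rstrip(string.digits + string.punctuation)
    return stem != pw and stem.lower() in DICTIONARY_WORDS


def share_root(pw_a, pw_b, min_len=5):
    """True when two passwords begin with the same run of at least min_len
    characters, so learning one reveals most of the other."""
    common = 0
    for a, b in zip(pw_a, pw_b):
        if a != b:
            break
        common += 1
    return common >= min_len


def assess(pw):
    """Collect the problems a reviewer would point out for one password."""
    problems = []
    if in_common_list(pw):
        problems.append("on the common-password list")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if looks_like_word_plus_suffix(pw):
        problems.append("dictionary word plus suffix")
    return {"password": pw, "bits": round(entropy_bits(pw), 1), "problems": problems}


if __name__ == "__main__":
    for candidate in ["password", "1234", "rose12", "MHALLLLLL", "HPATGOFIB#4", "Rosble12"]:
        print(assess(candidate))
    print("Rosble12 / Rosble65 share a root:", share_root("Rosble12", "Rosble65"))
```

Running it shows the article's ranking in numbers: 'password' is rejected outright because it is on the list, the all-caps acronym MHALLLLLL scores higher than a lowercase word of similar length, and HPATGOFIB#4 scores highest because the '#' and '4' widen the character set. The made-up root Rosble12 passes the dictionary check (which is the point of using a non-word), but share_root confirms that Rosble12 and Rosble65 give away most of each other.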

Alternate ways to log in

Many websites are now offering Single Sign On. This is the ability to use your Facebook, Google, or Twitter ID to log in. If this is a trusted site, this could be a good option; HOWEVER (big caveat here), when you do this you allow the new website access to your personal information from your social network. For a full list of what info you give away, you can read more in my article on Signing in Using Social Media Logins.

The other option is to fake it. I literally just created a fake account to get access to the MS Readathon page for my daughter. All I wanted was the end date of the event at her school but I was not interested in creating a real account to do it. I made up a name and an email. If you want to create an account with a fake email but still need it to be legit, you can always use 10 minute mail. This creates a temporary email address that lasts, well, 10 minutes. Long enough to get in, verify the account, do what you need, and leave no trace behind.

How do I remember them all?

I get this question all of the time. There is no right answer, so do what works for you. You should have your primary passwords memorized, especially if you use them daily.

  • I write down clues for each of my passwords. If the password is the Mary Had a Little Lamb acronym, I may write ‘as snow’ on my list. If the password is the Harry Potter acronym, I may write ‘Horntail’ (the dragon from the 4th book).
  • You can write your actual passwords down and hide them. But they had better be very well hidden.
  • Finally, you can use a password keeper program to save them for you. If you do decide to do this, make sure your passwords are encrypted (kept in code, not in regular text) and that the program is reliable. You can read PC Magazine’s review of password keepers to see if one is right for you.

In summary

  • A simple password is equivalent to not having a password at all
  • Long and strong passwords are safest
  • Use, but be wary of, Single Sign On
  • Find a safe way to keep your password list that works for you
