Friday, December 27, 2013

Digital Security - A Worthy New Year's Resolution

If you're looking for a worthwhile New Year's resolution, why not resolve to bump up your digital security a notch by changing all your passwords to new, stronger ones, and resolving never to write them down!

As an IT practitioner I deal with passwords all the time. Between work and home I regularly use hundreds of accounts, each secured by a password. I don't EVER write them down! When it comes to password security there are just 2 rules to remember:

Rule 1: Length matters.
Rule 2: There is no other rule.

Lots of people use passwords like this one: Boston14. I picked 14 because it's almost 2014. I don't know why I picked Boston. This password meets many so-called strong password requirements: it is 8 characters long and contains at least one upper-case letter, one lower-case letter and one non-alphabetic character. Guess what, it's not a strong password. It is a dictionary word followed by two digits, which is exactly the pattern a cracking tool tries first. Yeller01 and SoccerM0m are no better: a zero in place of an o fools nobody, because cracking tools try those substitutions too. Are your passwords kind of like these?

Here's how I construct secure passwords. First, I generate a very long passphrase that only I would know but that is easy for me to remember: several words that have nothing to do with each other, strung together. You can use numbers too, but remember, it's the length that matters! For instance, I might combine a favorite writer, "Clancy", with a favorite Starbucks beverage, "Mocha", and a favorite band, "Boston". That gives me ClancyMochaBoston, a password 17 characters long. An attacker who knows only that it is 17 upper- and lower-case letters faces a brute-force search space of 52^17, about 150 octillion combinations. Of course, an attacker who guesses that it is three dictionary words strung together has a far smaller job: any ordered three of the 470,000 words in Merriam-Webster is about 100 quadrillion combinations. That is still enormously better than one word plus two digits, but it is why the words should have as little to do with you as possible: the arithmetic assumes the attacker doesn't know your favorites.

I recommend you read this excellent article on password security to better understand why length is the main thing to consider when creating strong passwords. I used the "Passfault" hack-time calculator (read the article!) to evaluate my example passwords. Like any such calculator, it assumes a particular guessing speed, so read the times as relative rather than absolute. The results:

Password            Time to Crack   Size of Search Space
Boston14            < 1 day         3 million
Yeller01            < 1 day         45 million
SoccerM0m           < 1 day         8 billion
ClancyMochaBoston   220 years       7 quadrillion
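To make the arithmetic above concrete, here is a small estimator (an added example, not code from this post or from Passfault) that scores a password two ways: brute force over its character classes, and the cheaper dictionary attack that splits it into words. The toy wordlist, the letter-swap table and the guess rate in the demo are constructed assumptions; the 470,000-word dictionary size is the post's own figure.

```python
import math
import string

# Alphabet sizes for brute-force estimates: US-keyboard printable ASCII (an assumption).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, len(string.punctuation)

# Dictionary size the post cites: about 470,000 Merriam-Webster words.
DICTIONARY_SIZE = 470_000

# Constructed toy wordlist so the example runs offline. A real attacker's list
# holds hundreds of thousands of words plus every leaked password ever published.
TOY_WORDLIST = {"boston", "yeller", "soccer", "mom", "clancy", "mocha"}

# Letter-for-symbol swaps that cracking rule sets undo (a typical, assumed table).
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}


def charset_size(password: str) -> int:
    """Size of the smallest standard character set covering every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGIT
    if any(c in string.punctuation for c in password):
        size += SYMBOL
    return size


def brute_force_space(password: str) -> int:
    """Candidates for an attacker who knows only the length and character classes."""
    return charset_size(password) ** len(password)


def segment(password: str, wordlist: set) -> list:
    """Greedy longest-match split into ('word', text) and ('char', text) tokens.
    Matching is case-insensitive and undoes LEET swaps, so SoccerM0m -> soccer, mom."""
    normalized = "".join(LEET.get(c, c) for c in password.lower())  # ASCII assumed
    longest = max((len(w) for w in wordlist), default=0)
    tokens, i = [], 0
    while i < len(password):
        for n in range(min(longest, len(password) - i), 0, -1):
            if normalized[i:i + n] in wordlist:
                tokens.append(("word", password[i:i + n]))
                i += n
                break
        else:
            tokens.append(("char", password[i]))
            i += 1
    return tokens


def dictionary_space(password: str, wordlist: set, dictionary_size: int = DICTIONARY_SIZE) -> int:
    """Candidates for an attacker who tries dictionary words (with LEET variants) and
    brute-forces whatever is left over. Like the post's 470,000^3 figure, this ignores
    the small constant factors for capitalization and swap variants, which only makes
    the estimate slightly favourable to the attacker."""
    space, leftover = 1, ""
    for kind, text in segment(password, wordlist):
        if kind == "word":
            space *= dictionary_size
        else:
            leftover += text
    if leftover:
        space *= charset_size(leftover) ** len(leftover)
    return space


def effective_space(password: str, wordlist: set) -> int:
    """Search space against the cheaper of the two attacks."""
    return min(brute_force_space(password), dictionary_space(password, wordlist))


def bits(space: int) -> float:
    """Search space expressed as entropy in bits."""
    return math.log2(space)


def effective_bits(password: str, wordlist: set) -> float:
    return bits(effective_space(password, wordlist))


def time_to_exhaust_days(space: int, guesses_per_second: float) -> float:
    """Days to try every candidate at a guessing rate you supply (an assumption)."""
    return space / guesses_per_second / 86_400


if __name__ == "__main__":
    # 1e10 guesses/s is an assumed rate for a GPU rig against a fast unsalted hash.
    for pw in ["Boston14", "Yeller01", "SoccerM0m", "ClancyMochaBoston", "ClancyMochaBostonYeller"]:
        space = effective_space(pw, TOY_WORDLIST)
        print(f"{pw:24s} {len(pw):2d} chars {bits(space):6.1f} bits "
              f"{time_to_exhaust_days(space, 1e10):14.1f} days at 1e10 guesses/s")
```

Run it and the ordering matches the table: Boston14 and Yeller01 are a word plus two digits (about 25 bits), SoccerM0m becomes two words once the 0 is read as an o (about 38 bits), and ClancyMochaBoston is three words (about 56.5 bits) rather than the 97 bits brute force alone would suggest. The absolute times are only as good as the assumed guess rate: at 10 billion guesses per second against a fast unsalted hash, three dictionary words fall in about four months, while a fourth word (ClancyMochaBostonYeller) pushes that past a hundred thousand years, which is the whole point of Rule 1. A vault such as KeePass helps on the other side of the division by running the master password through a deliberately slow, configurable key-transformation step, which cuts the guesses per second an attacker gets against a stolen database.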

OK, so what? So, I use this special long password to secure a password manager (a password vault) such as KeePass Password Safe (my personal favorite), Dashlane or Password Wallet.

These apps keep your passwords securely organized and easily accessible from each of your devices. Basically you only have to remember the one "special" long password; all the others you can look up inside the app if you forget them, and since the app can generate them for you, every other password can be long and random rather than something you have to invent. Perhaps the best part of this approach is that it forces me to record every account I have that made me enter a password. So, if some site I use gets hacked I just open up my password app, find the web site URL, log in (it stores my username too!) and change that password to a new one; as long as no two accounts share a password, the breach stops there. Two cautions: back up the vault file, and never reuse the master password anywhere else, because it now protects everything.

Now go secure your digital world in 2014 and have a Happy New Year!