The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Passwords can be key to our fortunes - and misfortunes

Newhouse News Service The Spokesman-Review

Our world is turning into one big password: We have computer logins, e-mail accounts, online access for our bank and credit card accounts, ATM PINs, codes for our voicemail and home burglar alarms, and even secret words that a person can use to pick up our children from day care.

What steps should you take to pick a good, solid password? Should you use the same password for as many things as you can? And how are we supposed to remember them all?

These are important issues, but chances are good that you’ve created your universe of passwords on the spur of the moment.

If you’re not cynical about hackers and fraud, you should be. According to the Computer Emergency Response Team/Coordination Center, a federally funded organization based at Carnegie Mellon University in Pittsburgh, about 80 percent of all computer security problems are caused by bad passwords.

People have an average of 20 to 25 passwords and PINs. Some may not be very important; others may control your life savings or all of your investments.

Maybe you doubt there are actually thousands of hackers who sit around at their computers and start guessing at usernames and passwords and strike gold. You’re right. They don’t just sit around and punch keys. Instead, they’ll use an automated program that can try thousands of combinations per minute. Some studies show that the typical password can be broken in less than two hours.

Here are some suggestions — some obvious and some more sophisticated — to help you make your password-protected world more secure:

Don’t use any names or numbers that can be connected to you, said Linda Foley, executive director of the Identity Theft Resource Center in California. Ever.

This means the names of spouses, children and pets, phone numbers, important dates or years, the name of your high school, the model of your car and so on. While these are easy to remember, they’re also easy for someone to guess. And these are the first pieces of information that bad guys try.

Even if you think you’re being creative by using a variation, you’re not. Don’t ever create a password combining your children’s names (as a friend of mine did) or a home burglar alarm code that is the numeric part of the address backward (as the previous owners of my house did).

These pieces of information are the first things that a would-be identity thief will use, Foley said.

Don’t use any information that can be obtained through any public record, such as maiden names, names of streets you lived on before or the year you were married.

Don’t repeat characters or letters in sequence on the keyboard, said Cindy Spitz, spokeswoman for KeyBank in Cleveland.

It’s amazing, however, that 12345 and qwerty (the left-hand keystrokes) are among the most common passwords nationwide.

The best passwords don’t contain real words because they can be guessed or hacked with programs that can blow through the dictionary in hours or days.

But nonsensical strings of letters can be a pain to remember.

The best advice: Think of a sentence that you can remember, but not a common phrase (such as “I pledge allegiance to the flag …”)

Maybe your sentence will be “My sister Deborah is an emergency room nurse who works 12-hour shifts.” If you use the first letter from each of those, it’s “msdiaernww12hs.”

Use a combination of upper- and lower-case letters, and not just at the obvious places. If your password is “msdiaernww12hs,” make it “mSdiaernWW12hs.”

A seven-character password with only lowercase letters and digits could be hacked in less than two days, while using both upper- and lower-case letters increases that to 23 days.

Make your password as long as you can while still being able to remember it, said Ellen Johnson, vice president of consumer online services at Huntington National Bank in Columbus, Ohio.

Eight characters should be the minimum. Passwords with only five letters and numbers can potentially be hacked in two minutes, according to LastBit Corp., a New York security and software company.

Passwords with six characters can be hacked in just over an hour; ones with seven characters can be violated in less than two days. An eight-character password, however, takes 65 days because of the exponentially increasing number of combinations.

The best passwords are more than 14 characters, according to Microsoft.

A 15-character password is about 33,000 times more secure than an eight-character one, Microsoft says.

The California Credit Union League, while recommending that longer is better, notes that some systems allow passwords up to 128 characters. With that, however, your session might be timed out before you got signed in.

Use letters and numbers, at a minimum. It’s better if the site you’re logging into will accept symbols too, like $.

A password with eight letters can be breached in four days; a password with eight letters and numbers takes 65 days. A password with eight letters, numbers and symbols takes 463 years.

Don’t think you’re being smart by using a variation of a real word. The hacker programs that use the dictionary also try words spelled backward, common misspellings and all sorts of slang profanity that you wouldn’t find in the dictionary.
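The rules above can be checked mechanically. The following is an added example, not part of the original article: it audits a candidate password against the article's rules and estimates exhaustive-search time. The function names are hypothetical, the guess rate is an assumption calibrated from the article's five-character figure, and the personal-information and word lists are supplied by the caller.

```python
import string

# Assumption: guess rate calibrated from the article's figure that a
# five-character letters-and-digits password falls in two minutes.
GUESSES_PER_SECOND = 36 ** 5 / 120
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def alphabet_size(password):
    """Size of the character pool an exhaustive search must cover."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    return sum(len(p) for p in pools if any(c in p for c in password))


def exhaustive_search_days(password):
    """Worst-case days to try every string of this length and pool."""
    keyspace = alphabet_size(password) ** len(password)
    return keyspace / GUESSES_PER_SECOND / 86400


def has_keyboard_run(password, run_len=4):
    """True for a keyboard-row run (either direction) or a tripled character."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run_len] in low
                   for i in range(len(seq) - run_len + 1)):
                return True
    return any(c * 3 in low for c in set(low))


def contains_any(password, terms):
    """True if any term, forward or reversed, appears in the password."""
    low = password.lower()
    return any(t.lower() in low or t.lower()[::-1] in low for t in terms if t)


def audit(password, personal=(), wordlist=()):
    """Return the article's rules that this password breaks."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if has_keyboard_run(password):
        problems.append("keyboard sequence or repeated character")
    if contains_any(password, personal):
        problems.append("personal information")
    if contains_any(password, wordlist):
        problems.append("dictionary word or its reverse")
    return problems
```

The exhaustive-search estimate only means something when `audit` returns an empty list, since a password that matches a word list or personal detail is found long before every combination has been tried.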

Be careful where you use your password. If you come up with a good, solid password, you should feel free to use it for any secure financial site, said Foley of the Identity Theft Resource Center.

Never provide your password to anyone, except your spouse or someone who shares the account. This includes the company itself. A reputable company will never ask for your online password by phone or e-mail, said Jennifer Semo, a business analyst with Huntington.

Consider changing your passwords from time to time. It depends on how good they are and how long they are. A password that is fewer than eight characters should be considered good for only a week; a password that is 14 characters or longer — containing numbers, symbols and upper- and lower-case letters — can be good for several years.

And Johnson said you should arrange to get statements and other information online instead of by mail, which can be stolen or can advertise to acquaintances the places where you have accounts.