# Picking Passwords: Pitfalls, Practicalities and Protection

Like many people, you probably have a password for logging on to your computer at work, another one for logging into your work email, and then there’s your personal email. Your Mac at home. The Apple ID for your iPhone. Twitter. Facebook. LinkedIn. And more? Oh, and you have to use a capital letter, some lowercase, at least one digit, a punctuation mark or other special character, and it has to be more than 12 characters long. Perhaps you can’t use more than 16 characters? Or perhaps that particular service doesn’t, after all, allow you to use special characters - even more confusing!

Also remember that your employer wants you to change your password every 30 days, and that it can’t be the same as any previous passwords. What a nightmare! How can any normal person remember different, unique and secure passwords, conforming to different rule sets, for all of these services (and more) without resorting to writing them down in a little black book? There is a way...

## The Threat to Passwords

The Internet is generally considered to have been social and interactive since around the turn of the century, what is commonly termed Web 2.0. With the advent of services such as Twitter, Google+ and Facebook, it is now more important than ever to ensure that you use secure and unique passwords on your Mac and with services that you use on the web.

In 2012, hackers managed to steal passwords from popular networks such as LinkedIn, Yahoo and LastFM. Six and a half million passwords were stolen from LinkedIn, 450,000 from Yahoo and “some” passwords, reportedly “millions”, were lost in the LastFM password hack.

## Always Have a Unique Password for Email

If your email password is shared with anything else, anything else at all, please update it as soon you finish reading this article.

If you only do the minimum, just one thing, as a result of reading this article (and I really do commend you to do much more than the minimum) then please ensure that the password that you use for your email is unique, strong and secure. Please ensure that your email password is not used for any other service.

Let us suppose for a moment that you use Gmail for your email. You are on LinkedIn and you have a LastFM account. Let us suppose, also, that you use the same password for all three services, and more services besides those.

Now let us suppose that your LinkedIn account is hacked, the password stolen and decrypted. Sounds unlikely? Well it happened on 5 June 2012 to 6.5 million accounts!

Once that has happened it does not take such a big leap of imagination for hackers to test the same password against your Gmail account. In fact your LinkedIn profile may, indeed, list your Gmail email address.

In fact, once a hacker has the password to your email account he potentially has the key to your entire online presence. Furthermore, if he resets that email password, you will be locked out and you will not be able to prevent any changes that he makes to any of your social media accounts, email, or any other business with whom you deal online.

That’s frightening.

## What Makes a Secure Password?

This is actually quite a big question that requires an even bigger answer. If you have not already done so, please read Marius Masalar’s excellent article: In Search of the Ultimate Password.

The long and short of it is that perhaps it’s not so secure to use capital letters, lowercase, at least one digit and special characters after all.

This is because:

• We only have the ability to remember fairly simple passwords
• We need to remember many different passwords for many different things
• Inevitably, we resort to writing them down

The way in which we have been taught to create passwords needs rebooting. This is excellently demonstrated by the XKCD comic on password strength.

XKCD: In 20 years of effort we successfully trained everyone to use passwords that are hard for humans to remember...

## How Long Will it Take to Crack my Password?

Perhaps an easier way to understand the strength of a password is to understand how long it would take a desktop computer, based on one thousand guesses per second, to crack any given password.

If we take the example, given in the XKCD comic, of “correct horse battery staple”, and enter it into the website howsecureismypassword.net - we can get an idea as to how long it would take to crack, and therefore how secure it is likely to be.

For the curious, or bone-idle, Wolframing “Octillion” reveals that it is one billion billion billion, or 1,000,000,000,000,000,000,000,000,000. It’s usually written as 1×10^27. Interestingly, our planet is a positively youthful 4.54 billion years old in comparison. In short, and as today’s technology stands, you’d need a lot of powerful computers to stand any chance of cracking a password such as that.

Tip: While websites such as howsecureismypassword.net look reputable (and there is no reason to suggest that it is anything other than reputable), you should always exercise caution on the Internet. You never know whether something such as this is just a clever social engineering trick to harvest passwords. Therefore, you may wish to use sites such as this to enter a password similar in structure to the one that you wish to use. Never enter a password that you actually use.
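The same estimate can be made offline, which avoids typing anything into a website at all. The following is an added example, not code from the original article or from howsecureismypassword.net. It works the way the comic does: a brute-force estimate from the character set and length, and an entropy estimate from how the password was generated. The 32-symbol punctuation set and the 2048-word list are assumptions; the 28-bit and 44-bit figures are the ones XKCD assigns to its two examples.

```python
import math

# Calendar year in seconds (365.25 days), used for every conversion below.
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force guesser must cover for this password:
    lowercase (26), uppercase (26), digits (10), space (1) and, by assumption,
    32 other printable symbols. Brute-force estimators work this way."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if " " in password:
        size += 1
    if any(not c.isalnum() and c != " " for c in password):
        size += 32  # assumption: the usual printable ASCII punctuation set
    return size


def brute_force_years(password: str, guesses_per_second: float = 1000.0) -> float:
    """Years to try every string of this length over the inferred alphabet."""
    combinations = charset_size(password) ** len(password)
    return combinations / guesses_per_second / SECONDS_PER_YEAR


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of num_words words picked uniformly at random from a word list."""
    return num_words * math.log2(wordlist_size)


def entropy_years(bits: float, guesses_per_second: float = 1000.0) -> float:
    """Years to try all 2**bits possibilities at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Brute force flatters a short "complex" password and a long passphrase alike;
    # the entropy of how each was actually built tells the real story.
    for pw in ("Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: brute force {brute_force_years(pw):.3g} years")
    print(f"word+substitutions (~28 bits): {entropy_years(28) * 365.25:.1f} days")
    print(f"4 words from 2048 ({passphrase_bits(4, 2048):.0f} bits): "
          f"{entropy_years(44):.0f} years")
```

The brute-force figure for the passphrase lands in the octillions of years at one thousand guesses per second, while the entropy view shows why a mangled dictionary word falls in days even though its brute-force number looks huge.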

## You Don’t Need to Remember All of Your Passwords!

A problem with the solution proposed by XKCD is that many websites will not allow spaces within passwords. Or they require a mixture of upper and lower case, they require at least one digit, or they require special characters such as an exclamation mark or a percentage sign.

In such cases, it is going to be necessary to use some fairly complicated passwords. Passwords that are not going to be easy, or even possible, to remember.

Furthermore, we are not going to write down any of these passwords as that would immediately compromise their security.

In fact, it should be possible, and even more practical, to remember just one password. A master password that unlocks an encrypted database in a password management tool.

Imagine that! You can now have more secure passwords than you have ever had, they can all be unique, and you don’t need to remember any of them. How secure is that?

## Tools That Can Help

You may already be familiar with browser-based password savers, and you may use them. The disadvantage with this is that your passwords can only be used within that browser. Furthermore, it may be difficult to back up and transfer that password data if you rebuild your machine or upgrade.

You may also be familiar with Keychain within OS X, but this is a bit awkward for managing passwords.

Fortunately, there are dedicated tools out there that are available to manage passwords not only for browser-based sites, but which can also store other information such as software licences, credit card information and even documents such as PDFs.

### KeePassX

KeePassX is an open-source password manager for storing user names, passwords, URLs, attachments and comments in one single, encrypted database, and includes a small utility for secure password generation.

KeePass is available under GNU General Public Licence and is also cross-platform with Windows and Linux.

### LastPass

LastPass is a commercial password manager that allows you to synchronize your passwords across computers and across browsers on each computer. It also supports Google Authenticator for additional security.

It is available as a free, advertising-supported app, or advert-free for $12 per year. LastPass works on both OS X and Windows.

### 1Password

1Password began life as a Mac App and now covers iOS devices and Windows. Again, it is a password manager with browser plugins that synchronizes your passwords across devices. 1Password is a commercial product that can be tested free for 30 days and is available for OS X and Windows. At the time of writing, it is available for £34.99/$49.99 for OS X. It is an excellent product with active development and support.

Employing a password manager such as those mentioned means that you only have to remember one master password, something secure, and the rest of the passwords can be complex and you don’t need to remember them.

You will also be able to take advantage of browser extensions, for all the major browsers, that allow you to log into websites with speed and ease. Again, you only need to use your master password to do this, even though all of your website logins will have complex and secure passwords that no human stands any chance of remembering.

## Conclusion

In the words of the XKCD comic, “In 20 years of effort we successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess.” It would take a desktop PC about 154 octillion years to crack the password “correct horse battery staple”, and we can use a master password, constructed like that, for our password management tool, which then allows us to use impossible-to-remember, complex and unique passwords for all the services that we use.

By taking this approach, we are able to meet the requirements of numerous different websites each with differing rulesets on how passwords should be constructed. We are able to use complex, unique and secure passwords, for all of our online affairs, without needing to know any of them.