Mr Webb On-Line Internet Safety and Security Information
Password Protection - why you should change your password
After a few desperate minutes of trying various password and username combinations, we finally resort to the 'lost my password' button that supposedly sends our password to the email address we entered for the site we're trying to log into.
Pity we couldn't remember that particular email address either, so we enjoy another few minutes at a different password and username login prompt, trying to figure out what our password was!
This scenario probably seems familiar to a lot of us, and if not, then you're either blessed with an exceptional memory, only have a few internet sites that require a sign-in, or you made all your passwords the same for each site. (Not a good idea!)
Especially with millions of methods for automatic sign-in, automated email retrieval and other mechanisms that seem to magically circumvent our login process, we tend to forget the passwords we used only days after we actually used them.
Going through the frustration of retrieving our passwords by email, answering cryptic 'hint questions', or simply waiting for our password to arrive after using the 'password retriever' can often be an agonizing inconvenience.
Some of us simply decide to leave the 'leave me logged in' function enabled, or get the idea to make every password we ever use the same so that we won't have to think too much no matter which account we happen to log into.
Unfortunately, taking the easy way out of our day-to-day password problems is also taking the quick way into a potentially dangerous situation.
What can happen?
Any of your passwords can be hacked, stolen or otherwise appropriated, causing you to lose control of any number of online services.
Some of us might shrug this off; after all, our emails are hardly that interesting to anyone other than us.
Even if the content of your emails is not, your address book certainly is, and so is any personal information you have ever received or sent.
Personal address information, your name, social security numbers and credit card numbers, if ever used online, usually come to your email address for the purpose of identity confirmation or order confirmation. Whatever the case may be, your emails and address book contain valuable information about not only you, but also the greater part of your contacts.
This information, when used inappropriately, can lead to identity theft (a well-known crime that can cause severe damage to our [financial] lives).
If, on the other hand, your PayPal or online bank account passwords are stolen, you are bound to observe the effects immediately. Either you will find all your money missing some day, or you will notice that despite your best efforts you are no longer able to log into the account.
But even the most stubborn of us eventually recognize that changing a password once in a while is more or less mandatory. The problem isn't so much the act of changing the password, but picking a password that is safe and easy to remember.
At this point it is important to note that usernames are always public knowledge. Your username is never hidden well enough to count as a password, and if a hacker attempts to break into any of your internet accounts you can safely assume that they have already retrieved your username (which also clearly indicates that it isn't wise to use your username as a password).
Creating a safe password
Creating a safe password is not as hard as many may think (we're talking letters and numbers, after all), but in order to understand what is safe and what isn't, we will first take a look at the two most common methods used by people hacking passwords:
1. Dictionary hacking
2. Brute force hacking
Dictionary hacking
Most password systems allow us an unlimited number of attempts to log in. Both dictionary hacking and brute force hacking rely on this fact to gain entry to your account.
A dictionary hacker is a software tool that takes every word in a dictionary in turn and attempts to log into your account with that word as the password. If your password, for example, is 'sphynx' (incorrectly spelled, but we aren't all perfect), then the dictionary hacker will eventually attempt to log in with 'sphynx' as the password (after going through 'ape', 'blood' and all the words that come before it in alphabetical order).
Most dictionary hackers come with an extended dictionary: this means it includes not only words but also dates, common deviations of words such as 'appropiate' instead of 'appropriate', slang and, more often than not, a list of common names.
Brute force hacking
Imagine someone bashing a huge hammer against a door until it opens. Brute force hacking does just that. By trying every combination of characters possible within a set of parameters, the brute force method will eventually manage to break open each 'lock'.
A brute force hacking program can generally be told which characters to use and how long the 'password' is. If someone is attempting to hack your account with this method using a password length of 8 characters and your password is 9 characters long, then they will never get in.
If they use a length of 10, then eventually they will break your password and have access to your account.
Obviously, trying every single character combination in existence, even for a password that is only 8 characters long, is a very time-consuming effort even at the speed of the newest computers.
In general terms it is safe to say that the longer the password, the longer the brute force attack will take.
The 'right' password choice
Now that we have identified the two most commonly used hacking methods, it is time to pick the 'right' password: one that is not only secure but also something we can remember.
Since we already know that taking a word out of the dictionary and using it as-is isn't advisable, we will have to look into methods of making this password unrecognizable as a dictionary word.
To go back to our previous password 'sphynx', we could for example change the 'y' into a '7', creating sph7nx as a potential candidate for a password. This password has already overcome the first hurdle of being hacked, which is the dictionary hack. It is fairly safe to say that only a few dictionary hackers have sph7nx in their database (until now).
Unfortunately, the brute force attack will still be able to figure out this password eventually. The fact that our password is only six characters long makes it easier prey than a password double that length.
In order to fix this problem we may opt to change our password to, say, 'EgyptianSphynx'. Taking dictionary hackers into account, we once more replace every occurrence of the letter 'y' with '7' and end up with 'Eg7ptianSph7nx'.
As unreadable as it may seem, we have just successfully created a fairly safe password, and one we can actually recognize.
We could now focus on making this password even more secure by adding a special character to it or in front of it. I am sure creative minds will eventually come up with things like '!3g7pt1@n$ph7nx!' or worse creations (which are actually quite safe).
And even though one password of that type may be remembered, if we have five different passwords for five different places we will quickly become confused. Since it is not advisable to use the same password twice or more (if you lose one, you lose them all), we will have to figure out a way to actually remember half of our creations.
We can achieve this by building a common identifier into our passwords: something that is contained in all of them but doesn't lend itself to dictionary hacking or brute force attacks.
Let's assume we are the owners of 5 different accounts that require a suitable password: Email, Paypal, Online bank, Message Forum and eBay (a fairly common selection).
Since we have already been playing with the word sphynx, we decide to make it the key element of all our passwords.
We know that sphynx is 6 characters long (a bit short, but we like it), and since we don't want anything out of the dictionary we will just have to remember that pesky '7' instead of our 'y', making our 'basic' password (once again) sph7nx.
The next step in the process of creating a more universal password for ourselves is to pick a so-called 'delimiter', a character that will serve as a separator. Since this is a personal choice, we pick the character '!' as our delimiter.
With our basic password and our delimiter selected (yes, you'll have to remember those no matter what) we can start to create passwords for our five accounts.
For our email account we could select the password !sph7nx!email!. As you can guess, this would lead to !sph7nx!paypal!, !sph7nx!bank!, !sph7nx!forum! and !sph7nx!ebay! as the passwords for the other accounts.
Even though this creates passwords that are partially made up of dictionary words, they provide sufficient safety (thanks to your key element !sph7nx!) to prevent dictionary hacks. As you can see, all the passwords also easily exceed 8 characters, making brute force attacks a very lengthy process (years, depending on the processing power available to the hacker).
This method allows us to just remember our basic password and then add the needed element to complete each password. Naturally this method is riskier than picking completely separate passwords for each account (since the pattern is easily recognized and experimented with), but it strikes a good balance between password security and our ability to remember it.
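To put numbers behind the two attack models described above (dictionary and brute force) and the key-plus-delimiter scheme, here is an added Python example. It is not code from the original article: the mini wordlist, the alphabet constants and the guess rate of one billion attempts per second are constructed assumptions for illustration, and the time figures are worst-case estimates that scale directly with whatever rate you assume.

```python
"""Password checks mirroring the article's two attack models and its
key-plus-delimiter scheme. Added example; the wordlist and guess rate
below are constructed assumptions, not figures from the article."""
import math
import string

# Constructed stand-in for the "extended dictionary" the article
# describes: plain words, a misspelling, names, a date, account names.
WORDLIST = {
    "ape", "blood", "sphynx", "sphinx", "appropriate", "appropiate",
    "egyptian", "john", "1999", "password", "email", "paypal", "bank",
    "forum", "ebay",
}

# Alphabets a brute-force run might be configured with.
ALNUM = string.ascii_letters + string.digits
ALNUM_SYMBOLS = ALNUM + string.punctuation

# Assumed attacker guess rate for the time estimate (illustrative only).
GUESSES_PER_SECOND = 1_000_000_000


def in_dictionary(password, wordlist=WORDLIST):
    """Dictionary hack: succeeds only if the password is exactly an entry."""
    return password.lower() in wordlist


def charset_size(password):
    """Size of the smallest standard alphabet a brute-force run would
    have to be configured with to ever produce this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def reachable_by_search(password, alphabet, max_length):
    """Would an exhaustive search over `alphabet` at lengths up to
    `max_length` ever land on this password? The article's point: a run
    configured for 8 characters never finds a 9-character password, and
    a run without symbols never finds a password containing '!'."""
    return len(password) <= max_length and all(c in alphabet for c in password)


def brute_force_keyspace(password):
    """Worst-case number of candidates for the password's charset and length."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed guess rate."""
    seconds = brute_force_keyspace(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def assess(password, wordlist=WORDLIST):
    """Summarise the password against both attack models."""
    return {
        "in_dictionary": in_dictionary(password, wordlist),
        "length": len(password),
        "charset_size": charset_size(password),
        "keyspace_bits": round(math.log2(brute_force_keyspace(password)), 1),
        "years_at_assumed_rate": years_to_exhaust(password),
    }


def build_family(key, delimiter, accounts):
    """The article's scheme: delimiter, key, delimiter, account, delimiter."""
    return {acct: f"{delimiter}{key}{delimiter}{acct}{delimiter}" for acct in accounts}


if __name__ == "__main__":
    for pw in ("sphynx", "sph7nx", "Eg7ptianSph7nx", "!3g7pt1@n$ph7nx!"):
        print(f"{pw:20} {assess(pw)}")
    family = build_family("sph7nx", "!", ["email", "paypal", "bank", "forum", "ebay"])
    for acct, pw in family.items():
        print(f"{acct:8} {pw:18} {years_to_exhaust(pw):.2e} years worst case")
```

Running it shows the progression the article walks through: 'sphynx' is found by the dictionary step outright, 'sph7nx' survives the dictionary but has a keyspace small enough to exhaust in well under a second at the assumed rate, and the 14-character forms push the worst case into millions of years. The reachable_by_search check makes the length and alphabet point concrete: a run configured for 8 alphanumeric characters can never produce 'Eg7ptianSph7nx', and a run without symbols can never produce any member of the '!sph7nx!' family.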
Once you have gone through the process of selecting a personal key, make sure your efforts don't go to waste: select a new key password every month or every few months for optimal security.
And finally, be wise and never let anything log you in automatically. Storing your password anywhere is never a wise idea, so guarding it like you would guard your credit card number is well-advised.