Which is the best recommendation for passwords?
Online Password Cracking
Online means guessing against the live login service across the Internet. Every attempt travels over the network and is processed by the remote host, so each guess is slow, and the host can notice the flood of failures and throttle or lock out the guesser. This is the most difficult path to password cracking.
Brute-force guessing is generally not feasible in an online setting. Instead, attackers use small, targeted dictionary attacks built from information about you, perhaps harvested from your Facebook account. Who are your best friends? Your pets? Your dates (birthday, anniversary)? Your phone numbers? Your favorite entertainers?
Offline Brute Force Guessing
Offline means the attacker has already obtained a copy of the stored password hashes (typically from a breached database) and tests guesses on their own hardware, with no network delay and no lockout. When they are simply guessing, they start with one-character passwords (including single digits), then move on to two characters, and so on through every combination. This is called brute force.
Common Passwords
Over time attackers have compiled lists of common passwords, largely from earlier breaches, and extended them with cheap variations (capitalized, a year appended, and so on). They try these first, before resorting to brute force. This is called a dictionary attack. Type “common passwords” into a web search engine for an eye-opening experience. The dictionary attack is usually the best approach for an attacker who does not have your hash, since the dictionary holds far fewer entries than there are random character combinations, and it is where an offline attacker starts as well.
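To make the two offline strategies above concrete, here is a small cracker that runs the dictionary attack first (with the capitalize/year/Month+Year variations mentioned above) and falls back to brute force by increasing length. It is an added example written for this page, not code from the original article. The word list, month names and the SHA-256 target hashes are constructed for the demonstration; unsalted SHA-256 stands in for whatever hash an attacker stole, and a slow salted hash (bcrypt, scrypt, Argon2) would only raise the cost of each guess, not change the order in which guesses are tried.

```python
import hashlib
import itertools
import string

# Constructed sample list for this example; real lists hold millions of
# entries harvested from earlier breaches.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "aloha"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def sha256_hex(text):
    """Unsalted SHA-256 stands in for the stolen hash (illustration only;
    real password stores should use a slow, salted hash)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mangle(word):
    """Yield the dictionary word plus the cheap variants attackers try first:
    capitalised, with a trailing year, and with the Month+Year suffix that
    the 'alohaFeb2000' rotation habit produces."""
    yield word
    yield word.capitalize()
    for year in range(1990, 2030):
        yield f"{word}{year}"
        yield f"{word.capitalize()}{year}"
        for month in MONTHS:
            yield f"{word}{month}{year}"


def dictionary_attack(target_hash, wordlist):
    """Return (password, guesses) or (None, guesses) once the list is used up."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def brute_force(target_hash, alphabet, max_len):
    """Enumerate every string of length 1, then 2, ... up to max_len."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size, length):
    """Number of candidates a brute-force search must cover for one length."""
    return alphabet_size ** length


def crack(target_hash, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Dictionary first, brute force only as the fallback.
    Returns (password or None, method, total guesses)."""
    found, n_dict = dictionary_attack(target_hash, COMMON_PASSWORDS)
    if found is not None:
        return found, "dictionary", n_dict
    found, n_brute = brute_force(target_hash, alphabet, max_len)
    return found, "brute-force", n_dict + n_brute


if __name__ == "__main__":
    for secret in ("alohaFeb2000", "z9q"):
        print(secret, crack(sha256_hex(secret)))
    # Why 12 to 16 characters matters: 95 printable ASCII characters per position.
    for n in (8, 12, 16):
        print(f"length {n}: {keyspace(95, n):.2e} candidates")
```

The numbers returned make the page's point: the twelve-character "alohaFeb2000" falls in a few thousand guesses because it is a dictionary word with a predictable suffix, while a three-character random string costs tens of thousands, and every extra random character multiplies that by the alphabet size.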
Account Chaining
If an attacker discovers your password on site xyz, they will try the same username and password on other sites: email, banking (PayPal), shopping (iTunes, Amazon), social (Facebook, LinkedIn), gaming (Sony, Blizzard). Done at scale with leaked credential lists, this is called credential stuffing. It is good to vary your passwords, at least for the accounts you consider valuable. If anyone gets your email password, you are in a world of hurt: most sites send their password-reset links to your email address, so whoever controls the mailbox can reset every account linked to it.
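A quick way to find the chaining risk in your own accounts is to audit a credential export for reuse. The following is an added example for this page, not code from the original article: the account list is constructed (a real audit would read a password manager's CSV export), and which sites count as high value is an assumption for the demonstration. Besides exact reuse it also groups passwords by "stem" (lower-cased, trailing digits stripped), since an attacker who knows aloha2000 will certainly try aloha2001.

```python
import re
from collections import defaultdict

# Constructed sample export (site, username, password) for this example; a
# real audit would read the password manager's CSV export instead.
ACCOUNTS = [
    ("xyz-forum.example", "alice", "aloha2000"),
    ("mail.example", "alice@mail.example", "aloha2000"),
    ("bank.example", "alice", "aloha2001"),
    ("shop.example", "alice", "aloha2000"),
    ("game.example", "alice99", "Xk4$v!9qLm2#wPz7"),
]

# Assumed high-value accounts: taking these over lets the attacker pivot,
# because password resets for the other sites land in the mailbox.
HIGH_VALUE = {"mail.example", "bank.example"}


def stem(password):
    """Collapse the 'same password, different suffix' habit: lower-case and
    strip trailing digits so aloha2000 and aloha2001 share one stem."""
    return re.sub(r"\d+$", "", password).lower()


def find_reuse(accounts):
    """Group accounts by exact password and by stem.
    Returns (exact_groups, stem_groups): lists of sorted site lists, each
    containing more than one site."""
    exact = defaultdict(list)
    stems = defaultdict(list)
    for site, _user, password in accounts:
        exact[password].append(site)
        stems[stem(password)].append(site)
    exact_groups = sorted(sorted(v) for v in exact.values() if len(v) > 1)
    stem_groups = sorted(sorted(v) for v in stems.values() if len(v) > 1)
    return exact_groups, stem_groups


def exposed_high_value(accounts, high_value):
    """High-value sites whose password (or its stem) is shared with another
    site: a breach at that other site opens these accounts as well."""
    exact_groups, stem_groups = find_reuse(accounts)
    exposed = set()
    for group in exact_groups + stem_groups:
        exposed.update(site for site in group if site in high_value)
    return sorted(exposed)


if __name__ == "__main__":
    exact, stems = find_reuse(ACCOUNTS)
    print("exact reuse:", exact)
    print("stem reuse:", stems)
    print("high-value accounts at risk:", exposed_high_value(ACCOUNTS, HIGH_VALUE))
```

On the constructed data both the mailbox and the bank share a password family with a low-value forum account, which is exactly the chain the section describes; the gaming account with its own random password is unaffected.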
How Often To Change Your Password?
The old-time wisdom says you should change your password often, so that it changes faster than your enemy can guess it. In the days of eight-character passwords that made some sense. Not much, but some.
The big problem with frequent changes is memorization. Who can memorize a new password and recall it reliably every month? When people are forced to change their passwords often, one of several workarounds typically emerges.
- (a) The password gets written down. It is on the yellow sticky note under the desk phone, or on the wall.
- (b) The password is the same as before, with only part of it changed. Maybe it is “alohaFeb2000” in February of 2000, and in March, it will be changed to …
If you have a good, secure password, there is no need to change it, ever. By good and secure we mean long, roughly 12 to 16 characters or more, and hard to guess: not a dictionary word, and not a pattern built from facts about you. Current NIST guidance (SP 800-63B) says the same: do not force periodic changes, but do force a change when there is evidence of compromise. So if you ever suspect a password has been revealed, leaked, or cracked, change it at once, everywhere it is used.
Password Management Tools
There are password managers, free and paid, that make it easy to have a different, long password for every website. I recommend LastPass. It is a free password management tool. It facilitates having a different password for each website you join and syncing those passwords across the several computers you commonly use. It also fills in the login form for you, which removes the errors that come from typing a long password by hand.
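What a password manager does when it "makes your passwords long" is draw them from a cryptographic random source; the snippet below shows the same thing so you can see how much guessing work each form represents. It is an added example for this page, not code from the original article or from any password manager. The character set and the tiny word list are constructed for the demonstration (a real passphrase generator uses a published list such as the EFF long list of 7776 words), and the entropy figure assumes the attacker knows the generation method and has to search the whole space.

```python
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII characters (space excluded).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list for the example only; real generators use a
# published list (e.g. 7776 words) so that each word carries ~12.9 bits.
WORDS = ["aloha", "harbor", "lantern", "quartz", "velvet", "meadow",
         "cobalt", "pistol", "ember", "glacier", "tundra", "saffron"]


def has_all_classes(pw):
    """True if pw contains a lower, an upper, a digit and a punctuation char."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(length=16, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG (secrets, never random),
    resampled until every character class is present. The resampling costs a
    fraction of a bit of entropy but satisfies typical site rules."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw


def generate_passphrase(words=6, wordlist=WORDS, sep="-"):
    """Random words joined by sep: long, memorable, and still hard to guess
    when the list is large and the words are chosen uniformly."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, picks):
    """Bits of entropy of `picks` independent uniform choices among `choices`
    options; an attacker needs about 2**bits / 2 guesses on average."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{entropy_bits(len(ALPHABET), 16):.1f} bits")
    phrase = generate_passphrase(6)
    print(phrase, f"{entropy_bits(len(WORDS), 6):.1f} bits (tiny list)")
    print(f"same phrase from a 7776-word list: {entropy_bits(7776, 6):.1f} bits")
```

A 16-character password over 94 symbols carries about 105 bits, far beyond any offline search, and that is the level a manager gives every site for free; a six-word phrase from a proper list lands near 77 bits, which is still comfortably out of brute-force range and is the form to use for the one password you must remember, the one that unlocks the manager itself.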