Passwords as we know them are effectively dead or dying. A recent analysis of 6 million usernames and passwords showed 91% of users had one of the 1,000 most common passwords, with 99.8% using a password from the 10,000 most common passwords. And guess what? Those 10,000 most common passwords, and more, are freely available on the internet for anyone to download and use to hack your online accounts.
Even worse, people who have hacked passwords from LinkedIn and other popular services have published online the passwords they’ve stolen. With millions of complex passwords available to hackers, it’s hard to come up with a unique password that is difficult to hack.
At the same time that human-generated passwords have become mostly impractical, password management software has evolved and become simpler to use. Password managers provide encrypted password storage, of course, but also the ability to store encrypted credit card data safely and fill out web page forms automatically. They also generate passwords based on criteria you set. For example, I tend to use 12+ character passwords with all possible letters (upper case and lower), numbers, and special characters.
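To make the "criteria you set" idea concrete, here is an added example (not taken from this article or from any of the password managers it mentions) of generating a password of 12 or more characters that uses all four character classes and is checked against a list of common passwords. The function names are hypothetical and the five-entry common-password set is a constructed stand-in for a real downloaded list.

```python
import math
import secrets
import string

# Character classes matching the criteria described above.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())

# Constructed stand-in for a downloaded list of common passwords (lowercase).
COMMON_PASSWORDS = {"password", "12345678", "qwerty", "letmein", "iloveyou"}


def is_acceptable(password, min_length=12):
    """True if the password is not common, is long enough, and uses every class."""
    if password.lower() in COMMON_PASSWORDS or len(password) < min_length:
        return False
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def generate_password(length=16):
    """Draw characters from the OS CSPRNG until the criteria are satisfied."""
    if length < 12:
        raise ValueError("length must be at least 12")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps every accepted password equally likely,
        # unlike forcing one character of each class into fixed positions.
        if is_acceptable(candidate):
            return candidate


def entropy_bits(length):
    """Upper bound on entropy for a uniformly random password of this length."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"(about {entropy_bits(16):.0f} bits)")
```

The `secrets` module is used instead of `random` because it draws from the operating system's cryptographically secure generator.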
Most of these services also provide phone and tablet applications to allow you to use your stored passwords on any device. The question is not if you should use these services. The questions are when you should start and which service works best for your needs.
The best approach is to download 2-5 different software or web password managers, add in a few passwords for your sites, and get a hands-on feel for how they work. Pick the application that works best for you and add your passwords over time as you use services online. Very quickly you'll see a password manager can save you a lot of time, as well as let you easily use passwords that are extremely difficult to hack.
One other point: do not be afraid to pay for software. Your money helps maintain the software and keep the company viable. Paying benefits you.
Whatever you choose to use, also be sure their phone versions let you add a PIN to access your passwords. And definitely, if you have not already, add a PIN to your phone as an easy way to make your phone secure. On the iPhone, for example, click the Settings icon, then the General link, then the Passcode Lock link to set a PIN of 4 or more characters. The only reason I’ve heard to not put a PIN on your phone has to do with accidents while cycling or in a car; if you crash, and you’re unconscious or barely able to think, and someone needs your phone to identify you or call your family, a PIN bricks your phone. Is it worth not using a PIN? The decision is yours. I use a 6+ number PIN to lock my phone.
Here are three popular password managers to evaluate. Search online if you need more options.
This password manager has web, phone, and tablet software so you can retrieve and use passwords on any device you might have. In addition, you can store credit cards, create profiles with your name and address(es), and protect all your data with a single login. Price is $49.99. Phone and tablet apps are separate purchases.
I use this password manager, on the recommendation of someone I trust, and it has worked very well. In my situation, a web browser and phone app work for me. While storing credit cards and creating profiles is not my thing, it can do both. And LastPass includes multi-factor authentication. Passwords are stored locally on my computer, available only with my password. There is a secure cloud option built in. More interesting, they have the ability to import your passwords from competitors, for example, 1Password and RoboForm. Price is $12 a year. Phone and tablet apps are free.
RoboForm appears to work a lot like 1Password, as an all-in-one solution for credit cards, identities, and passwords. My wife has used the software for years and has found it easy to use. It was first developed for people who do online sweepstakes and have to fill in dozens of online forms a day. Today the software has been built out to be a true password and identity manager. Price is $9.95 for the first year, $19.95 afterwards. Phone and tablet apps are included in the price.
Password Manager Reviews
How I Became a Password Cracker
Password Strength: How Strong is Your Password? (Infographic)
Born to be Breached: The Worst Passwords are Still the Most Common
Kill the Password: Why a String of Characters Can’t Protect Us Anymore
Why Passwords Have Never Been Weaker — and Crackers Have Never Been Stronger
Probably the best overview of how user-generated passwords no longer work. And a cautionary tale for people who use 12345678 as their password (you know who you are).