Advice from a Hacker on Picking a Good Password

Rebecca Greenfield

August 29, 2012 at 6:02 PM

As mass hacks abound, it's hard to know the best way to handle our Internet security, so we went to a password expert to figure out how best to protect ourselves. Alex Horan is a proclaimed "white hat hacker," meaning he hacks "for good, not evil" in the words of the public relations liason for CORE Security, where Horan is a product manager. He, like us, believes the password system these days isn't ideal for people trying to protect their online info. Though hacks are happening more often for various reasons (as discussed here), there is one part of the dysfunctional system we can control: Our own password habits.

RELATED: LulzSec Explains Itself, Sort Of

But Horan does not blame us for not using ideal passwords. One of the biggest problems with passwords is the glut of sites that require them. "The end users are really in a bind," Horan said. "More and more things are online and there is no ability yet for me to have a single online ID where I can use the same user name and password to authenticate to some central database." Right now, people are asked to create new usernames and new passwords for everything. When our creativity wanes (and our memories dim) we often resort to reusing the same password. But that's unsafe. The biggest danger of a password hack is that a password found at one site can be used to get into other, more important accounts. (That's what happened to James Fallows' wife, as he explained in The Atlantic.) The other option is to have different codes for everything, which is unreasonable and annoying. A recent survey found 38 percent of respondents would rather clean a toilet than think of new combinations. Another 38 percent said they would rather tackle world peace. So what to do? Here's what Horan suggests.

RELATED: LulzSec Disbands Before Its Members Are Outed

Save brain space for the really important accounts. For the stuff that really matters, like bank accounts, for example, Horan suggests we use unique passwords for each and every one of them. For the less important stuff, it might make sense to choose a "dumb password," a suggestion we had a few weeks ago. That doesn't totally eliminate the so-many-things-to-remember issue, but it compartmentalizes things. Also, I sometimes forget which passwords I picked for what sites, this system would help me remember, at the very least, what type I picked.

RELATED: The Problem with Parents Helping Kids Lie to Get on Facebook

Forget password, think passphrase. A password indicates some intricate combination of letters and numbers (and maybe symbols) that looks hard to guess. Those are hard to remember, and not always impenetrable. A passphrase, instead, consists of a string of whole words. Like, a line of a book, or a song lyric, Horan suggests. "The first line of my favorite book is very hard for someone to guess and also very hard for a computer to brute force." (A brute force attack is when a computer program does hyper-speed password guessing, which is what happened with LinkedIn.) One extra character makes it exponentially more difficult to crack, as this chart Horan provided shows.

RELATED: The Internet Is Getting A 'Cat Signal'

RELATED: Do You Even Care If Someone Has Your LinkedIn Password?

Longer is better, but harder to remember if it's a nonsensical code. So Horan suggests making it something that isn't a single word someone would think of, but that's easy for you to remember.

Don't use the same login for everything. Hackers don't generally look for multiple email addresses that have the same password, but rather hope the username-password combo exists elsewhere. To avoid this, Horan suggests we don't think passwords, but rather usernames. "For LinkedIn, have linkedin.alexanderhoran@gmail.com," instead of the standard YourName@gmail.com, he told us.That involves creating the unique Gmail account and then linking it up with your standard mail address, which sounds like a lot of work to us. But it is just a one-time set-up and a lot easier to remember than a bunch of random letters and numbers.

Update August, 30 1:52 p.m.: Though one could go through all the trouble to make new email addresses, Horan has clarified that Gmail allows it to appear as if you have multiple email addresses when you don't. For example the email address YourName@gmail.com can also use the following logins: YourName+LinkedIn@gmail.com and YourName+facebook@gmail.com and YourName+Twitter@gmail.com, etc. "All those email address will work, and they will all come to my inbox. I can then use filters and folders in gmail to organize them etc as well," Horan told us.

Our password picking habits aren't the only reason passwords have failed us. A lot of it has to do with the way websites do (or rather, do not) protect us. Not all these sites are using the most secure systems. The Yahoo Voices system, which was hacked last month, didn't use encryption, for example. LinkedIn added salting -- a system that inserts random characters into a password hash, making it harder for hackers -- not too long ago. Horan also has suggestions for how sites can do better.

Use a well known public encryption scheme. To sites that don't encrypt at all: Get on that. But, Horan says there is a misunderstanding that a homemade scheme does better than a mass-used one. He says that is wrong. "With a private one you might miss a problem. And then, even if you find it you've got to fix it." A well-vetted public one is a better bet.

Use a strong, long salt. The more intricate the salt, the harder it will be for a brute force attacker to crack it. Makes sense.

Be transparent. At this point, we just hand over our information to companies and trust them with our keys. If we knew what kind of protection these sites had, maybe we would think before locking important stuff up behind something that's about as secure as childproof medicine caps. "They should tell us the effort they make in general to protect the passwords," he said. Then, people like him could check for holes. And people like us could be conscious of what's what. Though, we offer a more cynical point of view than Horan. People don't read terms of service agreements, why would they bother with some technical password protection mumbo jumbo?

Image via Shutterstock by mkabakov

Yahoo Sports
Former NBA guard Darius Morris dies at 33
Former NBA guard Darius Morris has died at the age of 33. He played for five teams during his four NBA seasons. Morris played college basketball at Michigan.
Yahoo Finance
The FDIC change that leaves wealthy bank depositors with less protection
Affluent Americans may want to double-check how much of their bank deposits are protected by government-backed insurance. The rules governing trust accounts just changed.
Yahoo Sports
Mickelson on the majors: 'What if none of the LIV players played?'
Phil Mickelson hints that big changes could be coming to LIV Golf's rosters, and the majors will need to pay attention.
Yahoo Sports
Kyle Larson beats Chris Buescher at Kansas in closest finish in NASCAR history
Larson won by 0.001 seconds.
Yahoo Sports
Bulls' Lonzo Ball picks up $21.4 million option for 2024-25 season amid knee concerns
Ball hasn't played since the 2021-22 season.
Yahoo Sports
No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it
The quality was choppy, but it was better than what the WNBA had.
Yahoo Sports
New details emerge in alleged gambling ring behind Shohei Ohtani-Ippei Mizuhara scandal
It turns out the money was going from Ohtani's bank account to an illegal bookie to ... casinos.
Yahoo Sports
Monday Leaderboard: Brooks Koepka is ready to slow the Scottie Scheffler train
A dominant LIV win and a heartbreaking PGA Tour loss headline this week's top golf stories
Yahoo Sports
NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?
Which teams did the best in the NFL Draft?
Yahoo Sports
2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick
Yahoo Sports' Charles McDonald breaks down the Broncos' 2024 draft.
Yahoo Sports
Anthony Edwards' arrival should have the Nuggets — and the entire league — on high alert
The Timberwolves' rising superstar led Minnesota to a Game 1 victory over Denver, then reminded the world that he's 22, not 23 ... yet.
Yahoo Sports
Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race
Race organizers say they'll revoke a Trump fundraiser's suite license if he holds an event for the former president on Sunday at the race.
Autoblog
Why did Musk ax the Supercharger team?
Elon Musk’s decision to dismiss much of Tesla’s Supercharger team this week came as a shock. A look at possible reasons why he did it.
Yahoo Sports
The best QBs for 2024 fantasy football according to our analysts
The Yahoo Fantasy football analysts reveal their first quarterback rankings for the 2024 NFL season.
Yahoo Sports
Canelo Álvarez and Oscar De La Hoya erupt in heated exchange ahead of title bout with Jaime Munguía
Canelo Álvarez is set to defend his title against undefeated Jaime Munguía on Saturday in Las Vegas.
Yahoo Finance
CVS stock plunges after earnings numbers one analyst 'did not even believe'
CVS warns it could cede Medicare Advantage market share as reimbursement rates pressure the company.
Yahoo Sports
Kentucky Derby: Mystik Dan wins in three-horse photo finish, outruns favorite Fierceness in stunning upset
The 150th Kentucky Derby produced yet another magnificent two-minute spectacle.
Yahoo Sports
Lionel Messi smashes MLS and personal records with goal, 5 assists in a single half
Messi needed just 33 minutes to do things that no MLS player had ever done in a full game, and that Messi had never done in his career.
Yahoo Sports
Formula 1: Lando Norris gets his first win ahead of Max Verstappen at the Miami Grand Prix
Norris hadn't pitted and was leading the Grand Prix when a safety car was deployed for Logan Sargeant and Kevin Magnussen's crash.
Yahoo Sports
UFC 301: Anthony Smith confronts career reality after reconciling with the man who knocked out his teeth
After 56 pro fights and losses in three of his last four, the UFC veteran knows what fans think about the state of his career – but he also knows they've been wrong before.

News

Life

Entertainment

Finance

Sports

New on Yahoo

Advice from a Hacker on Picking a Good Password

Recommended Stories

Former NBA guard Darius Morris dies at 33

The FDIC change that leaves wealthy bank depositors with less protection

Mickelson on the majors: 'What if none of the LIV players played?'

Kyle Larson beats Chris Buescher at Kansas in closest finish in NASCAR history

Bulls' Lonzo Ball picks up $21.4 million option for 2024-25 season amid knee concerns

No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it

New details emerge in alleged gambling ring behind Shohei Ohtani-Ippei Mizuhara scandal

Monday Leaderboard: Brooks Koepka is ready to slow the Scottie Scheffler train

NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?

2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick

Anthony Edwards' arrival should have the Nuggets — and the entire league — on high alert

Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race

Why did Musk ax the Supercharger team?

The best QBs for 2024 fantasy football according to our analysts

Canelo Álvarez and Oscar De La Hoya erupt in heated exchange ahead of title bout with Jaime Munguía

CVS stock plunges after earnings numbers one analyst 'did not even believe'

Kentucky Derby: Mystik Dan wins in three-horse photo finish, outruns favorite Fierceness in stunning upset

Lionel Messi smashes MLS and personal records with goal, 5 assists in a single half

Formula 1: Lando Norris gets his first win ahead of Max Verstappen at the Miami Grand Prix

UFC 301: Anthony Smith confronts career reality after reconciling with the man who knocked out his teeth