What are some tips for creating a secure password? Should you never use the same password twice?

With all of the recent hacks lately, I've been thinking a lot about password best practices. I think the InfraGard breach in particular highlights the importance of having secure passwords. What constitutes a strong or secure password? Should you never use the same password twice? How long should the password be? Should companies implement password guidelines for users? High quality answers will be considered for an open research piece and will be given significant promotion across the Focus network.

4
Erik Goldoff
IT Systems & Security consultant, Goldoff Consulting
Posted on June 7, 2011

You want your 'password' to be complex yet easy to remember. You do not want to use a simple word that would be found in a dictionary, and simple number-for-letter substitutions are not safe, as they are included within dictionary attacks.

The two methods I recommend for most users:
1) a small combination of words, or even a short sentence, that is easily remembered. Then include capitalization and numbers/characters within the password, both as substitutions and as additional characters.
So I pick "my car is red" and from that my password would be "MyCar1sr3d!"

2) an easily remembered sentence, and then take the first letter of every word (or arbitrarily the 2nd or 3rd letter) and still add characters and numbers.
So I pick "I would like a reasonably complex password for my account" and from that my password would be "IwLaRCp4mA%".

Hopefully you get the idea, and yes, the description 'password' should be 'passphrase'.
And never share the same password/passphrase for any account needing reasonable security.
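The answer above warns that a dictionary word with digit-for-letter swaps is still a dictionary word to an attacker, and recommends the sentence-initials method instead. The following is an added Python example, not from this thread or from any product named here, of a policy check a site or helpdesk could run before accepting a password: it undoes common substitutions, measures how much of the result is explained by dictionary words, and reports the problems. The word list, the 12-character minimum, the 80% coverage threshold and the single-candidate substitution map are the example's own constructed assumptions; a production check would use a real wordlist and a breached-password list.

```python
import re

# Constructed mini-dictionary standing in for a real wordlist (assumption).
SAMPLE_DICTIONARY = frozenset({
    "my", "car", "is", "red", "password", "shoe", "radio", "head",
    "radiohead", "summer", "welcome", "admin", "love", "the", "cat",
})

# One candidate per symbol; real dictionary attacks try several (1 -> i or l),
# so this check under-approximates them rather than over-flagging.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize_substitutions(password: str) -> str:
    """Lower-case, undo digit/symbol-for-letter swaps, keep only letters."""
    letters = password.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", letters)


def dictionary_coverage(letters: str, dictionary=SAMPLE_DICTIONARY) -> float:
    """Fraction of the letters explained by dictionary words.

    Dynamic programme over prefixes: junk[i] is the fewest letters of
    letters[:i] that no dictionary word accounts for.
    """
    n = len(letters)
    if n == 0:
        return 0.0
    longest = max(map(len, dictionary))
    junk = [0] + [n] * n
    for i in range(1, n + 1):
        junk[i] = junk[i - 1] + 1          # treat letter i as unexplained
        for k in range(1, min(longest, i) + 1):
            if letters[i - k:i] in dictionary:
                junk[i] = min(junk[i], junk[i - k])
    return 1 - junk[n] / n


def assess_password(password: str, dictionary=SAMPLE_DICTIONARY,
                    min_length: int = 12, coverage_threshold: float = 0.8) -> dict:
    """Return length, character-class count, normalized form, coverage and problems."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    normalized = normalize_substitutions(password)
    coverage = dictionary_coverage(normalized, dictionary)
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if coverage >= coverage_threshold:
        problems.append(f"{coverage:.0%} of its letters are dictionary words "
                        "once substitutions are undone")
    return {"length": len(password), "classes": classes, "normalized": normalized,
            "dictionary_coverage": coverage, "problems": problems}


if __name__ == "__main__":
    for candidate in ("MyCar1sr3d!", "IwLaRCp4mA%", "P@ssw0rd"):
        print(candidate, assess_password(candidate))
```

Run against the two passwords from the answer, "MyCar1sr3d!" normalizes to "mycarisred" and is fully covered by dictionary words, while "IwLaRCp4mA%" normalizes to a string no dictionary word explains; both are also reported as shorter than the assumed 12-character minimum.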

0
Brielle Nikaido
Brielle Nikaido Replied on June 7, 2011

Thanks, Erik! This is really helpful!!

0
Erik Goldoff
Erik Goldoff Replied on June 7, 2011

ANYTHING to make the password/passphrase easy to remember is a bonus; you do NOT want Post-it notes with passwords annotated on the monitors!
Other methods include using the first 2 letters of each word in a sentence, the last 2 letters, etc ...

0
Amruta Gore
Amruta Gore Replied on June 21, 2011

Thank you, Erik!

2
Andrew Baker
Director, Service Operations, SWN Communications Inc.
Posted on June 9, 2011

Erik makes a very critical point at the very end -- don't share passwords/passphrases for any account that needs reasonable security.

For example, if you have a logon that allows you to comment on 3 or 4 different news sites, using the same password for all of those accounts will not cause you nearly as many problems as sharing the password for your online banking, online trading, and corporate health plan.

Choosing phrases that are easy enough for you to remember, but not necessarily memorable to anyone else, or easy to brute force is important. I would add, however, that good password management requires that you use some tool for tracking the passwords as well. Given that you will need to change your passwords periodically -- and not just by adding 01 to the end -- it can become unwieldy to try and manage all those passwords manually.

There are many secure password tools that can (and should) be used to store your passwords after you have taken the time to make a good one. I happen to use Password Corral, but there are many great options, such as PassKeep and KeePass.

Create a system for yourself, bearing in mind that if it is too predictable it might be vulnerable to brute force attacks, and employ it regularly. Most people are undermined by weak, shared passwords, so make them strong, keep them as unique as is reasonable, and store them safely...

2
Andrew Baker
Director, Service Operations, SWN Communications Inc.
Posted on June 9, 2011

*** If we assume that the average user will not use a password vault then we must train them on a reasonable complex password system. ***

I understand what you're saying, Amy, but if we are willing to give end users and consumers easy outs like this, then we will never get close to having good security. Business users and consumers have a role to play in security, given the ever-changing landscape, and it is incumbent upon us to make them aware of the possible consequences of them taking the easy way out.

If they don't use some sort of password vault, then they'll have to remember a number of complex passwords. Even if the system they use is relatively straightforward for them *and* not prone to a programmatic attack, they're going to end up with a lot of passwords, or fairly substantial password re-use.

On some level, particularly in the consumer realm, that's their own choice, but they need to be made to realize that such choices could be the difference between having a single account hacked, and having an account hacked that allows instant access to other, more critical accounts.

If they are made to understand this, and still make the choice to avoid using a password vault, then they cannot expect any sympathy should they become the victim of a security incident.

And, lest we fall back to the "but they shouldn't have to know any of this" argument, all I can say is, this is the cost of doing business in the 21st century. For good or for bad, these are the risks we face, and we can either adapt and survive, or muddle on and be victimized.

2
Richard Stiennon
Chief Research Analyst, IT-Harvest
Posted on June 17, 2011

Here is a simple suggestion. I would love to get feedback from the experts here. The current problem arises when websites like Gawker.com use an MD5 hash of stored passwords (They better. No excuse for storing plain text.) But simple and short passwords are easy to discover by comparing to a lookup table of dictionary words, or simply every possible combination of numbers, letters, and special characters. Long passwords made from random combinations are almost impossible to guess because there are so many combinations.
So why not use extended salting? Salting is adding a few bits to the password before hashing it, forcing the cracker to do a lot more work. So add a lot of salt!

0
Brielle Nikaido
Brielle Nikaido Replied on June 17, 2011

Thanks, Richard! :)

0
Andrew Baker
Andrew Baker Replied on June 20, 2011

It annoys me that so many sites only allow wimpy passwords, and won't take many special characters.

1
Andrew Baker
Director, Service Operations, SWN Communications Inc.
Posted on June 24, 2011

Key point: While password strength is a very important part of security, and while end-users do need to employ better security practices, it should be noted that the vast percentage of breaches we are seeing have nothing to do with password strength, but are generally based on some application level or system configuration weakness.

This makes password re-use MUCH more important than password strength. If your password is obtained by way of an unencrypted password database of some service provider, then regardless of complexity, the attacker will have that password. Having that same password in use anywhere else will make you more vulnerable than if you were using a weak (but different) password at every single site you use.

This also means that despite the importance of good password management, great system configuration management and enterprise security practices are where we should be spending the bulk of our effort and energy.

1
Kevin Beaver
Independent Information Security Consultant, Author, Expert Witness and Professional Speaker, Principle Logic, LLC
Posted on June 24, 2011

The real problem with passwords is a lack of standards on complexity across websites, operating systems and the like. I recently tried to change my password on a high-profile site run by a company that *should* understand the need for passphrases and it wouldn't let me. My password was too long which I thought was too funny...

Owners/admins/developers of systems and software need to step back and think about what they're doing. Are they setting their users (and, indirectly, their business) up for success or for failure with their password policies? It's likely the latter. Unless and until we can get some semblance of control in these areas, we're going to continue to have problems.

To your original question, here are some bits I've written on password practices and mistakes that may help:

Windows password management myths
http://searchwindowsserver.techtarget.com/tip/Windows-password-management-myths

Nine common password oversights to avoid
http://searchenterprisedesktop.techtarget.com/tip/Nine-common-password-oversi...

Testing for weak passwords: a common oversight without a great solution
http://www.acunetix.com/blog/web-security-zone/articles/testing-weak-passwords/

How often should I change the passwords for my bank and other important online accounts (a Women's Health magazine piece I contributed to)
http://womenshealth.coverleaf.com/womenshealth/200904/?pg=22#pg22

Balancing Windows security with reasonable password policies
http://searchwindowsserver.techtarget.com/tip/Balancing-Windows-security-with...

Secure your systems with proper password practices
http://searchenterprisedesktop.techtarget.com/tip/Secure-your-Windows-systems...

Managing multiple passwords in Windows
http://searchenterprisedesktop.techtarget.com/tip/Managing-multiple-passwords...

Hope this helps!

0
Brielle Nikaido
Brielle Nikaido Replied on June 24, 2011

This is awesome. Thank you for all of the resources and insight, Kevin!

0
Glen Marshall
Principal, Grok-A-Lot, LLC
Posted on June 9, 2011

I use the freeware "Password Safe" package. It generates long random passwords and stores them all in a password/encryption protected database. I retrieve the passwords as needed and copy/paste them. I do not allow Internet browsers to remember passwords.

Password Safe allows you to choose a default strength policy. For example, my default is a 10-character password with at least 2 upper-case, 2 lower-case, and 2 numbers. Some on-line policies require a special character as well, so I add one to the generated password manually when needed.

0
Amy Babinchak
Managing Partner, Third Tier & Harbor Computer Services
Posted on June 9, 2011

If we assume that the average user will not use a password vault then we must train them on a reasonably complex password system. It's not easy to do. The password needs to be complex, not guessable but easy to remember. Add to that, that everyone needs several, perhaps 3-5 depending on their job function and use of the Internet.

For these reasons I have my users develop a system that they can remember. Here's how I suggest that users develop a complex password: choose a word, choose an exclamation, choose a number, choose an unrelated word, choose an exclamation. The result is something like: Shoe@987Radiohead! Complex but easy enough to remember.

0
Wayne Spivak
President, SBA * Consulting LTD
Posted on June 9, 2011

Needing a look-up table for passwords is the beginning of the end. My worst password is 14 alphanumeric/special characters long and needs to be changed every 45 days.

My least is three characters.

For one account, I have a token, and two sets of 14 digit passwords, plus user-names to enter. At some point, where does it end?

0
Ken Newton
Sr. Analyst, CyByL Technologies
Posted on June 21, 2011

There is a side answer I would like to suggest. Use unique email addresses if you can. I own several domain names and according to registrars it is pretty easy to do. Using a unique email address like joesgrill@domain.com and focus@domain.com allows you to keep your data a little more separate than unique passwords. Then, if there is a compromise, you can monitor emails to that unique email address, which you would have changed, for spam. That is what I did with most of the hacks in the last year I was part of (Gawker, PSN, etc)...

0
Dan Snyder
Director of Technical Operations
Posted on June 21, 2011

The rumor is that hackers are building lookup databases that hold the encrypted form of every password that is possible or that they encounter / steal. They can either run decrypts on entries in this database at their leisure, or can simply supply the encrypted form of the password to some applications and gain access without ever having to know the decrypted form.

It is likely that these databases hold every possible combination of 7 characters or less today. At some point, these databases will hold every possible combination of 8, or 9, or 10 characters.

So current "more paranoid" best practices say that a 12 to 14 character password or passphrase is good these days. Yes, that is quite a lot of characters.

It is definitely best to never use the same password twice - if it ever gets compromised once and put into the database, then it is a simple matter of running through the database to compromise your account at some other site at some other point in time.

If you're going to have unique 12+ character passwords, you definitely need some kind of lookup device. A piece of paper still works pretty well, is very affordable, and is pretty difficult to steal online. But there are, of course, many online solutions as well.
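Richard's suggestion earlier in the thread (salt the password before hashing it) and the precomputed lookup databases described in the post above are two sides of one mechanism, so one added Python example covers both. It is not code from this thread or from any product named here. A constructed table of common passwords and their unsalted MD5 digests plays the part of the lookup database and reverses a stored digest instantly; the same password stored with a 16-byte random per-user salt and PBKDF2-HMAC-SHA256 (the example's own choice of KDF, salt length and iteration count) yields a different record for every user and nothing the table can match. The password list is constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed lookup database: a handful of
# common passwords mapped from their unsalted MD5 digest back to plaintext.
COMMON_PASSWORDS = ["password", "123456", "letmein", "password123", "qwerty"]


def unsalted_md5(password: str) -> str:
    """How a site storing bare MD5 would record a password (the weak scheme)."""
    return hashlib.md5(password.encode()).hexdigest()


UNSALTED_MD5_TABLE = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_value: str):
    """Reverse a stored value by table lookup; None if the table has no entry."""
    return UNSALTED_MD5_TABLE.get(stored_value.lower())


# Work factor for the slow hash; tune to the server's latency budget (assumption).
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Store password as algorithm$iterations$salt$digest with a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)            # per-user, unpredictable, stored in the clear
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def compare_schemes(password: str) -> dict:
    """Show what the lookup table recovers from each storage scheme for two users
    who chose the same password."""
    weak_a, weak_b = unsalted_md5(password), unsalted_md5(password)
    strong_a, strong_b = hash_password(password), hash_password(password)
    return {
        "unsalted_records_identical": weak_a == weak_b,
        "unsalted_recovered": lookup_unsalted(weak_a),
        "salted_records_identical": strong_a == strong_b,
        "salted_recovered": lookup_unsalted(strong_a.split("$")[3]),
    }


if __name__ == "__main__":
    print(compare_schemes("password123"))
```

The salt does not need to be secret: its job is to make every user's hash unique, so a table built once cannot be reused across users or across sites, and the iteration count makes each guess cost the attacker the same work it costs the server.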

0
Ken Newton
Ken Newton Replied on June 21, 2011

Your first paragraph is misleading. Encrypted with what? An AES encrypted password is different than a DES encrypted one and so on. Rainbow tables exist beyond what you describe. In Windows environments using LANMAN due to legacy applications, only a 15 character password will push the user up to NTLM. So, your even more paranoid version would be one character short. I'm sorry, I know this comes across as rude, but you make many statements without context or reference.

0
Dan Snyder
Director of Technical Operations
Posted on June 21, 2011

I'm primarily referring to Website login passwords, which typically would map back to an Oracle, MySQL, or SQL Server database. If a hacker is able to capture login info over a network, or steal one of the backend databases, it is easy enough to write an application that will compare username / password strings (either in encrypted form or not) in the large lookup database to your small amount of captured / stolen data, and quickly give you several matches. From there, you have legitimate entrances into the system to do further bad actions.

The same techniques can work against UNIX system passwords as well.

Yes, there are an awful lot of different systems, methods of authentication, encryption options, and methods of attack.

0
Ken Newton
Ken Newton Replied on June 22, 2011

Not sure why this is in a new reply, as opposed to the thread above, and I'm sorry to be contentious, but try to brute force a password encrypted using AES and see how long it takes... You're correct about there being many different systems; I guess when I see password length and vulnerabilities being discussed, I want to know what systems those numbers are directly in reference to.
