Sunday, December 04, 2011

A Password Strategy

Most people have a terrible password strategy; it consists of one password used for every type of account. It's usually either something easy to remember or uses one of those crazy letter substitution schemes.

If you follow this advice, it will keep your stuff more secure.

1. Wherever possible, use a "pass phrase" rather than a password. A long pass phrase such as "we wish you a merry christmas" is much harder for a computer to crack than "p@ssw0rd1", for example. The theory behind this is that cracking tools can easily try the common letter substitutions, so using symbols in place of letters is no help. However, a pass phrase with a minimum of 12 characters takes a LOT longer for a computer to crack. In my example of a pass phrase above, it's a 28 letter password (including spaces). Do you have any idea what kind of resources would have to be thrown at cracking a password that length? Also, a pass phrase is easier to remember than a cryptic, but shorter, password.

2. Use a different pass phrase for each banking or financial account. Even if the differences are only slight, protect your most important asset. Databases can get cracked, and when that happens the passwords stored in them are sometimes recovered too. You don't want one cracked database to result in all of your accounts being drained. If you use one of those RSA tokens to access your account you probably don't have to worry about this so much, but still use a good pass phrase.

3. Account levels. You don't need a million different passwords, but having a couple of account levels is definitely appropriate. The levels should resemble the following:
* Financial - already discussed above
* Communications - social networking, email
* Shopping and memberships - Amazon, iTunes, Netflix
* Casual - pretty much everything else that is non-critical

So we're talking about 4 different pass phrases to remember. They don't need to be totally different, but don't make the difference obvious. Remember, 12 characters MINIMUM.

One other point of note: some stupid sites require you to use capitalization and at least one number and one symbol. In that case, come up with a standard combination of those and tack it onto your pass phrase, so all you really remember is the pass phrase. "we wish you a merry christmas D8$" would take care of most requirements. And if any site that is not in the "casual" category restricts you to fewer than 12 characters, you should consider using some other service.
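To make the reasoning in point 1 and the site-requirement workaround concrete, here is an added Python example; it is not from the original post. It scores a password two ways: an optimistic brute-force model that treats every character as a random pick, and a pessimistic word model that gives no credit for capitalization or letter substitutions, because cracking rules enumerate those cheaply. The smaller of the two is what actually matters, which is why "p@ssw0rd1" scores far below a plain six-word phrase. The word list, the dictionary size and the guess rate are constructed placeholders, not measurements, and the `meets_policy` check encodes the post's 12-character minimum plus the optional capital/number/symbol demand.

```python
import math
import re
import string

# Constructed stand-in for an attacker's wordlist; a real list has tens of
# thousands of entries, which ASSUMED_DICTIONARY_SIZE models for the bit count.
COMMON_WORDS = {"we", "wish", "you", "a", "merry", "christmas", "password",
                "welcome", "monkey", "dragon", "letmein", "summer"}
ASSUMED_DICTIONARY_SIZE = 20_000       # assumed wordlist size (not measured)
ASSUMED_GUESSES_PER_SECOND = 1e10      # assumed cracking rate (not measured)

# Undo the usual letter substitutions before looking words up, so "p@ssw0rd"
# is scored as "password": the attacker's rules make the same swap for free.
LEET_MAP = str.maketrans("@034$", "aoeas")


def charset_bits(pw: str) -> float:
    """Optimistic model: every character is an independent random pick from the
    union of the character classes present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in pw):
        size += 33                     # space plus printable punctuation
    return len(pw) * math.log2(size) if size else 0.0


def word_model_bits(pw: str) -> float:
    """Pessimistic model: the attacker guesses dictionary words joined with
    mangling rules. Case and leet substitutions deliberately earn nothing."""
    text = pw.lower().translate(LEET_MAP)
    bits = 0.0
    for run in re.findall(r"[a-z]+|[^a-z\s]+", text):
        if run[0] in string.ascii_lowercase:
            # a known word costs one dictionary lookup; an unknown run of
            # letters is scored as random lowercase letters
            bits += (math.log2(ASSUMED_DICTIONARY_SIZE) if run in COMMON_WORDS
                     else len(run) * math.log2(26))
        else:
            bits += len(run) * math.log2(43)   # digit or punctuation filler
    return bits


def effective_bits(pw: str) -> float:
    """Strength is whichever model the attacker can exploit better."""
    return min(charset_bits(pw), word_model_bits(pw))


def crack_time_seconds(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to exhaust a keyspace of 2**bits guesses at the given rate."""
    return 2 ** bits / rate


def meets_policy(pw: str, min_len: int = 12, require_mixed: bool = False) -> bool:
    """The post's rule: 12 characters minimum. require_mixed adds the
    capital/number/symbol demand some sites make."""
    if len(pw) < min_len:
        return False
    if require_mixed:
        return (any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() and not c.isspace() for c in pw))
    return True


if __name__ == "__main__":
    for pw in ("p@ssw0rd1", "we wish you a merry christmas",
               "we wish you a merry christmas D8$"):
        bits = effective_bits(pw)
        years = crack_time_seconds(bits) / (365 * 24 * 3600)
        print(f"{pw!r}: charset {charset_bits(pw):.0f} bits, "
              f"word model {word_model_bits(pw):.0f} bits, "
              f"effective {bits:.0f} bits, ~{years:.2g} years to exhaust, "
              f"12+ chars: {meets_policy(pw)}, "
              f"mixed-class rule: {meets_policy(pw, require_mixed=True)}")
```

The charset model flatters "p@ssw0rd1" at roughly 55 bits, while the word model scores it as one dictionary word plus one digit, about 20 bits; the six-word phrase keeps about 86 bits under either model because each extra word multiplies the search space, not just each extra character. Running the file shows the comparison for the post's three sample strings.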
