How to create and remember strong passwords

Using and properly managing strong passwords is your best defense against an intrusion 

by Larry Magid

A strong and confidential password is essential, not just for financial sites, but for social networking sites too. With social networking sites like Facebook, MySpace and Twitter, there’s the danger of people faking their way into the site and posting something embarrassing about you or others. They could use your account for hate speech or to bully or defame another person or put something on your site that jeopardizes your reputation or even your safety. Another risk is that they could use your online profile to assume your identity as part of a con, such as logging into a person’s Facebook account and using it to solicit money from his friends to a “friend” out of a tight spot.

Children and teens should be especially careful to never share their sociial networking passwords, even with their best friends. It’s sometimes tempting for kids to give out their password to a friend so that the friend can update or check their profile for them, but it’s a bad idea. Friends have a way of becomng ex-friends and there is the danger that a friend might share the password or be careless with it.

Have strong passwords
One of the best ways to protect your online security is to have strong passwords that you change periodically. But that’s easier said than done. Coming up with hard-to-guess passwords is hard enough, but it’s even harder to have separate passwords for different sites and to remember new ones after you change them.

One way to create a password that’s hard to guess but easy to remember is to make up a phrase. You could type in the entire phrase (some sites let you use spaces, others don’t) or you can use the initials of each word in the phrase, for instance, “IgfLESi85” for “I graduated from Lincoln Elementary School in ’85.” An even better one would be “MbfihswE&S” for “My best friends in high school were Eric and Steve.” You get the idea–upper case numbers, letters, and symbols that are seemingly meaningless to everyone but you. Microsoft has an excellent primer on passwords and a password strength checker.

But even if you do come up with a clever and hard-to-remember password, don’t use it for every site. Since lots of people do that, there’s the risk that a sleazy site operator–or a sleazy person who works for a legitimate site–could use it to break into your accounts on other sites.

Password managers
One solution is to use a password manager. There are several available programs and Web storage services, but the ones I’m most familiar with are RoboForm and Lastpass. These programs can generate passwords for you and remember them so you don’t have to. Both programs are, themselves, password protected, though you have the option of running RoboForm without a password or having Lastpass remember its own password on your PC. That’s OK as long as no one else has access to your machine. I recommend that you manually enter your master password on a laptop that could more easily fall into the wrong hands.

RoboForm has a free trial version that’s limited to 10 passwords after the trial ends. Lastpass is free.

RoboForm has been around for a long time, but Lastpass is a relatively new offering. Company CEO Joe Siegrist describes the program as a hybrid because it stores your passwords and usernames both on your machine and on the Web. You can download the browser plug-in to a PC or a Mac to work directly with Firefox on either platform or Internet Explorer on Windows, but there are also ways to use it with Safari and Chrome. Because it has a Web interface, it can work with any Web-enabled device, but the plug-ins for IE and Firefox make it easier to use.

On Firefox and IE, Lastpass records your usernames and passwords when you first enter password-protected sites and then enters them for you automatically for subsequent visits. Passwords are stored in a “vault,” which is actually a Web page stored on your PC, as well as the company’s servers, so you can access it from any device, including a borrowed machine. The password vault on your machine is automatically synchronized with the server, so you don’t have to worry about synchronizing or backing up your data.

Password data, according to Siegrist, is encrypted on the PC and on the servers. He said that no one–himself included–can decrypt them without the master password that only you know. Assuming the encryption is as good as he says it is, this should protect your security even if their servers are compromised. The company provides a lot of security information on its FAQ.

There are also versions for Blackberry, Windows Mobile, and Android as well as a Web site for phones and browsers that aren’t supported directly.

For a lot more on this password management, see CNET News reporter Elinor Mills’ post, “Facing the pain of passwords.”

Also, see’s “Tips to Create and Manage Strong Passwords


Leave a comment