August 14, 2009 11:30 AM PDT
How to make strong, easy-to-remember passwords
by Larry Magid
One of the best ways to protect your online security is to have strong passwords that you change periodically. But that's
easier said than done. Coming up with hard-to-guess passwords is hard enough, but it's even harder to have separate passwords
for different sites and to remember new ones after you change them.
One way to create a password that's hard to guess
but easy to remember is to make up a phrase. You could type in the entire phrase (some sites let you use spaces, others don't)
or you can use the initials of each word in the phrase, for instance, "IgfLESi85" for "I graduated from Lincoln Elementary
School in '85." An even better one would be "MbfihswE&S" for "My best friends in high school were Eric and Steve." You
get the idea--upper- and lower-case letters, numbers, and symbols that are seemingly meaningless to everyone but you. Microsoft has an
excellent primer on passwords and a password strength checker.
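The initials technique above, written out as a small added Python example (not code from the article): it turns a phrase into a password using the rules implied by the article's two examples (first character of each word with case kept, a numeric word such as "'85" kept whole, and "and" written as "&"), then reports which character classes the result covers, the same properties a strength checker looks at.

```python
PUNCTUATION = "\"'.,;:!?()"


def phrase_to_password(phrase: str) -> str:
    """Reduce a memorable phrase to an initials-based password.

    Rules, inferred from the two examples in the article:
      * each word contributes its first character, case preserved;
      * a word made only of digits (e.g. "'85") contributes all its digits;
      * the word "and" becomes the symbol "&".
    """
    chars = []
    for raw in phrase.split():
        word = raw.strip(PUNCTUATION)  # drop surrounding quotes/punctuation
        if not word:
            continue
        if word.lower() == "and":
            chars.append("&")
        elif word.isdigit():
            chars.append(word)
        else:
            chars.append(word[0])
    return "".join(chars)


def character_classes(password: str) -> set:
    """Return the set of character classes present: upper, lower, digit, symbol."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    # Constructed sample phrases, taken from the article's own examples.
    for phrase in ("I graduated from Lincoln Elementary School in '85.",
                   "My best friends in high school were Eric and Steve."):
        pw = phrase_to_password(phrase)
        print(f"{phrase!r} -> {pw} (classes: {sorted(character_classes(pw))})")
```

Because the transform keeps only one character per word, the result is no less guessable than the phrase itself; a phrase that is obscure to others matters more than its length.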
But even if you do come up with a clever and hard-to-guess password, don't use it for every site. Since lots of people
do that, there's the risk that a sleazy site operator--or a sleazy person who works for a legitimate site--could use it to
break into your accounts on other sites.
Password managers
One solution is to use a password manager. There are several available programs and Web storage
services, but the ones I'm most familiar with are RoboForm and Lastpass. These
programs can generate passwords for you and remember them so you don't have to. Both programs are, themselves, password protected,
though you have the option of running RoboForm without a password or having Lastpass remember its own password on your PC.
That's OK as long as no one else has access to your machine. I recommend that you manually enter your master password on a
laptop that could more easily fall into the wrong hands.
RoboForm has a free trial version that's limited to 10 passwords after the trial ends. Lastpass is free.
Joe Siegrist, Lastpass CEO (Credit: Lastpass)
RoboForm has been around for a long time, but Lastpass is a relatively new offering. Company CEO Joe Siegrist
describes the program as a hybrid because it stores your passwords and usernames both on your machine and on the Web. You
can download the browser plug-in to a PC or a Mac to work directly with Firefox on either platform or Internet
Explorer on Windows, but there are also ways to use it with Safari and Chrome. Because it has a Web interface, it can
work with any Web-enabled device, but the plug-ins for IE and Firefox make it easier to use.
On Firefox and IE, Lastpass records your usernames and passwords when you first enter password-protected sites and then
enters them for you automatically for subsequent visits. Passwords are stored in a "vault," which is actually a Web page stored
on your PC, as well as the company's servers, so you can access it from any device, including a borrowed machine. The password
vault on your machine is automatically synchronized with the server, so you don't have to worry about synchronizing or backing
up your data.
Password data, according to Siegrist, is encrypted on the PC and on the servers. He said that no one--himself
included--can decrypt them without the master password that only you know. Assuming the encryption is as good as he says it
is, this should protect your security even if their servers are compromised. The company provides a lot of security information
on its FAQ. There are also versions for Blackberry, iPhone, Windows Mobile, and Android as well as a Web site for phones
and browsers that aren't supported directly. For a lot more on password management, see CNET News reporter Elinor Mills'
post, "Facing the pain of passwords."