Password protection for everyone
by Jürgen Schmidt
First things first: never use the same password for multiple services. To avoid losing track of the resulting multitude of passwords, use either a password safe or a personalised password system. And there's a technique you can use to memorise the required complicated master password.
Let's begin by pointing out that the responsibility for the security of internet passwords actually lies with the service operators. If these operators are careless with their users' passwords and, like RockYou, store passwords in plain text on their servers and then have them stolen from there as well, users can't win. A similar thing applies when, as in the case of LinkedIn and Last.fm, passwords in the form of unsalted SHA1 or MD5 hashes fall into the wrong hands.
On the other hand, a cracked password that provides access to LinkedIn isn't the end of the world, because the intruder already had full access to the LinkedIn servers, and to users' data, even without the password. Therefore, if you haven't used this password anywhere else, it doesn't really matter to you whether or not the attacker can crack it after intruding into the service. However, if the attacker can use your password to hijack your email, eBay, Amazon or PayPal accounts and then go on a shopping spree – that will create a real problem for you.
When appropriate methods such as bcrypt or PBKDF2 are used when a password is stored, passwords with a minimum of eight random characters can withstand even offline attacks for many years. The emphasis here lies on the word random – in other words, not
S3cr3t!. It has long been demonstrated that anything a human being can devise and easily memorise is far too calculable and consequently offers little security.
Therefore, a very good password of at least eight random alphanumeric characters and special characters should be generated; twelve characters can't do any harm for really important passwords like the password safe's master key. It's important that the characters are chosen randomly; don't hesitate to use a password generator such as PWGen that really can create no derivable patterns. Start by writing this password on a piece of paper and set it as your user password on your main computer. Then set the screen lock timer to the minimum value, for example a minute, which will prompt you to re-enter your password after every short break. This may seem extremely tedious, but it will help you to commit the password to memory very quickly. After a couple of days you will know the password by heart and you can then reset the screen lock timer to a bearable amount. Keep the piece of paper with the password in your wallet for a few more days as a precaution. Then put it into your safe or with your other valuables.
While this means that you have memorised a very good password, you must not use this password for all your accounts. On the contrary: it is best not to use it for any internet services at all and instead either make it the master password for your password safe or use it as the basis for your personalised password system.