I was foolish enough to talk at length about the gawker hacking story in the morning news conference a few weeks ago, and one of the side effects was that I was interviewed for G2 to give some advice on how to tighten up your password.
The advice was designed for the sort of people who currently use 123456 as their password (or even stronger 12345678), and so I didn’t include anything about using symbol characters and space and so forth. I’ve also found that there are some websites that wont accept unusual characters, and since that makes it harder to remember which sites do and don’t, this will still produce a very strong password.
Red faces at the US gossip site Gawker: last weekend hackers hijacked the front page and released the usernames, email addresses and encrypted passwords of 1.3 million registered users of Gawker and its affiliated sites.
They also decrypted 200,000 of the least secure passwords. So anyone could see not just the relatively simple password used by Gawker’s founder, Nick Denton – but the fact that he used the same one for other online accounts, including email, Twitter and Gawker’s internal messaging system.
“More than 3,000 Gawker users chose ‘123456’ as their password,” says Michael Brunton-Spall, from the web team at the Guardian. “But lots of people used just one simple word – ‘starwars’, say, or ‘princess’. ‘Letmein’ was quite high up the list. And ‘trustno1’, which was Fox Mulder’s password in The X Files, was popular too.”
Bad mistake. “If you use the same insecure password for everything, you’re laying yourself open,” Brunton-Spall says. “Already Gawker users are complaining that their Twitter accounts have been hijacked. That’s embarrassing. But imagine if they were using the same password for their online bank.”
So here are Brunton-Spall’s top password tips. First, make it secure: two random words, preceded or separated by a number, make a memorable, hard-to-crack password (most people add a number at the end, making it much easier to hack). An alternative is to use the initial letters of the words that make up a favourite saying or song lyric – again, preceded or separated by a number.
Second, don’t have a multipurpose password. On the grounds that no one could remember an entirely different password for every site, you could try having three basic passwords – one for things financial, one for things professional, one for things social. Then you could drop in two letters from the name of the specific site: if, say, your basic social media password was shock7asset, your Facebook password might be fshock7basset. Or your Twitter one might be tshock6assetr. Easy, really.
guardian.co.uk © Guardian News & Media Limited 2010