Another day, another major site getting hacked. This time it's eBay and, possibly (and frighteningly), PayPal.
Everyone knows that passwords are a horrible way to protect your information, but until finger scanners or other systems are in widespread use, we don't have much choice. And, even where finger scanners are used (Android and, on a limited basis, iOS), you still need to provide a backup password for when the swipe doesn't register.
There are a handful of basic rules for passwords which we all know by now:
- Passwords should not be words that appear in the dictionary
- Passwords should have a mix of upper and lower case
- Passwords should have a combination of letters and numbers
- You should not use the same password on multiple sites
Yet, despite the fact that we know these rules, most people break them all the time. It's simply too difficult to remember dozens or hundreds of passwords.
The best approach is to use a secure password manager. Personally, I'm a fan of 1Password. Their protection is about as strong as you can find, they have a simple browser plugin, and they support multiple platforms and devices (OS X, Windows, iOS, etc.). Other password managers include LastPass, KeePass and oneSafe. I strongly recommend you use one of those tools. But, for those who don't want to pay for a password manager, or choose not to use one for other reasons, there are still ways to keep secure.
Here's an approach that I used previously, before I adopted 1Password. It's free. It's fairly safe. And it's still easy to remember the password for hundreds of websites.
1. Start with a basic password you'll remember but that's not that obvious. For this example, I'll choose falcon.
2. Always capitalize one letter in the word. Now it's faLcon.
3. If possible, change one of the letters to a number. How about faLc0n.
4. Add the current year to the password: faLc0n14 (or, better yet, split the year into two parts, like 1faLc0n4). Then, each January, update the password, so it becomes 1faLc0n5 in 2015, and so on.
At this point, you have a fairly distinctive password that consists of a mix of numbers and letters, does not represent a word in the English language, etc. It can still be beaten by brute force (i.e., a computer trying tens of thousands of combinations) but would not be easily guessed.
5. Now, here's the key part. For every website, take the first two letters of the URL and insert them at the beginning or end of your password. So, for Facebook, the first two letters are fa. If I put the f at the front of my password and the a at the end, my Facebook password becomes f1faLc0n4a. For Yahoo, my password would be y1faLc0n4a, etc.
Now, I recommend you modify this approach to your own requirements. Perhaps you put the numbers in the middle of the base word. Or, maybe, instead of the first two letters of the URL, you take the last three letters before the .com suffix. Make it your own. But there's no excuse for using weak passwords or using the same password on multiple sites.
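As an added example that is not part of the original post, here is the five-step recipe above as a small Python function, followed by a check of how much of the result stays the same from one site to the next. The index of the capitalised letter, the o-to-0 swap, and putting the site's first letter at the front and its second at the end are assumptions taken from the falcon walk-through.

```python
# Added example (not from the post): the five-step recipe as a function, plus a
# check of how many character positions two derived passwords share.
# Assumptions: the capitalised letter is chosen by index, the letter-to-digit
# swap is passed in (the post uses o -> 0), and the site's first letter goes in
# front with its second letter at the end, exactly as the Facebook example does.


def derive_site_password(base, site, year, cap_index=2, swap=("o", "0")):
    """Apply steps 1-5 to `base` for `site`, e.g. falcon -> f1faLc0n4a."""
    chars = list(base.lower())
    chars[cap_index] = chars[cap_index].upper()            # step 2: faLcon
    word = "".join(chars).replace(swap[0], swap[1], 1)     # step 3: faLc0n
    yy = f"{year % 100:02d}"                               # "14" for 2014
    core = yy[0] + word + yy[1]                            # step 4: 1faLc0n4
    host = site.lower()
    if host.startswith("www."):
        host = host[4:]
    first, second = host[0], host[1]                       # step 5: "fa" for facebook
    return first + core + second


def shared_fraction(pw_a, pw_b):
    """Fraction of character positions two derived passwords have in common.
    With one base word every derived password has the same length."""
    if len(pw_a) != len(pw_b):
        return 0.0
    same = sum(a == b for a, b in zip(pw_a, pw_b))
    return same / len(pw_a)


if __name__ == "__main__":
    for site in ("facebook.com", "yahoo.com", "ebay.com"):
        print(site, derive_site_password("falcon", site, 2014))
    fb = derive_site_password("falcon", "facebook.com", 2014)
    yh = derive_site_password("falcon", "yahoo.com", 2014)
    print(f"{shared_fraction(fb, yh):.0%} of the Facebook and Yahoo passwords match")
```

Swap in your own `cap_index`, `swap` pair or letter placement to try the variations suggested above.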