Using strong passwords
Last revision July 30, 2013
To protect yourself against identity theft and possible financial loss, you absolutely must set strong passwords to protect your SUNet ID, your own computer login account, your e-mail accounts, and your accounts on websites that store valuable personal information, such as financial sites.
Hackers don't bother trying to break into your individual account by laboriously typing guesses for your password. Instead, they try to break into network servers where they can grab many thousands of account names and encrypted passwords. Once they have that data, they run programs on their own computers to encrypt possible passwords and see which ones match the server's stored encrypted passwords. Because it takes too long to try every possible password, hackers use programs that take into account the rules for the server (type of encryption used, how many characters it allows, etc.) and their knowledge of human behavior. Basically, they try common patterns of words and word permutations, using large dictionaries of English and foreign language words. If you avoid those patterns, your password is much less likely to be cracked by a hacker.
Rules for setting strong passwords are based on examining the types of programs used by hackers to crack passwords. These password rules are enforced when you set your SUNet ID password. Stanford's IT Services department has provided an excellent guide for setting secure passwords.
Because hackers have been honing their techniques and cracking programs for years and have access to more and more powerful computers, it has become clear that effective password protection requires long passwords with random patterns. In recent server compromises (as of 2013), passwords up to eleven or twelve characters in length, even many that appear to be random, have been easily cracked by hackers. Use at least twelve characters where possible and add randomness to the password.
It is also clear that it is best to use separate passwords for each computer, service, or website that has valuable data or access to your finances. That way, if one site is compromised by hackers and they are able to crack your password, they can't just log in to all your other services with the same password!
The twin imperatives of long and randomized passwords, plus separate passwords for each service, can lead to a nightmare of memorization - or more likely, failure to memorize! The solution is to use a password manager. This is a program (or web service) that generates and stores those long random passwords for you, and even enters them directly into the website or login for you (usually by pressing a "hot key" combination). It keeps your passwords secure by encrypting them with a master password that you memorize. In order to make the stored passwords uncrackable, this master password should be very long and include random alterations. But you only have to memorize this one password!
Recommended password managers as of 2013 include:
- LastPass - web based, so it works from any computer, smartphone, or tablet with a browser. Base version is free; annual subscription required for premium version.
- 1Password - an application that you purchase and install on Mac OS X, Windows, iOS, or Android devices.
- KeePass - free application for Windows computers.