Unless you’re famous or have a vengeful enemy, it’s extremely unlikely that anyone is trying to specifically steal your passwords.
Unfortunately, that doesn’t mean you’re safe. Unless you have strong passwords, you run the very real (and growing) risk of having your passwords stolen, which could mean anything from professional embarrassment (someone sending crude spam from your email) to financial disaster (someone opening credit cards in your name, or stealing money from your online bank account).
Why? The unfortunate fact is that every year many companies (including big ones like Adobe and LinkedIn) have millions of encrypted passwords stolen from them. Sooner or later, a bank, email provider, or social network you use will have passwords stolen. When that happens, hackers will try to break every one of those passwords, including yours. Having a strong password will be your only defense.
Like everything else related to computers, the technology of password breaking has advanced quickly in recent years. The old rules like “include a number and symbol”, “don’t use your name”, or “don’t use dictionary words” are no longer sufficient.
But fear not, my friend. By remembering a few rules, you can keep your digital identity (and money) safe!
- Good passwords are long, or made of text not found anywhere online, and preferably both.
Bad (random but short): jdu31$
Bad (long but found on Wikipedia): FourScoreAndSevenYearsAgo
OK (Long and does not exist online): _ForeScore&7YrsAg0!0)
Best (random and long): 4`qGieEl-7yx7yd
- Use a password manager. Can’t remember long, random passwords? Neither can I. That’s why I use a password manager like 1Password or LastPass. I strongly recommend generating long, random passwords for anything financial (bank sites, etc.). And don’t forget to back up your computer, so you don’t lose your password data!
- Don’t use the same password for more than one site. As soon as a hacker breaks passwords for one site, they’ll immediately try to use the same password on others. It’s especially important not to reuse an important password (say, for your email) on less important sites (say, social networks).
- Use a strong, unique password for your email. Having your email hacked is a nightmare - a hacker can use your email to reset all your other passwords! Creating a totally random password is not very practical if you want to access your email from anywhere, but you can invent a long and memorable password that includes numbers, letters, and special characters. If you’re using Gmail, consider using 2-step verification for a much higher level of security.
Overwhelmed? Don’t worry, you don’t need to spend the next week changing passwords for hours a day. Just follow these steps:
As soon as possible:
- Buy a password manager
- Make sure your email password is strong and unique
- Make your online banking passwords strong and unique (ideally, totally random)
Then, every time you log into a website, change your password to something unique. Within a few months, you’ll have all your important accounts changed over.
Totally nerdy addendum: How passwords and password hacking works (for the curious)
When you create a password for a website, the site doesn’t store the password itself. Instead, it computes a “hash” of the password. A hash is a new piece of text with three important properties:
- The same password always produces the same hash.
- Two slightly different passwords generate completely different hashes.
- Although it’s easy for a computer to compute the hash from the password, it’s impossible to compute the password from the hash.
For example, the password “racecar” always generates a hash “8912a78b859d876e507a23d9f2bd445e”, while the password “Racecar” always generates a hash “416f144a69a432d5af861f7cae1ad95f”.
When you log into a website with your password, the site computes the hash of the password and compares it with the hash they have stored. If they don’t match exactly, you can’t log in.
In most cases, when you hear about passwords being stolen, a hacker has stolen a list of usernames and password hashes (through various means we won’t get into here). The hacker then uses a computer program to compute hashes for billions of possible passwords per second and compare each hash to the stolen list of password hashes.
For example, let’s say a user used the (weak) password “abcd”. There are fewer than a billion four-character passwords, so the hacker’s program could compute hashes for every possible 4-character password in well under a second. That’s why short passwords, even random ones, are easy to break.
As passwords get longer, it becomes harder and harder to try every combination. So hackers resort to trying likely passwords - words found in the dictionary, phrases found on Wikipedia, dictionary words with the “i”s replaced with “1”s, or combinations of all of the above. Random passwords are hard to break because they don’t fit any pattern.
For every password a hacker finds, they will use a program to try the username and password on many different sites to see if the same username/password combination was reused. That’s why it’s important to not use the same password on multiple sites. Even if it’s unlikely that Google will be hacked, other sites (e.g. LinkedIn) have been.
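To make the addendum concrete, here is an added example (not code from the original post) that reproduces its explanation in miniature: a constructed “stolen list” of unsalted MD5 hashes built from the post’s own example passwords, checked against the two strategies the post describes (enumerating every short string, and trying known phrases with the usual letter-for-digit swaps). The three-phrase wordlist and the usernames are constructed for the example; a real attacker’s list holds billions of entries and runs far faster than this Python.

```python
import hashlib
import itertools
import string

def md5_hex(password: str) -> str:
    """Unsalted MD5: the kind of fast, unsalted hash in the leaks the post describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed "stolen list" (username -> hash) made from the post's own example passwords.
STOLEN = {
    "alice": md5_hex("abcd"),                       # short: every 4-letter string can be tried
    "bob":   md5_hex("FourScoreAndSevenYearsAgo"),  # long, but a phrase found on Wikipedia
    "carol": md5_hex("4`qGieEl-7yx7yd"),            # long and random
}

# Constructed mini wordlist of famous phrases (stand-in for "billions of phrases from Wikipedia").
PHRASES = ["to be or not to be", "four score and seven years ago", "we the people"]

def brute_force(targets, max_len=4, alphabet=string.ascii_lowercase):
    """Hash every string up to max_len over alphabet: 26^4 = 456,976 guesses here.
    Over all 95 printable characters it is about 81 million, still seconds for real tools."""
    wanted, found = set(targets.values()), {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            digest = md5_hex(guess)
            if digest in wanted:
                found[digest] = guess
    return found

def mangle(phrase):
    """Yield the variants the post mentions: the phrase, spaces removed, CamelCase,
    and each of those with the common i->1 and o->0 swaps."""
    camel = "".join(word.capitalize() for word in phrase.split())
    for base in (phrase, phrase.replace(" ", ""), camel):
        yield base
        yield base.replace("i", "1").replace("I", "1")
        yield base.replace("o", "0").replace("O", "0")

def wordlist_attack(targets, phrases):
    wanted, found = set(targets.values()), {}
    for phrase in phrases:
        for guess in mangle(phrase):
            digest = md5_hex(guess)
            if digest in wanted:
                found[digest] = guess
    return found

def crack(targets):
    """Map each username to the recovered password, or None if neither strategy found it."""
    recovered = {**brute_force(targets), **wordlist_attack(targets, PHRASES)}
    return {user: recovered.get(digest) for user, digest in targets.items()}
```

Running `crack(STOLEN)` recovers alice’s and bob’s passwords and leaves carol’s as None, which is exactly the post’s point about short, phrase-based, and random passwords.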
Note 1: Yes, hackers are trying billions of phrases from Wikipedia.
Note 2: That means you won’t be able to access these sites when you’re not at your computer, but in practice, I think that’s a reasonable trade-off. There are mobile versions of 1Password and LastPass, but they are a bit of a pain to use.
Note 3: If it seems strange that a computer can compute a hash, but not the reverse, consider that certain mathematical operations are only easy to compute “one way”. For instance, it’s easy for a calculator to compute that 5,903 x 7,393 = 43,640,879. But if I gave you a calculator and asked which two numbers multiplied together equal 43,640,879, you’d need to try out thousands of possible combinations. Easy one way, not so easy the other way!