Internet Security: Top 7 Tips for Creating and Managing Online Passwords

Expert tips for creating and remembering strong Internet passwords.

Aug. 3, 2010 -- It's the Internet chore that just never seems to get easier.

As we spend more of our lives online, we use more of our brains creating and keeping track of Internet passwords.

We need them to access banks, e-mail accounts, social networks, shopping sites, travel sites, loan programs, mortgage statements... The list goes on and on. And, to be extra safe, we need to have a different password for each online account.

It's enough to give any Internet user a World Wide Web-sized headache.

ABC News asked security experts for their advice on creating and managing online passwords. Check out their tips below:

1. Be Complicated.

With all the passwords you have to remember, it can be tempting to keep it simple. But experts say short, basic passwords are a cakewalk for hackers.

"The passwords that are the weakest, that are the easiest for hackers or crackers, are short common words, simple, obvious phrases," said Jeff Fox, technology editor for Consumer Reports.

Cyber criminals often use software to help them figure out passwords, he said, and most programs can run through the most common words in the English language in just a minute or two.

Basic character arrangements, such as "123456" and "abc123," are also definite no-nos, he said.

Even though it means more typing, he said to aim for eight characters or more. The added characters multiply by billions the number of possible passwords criminals have to check.

And the longer it takes hackers to break into your account, the less likely it is that they'll succeed.

Password Checkers Can Help Evaluate Strength

If you want to check the strength of your password, a few online services, such as Microsoft's Password Checker and Password Meter, are good options.

If you're told that a password is weak, Fox says to strengthen it. He said he recently found that Facebook allows people to use passwords such as "circus," "victim" and "social," even though it leaves them vulnerable.
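The checks described in tip 1, as an added Python example (not code from ABC News or from either checker named above): it flags passwords that are shorter than eight characters, sit on a common-word list, or are simple character runs, and it counts how many candidates a brute-force search of the same length and character types would face. The function names are hypothetical and the word list is a constructed sample built from the examples quoted in the article.

```python
import string

# Constructed sample list: the weak passwords quoted in the article plus two
# everyday words. A real checker would load a far larger common-password list.
COMMON_WORDS = {"123456", "abc123", "circus", "victim", "social",
                "password", "sunshine"}
MIN_LENGTH = 8  # the article's "eight characters or more"
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)


def search_space(password):
    """Number of candidates a brute-force search over the same character
    pools and length would have to cover (an upper bound on guessing work)."""
    pool = sum(len(p) for p in POOLS if any(c in p for c in password))
    if any(all(c not in p for p in POOLS) for c in password):
        pool += 1  # characters outside the four pools: counted conservatively
    return pool ** len(password)


def is_run(password):
    """True for straight runs such as '123456', 'abcdef' or 'aaaaaa'."""
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(password) >= 3 and len(steps) == 1 and steps <= {-1, 0, 1}


def check(password):
    """Return the list of problems found; an empty list means none of the
    tip-1 warnings apply."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_WORDS:
        problems.append("common word or pattern")
    if is_run(password.lower()):
        problems.append("simple character run")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("circus", "123456", "sunshine", "Tr1ck+y$hoe"):
        print(pw, check(pw), search_space(pw))
```

The search-space figure only matters once the word-list check passes: a password that is on the list falls to the first pass of a cracking program no matter how large the number looks.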

2. Try Creative Spellings.

If you have to be complicated, you might as well have some fun with it.

Fox said a way to thwart potential code crackers is to use punctuation marks and other symbols in place of letters.

He suggested choosing words you won't forget, but substituting a "$" for an "S" or a "+" for a "T."

"Obviously, if you use a random set of characters, you can never remember it," he said. "A good thing to do is take a normal word or name and then alter it by putting numbers and punctuation symbols into it somewhere."

For example, if you want to use the word sunshine, use a "1" instead of an "I," he said.

Changes like that are small enough to remember, but significant enough to make life hard for a would-be hacker.

Passwords Can Include Favorite Quotes, Personal Names

3. Make it Personal.

If you're worried about forgetting your growing collection of passwords, experts say you should keep them personal.

"I would use a combination of some personal information backwards," said Avivah Litan, a security analyst for technology research firm Gartner.

Assuming you remember your mother's birthday, she suggested reversing it in the password. A child's name or pet's name are other options.

Litan also said you can use that personal name as the root for a number of online passwords. For example, if your son's name is Daniel, you could use "LIENAD5" for an Amazon account and "LIENAD6" for eBay.

4. Use an Acronym.

Have a favorite phrase or words to live by? Put it to work for you.

Fox said another way to build a password system you won't forget is to take a phrase and turn it into an acronym. You can add extra numbers or characters to the beginning or end to change it up for different online accounts.

Say you use "I pledge allegiance to the flag." "2IPATTF" could be your Google password, "3IPATTF" could be your banking password and so on.

"It allows you to make a lot of passwords and [it's] easy to remember and very hard to crack," he said. "How do you have multiple passwords but not have to remember them all? Well, I use acronyms with numbers but from one account to another, I just change the number."

As long as you remember the acronym, he said, you could even keep a slip of paper in a safe place with the names of your accounts and numbers next to them. If someone picked up the piece of paper, they wouldn't be able to use it against you because they don't know the key acronym.

5. Try a Password Manager.

If you think your memory needs some high-tech help, you could use one of several password management programs.

Password managers are programs that remember and then recall your passwords for a range of accounts across the Web and, sometimes, across different devices. Instead of remembering anywhere from five to 15 (or more) passwords, you only need to remember the one, super-strong password that protects them all.

RoboForm, which costs $29.95, stores user names, passwords and login URLs in encrypted files but then automatically recalls the necessary credential information as the user surfs the Web. It even works across different computers.

KeePass provides a similar service for free.

Online Security Can Often Start With Common Sense

6. Go Low-Tech.

Despite the high-tech options on the market, some computer security experts say that when it comes to password management, they like to take the low-tech road.

"There's the security issue of putting all of your eggs in one basket," said Fox. Even though a password manager can help protect and remember your many online passwords, if a hacker can figure out that one password, he can get his hands on all of them.

Fox also said that not all programs can supply your passwords across multiple devices. As a man with many machines, he said he probably wouldn't be able to rely on a piece of software.

"I don't think it's a bad idea. It's a matter of personal style," he said, adding that he saves his on a carefully-stored piece of paper.

Litan also said that she recommends a pen and paper over a computer program.

"I recommend you keep them in a paper file. Sophisticated criminals know how to break into your PC; the last thing you want to do is store them in your PC," she said.

If you can password-protect your cell phone or smart phone, she said you could also store your passwords in a note or file there.

7. Shhh! Keep them to Yourself.

It seems like a no-brainer, but experts say it still happens too frequently – after all the hard work they put into creating a strong password, users simply give it away.

"Don't leave your password on a post-it next to your computer or lying around anywhere or give it to anybody on the phone or by email," Fox said. "Many hackers are able to get in and get what they want not through technological means but through getting on the phone and impersonating an official-sounding person."

Be suspicious if an IT officer calls up and asks for a password over the phone or if your bank tells you to send it over e-mail. Most reputable institutions don't ask people for passwords by e-mail anymore, he said.