“Get a Personal Trainer for Your Computer!”©



Password screen

I know, I know - it’s a pain to memorize a random password, much less to use a different password for each application.  (A leading software support company, SurfSecret, reports that the number one reason users call them is lost or forgotten passwords.)  Unfortunately, this “password fatigue” is a necessary symptom of our networked, virtual world.  Balance it against the loss you might suffer if you are hacked, though, and you can see that the protection might well be worth the inconvenience.

Chances are that most people will get a password hacked at some point in their lifetime.  In reality, passwords aren’t the best way to protect our computer data, but since we started out this way, they are the most prevalent.  There are, however, ways to prevent, or at least delay, hacking through the practices discussed below:


Almost anyone can hack a computer password used by the uninitiated simply by educated guessing or through “social engineering” (these account for 80% of hacks), without any sophisticated software or hardware whatsoever.  Just by hanging around you and talking to you, or searching social networking sites, others can quickly learn your pet’s or children’s names, your birthday, your home address or a variety of other identifiers that you may be using as access codes.  Using default or common passwords and/or socially engineered information, most hackers can get right into your system.  The more sophisticated hackers can use readily available software.  And a few are true experts.  Therefore, always avoid the following common mistakes:

  • Don’t use repeated characters or keyboard sequences (111, 123, abc, qwerty, etc.).
  • NEVER use password, admin, administrator, rememberme or PCuser.
  • NEVER use your name, initials, family names, pet names, addresses or other personal information (and ABSOLUTELY NEVER use your social security number!).
  • Don’t use dictionary words or slight variations of them (e.g. “hotdog123”).  A hacker using “rainbow tables” or “John the Ripper” (both readily available on the Internet) can crack such words in seconds.
  • Don’t use the same password for different sites (someone who knows or guesses your Facebook password could access your bank account) - at least use different passwords for your secure sites (banking or e-mail, for example).
  • Don’t allow your computer to automatically log on at boot-up to any automatic, chat or browser sign-ins.
  • Don’t use the same password for all of your different computers (e.g. desktop, office, laptop).
  • Try not to use the automatic (“Do You Want Firefox To Remember This Password?”) website sign-in option on various websites, as anyone using your computer can find the list of sites and their passwords if they know where to look. [See Tip #65] Keep sign-ins under your own control.
  • Don’t access password protected accounts over open Wi-Fi networks unless you see that the site is secured via https:// in the address bar.
  • Don’t enter any account information or passwords in any web page you may access via an e-mail link.  If you must, go directly to the address for that web site and sign in from there.
  • If at all possible (sometimes you can’t, as with eBay), use a “throw away” e-mail address for site registration (try for example or create another e-mail address in the seven you are offered with your Verizon or Comcast accounts).
  • Try using different browsers for different activities.  For example, while you use Internet Explorer for general browsing, you might use Chrome or Firefox for checking your e-mail or on-line banking, starting it up for that task and then immediately shutting it down.  This helps prevent a virus or malware picked up on a generally insecure site from migrating into your important information.
  • If you are offered “two step verification” for your e-mail account (Google offers this option), take it.  Essentially, the second string of characters you enter after you provide your password is a second password, giving you additional security (see below for more).


INTERESTING NOTE:  Even the U.S. government gets lazy at times.  For quite some time, “00000000” was the nuclear launch code of the U.S.  Yep.  The U.S. Air Force disagreed with the JFK administration’s insistence that a safety protocol with a passcode be implemented.  So, the Air Force implemented the system, but set the passcode to “00000000”.  Until 1977, when things were hardened, no real safety measures were in place in the program.  (This, according to Bruce Blair, who was actually one of the launch officers in the 1970s.)  As a result, you’ll notice that in many Hollywood films about mass destruction, the “00000000” passcode was commonly used for the nuclear launch codes.  [In Star Trek 3, the destruct code for the USS Enterprise was “000-DESTRUCT-0”.]  Moreover, even with the progression of safer and larger storage media, the U.S. government still uses 1970s technology to coordinate such key strategic forces as nuclear bombers and intercontinental ballistic missiles (and will continue to do so through at least 2017).  The Pentagon uses antiquated 8-inch floppy disks (see Media) and ancient IBM Series/1 computers for its “Strategic Automated Command Control System,” the system which issues launch orders to commanders and shares intelligence.  In its defense, the Pentagon says that it is precisely because such disks are disconnected from digital networks that they are buffered from hackers.  [For more, see Leslie Stahl’s report on 60 Minutes, the Washington Post 5/26/16 article, and the GAO’s Report issued on 5/25/16.]


Do you think your current password is reasonably secure?  You should know that in January, 2010, an examination of 32 million passwords stolen by a hacker in December, 2009 from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace, showed the 32 most common passwords, all of which were published for hackers to see.  30% of the passwords examined were 6 characters or less; 50% were easily guessable names, slang or consecutive digits.  Same for the Duo Security study in 2010, which analyzed some 400,000 passwords.  In addition, they found that 99.45% of the passwords were strictly alphanumeric (all letters, no numbers, no special symbols) and 61% were all lowercase (no mix of caps and lowercase).  These things make passwords easier to crack.

By 2016, not much has changed:

[Graphic: SplashData’s list of the 25 worst passwords of the year]
You get the idea: if you are using any of these insecure passwords, you’re begging to get hacked!  Most are still keyboard patterns, with some Star Wars themes added this year (hottie, loveme and flower).  SplashData says that over 10% of users still use at least one of the 25 passwords on the list, with almost 4% of them using the worst one, “123456”.

Amazingly, even after these common mistakes were published, none of this seems to have made much difference.  After the massive Adobe password hack of November, 2013, it was revealed that the customers’ passwords were “pathetic,” which is why they were so easily cracked.  For example, 1.9 million customers had used the string “123456” as their password.  Had they used something more secure, the hackers might not have taken the time to get into their accounts.  Still, the dominant way that sensitive information is disclosed is through “social (i.e. human) hacking”.  Take the Snapchat disclosure of some 700 current and former employees’ payroll information, including their names, social security numbers and other sensitive data, which occurred in 2016 when an attacker simply pretended to be Snapchat chief executive Evan Spiegel and tricked an employee into e-mailing the information to him.



1.  Ideally, in order to be reasonably safe, a password should be cryptographically strong and longer than 10 characters.  It should contain at least one upper case letter, at least one digit and at least one symbol (a “;” or a “#”, for example).  This is now necessary because of the vast improvements in computational power and the more sophisticated password-cracking software and techniques readily available to hackers.  Password strength is measured using a concept from information theory known as information entropy or bit strength.  This is expressed as the length in bits of the number of possible password combinations, given the password’s length and complexity.  For example, a password with a strength of 10 bits (e.g. “ab123”) has 1024 possibilities, which is relatively weak.  Basically, anything that makes a hacker spend more time to decipher your password (symbols, upper and lower case, numbers, spaces, dots, etc.) increases the entropy and works to your advantage.  That’s why even a poor password like “12345” (which would take 0.00000111 seconds to crack), once “padded” to “12345......” (which would take 3 hours to 3 months), becomes a better password than a much longer one that’s not as random.

See the links immediately below to test your password’s strength.

>>>You can check your password strength at the “Password Meter” site, Microsoft's “Check Your Password — Is it Strong?” page, or the “Test Your Password” site.

For a tester for how long it would take to crack your password (not its strength), click HERE for an excellent site.

2.  There are lots of sites advising you about how to create memorable and unhackable passwords (and some software that’ll actually do it for you, e.g. “Random Password Generator”), but I like the following idea best:  create a mnemonic password out of a passphrase.  It could be a favorite movie quote, some lyric or poem, the first sentence in a novel, or just something random.  For example: ICNRMP0203.  What does it mean?  “I Can Never Remember My Password 0203”.  To make it more difficult, switch between upper and lower case, as in iCnRmP0203.  Or, even more difficult, use the second letter in each word of the phrase.  Obviously you can make one even shorter: MDiG03 (“My Desk is Green 03”).  But take this advice: use a combination of numbers and letters and different cases; it makes the password significantly harder to crack.  Maybe you can change the numbers if you need multiple passwords (i.e. 19, then 28, then 37, etc.), or add a few characters at the front so you’ll know which site it goes with.  You shouldn’t use the same password for everything, but it’s hard to keep track of many different ones, so you SHOULD save them and/or write them all down somewhere (see below for more about this).  Want something easier?  Just type a short passphrase.  It doesn’t have to mean anything; something like “2 Blue Turtles Ate Sushi”.  It’ll never be cracked.  In fact, in 2015, two University of S. Cal. researchers (Marjan Ghazvininejad and Kevin Knight) took this solution one step further.  Convinced that a string of completely random words (like “correct horse battery staple”) is far more secure than a single random word (like “Troubador”), even with character substitution (which powerful computers can crack relatively quickly), they suggest creating a short poem of random words (e.g. “A peanut never classified/expected branches citywide”).
[Kind of like the junk you see in spam e-mail addresses that they use to get past the spam filters.]  They’ve even posted a link where you can submit your e-mail address; they will send you a short poem and then delete everything from their server.  Be prepared to wait.  Eight years after this page was initially written, the Washington Post also wrote an article suggesting the use of passphrases, such as “mycatlikesalotofgrapes” or “ithoughtiwonthelotterybutididnt”.  Same idea.
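To put numbers on the bit-strength idea from point 1 and the random-words advice in point 2, here is an added Python example (written for this page, not code from the page or from the researchers it cites).  It treats a password as a random draw from the character classes it uses, a passphrase as a random draw from a wordlist, and a dictionary word as what a guessing attack actually has to search; the 7776-word list, the 100,000-word dictionary and the one-billion-guesses-per-second rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes roughly as the page describes them: each class a password
# draws from enlarges the alphabet a guessing attack has to cover.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation + " ",   # the page counts spaces and dots too
}


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password touches."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def char_bits(password: str) -> float:
    """Bit strength of a password treated as a uniformly random string of its
    length over the classes it uses: log2(alphabet ** length).  This is an
    upper bound; it flatters dictionary words and keyboard patterns."""
    return len(password) * math.log2(alphabet_size(password))


def dictionary_bits(wordlist_size: int, variants_per_word: int = 1) -> float:
    """Bit strength a dictionary word really has when the attacker tries every
    word in a list times a few variants (digit suffixes, case, substitutions)."""
    return math.log2(wordlist_size * variants_per_word)


def phrase_bits(word_count: int, wordlist_size: int) -> float:
    """Bit strength of word_count words each chosen uniformly at random from a
    wordlist of wordlist_size entries: log2(wordlist_size ** word_count)."""
    return word_count * math.log2(wordlist_size)


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: on average half the space is searched."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def make_passphrase(wordlist, word_count: int = 4) -> str:
    """Build a 'correct horse battery staple' style passphrase from a wordlist,
    using the CSPRNG so the words are genuinely random, not chosen by a human."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def compare(guesses_per_second: float = 1e9) -> dict:
    """Compare the page's own examples under one assumed guess rate."""
    rows = {
        "12345 (digits only)": char_bits("12345"),
        "12345...... (padded)": char_bits("12345......"),
        "hotdog123 as random chars": char_bits("hotdog123"),
        "hotdog123 as dictionary word": dictionary_bits(100_000, 1000),
        "4 random words, 7776-word list": phrase_bits(4, 7776),
    }
    return {name: (round(bits, 1), crack_seconds(bits, guesses_per_second))
            for name, bits in rows.items()}


if __name__ == "__main__":
    # Constructed sample wordlist; a real one would have thousands of entries.
    sample = ["correct", "horse", "battery", "staple", "turtle", "sushi"]
    print("example passphrase:", make_passphrase(sample))
    for name, (bits, seconds) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{seconds:.3g} s")
```

The gap between the two "hotdog123" rows is the point of the page's warning against dictionary words: the class-based figure counts strings an attacker never needs to try.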

3.  Another clever way to devise a password is known as the SFSP (“Simple Formula for Strong Passwords”), developed by the SANS Institute.  Basically, you take an easy-to-remember word, then stick your birth date or some other meaningful number in the middle of it, surrounded by special characters.  For example, if your dog is a beagle and the number is your golf club membership number, it could look like this: “~+beag2655le~+”.

4.  Some people like to use what’s known as “keyfile” passwords.  These take the first 1,024 characters of a file (any file; it could even be an MP3 music file) and use that as the password.  Sounds good at first, but the longer you keep and use that file, the greater the chance that it will be slightly changed (headers added or deleted, or the like), making it useless.  If you’re going to use this type of password, make sure you keep copies of the file in multiple places!

5.  If offered by your provider (e.g. your bank), use two-factor or multi-factor authentication; it makes hacking exponentially more difficult.  Also, if available, biometrics (everything from fingerprints to eyeball scans and voiceprints) are less hackable as well.

6.  You can take a lesson from the spies:  use a letter substitution cipher, where you replace each letter with another letter, number or symbol.  For example, replace each letter with the next one in the alphabet, so “joe” becomes “kpf”.  Hackers try common passwords, maybe typed in backwards (yes, they always think of this), but rarely try ciphers, as they’d have to know the type.  A bank password like “retriever” is hackable, but “sfusjfwfs” would require brute force or cryptogram-solver software (and time) to hack.  Similar to substitution ciphers, you can simply move your hands one key to the right (or left) on your keyboard when typing a password, so “dog” becomes “fph”.  [But, if you must write down your passwords, write down the “plain” word (“retriever,” “dog”) and not the enciphered one, so nobody gets the key to decipher it.]  Another alternative is a mnemonic code: use a word to correspond with a letter (e.g. r = rockville) or number (1 is 3, 2 is 5, etc.), then apply it to the first (or last) letters of the site name to get the password (e.g. etsy = rp).  To make it even more difficult to hack, combine it with a second-level letter or number substitution cipher and then add a symbol; it’ll be almost impossible to hack (etsy = rp = sq = [sq]).  Some mnemonics use things like song lyrics (a/k/a “earworms” or “brainworms,” that catchy music that continually repeats through your mind long after it stops playing) [e.g. “Don’t Worry, Be Happy,” or The Police’s “Every Breath You Take,” which becomes EB, then “FC”].  And then there’s the old standby of using a sentence from the same book (like the Bible) as a “key” to align the cipher at both ends.  For those sites requiring you to change your password periodically, simply add the year, or the year and month or quarter, to the end of the password (e.g. “re]-15-q2”).

7.  Corporate systems store passwords using a one-way hash function which, unlike symmetrical data encryption, cannot be reversed to reveal the clear text, even with so-called brute force attacks.  But this may be a little much for home users.  And even all of this may still be insufficient to protect a business:  for security, businesses should rely on more robust authentication.  Encryption, smart cards, tokens, biometrics and the like are quite common in the enterprise.
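As an added illustration of the one-way hashing point (example code written for this page, not any particular product’s implementation): each password gets its own random salt and is run through a deliberately slow key-derivation function, so a stolen table cannot be turned back into passwords and every guess costs the attacker real work.  The salt length and iteration count are assumed parameters, and the weak unsalted version is shown alongside for contrast.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: a 16-byte random salt per password and
# a PBKDF2 iteration count chosen to make each guess deliberately slow.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """The weak way: one fast, unsalted hash.  Every user with the same password
    gets the same record, and one precomputed table applies to all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The hardened way: 'salt$hash' using PBKDF2-HMAC-SHA256.  The stored value
    cannot be turned back into the password; a server can only re-run the
    function on a candidate and compare."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time, so timing
    differences do not leak how many bytes of the hash matched."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def records_collide(password: str) -> bool:
    """True if two users choosing the same password end up with identical
    records.  Unsalted hashing collides; salted hashing does not."""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    # Constructed sample: two customers who both picked the page's worst password.
    pw = "123456"
    print("unsalted, user A:", unsalted_sha256(pw))
    print("unsalted, user B:", unsalted_sha256(pw))    # identical: leaks the match
    print("salted,   user A:", hash_password(pw))
    print("salted,   user B:", hash_password(pw))      # different every time
    record = hash_password("2 Blue Turtles Ate Sushi")
    print("right phrase:", verify_password("2 Blue Turtles Ate Sushi", record))
    print("wrong phrase:", verify_password("2 blue turtles ate sushi", record))
```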


If you feel that you have so many passwords that you absolutely must use software to keep track of them, or you need to sync the information between more than one computer and perhaps an iPhone, there is both free and paid software (a/k/a “Password Managers”) readily available for this purpose.  Just Google them.  See, e.g., LastPass and RoboForm, which are the two most popular.  Both are cross-platform (Macs and PCs) and personal- and enterprise (business)-friendly.  Also SplashData’s SplashID Safe, 1Password and KeePass (which use a local file to store passwords), Dashlane and PasswordBox (which add cloud services), AgileBits or Callpod’s Keeper for Macs, PCs and mobile devices.  And Windows Password Key Standard, Kruptos 2 Professional, 2 Password, and Quicky Password Generator.  But the problem here is that this type of software, which normally logs you on to a site (so long as you remember the one master password for the software), still resides on your computer.  So if it’s stolen, you’ve lost your passwords and someone else can theoretically find them.  And nothing is ever completely safe:  in June, 2015, LastPass prompted its users to change their master password because it appeared that its network had been breached on June 12, 2015.



Once you’ve created the list, the next question is where it can be safely kept.  Even the best password is compromised if you put it on a Post-It Note on your monitor, or tape it under your keyboard or in some other obvious place.  If it’s a good password or passphrase, you should easily remember it!  Moreover, you should plan ahead, so that if you should become incapacitated (through accident, death or disease), your spouse or heirs can access your computer data.  Leave the list in a secure location known only to a trusted party.  Or use a service such as Legacy Locker, which promises to grant access to friends or loved ones in the event of loss, death or disability.  The free trial account lets you protect up to three assets.  On a daily basis, it may be better to simply create a list of your passwords and store it away from the computer, say on an encrypted USB flash drive.  Just don’t keep the list on your desktop or in your inbox, under your keyboard or on a sticky note on the monitor, where it can easily be found by hackers.  I keep a list of mine (now well over 75) on a spreadsheet showing not only the account and password, but also the date it was created, modified or canceled and the website information, but it’s not in the same room as my computer.  I print it out and also have it stored on a detachable USB flash drive.


No one really wants to hear this, but it would be a good idea to change your password periodically.  Not that most of us actually do.  In fact, in 2016 Mark Zuckerberg’s Facebook account was hacked and, because he duplicated his password (“dadada”) for his Pinterest and Twitter accounts, those were hacked as well.  If guys like Zuckerberg, Jack Dorsey of Twitter and Square, and Google’s CEO Sundar Pichai of Silicon Valley can be hacked (all by OurMine, a security company, in 2016), as well as Katy Perry, so can you.  If you use the passphrase method described above, you can just change the passphrase itself, leaving the other information the same.  Still, for corporate uses, every six months or so is the recommended period, and hopefully not less than once a year.  Also, your bank and other secure sites may insist on this anyway.  Remember:  treat your password like your toothbrush: don’t let anybody else use it, and get a new one every six months.  Maybe coordinate everything with daylight savings time - change your clocks, the batteries in your smoke detectors and your passwords at the same time.

And, please, please don’t forget to change the default user names (e.g. user, admin) and passwords (e.g. password, admin) that come with your hardware (like your home router).  You can be hacked and it can cost you privacy and money.  See Security.  Just change them and write the custom ones down.

On a related issue, you should be aware that security questions can sometimes pose security risks themselves, due to the limited set of responses.  For example, when you are asked “what is your favorite color?” the responses are quite limited and can easily be foiled with a brute force attack.  You should also avoid security questions whose answers reveal personal information, such as your mother’s maiden name, your dog’s name or your high school.  This type of information is often found on the Internet, perhaps on your Facebook page, and may permit outsiders to find out information about you that you want kept personal.  I suggest that you type in a response to the security hint that has absolutely nothing to do with the question.  For example, when asked where you were born, you could respond “Asparagus”.  If you’ve used your web browsers to manage your sign-in for accounts, you should change or limit your sign-in credentials.  Same if you use any type of software password manager, like Roboform.  [You may decide that this is a good time to start using one of these to avoid this confusion if it ever happens again.]  And remember to keep records of all of these changes (by date), as they can quickly add up and become hard to keep track of.


Despite all of your protective measures, this can happen.  Take the Adobe hack of thousands of their accounts in October, 2013, and many others well publicized since.  So what do you do when you’re notified that your information has been compromised?  This is where your job is more difficult if you’ve been using the same or similar passwords for everything, because hackers will use the stolen password for one account to attempt to access the others.  Unfortunately, you have a long process ahead of you.  First, if the hack can compromise your credit cards, use the toll-free numbers to cancel and reissue your credit or debit cards.  For bank accounts, call your bank and see what procedures they recommend for changing passwords, accounts or permissions.  You may want to contact the major credit reporting agencies (Equifax, Experian and TransUnion) to make sure your credit hasn’t been compromised.  They owe you one free check per year, and they can put a “fraud alert” on your account.  Or you can sign up for one of the paid identity theft protection services.


It is interesting to note that most password hacks are a matter of “social engineering”.  Someone will approach you on-line, by telephone or even in person and just ask you for your password for an app or account in the guise of helping you or solving a problem.  Don’t fall for it.  And, apparently, don’t eat chocolate first.  In 2016, a large-scale experiment (1,208 people) by the Université du Luxembourg revealed that when researchers asked passers-by about their attitude toward computer security, then for their password, giving them chocolate first increased the number of positive responses by almost 50%!  If the chocolate wasn’t given until after they were asked, the effect was substantially smaller.  (They posit that this would work for any small gift, not just chocolate.)  You shouldn’t give out any of your passwords, no matter how nicely or innocuously asked, any more than you would hand a stranger your house or car keys or alarm system code.  Even if they give you chocolate first!


There are alternatives to passwords, many of which are included in your computer hardware and some of which can be added as peripherals, in case you demand increased security because of the nature of the data on your computer (work materials, stock transactions, etc.):  biometrics (like fingerprints and retinas) and facial recognition (Google’s Face Unlock utility, which uses funny faces and gestures to unlock Android phones).  Even selfies, as MasterCard introduces CheckMobile in 2017, which allows mobile users to verify their identity for mobile payments.  But they can be fooled, too (e.g. the Jelly Bean version of Android let users blink their eyes, to defeat hackers using a photo, but it wasn’t perfect and had to be rewritten).  And there’s the famous “Gummy Bear” fingerprint hack, discussed under the biometrics definition.  More often, sites are using “two stage authentication” to verify users.  You see this a lot on banking sites that ask you a security question after you’ve already logged in with your ID and password.  For more discussion, see below.

Windows 8.1 and 10 users:  You now have the choice to sign in to your computer using a “personal identification number” (PIN) rather than a password.  It has a default of four digits, but can be customized for more digits.

A note about BIOS/UEFI passwords: These are the passwords that control the startup settings for your computer.  They’re not very safe.  Usually, by pressing a switch on the motherboard or simply removing the battery, it can be reset by even a newbie hacker.  Don’t waste your time.

UPDATE - 2014 and later - The Game is Changing:  If you’ve been following the news, these days hackers steal passwords wholesale, not one by one, which has changed the password playing field.  You should always protect your passwords at your own personal computer level.  But that won’t prevent a hack at the server level of the computers you commonly connect to, like your bank, gas station or department store. [See graphic below.] And those servers, contrary to popular belief, don’t have the best protection, as many companies just don’t consider spending money on this to be a priority.  The main vulnerability, then, is no longer a human like Matthew Broderick in War Games or even the Conficker type of malware, which relies on being loaded on individual computers.  Rather, it’s two things:  Phishing attacks (see Spyware), which the wary can often prevent.  And wholesale heists like the Target, Home Depot, JP Morgan, Neiman Marcus and the like (See Security) thefts, stealing literally millions of accounts at once, over which end users have very little control (see Hackers).  If a credential database from a retail chain or financial institution is compromised, it really doesn’t matter how complex your password is, it is stolen along with all of the others.  That’s not always bad, as the more difficult you make the password, the harder it will be to decrypt and maybe the hackers will give up (but probably not; if they’re expert enough to crack the network, your password won’t be difficult).  And, unfortunately, using servers with more secure authentication protocols won’t gain you much either, because today’s password hackers aren’t gaining access by attacking weaknesses in those protocols. In fact, you don’t really have much control over the corporate server and host computers used to process your transactions.  
You can’t insist on two-factor authentication even if you would like this additional layer of security (and if the hackers control your endpoint, you’re out of luck anyway).  So what can you do?  You won’t want to hear this, but you should (1) change your passwords at least once a year; (2) use complex passwords, but don’t spend too much time on them, as they’ll probably only slow down professional hackers a little (you can always hope for a poor hacker, though); (3) don’t share the same passwords among sites, so that at least any theft won’t cross over your entire digital identity; and (4) don’t fall for phishing requests (see Spyware), and err on the safe side (and look over your shoulder when paying or logging in, to avoid potential social engineering issues).  That’s all you can do for now.


©Computer Coach, 2014



Password fatigue applies not only to computer users but also to e-commerce companies, social networks, banks and other businesses which must keep track of the logons for millions of online customers.  These companies are moving toward having their customers keep their logon information on their own computers, through the use of biometrics that let users record their voice, facial features (laptops from HP and others equipped with webcams recognize your photo as a password), fingerprints and the like onto their devices.  Hackers would have to steal not only their devices, but also their fingers, eyes or quirks to make the theft useful, not a likely scenario.  Less fancy, but more plausible, may be “picture” passwords or “gesture” passwords (with more tablets and Win8 available), where a user draws a figure eight or a symbol to identify themselves.

The (not too) Distant Future:  Aware of the increasing complexity of strong passwords and the number of different ones required by the average user, DARPA is developing software that determines, just by the way you type, that you are entitled to use the computer or smartphone.  Drexel University is trying to extract “author fingerprints” (known as “stylometry”) from the large volumes of text we enter into our PCs and smartphones (style, repetitive words and phrases, speed, pauses, etc.) and use any disruptions in the pattern to determine when someone else might be at the keyboard.  Richard Guidorizzi, the DARPA Program Manager, calls an individual’s distinct behavioral computer characteristics their “cognitive fingerprint”.  Currently proposed software is based on “mouse dynamics,” which uses each person’s idiosyncratic way of using a mouse, such as the speed with which you move the cursor across the screen (the path, i.e. straight line, convex or concave arc, or the presence or absence of “jitter”); “keystroke dynamics” (how long a user holds down a given key and how they move from one key to another); and activity-based analysis, which uses the gyro sensors inside smartphones to detect characteristics like stride length, how you balance your body, walking speed, arm length, physical proximity to others you know (or don’t know) and many other factors, as well as micro-hand movements (how you hold the smartphone, touch burst activity when you tap or swipe, including pauses and other gestures).  But it isn’t certain whether these behavioral characteristics will ultimately prevail.

UPDATE:  Starting in 2016, selfies may replace passwords in some applications.  For example, MasterCard plans to roll out a service named “Selfie Pay,” where cardholders can confirm purchases by taking a selfie on their MasterCard mobile app.  And Georgia will roll out a pilot program where taxpayers can create a secure account where they verify their identities by taking a photo.  Law enforcement agencies will use facial recognition to search driver’s license databases.  Of course, these will not be exactly the same as your Facebook photos - MasterCard and USAA, for example, require the user to “blink” to show that they are a real person, and not a photo.

And, on the hardware side, there are alternatives:  some people have actually embedded chips into their fingertips to gain access to their computers without having to remember passwords, while avoiding possible hacking via Bluetooth, Wi-Fi or NFC communications.  Or using the body as a conductive conduit, where the user places one hand on their cell phone and the other on the device requiring the password (e.g. a realtor’s lock box), using their biometric signature to complete the connection.  Much like the iris or fingerprint scans already in use, and just as secure.



Finally, while password security is important, viruses and malware that can compromise your computer are much more important.  A keystroke logger, for example (see Security), can hijack your computer, by keeping track of all of the passwords you enter through your keyboard, then use that information against you.  To protect yourself against these types of intrusions, it’s essential to keep your anti-virus and anti-malware programs up to date.


FAQ:  Make it idiot proof and someone will only make a better idiot.

© Computer Coach.  All written materials are the sole property of Computer Coach (unless otherwise attributed) and no part of this website may be used in any format without the express written permission of Computer Coach.