Do:

  • Always use a unique email password. If someone breaks into your email they can use it to change passwords on all accounts you have associated with that email.
  • Use a unique email account that is only used for password recovery. This account should not be used for any other form of communication.
  • Change passwords at least twice a year.
  • Create a process instead of using “real” words (i.e., dictionary entries, proper names):
      • Use a phrase that combines multiple words that have no correlation to each other but is easy to remember, e.g. Hometown + Father’s middle name: “ForrestDean”
      • Replace any spaces with a special character. Always use the same character so it is easy to remember: “Forrest%Dean”
      • Add the current year to the end. This will also help you remember to change your passwords: “Forrest%Dean2014”
      • Add a prefix to the phrase based on each website. For example, you could take the first two letters of the website and add them to the beginning. For Facebook we would have: “faForrest%Dean2014”
  • Memorizing a process such as this will give you a unique password for each website while making them easy to remember so you don’t need to use a password manager or have your browser store your passwords.
  • Finally, the generic nature of security questions means that the answers can usually be found by knowing you or looking through your various online profiles. Treat security questions as if they are another password – give bogus answers, but be sure to have a method for remembering these “wrong” answers.

Don’t:

  • REUSE PASSWORDS – If you do, a hacker who gets just one of your accounts will own them all.
  • USE A DICTIONARY WORD AS YOUR PASSWORD – If you must, then string several together into a passphrase.
  • USE STANDARD NUMBER SUBSTITUTIONS – Think “P4ssw0rd” is a good password? N0p3! Cracking tools now have those built in.
  • USE A SHORT PASSWORD – no matter how weird.  Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable.  Your best defense is the longest possible password.
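
The “Don’t” list above, written as a checker you can run on a candidate password. This is an added example, not part of the original page; the small wordlist, the substitution table and the 12-character minimum are constructed assumptions (the page only says “the longest possible”).

```python
# Audit a candidate password against the four "Don't" rules in the list above.

# Constructed sample wordlist (assumption); a real check would load a full dictionary.
WORDLIST = {"password", "dragon", "monkey", "forrest", "dean"}

# Common digit/symbol-for-letter swaps, the kind the page says cracking tools build in.
SUBSTITUTIONS = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "l",
    "0": "o", "5": "s", "$": "s", "7": "t",
})

MIN_LENGTH = 12  # assumed threshold, not a figure from the page


def normalize(password):
    """Lower-case the password and undo the standard substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def audit(password, other_passwords=()):
    """Return the list of "Don't" rules the password breaks (empty if none)."""
    findings = []
    if password in other_passwords:
        findings.append("reused")
    if password.lower() in WORDLIST:
        findings.append("dictionary-word")
    elif normalize(password) in WORDLIST:
        # Only the swaps separate it from a dictionary word.
        findings.append("number-substitution")
    if len(password) < MIN_LENGTH:
        findings.append("short")
    return findings


if __name__ == "__main__":
    already_in_use = ["twForrest%Dean2014"]  # constructed sample
    for candidate in ["P4ssw0rd", "h6!r$q", "faForrest%Dean2014"]:
        print(candidate, audit(candidate, already_in_use))
```
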