#241396 - 02/17/12 05:36 PM
Re: Carrying passwords...
[Re: adam2]
|
Pooh-Bah
Registered: 03/13/05
Posts: 2322
Loc: Colorado
|
There is a lot to be said for using the phone numbers or birthdays of living or deceased relatives as passwords, one's OWN details might be too easily guessed.
Whether it's your birthday or mine, there are only 365 different possibilities in a year. A single human could go through all those possibilities in a few hours. A computer in a few milliseconds. Even if you add the year to the birthday, we're only talking seconds or minutes for a computer to guess each possibility. You have to remember that computer crackers are not specifically targeting YOU usually, they are targeting anything they can get. If you happen to be the poor soul whose birthday is January 1st, 2001 and you use 010101 as your password because you think there are a lot of birthdays out there - too many for even a computer to figure out - you're going to be owned on about the third guess.
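As an added example (not part of any post in this thread), the Python sketch below counts how many distinct passwords each common birthday layout can produce and reuses the same sets as a signup-time denylist. The list of layouts, the 1900 to 2012 year range and all function names are assumptions made for the illustration.

```python
from datetime import date, timedelta

# Digit layouts people use for a birthday (assumed list, not exhaustive).
LAYOUTS = {
    "MMDD": "%m%d",
    "MMDDYY": "%m%d%y",
    "DDMMYY": "%d%m%y",
    "MMDDYYYY": "%m%d%Y",
    "DDMMYYYY": "%d%m%Y",
    "YYYYMMDD": "%Y%m%d",
}
# Plausible birth years for living or deceased relatives (assumption).
FIRST_DAY, LAST_DAY = date(1900, 1, 1), date(2012, 12, 31)


def build_denylist():
    """Map each layout name to every string it yields for a day in range."""
    sets = {name: set() for name in LAYOUTS}
    day = FIRST_DAY
    while day <= LAST_DAY:
        for name, fmt in LAYOUTS.items():
            sets[name].add(day.strftime(fmt))
        day += timedelta(days=1)
    return sets


DENYLIST = build_denylist()


def keyspace(name):
    """Number of distinct passwords a layout can produce."""
    return len(DENYLIST[name])


def date_layouts(password):
    """Layouts under which `password` is a real date; empty list if none."""
    return [name for name, values in DENYLIST.items() if password in values]


def acceptable(password):
    """Signup-time check: refuse anything that is nothing but a date."""
    return not date_layouts(password)


if __name__ == "__main__":
    for name in LAYOUTS:
        print(f"{name:9} {keyspace(name):6} possible values")
    print("010101 matches:", date_layouts("010101"))
```

Even the widest layout here yields only tens of thousands of values, which is why a date on its own is refused no matter whose birthday it is.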
#241400 - 02/17/12 06:45 PM
Re: Carrying passwords...
[Re: haertig]
|
Pooh-Bah
Registered: 04/01/10
Posts: 1629
Loc: Northern California
|
Many tricks (disguises, mnemonics, etc) mentioned here may be fine for non-critical stuff. However, a reasonably skilled hacker would think those cracks are child's play. A good hacker isn't sitting there staring at your passwords. They're dealing with computer programs that have complex algorithms involving complex math that does most of the work. The hackers are not trying hard at all.
Do you think nobody cares that much about your passwords? Well, they probably don't, but the hack isn't hard. The situation is your laptop or cell phone is stolen/lost. The hacker has all the time in the world at that point. Again, they're not trying hard. Their tools are doing most of the work.
I embrace that concept. I do not leave passwords exposed in any manner. If I use a system for disguising passwords, it's after I've applied some sort of password holding software program.
_________________________
If you're reading this, it's too late.
#241403 - 02/17/12 07:17 PM
Re: Carrying passwords...
[Re: TeacherRO]
|
Pooh-Bah
Registered: 04/01/10
Posts: 1629
Loc: Northern California
|
Off topic sorta...
I really hate admitting this, but password protection may be a situation where good ol' pen and paper is superior. That is, if you store the paper in one safe. At that point, the only way to get the password (from you) is by getting into that safe or into your brain. You leave no exposure via your lost computers, cloud computing, etc.
Even better is to store passwords on an encrypted computer whose single purpose in life is to store your passwords, and then lock that encrypted computer in one physical safe. (Storage in only your brain is obviously the highest security, but for me personally that's not an option.)
All the fancy encryption algorithms cannot beat a system where your password is simply not stored on any computer in any way, shape, or form. Of course, your third parties (e.g., bank computers) store passwords somewhere, but you have no control over that storage.
_________________________
If you're reading this, it's too late.
#242632 - 03/07/12 05:50 PM
Re: Carrying passwords...
[Re: TeacherRO]
|
Veteran
Registered: 12/05/05
Posts: 1563
|
If you are using paper (or index card) for your passwords, it may help to throw some imaginary passwords in the mix. Just like remembering strokes on the keyboard, you will remember which ones are real passwords and which ones are fake.
#242640 - 03/07/12 09:52 PM
Re: Carrying passwords...
[Re: ireckon]
|
Old Hand
Registered: 02/05/10
Posts: 776
Loc: Northern IL
|
Off topic sorta...
I really hate admitting this, but password protection may be a situation where good ol' pen and paper is superior. That is, if you store the paper in one safe. At that point, the only way to get the password (from you) is by getting into that safe or into your brain. You leave no exposure via your lost computers, cloud computing, etc.
Even better is to store passwords on an encrypted computer whose single purpose in life is to store your passwords, and then lock that encrypted computer in one physical safe. (Storage in only your brain is obviously the highest security, but for me personally that's not an option.)
All the fancy encryption algorithms cannot beat a system where your password is simply not stored on any computer in any way, shape, or form. Of course, your third parties (e.g., bank computers) store passwords somewhere, but you have no control over that storage.
No one stores passwords anymore. Encrypted or otherwise. What is stored is a one way hash. There is no way to get the password from the hash. When you enter your password, the password you enter is put thru the hash algorithm and the output compared to the hash stored on the computer system. If the correct password was entered, the hash will be the same. But there is no way to go backwards from the hash and get the password.
_________________________
Warning - I am not an expert on anything having to do with this forum, but that won't stop me from saying what I think. Bob
#242641 - 03/07/12 09:54 PM
Re: Carrying passwords...
[Re: ireckon]
|
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
|
Of course, your third parties (e.g., bank computers) store passwords somewhere, but you have no control over that storage.
Okay, the following is super-nerdy and nitpicky, and may not be of interest to anyone. Most systems don't store your password. They store a hash of your password instead. A hash function is supposed to be a mathematical "trap door" that takes an input, does math to it and comes out with a fixed-length output that's repeatable and unique to the input. That's impossible, so there are multiple inputs that can repeat the same output. That's called a hash collision. Anyway, when you enter your password, the system authenticating you performs the same hash function on your input and compares the hash output to the hash output it has stored in your user record.
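The hash-and-compare login described in the two posts above, as an added Python example that is not part of the original thread. The per-user salt, the PBKDF2 work factor, the record layout and the function names are assumptions that go beyond what the posts describe; the last two functions cut SHA-256 down to 16 bits only to make the collision point visible.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # work factor chosen for this example (assumption)


def make_record(password, salt=None):
    """Return the string a site would store instead of the password.
    The 'salt$iterations$hash' layout is made up for this example."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${digest.hex()}"


def verify(password, record):
    """Re-run the same hash on the login attempt and compare with the record."""
    salt_hex, iterations, digest_hex = record.split("$")
    attempt = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(attempt, bytes.fromhex(digest_hex))


def tiny_hash(text, nbytes=2):
    """SHA-256 cut down to 16 bits, so collisions are easy to observe."""
    return hashlib.sha256(text.encode()).digest()[:nbytes]


def find_collision(nbytes=2):
    """Return two different inputs with the same tiny_hash (pigeonhole)."""
    seen = {}
    i = 0
    while True:
        text = f"input-{i}"  # constructed sample inputs
        h = tiny_hash(text, nbytes)
        if h in seen:
            return seen[h], text
        seen[h] = text
        i += 1


if __name__ == "__main__":
    record = make_record("pepper93))oni")
    print("stored:", record)
    print("right password:", verify("pepper93))oni", record))
    print("wrong password:", verify("pizzabyTigger88", record))
    print("16-bit collision:", find_collision())
```

The salt makes two users with the same password get different records, and the iteration count makes each guess against a stolen record slower.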
#242651 - 03/08/12 02:43 AM
Re: Carrying passwords...
[Re: TeacherRO]
|
Old Hand
Registered: 03/03/09
Posts: 745
Loc: NC
|
You can pen and paper store a password if you have a system.
Here's one. Password is combination of a word, with numbers and symbols. Then you encode it for yourself.
"pizzabyTigger88" is what is written
To me that means the password is "pepper93))oni"
Pizza = pepper oni
byTigger = the year my cat Tigger was born
88 = )) - caps and add a key
And only I know the last 3 letters of the major word come after the other keys.
Do this for yourself. Easier than most codes, only decodable by you and those in the know.
#242696 - 03/08/12 04:43 PM
Re: Carrying passwords...
[Re: ireckon]
|
Carpal Tunnel
Registered: 12/26/02
Posts: 2997
|
Off topic sorta...
I really hate admitting this, but password protection may be a situation where good ol' pen and paper is superior. That is, if you store the paper in one safe. At that point, the only way to get the password (from you) is by getting into that safe or into your brain. You leave no exposure via your lost computers, cloud computing, etc.
Even better is to store passwords on an encrypted computer whose single purpose in life is to store your passwords, and then lock that encrypted computer in one physical safe. (Storage in only your brain is obviously the highest security, but for me personally that's not an option.)
All the fancy encryption algorithms cannot beat a system where your password is simply not stored on any computer in any way, shape, or form. Of course, your third parties (e.g., bank computers) store passwords somewhere, but you have no control over that storage.
You'll wear out the safe door that way getting your passwords every time you need to sign in to something.
Edited by Eugene (03/08/12 04:44 PM)
#242723 - 03/08/12 07:59 PM
Re: Carrying passwords...
[Re: TeacherRO]
|
Old Hand
Registered: 04/16/03
Posts: 1076
|
1) how do you get around the keyloggers that are on your work computers? Most larger companies log all computer input, not just web history. Makes things much easier on the HR department for both personnel and corporate espionage issues.
2) don't Google and Apple store all their customers' smartphone data on company servers? Don't they claim access to everything that goes thru your phone?
#242724 - 03/08/12 08:15 PM
Re: Carrying passwords...
[Re: Glock-A-Roo]
|
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
|
1) how do you get around the keyloggers that are on your work computers? Most larger companies log all computer input, not just web history. Makes things much easier on the HR department for both personnel and corporate espionage issues.
This is actually harder to do than you might think. Logging all Internet access is pretty easy (it isn't cheap to do it well, but it isn't hard). Logging all access to files is tougher but do-able. Logging all network access is hard. Logging keystrokes sounds easy to do but you need to deliberately neuter or compromise your workstation security software to do it, as well as spend a lot of time and effort reviewing the logs. Almost none of my customers have attempted to do this. This is very rare outside of high-security government facilities. Logging Internet access from company networks and workstations is generally legal, but make sure you have a written policy in place to support it. Logging email is a federal felony without a written policy and some evidence that the end-user was aware of the policy. Logging keystrokes is a dicey area of law; you'd most likely end up with civil liability and criminal liability is a real possibility. Consult an attorney first.
2) don't Google and Apple store all their customers' smartphone data on company servers? Don't they claim access to everything that goes thru your phone?
They log usage information but do not (as far as I know) log keystrokes/button pushes or log the activities of third party apps.