The art of the perfect password
Anytime I forget something, I rationalize that what I’m really doing is clearing out space to allow new information to be stored in my brain. It’s a bit like cleaning off my desk or deleting cookies from my computer.
The most irritating forgetfulness is when I can’t remember that “perfect” password I set up for a particular website. At the time I created it, I was sure I’d remember it. Instead, I have to repeat the site’s entire security process to regain access. With so much of my role at Vanguard revolving around information security—and with so much of my life online—this can be distressing, and it’s a major inconvenience.
It can be tempting to streamline the number, length, and variety of passwords we use. But a recent New York Times article highlights the danger of this approach, and shows how little thought many people give to it. Based on a new study of 32 million social-networking passwords stolen by a hacker and promptly posted on the Web, many people continue to favor easy-to-guess passwords—including the word “password”!
Have you ever used “abc123”? Or run your fingers across the keyboard and wound up with “qwerty”? You’re not alone. In this study, the most common password was “123456,” followed by “12345.” What’s more, 20% of this large sample (roughly 6.4 million people) chose one of the top 5,000 passwords. An attacker who simply tries those 5,000 entries against every account can expect to get into one in five, which makes the job a lot easier.
Fortunately, there are ways to protect yourself with distinct, memorable passwords. Some of the basic rules to keep in mind:
- The longer the password, the better.
- The greater the mix of uppercase and lowercase letters, the better.
- The more numbers and punctuation marks, the better.
- The more random, the better.
But, of course, for a password to be useful, you have to actually remember it! With that in mind, an FTC report on identity theft suggests using the first or last letters of each word in a familiar phrase.
For example, think of a line from a poem you might have memorized in school, such as “Listen my children and you shall hear …. ” Your password might be “Lmcaysh.” Or is there a phrase you remember your parents using? I’ll never forget “As long as you live in my house … ,” which gives you “Alaylimh.” Either way, you get a password that is not a dictionary word and mixes uppercase and lowercase letters. At seven or eight characters it is still short, though, so treat it as a starting point rather than a finished password.
Adding numbers or punctuation is also advisable, and it lengthens the password at the same time. Consider throwing in a memorable year—“1775:Lmcaysh,” for example, or “Alaylimh-1974.” You might also replace certain letters with numerals that resemble them, or vice versa, such as zero for the letter O, or S for the number 5. Be aware, though, that these swaps are well known and password-cracking tools apply them automatically, so they add less strength than a few extra characters would.
It’s even better if your numerals, punctuation, and uppercase letters are distributed randomly throughout the password—“L:mCay5H177S,” anyone?—but we’re going for memorable, so don’t go overboard.
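To make the recipe above concrete, here is a small Python script. It is an added example, not code from the original post or from Vanguard: it derives the initials password from a phrase, attaches the year and the look-alike substitutions, flags anything on a list of common passwords, and estimates the size of the character set a brute-force attacker would have to search, with and without case sensitivity. The phrases and years are the post's own; the substitution table, the five-entry common-password list, and the function names are assumptions made for illustration. The bit counts are a ceiling for a blind brute-force search, not a measure of real strength: a password built from a well-known quotation is far weaker against an attacker who guesses the recipe.

```python
import math
import secrets
import string

# Look-alike swaps in the spirit of the post (zero for O, 5 for S, ...).
# Assumed table for illustration: cracking tools apply the same handful of
# swaps as rewrite rules, so they buy far less than extra characters do.
SUBSTITUTIONS = {"o": "0", "O": "0", "s": "5", "S": "5", "i": "1", "l": "1", "e": "3"}

# Constructed sample of the "most common" entries the post quotes; a real
# check would use a full leaked-password list.
COMMON_PASSWORDS = {"123456", "12345", "password", "abc123", "qwerty"}


def initials_password(phrase, use_last_letters=False):
    """Take the first (or last) letter of each word: "Listen my children ..." -> "Lmcaysh".

    Case follows the source word; punctuation glued to a word is dropped and
    purely non-alphabetic tokens such as "...." are skipped.
    """
    letters = []
    for word in phrase.split():
        stripped = word.strip(string.punctuation)
        if stripped:
            letters.append(stripped[-1] if use_last_letters else stripped[0])
    return "".join(letters)


def add_year(password, year, prefix=True, sep=":"):
    """Attach a memorable year, "1775:Lmcaysh" style or "Alaylimh-1974" style."""
    return f"{year}{sep}{password}" if prefix else f"{password}{sep}{year}"


def leet_substitute(password, table=SUBSTITUTIONS):
    """Apply the look-alike swaps; characters not in the table pass through."""
    return "".join(table.get(ch, ch) for ch in password)


def is_common(password, common=COMMON_PASSWORDS):
    """Compare case-insensitively, since a case-blind site would match either way."""
    return password.lower() in {p.lower() for p in common}


def charset_size(password, case_sensitive=True):
    """Size of the character classes a brute-force attacker must search.

    A site that ignores case (several comments report this for vanguard.com)
    collapses upper and lower case into a single 26-letter class.
    """
    size = 0
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if case_sensitive:
        size += 26 * has_lower + 26 * has_upper
    elif has_lower or has_upper:
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_bits(password, case_sensitive=True):
    """log2(charset ** length): a CEILING on strength, not the real entropy.

    Anything derived from a quotation or a formula is far weaker against an
    attacker who guesses the recipe instead of every possible string.
    """
    size = charset_size(password, case_sensitive)
    return len(password) * math.log2(size) if size else 0.0


def random_password(length, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Uniformly random password, as a password manager would generate it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def strength_report(candidates, case_sensitive=True):
    """Return [(password, is_common, charset_size, ceiling_bits)] per candidate."""
    return [
        (p, is_common(p), charset_size(p, case_sensitive), round(brute_force_bits(p, case_sensitive), 1))
        for p in candidates
    ]


if __name__ == "__main__":
    base = initials_password("Listen my children and you shall hear ....")  # Lmcaysh
    family = initials_password("As long as you live in my house ...")       # Alaylimh
    candidates = [
        "password",
        base,
        family,
        add_year(base, 1775),                           # 1775:Lmcaysh
        add_year(family, 1974, prefix=False, sep="-"),  # Alaylimh-1974
        leet_substitute(add_year(base, 1775)),          # 1775:Lmcay5h
        random_password(12),
    ]
    for sensitive in (True, False):
        print(f"\ncase-sensitive site: {sensitive}")
        for pwd, common, size, bits in strength_report(candidates, sensitive):
            flag = "  <-- on the common list" if common else ""
            print(f"{pwd:16} charset={size:3}  ceiling={bits:5.1f} bits{flag}")
```

Two things the report makes visible: the same password loses about seven bits of its ceiling at a site that ignores case, and by the ceiling metric “1775:Lmcaysh” scores the same as a twelve-character random string. The difference between them is what the metric cannot see: an attacker who knows the recipe only has to try phrase initials plus years, which is why the generated one is stronger in practice.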
Whatever approach you choose, the key is to come up with passwords that seem random, yet are easy for you to remember. With a little creativity, you can help keep yourself from being one of the countless millions of Internet users who are practically inviting hackers to wreak havoc on their lives.
Note: The link to NYTimes.com will open a new browser window. Vanguard accepts no responsibility for content on third-party websites.
This advice is horrible. I have passwords for my two email accounts, three instant messenger services, a social networking site, a handful of blogs, three banks, four investment firms, three credit cards, several online stores, my own computer and the various computer networks at work. The secret to good passwords is to use different long and random passwords for every site and to write them down. There are several free programs available that will generate a random password for you and then store it with your user name and the website it is for in an encrypted file. Then you need to remember only one or two good passwords instead of 20 poor ones.
You may want to share some of this info with those responsible for security at Vanguard. As far as I can tell, the passwords at vanguard.com are not case sensitive.
Also available is KeePass, a password manager. With multiple sites requiring a password, it isn’t wise to re-use the same password.
About 5-6 years ago (pre-Vanguard), I had an Investors Business Daily stock trade account. I used it a lot, until I just got “crazy” with activity. I just got offline once. However, beforehand they had an EXCELLENT password protection device, which I would be comforted with. I wish Vanguard offered it.
It is a mail-out single detail device that must be “coded” on ID and password. I think that it was even a received “per transaction” call. If you misentered it, you had to start over. No mistakes approved. It was a bothersome device but a safe one. It was sent to you from IBD. Cost was $5 I think.
Vanguard could include it. Please re-consider.
So many websites require passwords now that I have resorted to using a few standbys. However, for financial sites, I do think it’s worthwhile to have a unique, complex password. If you must write them down to remember them, at least have them hidden or locked!
It is also important to not use the same password for everything. Social network sites are often unencrypted — it’s risky to use your Facebook password for Vanguard. Mixing in the website into the password can help make it unique. For example, use the first two characters of the service (e.g. ‘V’ and ‘a’ for Vanguard) as the 2nd and 6th characters in your password.
This is good advice, and I would like to see Vanguard support more of it. Vanguard passwords ignore case and do not allow symbols; all other financial sites I use allow symbols and distinguish upper and lower case.
Compliments on this article that addresses one of my real frustrations. Thanks for the very good suggestions.
Worthwhile article. How often should you change your password if ever?
OK, so my current password has both upper case and lower case letters and numbers. I just logged on to my Vanguard account and entered my password with ALL lower case letters and Vanguard ACCEPTED it and logged me on. I also seem to recall that Vanguard does not accept !@#$%^&* in the password. So, while I agree with your conclusion in your blog, and try to apply those concepts, Vanguard doesn’t seem to support the method in the passwords it allows its clients to use.
I use a password convention - most of my password is always the same, but there are two letters that vary for every site. I have a rule for picking those letters based on the site, and they always go in the same place. So I basically have a formula that allows me to have different passwords for everything, but only remember one thing. This was a method taught to me by a savvy IT guy and is the best approach I’ve ever heard.
If you’re old enough to remember a defunct phone number with both letters and numbers (e.g., BU8-1234), try using it.
Vanguard’s website should allow for complex passwords including special characters. In terms of security, Vanguard should treat paper mail as email. Account owners know their own confidential information and account numbers. Printing them on paper mail is very, very bad practice. No mail is secure. Tax forms and account maintenance postal mails should be waived as long as clients sign up for e-delivery. Please take more advantage of e-delivery and at the same time save trees, save money. Thank you in advance!
I like this advice and use some of these techniques. I also use the same password or versions of that password for sites for which I am not as security-minded. For example, I would not be devastated if someone hacked into one of my social networking sites or other sites that do not store my credit card info. Therefore, I use one password (or version of the password) for these sites. This simplifies things a little. Also, since different sites have different character requirements, as alluded to earlier, I have versions of usernames and passwords. For example, if a site lets me use the (hypothetical) username USArev76, then I’ll make my password Lmcaysh76. But if another site requires more letters for the username, I’ll use USArev1776 and password Lmcaysh1776.
thanks a lot for your timely reminder and practical solutions! GOOD job!!
At a minimum, the Vanguard site should implement your advice and allow longer passwords, case-sensitive passwords, and symbols in the password. Ideally, Vanguard would implement a genuine multi-factor, token-based login system.
Perfectly terrible advice. You SHOULD include special characters, i.e., above the number keys, in making an effective password. Unfortunately Vanguard does NOT allow this. As an IT professional, I must say this is the only site I’ve come across to not allow special characters. Please get into the 21st century.