Kevin Mitnick’s 10 Rules for Stronger Passwords
Always use strong passwords on the internet. A strong password is one that is hard for someone else to guess.
1. Don’t tell your passwords to anyone, even tech support people who may ask you for them. Nobody should ask for your password, and you should never give your password to anyone.
2. Don’t use simple dictionary words or pets’ or people’s names for your password. And avoid things like your zip code or key dates like a birthday or an anniversary.
3. Use passwords that are at least 12 characters long; however, those are still easy to crack if an attacker gets into your network. If you want to be super safe, use 20 characters. And don’t write them down where they can be easily found.
4. It’s actually easier and more secure to create a passphrase instead of a password. A passphrase is a few nonsense words like $3 for the pirate hat or Betty was smoking tires and playing tuna fish.
5. Use a different password for each website. And don’t use simple patterns like password1, password2, password3 for different sites—those are too easy to guess.
6. Change your passwords for sensitive websites, like online banking, every 60-90 days, and, like Rule 5, do not use easy-to-guess patterns when you change them.
7. If you think your password may have been compromised, change it immediately and check your other websites for any signs of misuse, starting with your online banking site!
8. Sometimes websites ask you to enter the answer for a security question that you can use if you forget your password. Make sure that your answer to that security question is just as hard to guess as your password. This answer should not be used anywhere else.
9. Use extra security features, such as stronger forms of authentication, everywhere you can. For example, a site may offer an option to use Google Authenticator, which is an app that generates a new six-digit number every minute as a “second password.” That is a good security feature, so use it! Sites also sometimes offer to send you a code via a text message. To log in to your account, you need both your password and the code. That’s less secure than the Google Authenticator app on your phone but better than nothing.
10. Use the password procedures that your organization requires you to use, and consider using a password manager at home. These products make it much easier to have strong, unique passwords on all of your accounts. There are also online password generators that create hard-to-guess passwords—for example, www.passwordsgenerator.net.