4 Apprentice • 20.5K Posts • 7797 • March 10th, 2009 05:00

Do you use one password for every website?


Despite high-profile security breaches such as Jack Straw's Hotmail account being compromised, and cybercriminals gaining access to celebrity Twitter accounts after cracking an administrator password, a third of computer users are still using the same password for every website they access according to newly revealed stats* from Sophos.

Info Here

5 Journeyman • 15.6K Posts • 45K Points • March 10th, 2009 08:00

My suggestion is that a person use at least two or three distinct "levels" of passwords, depending on the "sensitivity" of the sites/information involved. For example, one password to log on to "non-sensitive" accounts (a forum like here at Dell, and perhaps your e-mail [depending on the nature of what you send/receive]), a completely separate password [or group of passwords] for "sensitive" accounts like accessing banking, credit card, and brokerage sites, and yet a third-level password (whenever possible) for conducting major transactions on these sensitive sites (e.g., a separate password for actually buying/selling stocks through your brokerage, over and above the password used to simply access your brokerage account).

People need to be especially concerned when using the internet at non-secure public WiFi sites (Barnes & Noble, McDonald's, airport terminals, hotels, etc.). It's one thing if someone were to learn/steal your password to access the Dell forum... the worst that can happen is that they will try to impersonate you, and perhaps speak vilely enough to get you banned from here. But if you also use that same password for your banking, then they could actually rip off your finances.

So yes, you need to use at least two or three "levels" of passwords... and the more the better (subject to your ability to remember them all, and not lock yourself out of your own accounts!)

HOW to choose good passwords is also an important issue... first and foremost, you do not want to use a real (dictionary) word or name, as this is usually the starting point for "brute force" attacks: a nonsensical/random password is far preferable to a real/dictionary word. And the longer, the better (e.g., 8 or more characters long). Mixing some lowercase letters, along with some uppercase letters, and some numbers [and punctuation marks, if the site allows] is another "plus", as passwords are typically case-sensitive (i.e., "HELP" is different from "help", as well as from "hElp", etc.)

You also don't want to use passwords that could be "obvious" to your family or friends, like your spouse's/child's name, your pet's name, your favorite sports team, your birthday, part of your address or phone number, or the name of the company you work for.   You should also avoid items that are typically used for identification purposes, such as your mother's maiden name, and especially, your social security number!

So first, choose two [or three] different ("levels" of) passwords [e.g., one for non-sensitive sites, and a second/different more-complicated one for sensitive sites]. For each "level" of password chosen, you can then invoke subtle variations customized for particular websites. For example, let's say you've decided you would like to use the same base/root password "WhoozyWhatzit29" at your banking sites (because you have trouble remembering separate passwords for each site). You can start with this "base" password, and then simply tack on letters related to each site's name: for example, CHWhoozyWhatzit29ASE to access your CHASE bank account, and CIWhoozyWhatzit29TI to access your CITI bank account. Such simple creativity can go a long way.

(For those wondering, no, "WhoozyWhatzit" is NOT my password... for ANYTHING! And to be blunt, it's really not random enough either. I'm just using it as an example for the sake of this discussion. For those interested in some thoughts on creating a much more RANDOM password, the Info Here link given above by BugBatter contains an excellent presentation: http://vimeo.com/3546084 )

2 Intern • 5.8K Posts • 17.3K Points • March 10th, 2009 15:00

Why you shouldn't be using passwords of any kind on your Windows networks . . .

- Robert Hensing - Microsoft PSS Security Team

While not applicable to website passwords, this alternative to passwords on Windows is virtually uncrackable.
----------------------------------------------------------

For website passwords, I use the first letter/number of each word in an easily remembered sentence, plus the punctuation:
e.g., 30 days hath September, April, June and November! = 30dhS,A,JaN!

Strong passwords: How to create and use them:
http://www.microsoft.com/protect/yourself/password/create.mspx

You can check the strength of your password here:
http://www.microsoft.com/protect/yourself/password/checker.mspx
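The sentence-to-password rule in the post above (first character of each word, numbers kept whole, attached punctuation kept) is mechanical enough to write down. The following is an added example, not code from the original post; the function name and the handling of tokens that are pure punctuation or carry leading punctuation are my assumptions about how the rule generalizes beyond the one sentence given.

```python
import re

# Matches optional leading punctuation, the first run of letters/digits,
# and whatever follows (trailing punctuation, apostrophes, ...).
_TOKEN = re.compile(r"^(\W*)([A-Za-z0-9]+)(.*)$")


def mnemonic_password(sentence: str) -> str:
    """Derive a password from a memorable sentence.

    Rule (as stated in the post): each word contributes its first letter,
    a number is kept whole, and punctuation attached to a word is kept.
    Assumption: a token with no letters or digits (e.g. a lone "-") is
    kept as-is, and non-alphanumeric characters after a word's first run
    of letters (e.g. the "'" in "can't") are kept as punctuation.
    """
    out = []
    for token in sentence.split():
        m = _TOKEN.match(token)
        if m is None:
            # Pure punctuation token: keep it unchanged.
            out.append(token)
            continue
        leading, core, rest = m.groups()
        out.append(leading)
        if core.isdigit():
            out.append(core)      # "30" stays "30"
        else:
            out.append(core[0])   # "September" -> "S" (case preserved)
        # Keep only the non-alphanumeric characters of the remainder.
        out.append(re.sub(r"[A-Za-z0-9]", "", rest))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample input: the sentence used in the post.
    sentence = "30 days hath September, April, June and November!"
    print(sentence, "=", mnemonic_password(sentence))
```

The derived string preserves the capitalization of each source word, so a sentence with a mix of capitalized and lowercase words yields mixed case without extra effort.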

5 Journeyman • 15.6K Posts • 45K Points • March 10th, 2009 17:00

Hi Joe,

I figured you'd have some thoughts on this issue.

I tried "playing" with the password-strength-checker link you gave, which rates passwords on a WEAK / MEDIUM / STRONG / BEST basis. While I can't say I've "fully" cracked their classification, I believe the following assertions to be accurate:

1a) If a password has at least 8 characters but less than 14, and contains at least one digit and one letter, it will rate as MEDIUM.

1b) Likewise, if a password has at least 8 characters but less than 14, and contains at least Two letters --- of which one is CAPITAL and another is lower-case, it will rate as MEDIUM.

2) If a password has at least 8 characters but less than 14, and contains at least one digit and Two letters --- of which one is CAPITAL and another is lower-case, it will rate as STRONG.

3) If a password has at least 14 characters, and contains at least one digit and Two letters --- of which one is CAPITAL and another is lower-case, it will rate as BEST.

[I did not attempt any testing with "special" (i.e., NON alphanumeric) characters, since not all websites allow them. Also, for those logicians out there, my assertions are an attempt at finding sufficient conditions to achieve the specified ranking; however, I am not asserting that any of these conditions are also necessary.]

Of course, my comment above that the 8 (or 14) characters be chosen so as to constitute a random/nonsensical expression (rather than a real/dictionary word) is still applicable.

Hopefully, this discussion will get people to reconsider/reevaluate their choice of passwords... and ideally, implement changes for the better.
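The four assertions above (1a, 1b, 2 and 3) can be turned directly into a small rating function. This is an added example and is not the Microsoft checker's actual algorithm, which the post does not claim to know; it encodes only the sufficient conditions the poster reports, so a password that none of the rules covers gets `None` rather than a guessed rating. The function and the sample passwords are constructed for this illustration.

```python
from typing import Optional


def rate_password(pw: str) -> Optional[str]:
    """Rate a password using the sufficient conditions asserted in the post.

    1a) 8..13 chars, at least one digit and one letter      -> MEDIUM
    1b) 8..13 chars, at least one upper and one lower letter -> MEDIUM
    2)  8..13 chars, a digit plus upper and lower letters    -> STRONG
    3)  14+ chars, a digit plus upper and lower letters      -> BEST

    Returns the highest rating proven by these rules, or None when no
    rule applies (the rules are sufficient, not necessary, so None means
    "not determined by these rules", not "WEAK").
    """
    n = len(pw)
    has_digit = any(c.isdigit() for c in pw)
    has_letter = any(c.isalpha() for c in pw)
    # "two letters, one CAPITAL and one lower-case" is exactly mixed case.
    mixed_case = any(c.isupper() for c in pw) and any(c.islower() for c in pw)

    if n >= 14 and has_digit and mixed_case:
        return "BEST"
    if 8 <= n < 14:
        if has_digit and mixed_case:
            return "STRONG"
        if (has_digit and has_letter) or mixed_case:
            return "MEDIUM"
    return None


def rate_many(passwords):
    """Rate a list of passwords; returns {password: rating}."""
    return {pw: rate_password(pw) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample passwords exercising each rule and the gaps between them.
    samples = [
        "abcdefg1",        # 1a: digit + letter, 8 chars
        "abcdefgH",        # 1b: mixed case, 8 chars, no digit
        "abcdefG1",        # 2:  digit + mixed case, 8 chars
        "Abcdefghij1234",  # 3:  digit + mixed case, 14 chars
        "abcdefghij1234",  # 14 chars but no uppercase: no rule applies
        "abc1",            # too short: no rule applies
    ]
    for pw, rating in rate_many(samples).items():
        print(f"{pw:16} -> {rating}")
```

The fifth sample is the shape of password the next reply describes (14 lowercase alphanumeric characters): none of the asserted rules covers it, which is consistent with the poster's note that the conditions are sufficient rather than necessary.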

2 Intern • 5.8K Posts • 17.3K Points • March 10th, 2009 19:00

It's very interesting.

I had previously used a 14-character alphanumeric password for my banking website, along the lines of an easily remembered sentence. I would have thought this more than sufficient, but the MS password checker granted it only "medium" strength, presumably because all were lower case.

When I merely capitalized the first letter of the password it garnered a "best" strength rating. Just to emphasize the importance of incorporating both upper and lower case characters in a password.

Passwords are a pain to remember, but a necessary evil. Some say to never record them anywhere, but I don't find that practical. I keep mine in a password-protected folder, and backed up on an external device. I hear there are password management programs that will encrypt your passwords, but have no experience with them.

650 Posts • March 10th, 2009 20:00

All of my passwords are at least 15 characters in length and contain numbers, letters, and symbols. That's what I tell everyone else to do. Don't make it so long that you're going to forget it, but don't make it so short that it's easy to crack.

2 Intern • 2.5K Posts • March 10th, 2009 21:00

Basically I use two account/password pairs. Any more and I would forget them. I once worked where they were very security conscious; I was one of the System Administrators. The administrator passwords were changed often. There were probably a half dozen unrelated passwords I had to know at all times. I can assure you that almost everyone that needed those passwords had recorded them someplace. The strength of a password should reflect the value of what is being protected. Should you replace your front door with a Mosler vault door?

Actually I worked once where they did that. The computer room had poured concrete walls, floor, and ceilings, with copper wires embedded to prevent RF signals getting out. The two front doors to the computer room were Mosler vault doors. The building containing the computer room was patrolled 24/7. The cabling to dumb terminals external to the computer room but within the building was encased in pressurized conduit and was monitored at all times. The signals were passed through an optical decoupler to ensure there were no RF leaks.

There also seems to be a cart/horse problem. To run a brute force cracker on my PC, first you have to get on my PC, which many times is a breach of physical security.

5 Journeyman • 15.6K Posts • 45K Points • March 11th, 2009 10:00

I maintain a password-protected file of password hints on my PC:

1) the file is password-protected (a standard, but little-talked-about feature available in WORD, WordPerfect, and OPEN OFFICE --- and each of these programs will respect/honor the others' protection), so that [hopefully] no one will be able to open the file without knowledge of its password. [Yes, it is critical that I don't forget this particular password]

2) even if someone managed to get into the file (either by knowing/cracking the actual password, or somehow "bypassing" the password-protection feature), all the file contains are suggestive hints to help me remember which password I'm using at any given website I frequent.

For my purposes, I believe that to be both helpful [when/if I get my online-password-variations mixed up] as well as reasonably secure.

-----------------------------

Each person has to decide for him/herself just what they stand to lose should some of their passwords get uncovered. In the example I gave above, about someone losing the security of their DELL forum password, little real damage can actually be inflicted in terms of forum (mis-)participation... "banning" the screen name being the worst possible consequence... after which, the true/original user could always set up a new forum screen name.

However, now that DELL, in its infinite wisdom, has insisted on merging forum screen names with the user's purchase account, it's become conceivable that a stolen "forum" password can in fact result in a fraudulent DELL purchase!

I certainly would be more careful and concerned about online banking & credit card accounts... but not to the point of paranoia. While I have no doubt that Federal Investigative Agencies have the ability to easily/quickly hack into my system [as well as through WEP and perhaps even WPA encryption passwords], I do not flatter myself as being important enough for them to consider doing so. Yes, I have read many articles asserting that WEP is not considered secure anymore... but to me, the more fundamental question is WHO would be interested enough in ME to try breaking through my router/firewall? My goal is not to stop the DoD, but only to deny sharing bandwidth with my neighbors --- presumably just ordinary people --- living in close enough proximity to even receive my router's signal in the first place... and for this, I'm hoping that even WEP should still offer SOME reasonable degree of protection [especially since my router's home/options page shows me all the users who are currently accessing it].
