Q: Do I really need to change my passwords every three months?
A: Yep. Let's face it, when it comes to online security, the weakest link is our collective refusal to create, memorize and change our passwords every 90 days, as the National Security Agency's Systems and Network Analysis Center suggests.
The only solution is to use a different password for every single site you visit, according to Tara Kelly, who co-founded Passpack, a web-based password-management provider that was later sold to Utah-based Kemesa Holdings. With the surplus of sites we enter on a daily basis, the only way to remember all that information is to not have to remember it at all.
"That's what password managers are for," Kelly explains.
We asked her to elaborate on password best practices.
Is there an alternative to memorizing complex new passwords every 90 days?
Consider using a password phrase. Instead of, for instance, "gaga72013," use a whole sentence, along with spaces and punctuation. Something like "Lady Gaga rocks my world!" is strong, and it'll bring a smirk to your face every time you type it in.
But what if a site doesn't support password phrases?
This is where a password manager can be put to good use. Many password managers are free, and they not only store your passwords, they also generate complex monsters like "4C!rhxn-KAnw&w5" for you. You only need to enter your master key password once to open the password manager, and it takes care of entering the rest of your passwords.
Some people talk about creating their own informal password algorithms. Is this something you recommend?
While it's better than reusing the same password across sites, it's not as safe as a completely random password or a well-constructed pass phrase. One example of a password algorithm that people frequently use is (name of site) + (birth year) + (cat name). In this case the birth year and cat name never change; the only thing that makes the password unique is the name of the site, which is different for every site you log into. Problem is, password algorithms can be easily reverse-engineered, especially if a hacker targets you specifically. Once the attacker discovers your system, it doesn't matter that each password is unique. They can easily figure them all out.