
How to Deal with Password Fatigue


Password fatigue. We all have it. We need to remember too many passwords. The average Internet user today has 40 personal and professional accounts requiring user names and passwords, according to PricewaterhouseCoopers. To make life easier for ourselves, we choose passwords that are easy to remember, such as our pets’ names. Jupiter Research found that over half of the consumers it interviewed used the same user name and password for all or most of the sites they visit.

We know what we’re supposed to do: make them cryptic, and change them regularly. But strong passwords, the kind that mix upper and lower case letters, numbers and punctuation, are a lot harder to remember than, say, our cat’s name. It isn’t surprising that we turn to Fluffy for inspiration.

How do passwords get stolen? Robert Graham, CEO of Errata Security, explains that we can get hit with either online or offline attacks. In an online attack, hackers try to log on pretending to be you and guess your password against the live system. Unless you’ve chosen something extremely easy to guess, such as asdfg, this usually isn’t a problem, because well-run online systems throttle or lock an account after a few failed attempts. (That limit is also why attackers prefer to “spray” a handful of very common passwords across many accounts rather than fire many guesses at one.)

Offline password cracking, Graham says, is another story. When hackers break into a system and steal the password file (which holds hashes of the passwords, not the passwords themselves), or capture an authentication exchange on the network, they can then guess candidate passwords, hash each guess and compare it with what they stole, as fast as their hardware allows and without anybody stopping them.

Graham’s figures are eye-openers. Cracking programs can test passwords at a rate of one billion guesses a second. With roughly 100 possible characters (letters, numbers and symbols), a five-character password has 100^5 = 10 billion combinations, so it falls in only 10 seconds. Each extra character multiplies the work by 100, so things quickly get harder for the hacker:

5 characters = 10 seconds
6 characters = 1,000 seconds
7 characters = 1 day
8 characters = 115 days
9 characters = 31 years
10 characters = 3,000 years

Clearly we need long and complex passwords. While hackers can usually crack anything of seven characters or fewer, they are unlikely to recover a password of nine characters or more by brute force. Passwords should also mix uppercase and lowercase letters, numbers and symbols: according to Graham, that gives about 100 possibilities per character, against only 26 for an all-lowercase password. An all-lowercase password of 10 characters (26^10, about 1.4 x 10^14 combinations) falls in under two days at a billion guesses a second. Bear in mind that all of these times scale with the guessing rate, and that rate depends on how the password was stored: an unsalted fast hash such as MD5 or NTLM can be attacked tens to hundreds of times faster than Graham’s figure on GPU hardware, while a deliberately slow password hash such as bcrypt, scrypt or Argon2 cuts the rate by several orders of magnitude.
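To see where the table above comes from, here is the cost model worked through in code. This is an added example, not code from the post or from Graham; the only figure it takes from the post is the rate of one billion guesses a second, and the two alternative rates (a fast unsalted hash on a GPU, a bcrypt-class slow hash) are illustrative assumptions chosen to show how much the storage format moves the numbers.

```python
"""Brute-force cost model behind the crack-time table:
guesses = charset_size ** length, seconds = guesses / guesses_per_second."""

ARTICLE_RATE = 1e9  # one billion guesses per second, the figure quoted in the post

# Illustrative rates for other settings (assumptions, not figures from the post):
# a fast unsalted hash such as NTLM or MD5 on GPU hardware, and a deliberately
# slow password hash such as bcrypt at a high work factor.
RATES = {
    "post's figure (1e9/s)": ARTICLE_RATE,
    "fast unsalted hash on GPU (1e11/s)": 1e11,
    "slow bcrypt-class hash (1e4/s)": 1e4,
}

UNITS = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def crack_seconds(charset_size, length, rate=ARTICLE_RATE):
    """Worst case: the whole keyspace at `rate` guesses/s (average case is half this)."""
    return keyspace(charset_size, length) / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits, e.g. '31.7 years'."""
    for name, unit in UNITS:
        if seconds >= unit:
            return f"{seconds / unit:,.1f} {name}"
    return f"{seconds:,.0f} seconds"


def crack_table(charset_size, lengths, rate=ARTICLE_RATE):
    """(length, human-readable worst-case time) for each length, reproducing the post's table."""
    return [(n, humanize(crack_seconds(charset_size, n, rate))) for n in lengths]


if __name__ == "__main__":
    for label, rate in RATES.items():
        print(f"--- {label}, 100-symbol alphabet ---")
        for n, t in crack_table(100, range(5, 11), rate):
            print(f"{n:2d} characters = {t}")
    print("--- post's figure, lowercase letters only ---")
    for n, t in crack_table(26, [8, 10, 12]):
        print(f"{n:2d} characters = {t}")
```

Run it and the first section reproduces the post's table (10 seconds through about 3,200 years); the GPU section shows the same nine-character password dropping from decades to months, and the bcrypt section shows even six characters taking years. The lesson for anyone storing passwords is the mirror image of the advice to users: the choice of hash moves the attacker's column by five orders of magnitude, which is more than any length rule you can impose.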

Hackers have another trick up their collective sleeve: the mutated dictionary attack. As Graham explains it, a long password like “Aardvark-Zebra9” is beyond what brute force could discover in any reasonable time. Hackers get around this with a dictionary attack: instead of trying every combination of characters, they try words from a dictionary, and then mutate those words to reflect the common alterations people make to their passwords.

When we try to make our passwords complex, we usually do something simple to them. Instead of choosing just “michael”, we make it “michael!”. Putting an exclamation mark at the end of a password is one of the most common mutations people choose. Hackers know this.

When devising your passwords, consider this list of common mutations that hackers apply to dictionary words:

  • Capitalizing the first letter of a word
  • Checking all combinations of upper/lowercase for words
  • Inserting a number randomly in the word
  • Putting numbers on the ends of words
  • Putting numbers on the beginning of words
  • Putting the same pattern at both ends, like *foobar*
  • Replacing letters like “o” and “l” with numbers like “0” and “1”
  • Punctuating the end of words
  • Duplicating the first letter, or all letters in the word
  • Combining two words together
  • Putting punctuation or space between the words

Hackers don’t limit themselves to English words; they also use Spanish, French and German dictionaries, and words from pop culture, like xbox360 or Britney Spears.

Here’s an example Graham gives. If hackers know who you are, they will find words particular to you. Say your name is John Smith, you drive a BMW, you work for Microsoft, and you like to watch The Office. A hacker will Google these terms and build a wordlist from the resulting Web pages. Carell325i looks like a fine 10-character password, well beyond brute force, but it will be cracked in only a few minutes by a hacker who knows you.

Devising strong, secure passwords doesn’t have to give you a migraine.

So how do you choose an effective password? Increase the number of things hackers have to check, so that your password falls outside their wordlist and mutation rules. They will certainly check for numbers on the ends of passwords, but their rules cover the obvious ones first: 1, 123, 1234 and, for anyone they have profiled, your birth year or birthdate. A number with no link to you, placed somewhere other than the end, is far less likely to be covered.

Including a character outside the cracker’s alphabet, such as a vowel with an umlaut, defeats any rule set that never generates it (tools that handle Unicode and a wordlist that already contains the character will not be fooled, so don’t rely on it alone). Typing long phrases instead of words also helps: “’Twas a dark and stormy night” is easy to remember, yet it is far too long for brute force and no dictionary-word mutation will produce it. Be aware, though, that famous lines turn up in phrase lists of their own, so a phrase you made up, or a well-known one you have altered, is safer than an unmodified quotation.

On the other hand, the more complex you make your password, the harder it will be for you to type it. Try to create something that you can comfortably type.
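The mutated dictionary attack described above, and the advice on what escapes it, can both be checked with a small implementation. This is an added example, not Graham’s code or any real cracking tool (hashcat and John the Ripper implement the same idea with far larger rule sets); the profile wordlist is constructed for the John Smith example in the post, and the rules implemented are a subset of the mutation list above, with full upper/lowercase toggling left out to keep the candidate set small.

```python
"""Mutated dictionary attack: instead of the whole keyspace, try dictionary and
profile words with the common alterations people make to them."""
from itertools import product

# Constructed profile wordlist for the "John Smith" example in the post
# (assumption: a real attacker would harvest hundreds of such words via search).
PROFILE_WORDS = ["michael", "aardvark", "zebra", "carell", "325i", "bmw", "office"]

DIGITS = tuple(str(d) for d in range(10))
PUNCT = tuple("!?.*#$")
SEPARATORS = ("", "-", " ", "_", ".")
LEET = str.maketrans({"o": "0", "l": "1", "e": "3", "a": "4", "s": "5"})


def word_variants(word):
    """Single-word mutations: case changes, leetspeak, duplicated letters."""
    # Only three case forms here; toggling every letter would multiply this by 2**len(word).
    cases = {word.lower(), word.capitalize(), word.upper()}
    out = set(cases)
    for w in cases:
        out.add(w.translate(LEET))              # o->0, l->1, e->3, a->4, s->5
        out.add(w[0] + w)                       # duplicate the first letter
        out.add("".join(c + c for c in w))      # duplicate every letter
    return out


def candidates(words):
    """Yield guesses in the order a cracker would try them: cheap single-word
    rules first, then two-word combinations."""
    singles = sorted(set().union(*(word_variants(w) for w in words)))
    for s in singles:
        yield s
        for affix in DIGITS + PUNCT:
            yield s + affix                      # number or punctuation at the end
            yield affix + s                      # number or punctuation at the beginning
            yield affix + s + affix              # same pattern at both ends, *foobar*
        for i, d in product(range(1, len(s)), DIGITS):
            yield s[:i] + d + s[i:]              # number inserted inside the word
    for a, b in product(singles, repeat=2):
        for sep in SEPARATORS:
            combo = a + sep + b                  # two words, with or without punctuation/space between
            yield combo
            for affix in DIGITS + PUNCT:
                yield combo + affix


def guesses_to_crack(target, words):
    """Number of guesses before `target` is produced, or None if the rules never generate it."""
    for n, guess in enumerate(candidates(words), start=1):
        if guess == target:
            return n
    return None


def candidate_count(words):
    """Size of the mutated dictionary, for comparison with charset ** length."""
    return len(set(candidates(words)))


if __name__ == "__main__":
    print("mutated dictionary size:", candidate_count(PROFILE_WORDS))
    print("brute-force keyspace for 15 characters:", 100 ** 15)
    for pw in ["michael!", "Aardvark-Zebra9", "Carell325i",
               "'Twas a dark and stormy night", "Fluffy"]:
        print(f"{pw!r:34} -> {guesses_to_crack(pw, PROFILE_WORDS)}")
```

With seven seed words the whole mutated dictionary is a few hundred thousand guesses, a fraction of a second at the rates discussed above, and it contains “michael!”, “Aardvark-Zebra9” and “Carell325i” even though the last two are far beyond brute force. The passphrase and “Fluffy” come back as None, but only because the seed list does not include them: add the cat’s name to the profile words and it falls on the first pass, which is exactly why the defence is to stay outside what an attacker can collect about you, not to bolt a symbol onto something they can.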


For managing and remembering your passwords, consider a password manager: when you create a password, store it there, encrypted under one master password you do remember. To generate effective passwords, use a password generator; most managers include one. Dozens of good password management and generator tools are available.

Check out Google’s directory list of password management and password generator options.

Try random.org to generate a random password from random bytes, shown as hex or as plain digits.

The Associative Word List Generator builds a list of words relevant to chosen subjects by scouring the Internet, which is the same thing an attacker profiling you would do, so it is a useful way to see which words you should avoid.

Roman Lab Software’s Any Password is a free, easy-to-use download that encrypts and stores all of your passwords and user names in a simple tree format.

KeePass is a free, open-source password manager that helps you manage your passwords securely. You can keep all your passwords in one database, which is locked with a master password, a key file, or both.

Test the strength of your passwords at Password Checker.

Source: Robert Graham

