15.2. Creating Passwords
A password of 75aRvLx3 is pretty darn unguessable. Unfortunately, it's also impossible to memorize except by a few child prodigies. And therein lies the problem with passwords: picking them creates a constant tradeoff between convenience and security.
To make things worse, everything seems to want a password these days: ATM machines, Web sites, email accounts, cell phones. Even Windows XP asks for a logon password if you password-protect your user account (Start → Control Panel → User Accounts).
When faced with a deluge of password requests, too many people resort to the quick and dirty approach: using the same password for everything, which creates a master key for a thief. Other people choose simple, easy-to-remember passwords like "1234" or "asdf" that fail most basic "good password" guidelines. Several worms (see Section 15.6.2) released on the Internet in the past two years come with password crackers that try the most common passwords.
Tip: A good password is eight characters or longer and mixes numbers with uppercase and lowercase letters. A bad password is your own name; the words admin, 1234, password, or open sesame; the name of a spouse, relative, or pet; or your home or work address.
Although passwords will always be an inconvenient necessity, several creation tricks make them slightly less bothersome:
Mnemonic phrases. Anybody who's taken piano lessons remembers "Every Good Boy Does Fine," which helps them remember the E, G, B, D, and F positions on the music scale. Similarly, passwords based on mnemonics hold special significance to their creators. For instance, the phrase "I ate fish last Thursday evening" could be reduced to I8flTe, creating that rare combination of both a strong and memorable password.
Word combinations. Combine two random four-to-six letter words with a number or symbol between them, like apple#deluge.
Browser automation. Both Internet Explorer and Firefox will memorize passwords for Web sites, automatically filling in both your user name and password whenever you visit. That's fine for your recipe swap site or woodworking group. But your browsers repeat that helpful act for anybody sitting at your PC, including the person who walked off with your laptop yesterday. Limit your browser's password stash to low-risk sites.
To change Internet Explorer's password assistance settings, open the program and choose Tools → Internet Options. On the Content tab, click Auto-Complete, and then either turn on or off "User names and passwords on forms." Doing so tells Internet Explorer to stop memorizing your passwords.
To change Firefox's password settings, open the program and choose Tools → Options → Privacy → Saved Passwords, and then turn off Remember Passwords. Or, to have security and Firefox's password helper, click Set Master Password on that same page. After you set a Master Password, you must enter that password each time you open Firefox on your PC. Without that password, Firefox will still run, but it won't automatically fill in your passwords at the Web sites you visit.
Both programs place a password-clearing button on these password settings pages, which is handy after you enter your password at a public terminal. Just click the button at the end of your session, and you instantly force the browser to forget any password you've just entered.
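The Tip's rules and the word-combination trick above, as an added Python sketch (not from the book): the function names, the separator set, and the six-word demo list are assumptions made for illustration. It runs the page's own sample passwords through the Tip's checks and estimates how guessable a word combination is once the recipe and word list are known.

```python
import math
import secrets
import string

# Passwords the page calls out as bad (the Tip and the paragraph before it).
COMMON = {"admin", "1234", "password", "open sesame", "asdf"}

def tip_failures(password, personal=()):
    """Return the Tip's rules that `password` breaks (empty list = passes).

    `personal` holds names/addresses to reject: your own name, a spouse,
    relative or pet, a home or work address.
    """
    failures = []
    lowered = password.lower()
    if len(password) < 8:
        failures.append("shorter than eight characters")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if lowered in COMMON:
        failures.append("on the common-password list")
    if any(p.lower() in lowered for p in personal if p):
        failures.append("contains personal information")
    return failures

def word_combination(words, separators=string.digits + "#$%&*+"):
    """Two random words joined by a number or symbol, drawn with a CSPRNG."""
    pool = [w for w in words if 4 <= len(w) <= 6]
    first, second = secrets.choice(pool), secrets.choice(pool)
    return first + secrets.choice(separators) + second

def combination_bits(word_count, separator_count):
    """Guessing entropy in bits when the attacker knows the recipe and list."""
    return math.log2(word_count ** 2 * separator_count)

if __name__ == "__main__":
    for pw in ("75aRvLx3", "1234", "I8flTe", "apple#deluge"):
        print(f"{pw!r}: {tip_failures(pw) or 'passes the Tip'}")
    # Constructed six-word list; a real list needs thousands of entries.
    demo = ["apple", "deluge", "river", "candle", "mango", "tiger"]
    print(word_combination(demo), f"{combination_bits(len(demo), 16):.1f} bits")
```

The strength of a word combination comes from the size of the list the words are drawn from, not from how unusual the two words look, so the words have to be picked at random from a large list.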
When you find yourself juggling more passwords than you can remember, you may want to enlist the help of a password management program. These programs let you enter one strong password, after which they display your entire password collection. Whenever you visit a site requesting a password, open your password management program by typing its single password, copy the password you need, paste it into the Web site, and then close the program.
Some of the more popular password managers include Password Safe (http://passwordsafe.sourceforge.net), which even creates those hard-to-think-up passwords like "i5GBh9F6." Other people prefer hardware devices like a fingerprint reader, shown in Figure 15-5, for quick access to sites.
Figure 15-5. Microsoft's fingerprint readers (www.microsoft.com/hardware) come in a standalone model (shown here), as well as models built into keyboards and mice. All three variations let you log onto Windows XP at the touch of a finger, but they really shine at logging onto password-protected Web sites, automatically entering your user name and password when you touch the pad.
For security on your own PC, these passwords will stop most people from accessing your data:
Entire PC. To stop people from even getting into Windows, much less your files, password protect your PC's BIOS (Section 17.2.3). That tells your PC to request a password when first turned on, before it loads any operating system or program. It's only a first line of defense, as some PCs make a BIOS password easier to bypass than others. Try to break in (see Section 17.1) and see whether your PC's BIOS opens the door or keeps it slammed shut.
Windows user account. Password protecting your user account (Start → Control Panel → User Accounts) keeps out others, but be sure to create and hide a Password Recovery Disk before you find yourself locked out of your own account. If you're already locked out of your own account, sans Password Recovery Disk, you're not completely out of luck.
Note: For more information about creating, deleting, and managing Windows XP's user accounts, see Windows XP: The Missing Manual.