The man accused of one of the juicier hacking cases of the past few years is no Internet mastermind. On June 24, a French citizen who goes by the pseudonym "Hacker Croll" will face charges that he broke into Facebook pages, e-mail accounts, and the Twitter feeds of then-Sen. Barack Obama, singer Britney Spears, and other celebrities.
How did he break in? Police say that he's just a good guesser.
By cruising through blogs and social-networking pages posted online by his victims, he allegedly dug up enough information to guess people's passwords and security questions.
This trick is pretty easy to pull off. Try combinations of family names, graduation dates, birthdays, favorite bands or sports teams – all information that many of us share willingly online.
This isn't a call to scrub down your Face book profile until it's pointless. But Hacker Croll's story is the latest of many (often-ignored) reasons to improve your online passwords. But since doing so is such a nuisance, here's a simple, easy-to-remember way to craft secure passwords for all the websites that you visit.
Before we roll out the grand plan, let's walk through why most passwords stink.
First, do not use common words or patterns. The most frequent password on the Internet is "123456" – nearly 1 in every 100 people uses it. It's simple, can be typed quickly, and is the first thing hackers will try. Throw in the next 4,999 most popular terms and they make up 20 percent of all passwords used online.
These numbers come from computer security firm Imperva in Redwood Shores, Calif. The company stumbled upon a list of 32 million passwords posted by a bragging hacker who had recently snatched the data from RockYou, which designs software for Facebook and MySpace.
This rare look into people's password habits showed how lax or at least unoriginal people can be, says Rob Rachwald, who helped write Imperva's report.
Hacker Croll's tactic works well when targeting specific people, but Mr. Rach wald says that most online thieves cast wide nets.
"It's not me trying to guess individual passwords," he says. "Hackers use so-called 'dictionaries,' " lists of common terms and phrases that a computer tries one after another until it finds a match.
Since 1 in 5 accounts draws from the same pool of 5,000 passwords, an automated program has pretty good odds – especially since Imperva estimates that modern PCs can race through 110 tries each second.
That leads to the second rule: The longer a password, the better. Eight to 10 characters work best.
Why? Even if you avoid common terms, some hackers could still attempt to "brute force" their way into your account. This means telling a computer to try every permutation that it can think of until it busts in. On average, a five-character password will last a couple of hours against such a barrage, according to John Pozadzides, CEO of software company iFusion Labs. Eight characters will hold up for centuries. (See chart, above.)
This also explains why sticking to lower-case letters is a bad idea. "Adding just one capital letter and one asterisk," Mr. Pozadzides says in his report, "would change the processing time for an eight-character password from 2.4 days to 2.1 centuries." (While he calculates hacker speeds differently from Imperva, the scale is what's impressive.)
The solution? To pick a lengthy string that's easy to remember, but gibberish to others, think of a phrase. For example, Hamlet's line: "To be, or not to be: that is the question." Boil this down to an initialism: TbontbTitq. Now swap in some numbers and special characters: Maybe "2" instead of "to" and "?" to replace "question". (Zeroes make nice "O's" and "3" works as an "E".) You've now got 2bon2bTit? – a 10-character chain with all the fixings.
Add another layer of security by extending it for each website. That way, if someone figures out one of your passwords, they don't gain access to all of your accounts. Attach Fk to your Facebook password or maybe Hm to Hotmail. Better yet, reverse the order of these additional letters to further obscure their meaning.