The contents of this publication are available under the Creative Commons Attribution-Share Alike 3.0 Unported license.

Mozilla is putting out this guide as a public service. No approach to security can guarantee 100% security, and nothing in this publication is meant to provide any warranty or guarantee of the security of your passwords.

Passwords

It's hard to get through a day on the internet without encountering dozens of requests for your username and password. With more and more of our work and leisure time spent online, most people find that remembering a unique password for each account they have is an impossible task. It's made harder when sites have strange rules about how you must form your passwords. Some sites prohibit special characters like &, %, #, and @ in passwords. Other sites require them. Some sites have maximum length limits on passwords that are shorter than the minimum length required by other sites. What is the modern, internet-savvy user supposed to do?

Are there little yellow notes stuck to the side of your monitor with usernames and passwords scribbled on them?
Do you have at least one computer or online account where the password is "password"?
Do you use your pet's name as a password, and tell yourself you're making it more secure by adding "123" to the end?
Do you have dozens of website accounts and log into all of them with one of three favorite, easy-to-remember passwords?
Did you last change the password for your bank account shortly after the turn of the century? Before?

If you've secretly answered "yes, but..." to any of these, don't worry. We won't tell anyone, and in this guide we'll show you how to create and manage strong, secure passwords without breaking a sweat. We'll also show you how to memorize only one password and still have a unique password for every site you visit.

You'll sleep better at night knowing you're safer from identity theft, and with the tricks you'll learn here you can help your friends and relatives be safer online as well.

Passwords Are Compromises

Any password is a compromise between a secure (long, random and unique) string of characters and an easy to remember word or phrase. As we need more and more passwords to get through the day, we all tend to push the compromise in the direction of easy to remember more than we should. A bit later, we'll show you a technique creating passwords that will keep your's memorable without making them easy to guess. We'll also show you ways to let your computer manage all your passwords so you don't have to remember them.

Threats to Your Passwords

The threats to your passwords fall into three major categories:

Social Engineering: The more an identity thief knows about you, the less secure passwords associated with your everyday life become. Don't assume that the names of your children, pets or friends make secure passwords. They aren't. Similarly, if you keep passwords written down in a "secret place", anyone watching your day-to-day activity will quickly learn where they're hidden.

Brute Force Attacks: If your passwords are insecure, an identity thief needs little more than your username to mount an attack against your accounts. Cracking software that uses lists of dictionary words in combination with common password configuration information quickly opens accounts with passwords such as "Jennifer3" and "Bobcat123". A security audit of a university computer system found that 20% of the accounts could be accessed using only a list of the 20 most popular female names followed by a single numeric digit.

Breaching Insecure Systems: If the administrators of a website use poor security practices, such as storing passwords unencrypted, identity thieves that manage to breach system security can steal the entire list of passwords and usernames. That's a huge security problem for you if you've used the same password on other sites, particularly ones with access to your bank account or other sensitive information.

The lessons are clear:

Use as secure a password as possible
Change your passwords periodically
Try not to reuse passwords between sites

If that last rule is impossible to follow, then be sure that sites holding sensitive information don't use shared passwords.

What Not To Use In Your Password

There are some things you should not use when you're creating a password. All of the following are chosen as passwords so frequently that password cracking software has been developed to take advantage of their inherent weaknesses:

An Internet user named Nero,

Set his on-line bank password to "Hero",

After lunch he came back,

To a password attack,

And a bank account balance of zero.

...and one more thing to remember. You should never use a password that has been used as an example in an article about how to create good passwords. That includes this guide. Once a password has been published, it's no longer useful.

If this seems like we've eliminated any password that has a prayer of being memorable, don't worry! We'll show you how to avoid all of those pitfalls.

Choosing a secure password

Good passwords have a fairly simple set of properties:

They have both upper and lower case letters
They have digits and/or punctuation characters as well as letters
They are easy to remember, so they do not have to be written down
They are at least seven or eight characters long, but the longer the better.
They can be typed quickly, so someone else cannot easily look over your shoulder

So the puzzle before us is to create a password with all of the good properties without having any of the bad properties.

Passwords from a Passphrase

You can create a memorable, secure password starting with a simple phrase. We call these "passphrases". For example, let's use a quote from Ogden Nash:

"Happiness is having a scratch for every itch."

This is a reasonably strong password but we can improve it a bit by adding some special characters:

Associating Web Sites

We can use our new password on several different websites by adding a suffix with a mnemonic link to a particular site. Let's use the first letter and the next two consonants in the site name.

Just to add a bit more randomness we'll alternate upper-case and lower case, and if the first character in the site name is a vowel we'll start with upper-case. To mix things up a bit more we'll use the same rule to decide whether to add the site mnemonic to the left side or the right side.

#Hihas4ei:AmZ	for Amazon
fBk#Hihas4ei:	for Facebook
#Hihas4ei:YtB	for YouTube

This is just one possible rule for picking the prefix or suffix that you use to customize your password for each web site. Reversing the order of the letters in the suffix, using only vowels, only consonants or adding some other characters that come to mind when you think about the web site are all possible approaches that would improve security.

While this technique lets us reuse the phrase-generated part of the password on a number of different websites, it would still be a bad idea to use it on a site like a bank account which contains high-value information. Sites like that deserve their own password selection phrase, perhaps something like the old English proverb:

This password lacks numeric characters because our phrase contains neither numbers nor the words "to" or "for". We could strengthen it a bit by adding a rule to put in a digit or two if none are provided by the phrase:

But even without doing that our rule based system gives us strong, easy to remember passwords that are unique to each website.

The Power of Rules

Notice that by using a simple set of rules, we're able to construct a longer than average password tht's still easy to remember. Here are the rules we used:

Memorizing Your Passphrase

You will find that passphrases are more memorable than simple passwords. However, if you have trouble remembering the passphrase you can resort to an old-fashoned memorization trick from elementary school. Take a piece of paper and write down your passphrase 10 times in a row. Real paper and pen work better than typing, but any form of repetition will help. Just be sure to dispose of the paper securely.

Changing Your Passwords

If you work for an organization that requires you to change your password periodically, you should consider changing all of your passwords at that time as well. You don't have to visit all your sites, just choose a new secret phrase and as you visit each site make the change.

If nobody requires periodic changes, you should consider changing your password at least twice a year. A convenient way to remember to change is to pick a new secret phrase when you set your clocks when the time changes in the spring and autumn.

Password Recovery Questions

Many websites use a "secret question and answer" to allow you to reset or recover your password. These are often implemented in less than a secure manner. The security problem exists when the site requires you to select from a limited set of questions. Choosing a question such as "In what city were you born?" presents an obvious security hole. Knowing where you were born gives anyone access to your password. If the site doesn't let you write your own question, and many don't, you're better off tricking the system into being secure. Here's how:

Select a passphrase create a password you will use for password recovery.
No matter which "secret question" you select, use your new password as the "secret answer".

The answer doesn't make sense in the context of the question, but the password recovery system doesn't know this. It only checks that the answer you give when you ask to recover or reset your password matches the answer you supplied when ou set up the account. This trick will ensure that even a website that chooses insecure "secret questions" won't compromise the security of your account.

Passwords in Email

Emailing passwords is always a bad idea. Most email systems transmit the body of the message in plain text, and so an identity thief could look inside messages addressed to you. This means that if a website "recovered" your password and emailed it to you, you should consider that password compromised and change it immediately.

Managing Your Passwords

Even with tricks like using phrases to generate passwords, remembering passwords for dozens of sites can be a bit taxing. There are software tools that will manage your passwords for you. There are online services and stand alone programs that will save your passwords, and you can ask most modern web browsers to remember passwords. But you should choose your password management software carefully and only use a program or service that you're sure you can trust with your most sensitive information.

The Firefox browser from Mozilla, the most trusted name on the Internet, has secure, world-class password management. When you enter a username and password into a website, Firefox asks if you want to remember that password. If you answer yes, Firefox stores the password in your user profile. You can (and should) turn on Firefox's Master Password feature to ensure that your saved passwords are securely encrypted.

Combining Firefox's Master Password with Firefox Sync lets you manage all your passwords on all the machines you use securely and effortlessly. Best of all, if you use the password manager, the Firefox Master Password is the only password you'll ever have to remember yourself.

The Firefox Master Password

To keep the passwords you save in Firefox's password manager secure, you should turn on the Master Password. If you haven't already set a Master Password, it's easy to do.

Before you start, carefully choose a phrase to create your Master Password. Since the Master Password is used to secure all of your other passwords, a long phrase would be advisable.

In Firefox for Windows:

From the Tools menu select Options.
Click on the Security icon and check the "Use a master password" checkbox.
The Master Password dialog box will appear.
Enter your Master Password into the "Enter new password:" and "Re-enter Password:" text boxes and hit the OK button.

in Firefox for MacOS:

From the Firefox menu select Preferences.
Click on the Security icon and check the "Use a master password" checkbox.
The Master Password dialog box will appear.
Enter your Master Password into the "Enter new password:" and "Re-enter Password:" text boxes and hit the OK button.

Many people prefer to have Firefox ask for the Master Password only once at the beginning of each session. There is a Firefox Add-on called StartupMaster that enables this behavior. To add StartupMaster to Firefox, pick Add-ons from the Tools menu, click on Get Add-ons, and then type StartupMaster into the search box.

All Your Passwords On All Your Computers

Firefox Sync can ensure that all your passwords are saved on all the computers you use. Tell Firefox to remember a password on your desktop computer at home, Firefox Sync will make that password available to Firefox on your notebook computer, and any other computer (or mobile device) on which you use Firefox.

Firefox Sync not only synchronizes your passwords, but also your bookmarks, browsing history, preferences, and tabs across all of your browsers.

One thing that Firefox does not sync across all of your computers is your Master Password, so be sure to set that up on each machine when you configure Firefox Sync.

Firefox Sync is built into Firefox 4, and is available as an add-on for Firefox 3.5 and later. To add Firefox Sync to Firefox, pick Add-ons from the Tools menu, click on Get Add-ons, and then type Firefox Sync into the search box.

When you set up Firefox Sync, it will ask for a password and pass phrase. You can safely use your Master Password and the phrase you used to create it here.

When you have Firefox Sync installed on all your machines it will ensure that passwords you remember on one machine are available on all of the machines on which you run Firefox. That includes Smartphones and mobile devices running Firefox Mobile and Firefox Sync, so you can carry all your passwords with you all the time.

Become a Password Security Ninja

Faithfully using the tips and techniques in this guide will put you in the top 10% of all internet users when it comes to password security awareness.

Use your newfound power wisely and help spread the word by showing your friends and family how they can be safer online by using more secure passwords.

Colophon

Characters from Simon "Gee" Giraudot's Geektionnerd.net are remixed from the Wikimedia Commons under the Creative Commons Attribution-Share Alike 3.0 Unported license.

Tim Buckley's CTRL+ALT+DEL cartoon is remixed from the Wikimedia Commons under the Creative Commons Attribution-Share Alike 3.0 Unported license.