Passwords. So annoying, yet so critically important. Without passwords, your friends would be spamming your Facebook wall with lolcat pictures. Or worse… So, we need passwords. Better, we need strong passwords. A weak password is guessable, and a potential attacker could compromise your online identity and access your personal data easily. I’m sure you’d like to avoid that. I say avoid, not prevent.
Prevention is not really possible, since even a strong password can be compromised if the site you enter it on is insecure or has undiscovered vulnerabilities, such as the one that recently affected the Gawker network and exposed its users’ passwords to the world. If the site takes appropriate precautions you’re pretty safe, but the risk is still there.
Without further delay, let’s see what a strong password is, how to create one, what you shouldn’t do with passwords, what the guidelines are and how you can manage your passwords. A lot, yes.
What is a strong password?
A strong password would be a word of around 10 characters, made up of letters, numbers and symbols in some random order, and avoiding repeating the same characters. The longer and more complex your password, the safer you are, but the harder it is to remember and type. The trade-off is between security and ease-of-use, so try to find the right balance and see what works for you.
“Tough!” you say? Not really, once you know a few tricks to create such passwords. Before we get to that, let’s see the things you absolutely shouldn’t do when it comes to passwords.
The Don’t-Do-These List
1. “password”
The cliché: setting your password to “password”. Or some variation like “pa55word”. Don’t do it. Don’t even try it in reverse: “drowssap”.
2. Names / Personal information
Your password shouldn’t be your name, your wife/children/pet names or any other personal information related to them. So no birthdays, no nicknames, no house number, telephone numbers, addresses, National ID. Nothing related to you or people close to you.
3. Dictionary words
Don’t use passwords that can be found in a dictionary, such as “baseball”. Don’t use words found in foreign-language dictionaries either, like “manzana” (apple). There are programs out there that take a list of dictionary words and run through them, trying each one as your password. Given enough time, they will find your weak password in their dictionary.
4. Consecutive letters / numbers
For example, “qwerty” or “mnbvcxz” or “34567”. Don’t use sequences of consecutive letters or numbers as passwords, especially those found on the rows of a keyboard.
5. Don’t start or end a password with a number / special character
Some password crackers strip off the first and last character of your password before attempting to brute-force the remaining characters, so a potentially strong character placed there goes to waste. Don’t put a number or special character at the start or end of your password.
6. Simple substitution
You could think that “pa55w0rd” is a great password, but it isn’t. Such simple substitutions are guessable and are often found in dictionaries used for brute-force attacks.
7. No passwords
It’s common sense, I think, but I’ll state it here: given the option, don’t choose to use “no password”. You’re only asking for trouble. If a system asks for a password, it’s not to annoy you: there must be a good reason. So take the safer route and choose to use a password. The only exception is if you’re using the system on a machine that is not connected to a private network or to the Internet. Then maybe you can get away with using no password for convenience.
8. Sharing your passwords in emails, text documents, etc.
You get an email saying your bank has just suspended your account and that the officer in charge needs your password to re-activate it. Classic phishing attack. Don’t send your password! System administrators don’t need your password to do anything; they already have it in the first place. Also, they’re in control of the system, so they can do pretty much whatever they want without needing a normal user’s password.
Don’t send your passwords via email, SMS, etc., where somebody can read the password or it can be intercepted easily. Treat your password as you would your bank PIN code.
9. Re-using passwords
Once you have changed a password, don’t reuse it for a long period of time, say one year. OK, maybe you can re-use old passwords on sites where you need a one-off registration, but make an effort not to re-use passwords.
10. Same passwords for different sites
This should be avoided, especially for sensitive sites. There is an exception, and you’ll know about it in the next list. For now, remember not to use the same passwords for different sites.
11. Writing down your passwords
It’s an IT admin’s nightmare: walking around the office and seeing that users have written their passwords on post-its and stuck them to their screens. This totally defeats the purpose of a password. Don’t write your passwords on paper! They can and will be found…
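As an added illustration (not part of the original post), here is a small Python checker that applies the rules above to a candidate password: it undoes simple substitutions so “pa55w0rd” reduces to “password”, tries the reversed word, strips the first and last character the way the crackers in #5 do, looks for keyboard and alphabet sequences, and estimates the size of the search space. The word list is a constructed stand-in; a real cracker’s dictionary is far larger.

```python
import math
import string

# Constructed stand-in for a cracker's word list (assumption: real lists are far larger).
DICTIONARY = {"password", "baseball", "manzana", "fishpond", "qwerty", "letmein"}

# Keyboard rows plus the digits and the alphabet: the sources of "consecutive" sequences.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase]

# Common leet substitutions, mapped back so a "substituted" password can be un-substituted.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def is_sequence(pw, run=4):
    """True if pw contains `run` consecutive keys from a row or the alphabet, in either direction."""
    s = pw.lower()
    for seq in SEQUENCES:
        for cand in (seq, seq[::-1]):
            if any(cand[i:i + run] in s for i in range(len(cand) - run + 1)):
                return True
    return False


def dictionary_hit(pw):
    """Return the dictionary word pw reduces to (as is, reversed, un-leeted, or with the
    first and last character stripped, as a cracker would try), or None if there is none."""
    base = pw.lower()
    core = base[1:-1]  # what is left after the cracker strips the first and last character
    for variant in (base, base[::-1], base.translate(UNLEET), core, core.translate(UNLEET)):
        if variant in DICTIONARY:
            return variant
    return None


def charset_bits(pw):
    """Upper bound on guessing work: length * log2(size of the character classes used)."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    size = sum(n for test, n in classes if any(test(c) for c in pw))
    return len(pw) * math.log2(size) if size else 0.0


def audit(pw):
    """Apply the Don't-list rules and return the list of rules the password breaks."""
    problems = []
    word = dictionary_hit(pw)
    if word:
        problems.append(f"reduces to dictionary word '{word}'")
    if is_sequence(pw):
        problems.append("contains a keyboard or alphabet sequence")
    if pw and not (pw[0].isalpha() and pw[-1].isalpha()):
        problems.append("starts or ends with a number or symbol")
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if any(pw.count(c) > 2 for c in set(pw)):
        problems.append("repeats the same character more than twice")
    return problems
```

Running `audit("pa55w0rd")` reports the dictionary hit and the short length, while the passphrase-derived “StJoMkph?Yg1s” from later in the post passes every rule with roughly 85 bits of search space.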
Ways To Create Strong Passwords
So now, the fun part: creating strong passwords. Here are 7 ways to get a strong password. Choose your favourite methods and create your own now!
Password Strengths are tested with PasswordMeter.
1. A sentence (passphrase) and emotions
Think of a sentence, say: “Steve Jobs makes killer presentations huh? Yeah great ones”. Now what? We’ll turn that sentence, called a “passphrase”, into a password. Here you can do pretty much what you want, but this is what I came up with: “StJoMkph?Yg1s”.
Alright, you don’t have to create such complex passwords in most cases. This example was just to show you how a very strong password can be made using a simple sentence.
You might find: “I would like to visit Paris one day” – “!wl2vP1d” to be a simpler password.
Do try to keep the passphrases short and complex. Long passwords are difficult to type fast and accurately, increasing annoyance!
Try to put emotions into the passphrase as symbols. For example, ! can mean surprise and @ might mean anger. So “That surprise birthday party today was great” might become “T!bEEp2wG” (That ! Bee party 2day was Great).
2. Based on the site name
Some people find it easier to remember passwords that they create according to the site they are on. For example, say your banking site is “mybank.org”. You could make up a passphrase: “I deposit money at mybank.org” which becomes: “Idepo$@myBank”.
The weakness of these passwords is predictability. You shouldn’t build every password the same way, so don’t make your eBay password “Ib5tuff@ebay” or similar. Try to vary the sentence if you’re using this method.
3. Using generators
4. Substitution in weak passwords
You could try to turn your weak password into a strong password, if you feel you’re already used to it. For example, “baseball” might become “9a5eb4L1”. Check the difference:
Another technique here is to think of a simple word, e.g. “fishpond”, then substitute letters and symbols that sit around those letters on the keyboard. For example, I’ll alternate between substituting the key above and the key below the actual letter. “fishpond” becomes “” with some strengthening. The disadvantage? You’ll probably type this password very slowly, so someone watching might guess what it is.
5. Keyboard patterns
If you’re a visual person, you can try to visualize patterns on your keyboard and then make passwords from those patterns. Say your birthday is the 28th of the month; you could start the pattern on the numeric keys 2 and 8.
From this pattern, your password could be: “2#4EsXc” or “6YJnhU87” or something like that.
The problem with this method is if you have a different kind of keyboard, such as an AZERTY or DVORAK keyboard. You wouldn’t be able to use your pattern with those keyboards since the key layouts change.
You can make a complex password out of a few letters if you use phonetics. Here is an example: “3ct” might become “Fr3eSeeTeA”.
The Do-These List
1. Frequently change passwords for critical sites
This must be one golden rule when using passwords for high-security sites, such as your banking or online payment account. Try to change your passwords for those sites every month or so, and don’t reuse passwords.
You could set a variation of the current password as the new password. This gives some ease-of-use but is not recommended: you can also confuse the variations and end up forgetting your password, so it’s better to make a new one.
2. Layers of passwords – not-so-secured to secured
Do you really need complex and tough-to-remember passwords for all sites? Probably not.
You can create what I call “layers of passwords”. The layers might be: unsecured – secured – most secured. Or some other set of your choosing, like unsecured – a bit secured – secured – most secured.
Now you can create passwords based on these layers:
- “fishpond” – Unsecured passwords would be used for sites you register on once just to download something or comment. You don’t really care what happens if the password is found. Think of those as throwaway passwords. You can even re-use those if you want (this is the exception I mentioned in #10 of the Don’t-Do-These list). For those sites, you may consider using fake personal data too.
- “FishPonD” – Use a somewhat secured password for sites you often access, but are not very critical. For example, some forum or blog where you usually go to ask questions or comment on.
- “F!5Hp0Nd” – Secured passwords would be used on sites you use frequently such as your blog, twitter or social site account. You’d definitely not want those passwords to be compromised.
- “EfF!5Hp0nDe3” – Most secured passwords would be more complex than any of the other layers’ passwords. You’d only use those on a few sites which require high security, like banks, online shopping etc. The fewer sites you use these on, the more secure they are.
Hopefully, this will save you from remembering many “strong” passwords (everyone finds that difficult). You just need to vary the strength of the password according to the site you’re visiting and its importance.
3. Beware of people behind you
This “attack” is called shoulder-surfing. Basically, while you type your password, someone behind you watches what you’re typing and can try to guess the characters. There are a couple of ways to defeat this attack:
- Check if there is someone behind you: Kind of obvious, no?
- Type your passwords fast
- Use complex passwords: uppercase/lowercase letters, symbols, numbers – it becomes difficult to know which is uppercase and lowercase and whether symbols are numbers or vice-versa.
4. Don’t sign in on public computers
Another golden rule: to the extent possible, don’t use sensitive sites on public computers, such as those at libraries or schools. There is software (and there are hardware devices) called keyloggers that record whatever you type at a keyboard and send this data to whoever planted the thing there. There is a high risk of finding keyloggers on public computers, so don’t access secure sites from public computers.
If you really must access a site from a public computer (you mustn’t!), do it, but change the password as soon as you’re back home and hope for the best. Don’t change the password right there on the public computer – the keylogger would record the new password as well, making the operation pointless.
Some sites have implemented single-use passwords which you can use on public machines. For example, Hotmail can SMS you a single-use password if you want; the password becomes invalid after a single use. You must have registered a phone number in your account before using the service, though.
4 Ways To Store Your Passwords
1. Password managers
For example, KeePass will store your passwords in an encrypted database, so no one can access it without a password and/or a decryption key. It has many other functions too, such as pasting your passwords into forms securely and suggesting (very) strong passwords. It’ll even tell you how strong your current password is when you create a new entry in the database.
The good thing about password managers is that you only need to remember one Master Password to have access to all your other passwords. This means you can use a different, strong password for every site you visit, have the password manager remember them, and when you need to log in, just enter your Master Password and the software does the rest for you.
The other apps out there provide as many functions and sometimes even more, so find one you like and use it! If you want a cross-platform, mobile-compatible app, check out 1Password.
2. In-browser + Master Key
If you don’t want to use a desktop app to save passwords, you can have your browser remember them for you. If you’re using a cross-platform browser such as Firefox, you can even use add-ons like LastPass to sync your passwords across browsers.
If you’re using the built-in password manager in Firefox (or some other browser), make sure you’ve enabled the “Master Password”, otherwise everyone who can access your browser can see your collection of passwords. Not good. Oh, and make sure you never forget that Master Password, or you won’t be able to access any of the stored passwords!
3. Online password storage
There are a couple of sites which allow you to securely store and access your passwords online. Personally, I don’t trust those, since they come and go really fast. And if tomorrow they decide to shut down, they take all my passwords with them.
4. Offline safekeeping techniques
There are people who still want to write down their passwords, finding software annoying to use or not trusting online services. Maybe they know their passwords by heart but want to write them down as a reminder, just in case.
There are a couple of reasons NOT to do this: the passwords can easily be found, and people who write passwords down don’t usually change them… Anyway, if you want to do this, at least follow a few security measures. Your passwords won’t be completely safe, but still safer than a post-it stuck to your computer screen!
Devise your own coding scheme à la Da Vinci Code and use it to encrypt your passwords! You can use any of the coding systems out there, e.g. substitution ciphers, or one from this page. This step will probably stop a snooping brother from finding your WoW account password, but it will not stop a determined attacker, since most of those “historical” encryption methods can be broken given enough time (e.g. through statistical analysis).
If encryption is not your thing, you can make an effort to hide that password sheet somewhere it’s not easily found. For example, among the pages of a book, especially an obscure book no one is likely to open.
Lifehacker has a trick about storing passwords in the margins of an old dictionary. You could, for example, write your work password next to “stress” or your school password next to “mathematics”. Even if someone is patient enough to go through all the pages of the dictionary and collect all the passwords, they wouldn’t know which one applies to which site. This would demand some serious trial-and-error. Feasible, but boring and time-consuming.
OK! This is done! By now, I hope you have a fairly good idea of what a strong password is, how to create one, and what to do and what not to do with passwords.
Do remember that no system is completely safe. For example, if you’re using software to remember passwords, it might have bugs that allow an attacker to gain access to the passwords. However, taking some precautions is still better than nothing, and anything at all is better than using “password” as your password!
Thanks for reading! If you have suggestions, comments or other tricks, the comments section is open for discussion! 😀