Over the last few articles in this section of the site, we’ve taken a look at the various ways in which we get password selection wrong. Whilst that’s all very well, we’ve not yet looked at the best ways to create strong, hard-to-crack passwords.
This article is going to take a look at strategies we can employ to improve our password selections and, therefore, their strength.
Part One – Before We Begin
This section contains a list of the things that you need to consider about password creation and use
- Accept that you’re as likely a target as any other online computer/device user.
Due to the myriad of ways that hackers are able to make use of personal information for their own personal gain, everyone (and I mean everyone) has information contained within online accounts that’s potentially of great value to them. Just because you haven’t been targeted up to now, doesn’t mean that you won’t be.
- Keep the whole password affair as impersonal as possible.
Think ‘outside the box’ and don’t choose words or phrases that hold a particular significance for you, such as birthdays or relatives names. Anyone looking to try and hack into your online life will do their homework first. They’ll scan social media accounts, posts we’ve made on forums or within other online services and build a picture of who/what is important to us. This information can then be used to build a list of potential passwords.
- Don’t share your passwords with anyone.
Really, this little gem should go without saying. And yet, there are a surprising number among us who do share our passwords at some time or another. Consider it the equivalent of permanently handing someone a set of your keys to your house. They’re then free to come and go as they please until you change the locks.
Part Two – Choosing Your Password
When it comes to choosing a password, the world really is your oyster and the options limitless. This section contains a few tips for choosing passwords that are both strong and not too hard to remember:
- Use a sentence or phrase as the basis for your password – Rather than choosing a single word or two as a basis for your password, think bigger. Think of an entire phrase as your starting point for what you’ll use to secure something. (More on this below)
- Make It Long – As we looked at in a previous article, password length can make a big impact on the length of time it takes to crack it. At least 8 characters is ok, more than 10 is ideal. (It’s worth noting here that some websites and applications limit password length so in some cases we might have to choose slightly shorter ones)
- Mix It Up – use a variation of CapItAl and lOwErcASe letters in your password, as well as a couple of numbers. At least one of each within your password makes a difference, but jumbling a handful up is even better. Try to avoid grouping them together too much if you can.
- Give It Some Space – Ok, so many password systems won’t allow you to add physical spaces (although there are a few that will). However, the _underscore_ makes a fairly nice alternative to a physical press of the spacebar and is just as efficient.
- It’s All A Bit Symbolic – in addition to CAPITAL letters, lowercase letters and numb3rs, make sure that there’s at least one symbol in there too (@#!*&). This adds another frustrating curveball for any would-be hacker. (In some places, I’ve read suggestions to use the computer’s character map/palette to insert special characters. However, I’d advise against this as entering the password across different platforms might become difficult or impossible. It also adds more hassle for us to enter them at all and, ultimately, won’t increase our password security that much)
- Change Is As Good As Rest – Change your passwords periodically. Once every three to six months should be adequate in the majority of cases, but you might want to change it more often in some circumstances.
NOTE: If you have any concerns that any of your accounts might have been compromised, change it’s password IMMEDIATELY
Part 3 – A Working Example
In this section, I’m going to go through the process of creating a secure and fairly easy to remember password, together with explanations behind the choices.
1. Choose My Sentence or Phrase
For this, I’d suggest using a mnemonic device to come up with something. One such example is the Person-Action-Object (PAO) method. Just go onto the internet and find an image of a person performing an action to or with an object, something that has an appeal or sticks in your mind.
And here’s mine:
And my POA phrase from this is “cute squirrel dances in the woodland”.
2. Use My Sentence to Create a Password
The easiest way to do this is to take certain letters from our phrase to assemble a password that’s not too hard to remember. In this example, I’m going to choose the first two letters from each word, giving me:
Already, we can see that the above password is little more than a random set of twelve letters and on it’s way to being tough to crack. But we’re not quite there yet.
Now we’re going to mix things up a little more with the addition of some random characters. These characters will still hold some meaning though.
a. First of all, lets add a space after what the squirrel is doing, but before we know where he’s doing it:
b. Now, lets throw a couple of numbers in. A useful way to do this is often in place of certain vowels. This will give us:
c. Now, capital letter(s):
d. And lastly, another symbol:
And there we go, we’ve just created a password that’s based on a dancing squirrel. Not bad for ten minutes work huh? Not only that, it’s a password that’s got all the ingredients of being strong, hard to guess and apparently nonsense.
However, the above example I’ve provided might not be the best in terms of being able to memorise it. It’s a random squirrel in a random picture and holds no significance for us. However, we can translate the above into our personal lives.
Say I’ve got 3 children; Larry, Barry and Cornelius (poor bugger) and that their favorite hobby is soccer, which they all play together every Saturday from 11am.
This can give us: “Larry, Barry and Cornelius play Soccer every Saturday at 11am”.
And my password is: “La,Ba&CoplSoevSat@1100”
I’ve stated a series of facts that I’ll remember, I’ve mentioned no full names or other details, the password includes all the right ingredients (upper/lowercase letters, numbers, symbols) and it’s 22 characters long!
Actually, that might be a bit too long. So lets make it a bit shorter: “L,B&CpseS@11”
There we go, now down to just 12 characters and still plenty secure enough.
Part Four – Memorising Passwords
Now that we’ve chosen our password, the next thing we need to do is ensure that we remember it. In some cases, this might not be too much of a problem but what if we have several accounts and we need to remember which one goes with which?
The first thing I’d suggest here is to use a similar “cypher” for all of your passwords. Have certain rules that you use in order to create them. For example:
In any password you create you;
- only use the first two letters of each phrase word
- every ‘e’ in the password is replaced with a 3
- any number is prefixed with # (not including our letter changes)
and so on.
This provides a structure to our password creation and assists in remembering them.
It’s also ok to write them down (in hardcopy) and keep them in a safe place, away from your computer and from any prying eyes. Remember, we’re defending against people trying to remotely access our accounts via a network connection, not from someone rooting through the bottom of your underwear draw. If you do happen to forget a password for a particular account, it’s easily sorted out.
It’s also possible to ‘code’ your written down passwords so that if anyone should happen to see the list, it’s still of very little use. The easiest way to do this is to add an offset pattern, where each coded character is a number of alphabetical letters or numbers higher than the actual character used.
with a +2 offset pattern would become:
where the first character (in this case ‘2’) is the offset number. Notice that I also changed the symbol ‘&’ into ‘(‘, because that’s 2 digits higher on the keyboard.
In any case, be creative. Don’t just use the examples I’ve provided here. As I said at the beginning, think bigger!
Part Five – Password Managers
An alternative to a fair amount of what I’ve described here is to use a Password Manager.
“A password manager is a software application or hardware to assist in creating, storing, and retrieving complex passwords from a database. Password managers usually store passwords encrypted, requiring the user to create a master password: a single, ideally very strong password which grants the user access to their entire password database. Some password managers store passwords on the user’s computer (called offline password managers), whereas others store data in the provider’s cloud (often called online password managers). However offline password managers also offer data storage in the user’s own cloud accounts rather than the provider’s cloud. While the core functionality of a password manager is to securely store large collections of passwords, many provide additional features such as form filling and password generation.”
I’m not going to go into any further detail on Password Managers here, but if it’s something you’d like to consider PC Magazine have reviewed both free and paid versions. I’ve linked both articles below.