Guide to Creating (and Remembering!) Strong Passwords
Everyone knows the importance of creating strong passwords for your digital data. Many people have very sensitive information on their computers and online accounts, and with technology ever on the rise it is getting easier and faster for nefarious entities to crack your passwords. There have been numerous reports in the news lately of huge data breaches within large corporations, making it even more important that you are doing all you can to personally protect your accounts.
How are passwords hacked?
To help users know the “how and why” of a strong password, it is important to understand how passwords are cracked or stolen in the first place. Many people have the image in their heads that the person performing the hack is sitting at a computer, guessing passwords individually or at a very slow rate. This is just not true; in most cases the hacker can simply “set it and forget it”, letting his specialized computer program guess millions of different users’ passwords every minute until it finds a correct login.
Hackers can guess passwords at the rate of 1 billion guesses a second, and that number is only growing as computer hardware power increases and can perform far more calculations per second. A five-character password will have 10 billion possible combinations; this means a hacker can guess a normal five-character password in only 10 seconds.
Hackers can also run what is called a “dictionary attack”. They try to match passwords against words in a dictionary, and if your password contains words that are found in a dictionary (especially one- or two-word passwords), there is a good chance a hacker could easily guess it. They can also “mutate” the words to reflect the common things people do to try to make their passwords more secure, for example adding an exclamation point at the end or replacing an “O” with a zero. Hackers know all the common mutations people use, and often try them immediately.
“Here is a list of common mutations a hacker will try to dictionary words:
- capitalizing the first letter of a word;
- checking all combinations of upper/lowercase for words;
- inserting a number randomly in the word;
- putting numbers on the ends of words;
- putting numbers on the beginning of words;
- putting the same pattern at both ends, like *foobar*;
- replacing letters like ‘o’ and ‘l’ with numbers like ‘0’ and ‘1’;
- punctuating the end of words;
- duplicating the first letter, or all letters in the word;
- combining two words together; and
- putting punctuation or space between the words.
Hackers are also smart about which words they choose. They don’t just choose English words, but include most popular languages (i.e., Spanish, French, German). They also choose words from pop culture, like xbox360 or Britney Spears. If they know who you are, they will find words particular to you. Let’s say your name is ‘John Smith,’ you drive a ‘BMW,’ you work for ‘Microsoft,’ and you like to watch ‘The Office.’ A hacker will Google these terms and create wordlists from the resulting Web pages. Thus, ‘Carell325i’ seems like a fine 10-character password to defeat hackers, but will get cracked in only a few minutes by a hacker who knows you.”
Clearly, you need more than just a few simple tricks to come up with a secure password, and it is getting more difficult due to improving computer hardware. Read on to find out how to keep yourself secure!
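The mutation list above is exactly what a password-strength check can run in reverse: undo each common mutation and see whether a plain dictionary word (or two joined words) is left. The following is an added example, not code from the original article; the word list is a constructed toy stand-in for a real cracking dictionary, and the set of undone mutations is my own selection from the list above.

```python
import re
import string

# Constructed toy wordlist standing in for a real cracking dictionary
# (which would hold hundreds of thousands of words, names and pop-culture terms).
WORDLIST = {
    "house", "red", "big", "password", "monkey", "dragon",
    "summer", "office", "foo", "bar", "love", "hat",
}

# Undo the substitutions from the list above ('0' for 'o', '1' for 'l', ...).
LEET_UNDO = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})
AFFIXES = string.digits + string.punctuation + " "


def candidate_stems(password):
    """Return the plain words the password could have been built from."""
    low = password.lower()                        # upper/lower-case variants
    stems = {low, low.strip(AFFIXES)}             # numbers/punctuation at either end
    for i, ch in enumerate(low):                  # one digit or symbol inserted inside
        if ch.isdigit() or ch in string.punctuation:
            stems.add(low[:i] + low[i + 1:])
    stems |= {s.translate(LEET_UNDO) for s in stems}        # h0use -> house
    stems |= {re.sub(r"(.)\1", r"\1", s) for s in stems}    # hhoouussee -> house
    return {s for s in stems if s}


def dictionary_stem(password):
    """Return the dictionary word(s) the password is a mutation of, or None."""
    for stem in sorted(candidate_stems(password), key=len):
        if stem in WORDLIST:
            return (stem,)
        # two words joined, optionally with a space or punctuation between them
        for i in range(1, len(stem)):
            left, right = stem[:i], stem[i:].lstrip(AFFIXES)
            if left in WORDLIST and right in WORDLIST:
                return (left, right)
    return None


if __name__ == "__main__":
    for pw in ["H0use!", "Red house", "BigHouse$123", "Summer2014!",
               "Mh&ImoO5,2&wgmoA20,2."]:
        print(f"{pw!r:26} -> {dictionary_stem(pw)}")
```

A result other than None means the password is one cheap rule away from a dictionary word and should be rejected at sign-up; a real deployment would swap the toy set for a large wordlist and add the personal terms (employer, car, favourite show) the article warns about.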
How to create (and remember) strong passwords
First, let’s go through the traditional password advice that is still smart to follow:
- Has 12 characters, minimum: You need to choose a password that’s long enough. There’s no minimum password length everyone agrees on, but you should generally go for passwords that are a minimum of 12 to 14 characters in length. A longer password would be even better.
- Includes numbers, symbols, capital letters, and lower-case letters: Use a mix of different types of characters to make the password harder to crack.
- Isn’t a dictionary word or combination of dictionary words: Stay away from obvious dictionary words and combinations of dictionary words. Any word on its own is bad. Any combination of a few words, especially if they’re obvious, is also bad. For example, “house” is a terrible password. “Red house” is also very bad.
- Doesn’t rely on obvious substitutions: Don’t use common substitutions, either — for example, “H0use” isn’t strong just because you’ve replaced an o with a 0. That’s just obvious.
“Try to mix it up — for example, ‘BigHouse$123’ fits many of the requirements here. It’s 12 characters and includes upper-case letters, lower-case letters, a symbol, and some numbers. But it’s fairly obvious — it’s a dictionary phrase where each word is capitalized properly. There’s only a single symbol, all the numbers are at the end, and they’re in an easy order to guess.”
Now, it’s very easy to come up with a secure password by typing a lengthy string of random letters, numbers, and symbols, but how is any normal person supposed to remember a password like “p5u7Nm3#!6/B1XC&t$”? The easiest way to create unique, secure passwords for every site is by using a password manager. “There are several competing password managers. These apps will create good passwords, remember them for you, store them safely, synchronize them across your computers and mobile devices, and even enter passwords into your login forms so you don’t have to type them.”
Of course, password managers are also protected by a password, but creating and remembering one long password is much better than dozens of them! Write that down if you need to, store it in a SAFE place (not attached to your computer!) and you will be free and clear without having to come up with and memorize tons of different passwords. Here are some of the more popular password managers:
1Password: Nice interface. Remembers credit-card numbers. Auto-enters passwords in websites. Synchronizes a highly encrypted database of your passwords over either iCloud or Dropbox (or some other homebrew system, if you want). But it’s expensive: $49.99 for the Mac or Windows version, plus $17.99 for the iPhone version. Bundles and deals are sometimes available.
LastPass: Does pretty much everything 1Password does, but it’s not as pretty. Has finer-grained security controls, including two-factor authentication (so even if someone learns your password, she can’t get into your account unless she has your phone, too) and restrictions by country. A good free version, and a decent deal at $12 a year for mobile access.
Dashlane: Probably the most beautiful of the password managers. Works across computers and mobile devices. Free on one computer, $29.99 a year for syncing across devices.
Other password methods and tips
Power of the passphrase
If you don’t want to deal with setting up a password manager (or need to create a strong master password), start rethinking the way you make your passwords. One way to do this is to think in terms of a passphrase rather than a password.
When students in school have to memorize an ordered list, such as the planets in our solar system, they are often given an easy-to-remember sentence whose first letters correspond to the first letters of the items in the list. So for our solar system example, to remember Mercury, Venus, Earth, Mars, Jupiter, Saturn, Uranus, Neptune, and Pluto, a good memorization sentence would be “my very empty monster just swallowed up nine planets”.
You can use this same technique to create a strong passphrase. Pick a phrase that you won’t forget, for example “My husband & I met on October 5, 2010 & we got married on April 20, 2014.” Take the first letters, capitalization and all, plus the symbols and numbers in that sentence, and turn it into your passphrase: “Mh&ImoO5,2&wgmoA20,2.” You can customize your sentence any way you like, or to make sure it falls within program or website specifications, and the result is long, random-looking, nearly impossible to guess, and still easy for you to remember! You can even write the whole phrase somewhere you’ll remember without fear of anyone guessing its function.
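The reduction from sentence to passphrase can be automated so the result is applied consistently every time. The following is an added example, not code from the original article; the exact rule (first letter of each word, one- or two-digit numbers kept whole, longer numbers reduced to their first digit, symbols and punctuation kept in place) is my reading of the article’s example and is an assumption, not something the article states.

```python
import re

# Split each whitespace-separated word into leading symbols, an alphanumeric
# core, and whatever trails it, e.g. "2014." -> ("", "2014", ".").
TOKEN = re.compile(r"^(\W*)(\w*)(.*)$")


def sentence_to_passphrase(sentence):
    """Reduce a memorable sentence to a passphrase.

    Rule (assumed, inferred from the article's own example):
      * a word contributes its first letter, case preserved;
      * a number of one or two digits (a day) is kept whole, a longer
        number (a year) contributes only its first digit;
      * symbols and punctuation (&, commas, periods) stay where they occur.
    """
    pieces = []
    for token in sentence.split():
        lead, core, trail = TOKEN.match(token).groups()
        if core.isdigit():
            piece = core if len(core) <= 2 else core[0]
        else:
            piece = core[:1]          # first letter; empty for a bare symbol like "&"
        pieces.append(lead + piece + trail)
    return "".join(pieces)


def character_classes(password):
    """Report which of the four character classes the passphrase contains,
    so you can check it against a site's 'upper, lower, digit, symbol' rules."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    sentence = "My husband & I met on October 5, 2010 & we got married on April 20, 2014."
    pw = sentence_to_passphrase(sentence)
    print(pw, len(pw), sorted(character_classes(pw)))
```

Run on the article’s sentence the function yields “Mh&ImoO5,2&wgmoA20,2.”, 21 characters drawn from all four character classes; the memorization sentence for the planets reduces to “mvemjsunp”, which shows why a bare first-letter acronym of a lower-case sentence needs dates or symbols added before it meets the 12-character, mixed-class advice above.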
Another trick that many are turning to is a string of random words in a nonsensical order. The randomness of the words and their order, and the length of the passphrase are what make this a strong choice.
“For example, ‘cat in the hat’ would be a terrible combination because it’s such a common phrase and the words make sense together. ‘My beautiful red house’ would also be bad because the words make grammatical and logical sense together. But, something like ‘correct horse battery staple’ or ‘seashell glaring molasses invisible’ is random. The words don’t make sense together and aren’t in grammatically correct order, which is good. It should also be much easier to remember than a traditional random password.”
Most people aren’t very good at coming up with sufficiently random strings of words, so Diceware, a website, provides a numbered list of words. You roll dice and match the numbers you get with the corresponding entries in the word list. This ensures a completely random set of words, including ones you might never have thought of! Keep in mind that “Diceware’s creators now recommend using at least six words because of advances in technology that make password-cracking easier”. But even with six words, it is still easier to remember than most users’ passwords.
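The Diceware procedure is simple enough to write down as code, and doing so makes the “at least six words” advice concrete by putting it next to the 1 billion guesses per second figure from earlier in the article. The following is an added example, not code from the original article or from the Diceware project; it assumes the real list’s layout (one word for each of the 7776 possible five-dice rolls, ordered 11111 to 66666) and uses a constructed placeholder list of that size rather than the actual Diceware words.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD          # 7776: one word per possible five-dice roll

# Constructed stand-in for the real Diceware list, in the file's order, so
# index 0 answers roll 11111 and index 7775 answers roll 66666.
STAND_IN_LIST = [f"word{i:04d}" for i in range(LIST_SIZE)]


def roll_word_key(randbelow=secrets.randbelow):
    """Roll five dice with a cryptographically secure RNG, e.g. '31426'."""
    return "".join(str(randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def key_to_index(key):
    """Map a five-digit dice key (digits 1-6) to its position in the list."""
    index = 0
    for digit in key:
        index = index * 6 + (int(digit) - 1)
    return index


def generate_passphrase(wordlist=STAND_IN_LIST, n_words=6, randbelow=secrets.randbelow):
    """Pick n_words words by dice roll; every word is equally likely."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("Diceware lookup needs exactly 6**5 words")
    return " ".join(wordlist[key_to_index(roll_word_key(randbelow))]
                    for _ in range(n_words))


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Each fairly rolled word adds log2(7776), about 12.9 bits."""
    return n_words * math.log2(list_size)


def years_to_exhaust(n_words, guesses_per_second=1e9, list_size=LIST_SIZE):
    """Years needed to try every n-word passphrase at the article's
    1 billion guesses per second (an attacker who knows you use Diceware)."""
    return list_size ** n_words / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(generate_passphrase())
    for n in (4, 5, 6):
        print(n, "words:", round(entropy_bits(n), 1), "bits,",
              f"{years_to_exhaust(n):.3g}", "years to exhaust")
```

The numbers are the point: five words give about 64.6 bits and can be searched exhaustively in roughly 900 years at a billion guesses per second, while six words give about 77.5 bits and push that to several million years. The `secrets` module is used because the security of the passphrase rests entirely on the rolls being unpredictable; an ordinary `random` generator is not suitable here.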