Tips & Tricks for Strong Passwords

Claire Nguyen
Jan 2, 2019
PCMag: 123456 tops most common passwords again! (https://bit.ly/2F3y63e)

Password security (and cyber security, in general) is something we all know is important, yet most of us tend to put it on the back burner. Who wants to memorize a string of random characters and numbers that don’t make sense for every single site they visit? It can be a daunting task to create and memorize something like j8-B%dw^qM*3.

Passwords, in the simplest sense, are the gates between an entity and a resource. Passwords allow us to ensure the correct person gains access to certain information or admission to something. They allow us to keep private information private and to permit only the information we want to share to be shared. They are the gates between users and their emails, account holders and their bank accounts, tweeters and their Twitter, programmers and their programs.

Unfortunately, there are plenty of people who would like to gain access to information for malicious purposes, like stealing someone’s identity, credit card information, or social security number. With the right tools, knowledge, and careless users, they can hack into business and government systems.

Hackers use three common methods to acquire people’s computer passwords:

  • Brute Force (‘Dictionary’) Repetition
  • Social Engineering (commonly: phishing)
  • Administrator Back Doors

Using stronger passwords won’t keep you secure from all the threats out there, but it’s a good first step.

What is a Brute Force Attack?

The term “brute force” means to overpower the defense through repetition. In the case of password hacking, brute forcing involves a program that recombines dictionary words into thousands of varying combinations. It is a trial-and-error method used by application programs to decode data through exhaustive effort (using brute force) rather than employing intellectual strategies. It is the simplest method to gain access to a site or server (or anything that is password protected).

Brute force dictionaries always start with simple letters “a”, “aa”, “aaa”, and then eventually move to full words like “dog”, “doggie”, “doggy”. The tool tries various combinations of usernames and passwords again and again until it gets in. These brute force dictionaries can make 50 to 1000 attempts per minute. This repetitive action is like an army attacking a fort: given several hours or days, these dictionary tools can overcome any password.

The secret is a password that takes days to crack but is easy for you to remember.

Traditional minimum requirements no longer cut it.

The traditional password requirements on many websites include:

  • minimum of 8 characters
  • at least one lowercase letter, one uppercase letter, one symbol, and one number

While these may be the bare minimum requirements for some sites, they are by no means secure, even with the random gibberish of characters and numbers. The key to making a strong password is length; the longer the better.
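To make the “length is the key” point concrete, here is an added example (not code from the article) that estimates the work an attacker faces under two models: guessing every string over the password’s character classes, and, for a passphrase, guessing whole words from a known word list. The guess rate of ten billion per second and the sample passwords are constructed assumptions; 7776 is the size of the real Diceware word list.

```python
import math
import string

# Constructed assumption: an attacker who has stolen a password database
# hashed with a fast algorithm and can test ten billion guesses per second.
GUESSES_PER_SECOND = 10_000_000_000

# Size of the Diceware word list, a real list used for random passphrases.
DICEWARE_WORDS = 7776


def charset_size(password: str) -> int:
    """Alphabet an attacker would have to search, judged from the character
    classes the password actually uses (lowercase, uppercase, digits, symbols)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def char_bits(password: str) -> float:
    """Bits of work if the attacker must try every string of this length
    over the password's character classes (the 'random gibberish' model)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def word_bits(word_count: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Bits of work if the attacker knows the passphrase is `word_count`
    words from a known list and simply tries every word combination."""
    return word_count * math.log2(dictionary_size)


def days_to_exhaust(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    """Days needed to try the whole keyspace at `rate` guesses per second."""
    return 2 ** bits / rate / 86400


def strength_report(password: str, word_count: int = 0) -> dict:
    """Summarize both models for one password; word_count > 0 marks a
    passphrase whose words could be guessed from a dictionary."""
    bits = char_bits(password)
    report = {
        "length": len(password),
        "char_bits": round(bits, 1),
        "char_days": days_to_exhaust(bits),
    }
    if word_count:
        wbits = word_bits(word_count)
        report["word_bits"] = round(wbits, 1)
        report["word_days"] = days_to_exhaust(wbits)
    return report


if __name__ == "__main__":
    # Constructed sample passwords, including ones quoted in the article.
    samples = [
        ("Smith1975", 0),
        ("j8-B%dw^qM*3", 0),
        ("correcthorsebatterystaple", 4),
        ("YellowChocolate#56CadillacFi$h", 0),
    ]
    for pw, n in samples:
        print(pw, strength_report(pw, n))
```

Two things stand out when you run it. A nine-character name-plus-year password falls in about two weeks at this rate, while adding characters grows the keyspace exponentially. But the passphrase row also shows the caveat: if the attacker assumes four words from a known list, the work drops from about 117 bits to about 52, so the strength of a passphrase comes from how many words you use and how unpredictable the choice is, not from its character count.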

Check out this website to see how long it would take to hack your password.

Do’s and Don’ts

The “obvious” stuff…

Here’s a list of the traditional recommendations we’ve all probably heard but maybe still don’t follow.

  • Don’t use common, single words like… “Password”. Just don’t.
  • Don’t use names of your family members, friends, or pets
  • Don’t use identifying numbers like birthdays, anniversaries, postal codes, phone numbers, social security numbers, addresses of yourself or family members. A common example is using a last name + year of birth combination, like Smith1975.
  • Don’t use number substitutions that can easily be guessed, especially for short passwords, like p@ssw0rd or l3tm3in.
  • Don’t use consecutive numbers or numbers with a pattern, like 1234567890 or 3939393939.
  • Don’t use the same password, security question, and answer for multiple important accounts
  • Don’t write down your password
  • Don’t share your password with anyone.

The not-so-obvious stuff…

One of the newest pieces of advice regarding passwords is to use a passphrase. A passphrase is easier for humans to remember but hard for computers to decipher. It should consist of seemingly random words strung together along with numbers, symbols, and uppercase and lowercase letters.

Something like… YellowChocolate#56CadillacFi$h is long, secure, and a lot easier to remember than fk-F83^*sU@sl=B.

Comic from XKCD

Here are some do’s…

  • Make sure the password is at least 15 characters long. Some sites say minimum of 12. Remember, longer passwords are harder to crack.
  • For passphrases, choose a minimum of four seemingly random words and put them together. (Some are even saying choose six random words.)
  • While the differing length of the words makes brute forcing the password very difficult, you could always complicate things even further with a simple-to-remember pattern — one that would also make the password pass the test for forms that check passwords for complexity. For example, take the sample password from that XKCD comic — “correcthorsebatterystaple” — and apply a pattern where you join words by alternating symbols and numbers like “^” and “2” and then capitalize the second (or whatever) character of each word. You’d end up with the password “cOrrect^hOrse2bAttery^sTaple” — long, complicated, and containing numbers, symbols, and capital letters. But it’s still much easier to remember than a randomized password.
  • Another common piece of advice is to start with a base phrase or sentence, use its acronym, and add special characters. For example, “You know nothing, Jon Snow” could be yknjs:1776#Win10
  • Swap in non-alphabetic and uppercase characters. Note that some advice online may say to not rely on obvious substitutions, like “H0use” — but usually they are referring to shorter passwords (not passphrases). Maybe something like ykNjS:1776#Win10
  • Change your password regularly. The common advice is to change it every 3 months.
  • Consider using a password manager, like LastPass. If you can’t write them down, all your various passwords are best stored in a secure manager. You would only have to remember one very secure password.
  • Have fun and add emoticons to your password! Use basic smiley faces.
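The pattern in the XKCD bullet and the acronym method are both mechanical enough to write down. What follows is an added example, not code from the article, that implements both and adds the “traditional minimum” form check from earlier in the post. The XKCD words and the “Jon Snow” sentence are the article’s own samples; the joiner characters and the capitalized position are parameters chosen here to reproduce them.

```python
import re
import string

# Constructed example input: the XKCD passphrase the article quotes.
XKCD_WORDS = ["correct", "horse", "battery", "staple"]


def stylize_passphrase(words, joiners=("^", "2"), capital_index=1):
    """Apply the article's pattern: uppercase one fixed position of every
    word, then join the words with separators that cycle through `joiners`."""
    if not words:
        return ""
    styled = []
    for word in words:
        if len(word) > capital_index:
            word = (word[:capital_index]
                    + word[capital_index].upper()
                    + word[capital_index + 1:])
        styled.append(word)
    result = styled[0]
    for i, word in enumerate(styled[1:]):
        result += joiners[i % len(joiners)] + word
    return result


def acronym(sentence: str, suffix: str = "") -> str:
    """First letter of each word, lowercased, with punctuation dropped, plus
    whatever suffix the user chooses to append (the article adds ':1776#Win10')."""
    words = re.findall(r"[A-Za-z0-9]+", sentence)
    return "".join(w[0].lower() for w in words) + suffix


def meets_legacy_rules(password: str) -> bool:
    """The 'traditional minimum' form check from the article: at least 8
    characters with one lowercase, one uppercase, one digit and one symbol."""
    return (len(password) >= 8
            and any(c in string.ascii_lowercase for c in password)
            and any(c in string.ascii_uppercase for c in password)
            and any(c in string.digits for c in password)
            and any(c in string.punctuation for c in password))


if __name__ == "__main__":
    plain = "".join(XKCD_WORDS)
    styled = stylize_passphrase(XKCD_WORDS)
    print(plain, meets_legacy_rules(plain))    # the bare passphrase fails the form check
    print(styled, meets_legacy_rules(styled))  # the decorated one passes it
    print(acronym("You know nothing, Jon Snow", ":1776#Win10"))
```

The decoration does exactly what the bullet promises: the bare four-word phrase fails a lowercase/uppercase/digit/symbol check, and the decorated one passes. Keep in mind that the decoration pattern is a fixed rule, so anyone who has read the same advice can apply it too; the unpredictability still has to come from the words you pick.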

Debatable advice

Some advice online contradicts other advice. Here’s some for you to consider….

  • Some say not to use dictionary words for your passwords. This usually comes from older advice, from when users tended to use one word for their passwords. Again, newer advice suggests a minimum of four random words strung together with random characters in between.
  • Some say to avoid using common phrases and words that make grammatical and logical sense together, like “CatInTheHat” or “ToBeOrNotToBe.” Something like “purple turkey swimming sky” or “correct horse battery staple” is still easier to remember than a traditional random password. However, I think that if the phrase is varied enough, it can still be secure. (See below for examples.)
  • Some say not to use similar passwords where most of the characters are the same, for example ilovefreshflowersMac and ilovefreshflowersDropBox, since if one of these passwords is stolen, then effectively all of them are stolen. However, I think that if most of your password is strong enough by applying the advice above, you may apply some sort of additional pattern to help you remember which site is which. (See below for examples.)

Here are some examples of good passwords.

(But don’t actually use these!)

  • 2BorNot2B_ThatIsThe? (To be or not to be, that is the question — from Shakespeare)
  • L8r_L8rNot2day (Later, later, not today — from the kid’s rhyme)
  • 4Score&7yrsAgo (Four score and seven years ago — from the Gettysburg Address)
  • John3:16=4G (Scriptural reference)
  • 14A&A41dumaS (one for all and all for one — from The Three Musketeers, by Dumas)
  • ABT2_uz_AMZ! (About to use Amazon)
  • ABT2_uz_BoA! (About to use Bank of America)
  • Pwrd4Acct-$$ (Password for account at the bank)
  • Pwrd4Acct-Fb (Password for a Facebook account)

The Take Away

Putting some thought into your passwords can go a long way!

You’re now ready to create your own strong, long, memorable mixed-character passwords using one or more of these “T1p$ & Tr1ck$ f0r $tr0ng P@$$w0rd$!” (See what I did with my title?) Or, if you want, create your own system — C?U2canCRE8Pwords;-) (See? You too can create passwords☺).

Have fun with it and create something silly that only you can remember!

Sources:

Lifewire, How-To Geek, WeBroot, the internet, previous work experience in IT.

More Resources:

PasswordsGenerator.net has many more do’s and don’ts on their website, not just on passwords.

Here’s a list of the top 25 most common passwords, according to hackers.
