{Th3 UX 0f a Pa55w0rd}
Many people still use easy-to-crack passwords, but complex ones are tough to remember. Here’s how to design a user-friendly password you won’t forget.
Gone are the slack old days of 123456 or password or abc123 as a sensible ‘open sesame’ for online accounts.
These passwords — three of the most common passwords worldwide in 2019, as found by a survey from the UK’s National Cyber Security Centre (NCSC) — have long been useless at keeping light fingers away from the confidential data of internet users.
As hackers continue crafting increasingly sly ways of violating our privacy, we need to crawl from our dens of apathy to outfox them. And we can — easily! One solution, of course, is biometric authentication — using a fingerprint or iris scanner for the purpose of security. But passwords aren’t going anywhere anytime soon.
For that reason, Dr. Ian Levy, NCSC Technical Director, says:
“Password re-use is a major risk that can be avoided — nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band.”
Unsurprisingly, Levy goes on to suggest using “hard-to-guess passwords.” The major problem here is that the harder a password is for hackers to guess, the harder it tends to be for users to remember. So a hard-to-guess password also has to be memorable.
I don’t know about you, but I’ve never been guilty of devising a password as basic as the examples above. Thanks to a mixture of my own caution and that of service providers insisting on a wiser choice, it simply wasn’t ever an option.
However, what counts for a wiser choice changes from website to website, many with slightly different requirements. And I will confess, in the past, I’ve got myself into a right muddle with multiple variations of the same password, locking myself out of accounts all over the show. Less than ideal!
Right out of the gate, I should have gone for a nice combo of upper-case letters, lower-case letters, numbers, and special characters, which is now what most service providers ask for. But fear not, I’ve definitely learned my lesson. As author Frank Sonnenberg says in Soul Food: Change Your Thinking, Change Your Life:
“Smart people do stupid things. Stupid people don’t learn from them.”
Since my schoolgirl error, I’ve come up with a password much stronger than any I’ve ever had before: YouMustBeHavingALaugh*666*
Just jesting!
But I have been employing an unusual way of formulating a password that isn’t difficult to remember. While Levy says the NCSC recommends “combining three random but memorable words,” I prefer to build a complex acronym using one memorable verse from a poem or song:
- Step one of the process is pretty self-explanatory: you take the first letter from each word of the selected verse.
- Step two is where things get more interesting: you then swap letters for what we might call their numerical counterparts — that is, digits that look similar to the letters. For example, you could replace E with 3, S with 5, O with 0, and g with 9. Perhaps there are also others I’ve missed.
- Finally, step three is where you include special characters somewhere logical — maybe as bookends or smack bang in the middle.
Here’s one to give you a sense of what I mean: [IXdKKA5pddWAt5RR]
Bookended by special characters (left and right brackets, in this instance) and incorporating numbers, upper-case letters, and lower-case letters, the above password is based on a few lines from Kubla Khan, a poem by Samuel Taylor Coleridge I remember from A-Level English:
“In Xanadu did Kubla Khan
A stately pleasure-dome decree
Where Alph, the sacred river, ran”
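The three steps above, carried out on the Kubla Khan lines, as an added example in Python (this is not the author's own code; the post describes the method in prose only). It applies E, S and O substitutions in both cases and g only in lowercase, which is my reading of the post's list, and it treats a hyphenated compound such as "pleasure-dome" as two words, since the post's own example takes both a "p" and a "d" from it. The mechanical version ends in lowercase "rr" where the author capitalised the last two letters by hand. The final check mirrors the upper/lower/digit/special checklist that most providers ask for.

```python
import re
import string

# Letter/digit look-alikes the post lists (E->3, S->5, O->0, g->9).
# Mapping E, S and O in both cases is my assumption; the post names one
# case for each, and 9 only really resembles a lowercase g.
LEET_SUBSTITUTIONS = {
    "e": "3", "E": "3",
    "s": "5", "S": "5",
    "o": "0", "O": "0",
    "g": "9",
}

# Constructed sample input: the three Kubla Khan lines quoted in the post.
KUBLA_KHAN = (
    "In Xanadu did Kubla Khan\n"
    "A stately pleasure-dome decree\n"
    "Where Alph, the sacred river, ran"
)


def acronym(verse: str) -> str:
    """Step one: the first letter of each word, keeping the verse's own case.

    Hyphenated compounds count as two words, matching the post's example,
    which takes a 'p' and a 'd' from "pleasure-dome".
    """
    return "".join(word[0] for word in re.findall(r"[A-Za-z]+", verse))


def leetify(text: str) -> str:
    """Step two: swap letters for their look-alike digits."""
    return "".join(LEET_SUBSTITUTIONS.get(ch, ch) for ch in text)


def add_specials(text: str, left: str = "[", right: str = "]",
                 where: str = "bookends") -> str:
    """Step three: place special characters as bookends or in the middle."""
    if where == "bookends":
        return f"{left}{text}{right}"
    if where == "middle":
        half = len(text) // 2
        return f"{text[:half]}{left}{right}{text[half:]}"
    raise ValueError("where must be 'bookends' or 'middle'")


def verse_password(verse: str, where: str = "bookends") -> str:
    """Run all three steps in order."""
    return add_specials(leetify(acronym(verse)), where=where)


def meets_composition_rules(password: str, min_length: int = 12) -> bool:
    """The usual provider checklist: upper, lower, digit, special and a minimum length."""
    return (
        len(password) >= min_length
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


if __name__ == "__main__":
    pw = verse_password(KUBLA_KHAN)
    print(pw)                           # [IXdKKA5pddWAt5rr]
    print(meets_composition_rules(pw))  # True
```

Because the transformation is deterministic, the password can be regenerated from the verse whenever it is forgotten, which is the whole point of the method; the cost is that anyone who knows the verse and the substitution table could do the same, so the verse choice matters more than the symbols.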
According to the following chart by Mike Halsey at Microsoft, which shows how long it would take an average PC to crack passwords of varying lengths and complexities, my Kubla Khan-inspired password would take 1 quintillion years.
Just to be clear, that’s 1,000,000,000,000,000,000,000 years. And the chart is a decade old, so let that sink in for a moment.
In contrast, 123456, which the NCSC survey found to be the most popular password in the world today, would take no time at all. Literally no time — a modern computer would crack it instantly.
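The arithmetic behind a chart like that, as an added Python example (not the chart's own method, whose guess rate the post does not give): the character-class mix determines the alphabet size, the alphabet size raised to the length gives the keyspace, and dividing by an assumed guess rate gives the worst-case brute-force time. The one-billion-guesses-per-second rate is a placeholder of mine, so the year figure it produces will not match the chart's exactly.

```python
import math
import string

# Assumed guess rate; the post does not state the rate behind its chart,
# so this is a placeholder rather than the chart's figure.
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes the password uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def keyspace(password: str) -> int:
    """Number of candidates an attacker must try to exhaust the alphabet at this length."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Keyspace expressed in bits, the usual way to compare strengths."""
    return math.log2(keyspace(password))


def brute_force_years(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate in the keyspace is tried once."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


def compare(passwords):
    """Summarise alphabet, length, bits and worst-case years for each password."""
    return {
        pw: (charset_size(pw), len(pw), entropy_bits(pw), brute_force_years(pw))
        for pw in passwords
    }


if __name__ == "__main__":
    # The post's two extremes: the most common password and the Coleridge one.
    for pw, (cs, n, bits, yrs) in compare(["123456", "[IXdKKA5pddWAt5RR]"]).items():
        print(f"{pw:20} alphabet={cs:3} length={n:3} bits={bits:6.1f} years={yrs:.3g}")
```

Treat the result as a ceiling, not a promise. The keyspace figure assumes every character was chosen uniformly at random; a password derived from a well-known poem with a handful of predictable substitutions is one of far fewer candidates than 94 to the power of 18, and a six-digit PIN such as 123456 sits in a list that is checked first regardless of the arithmetic. The length term is also what moves the number most: adding a character multiplies the keyspace by the alphabet size, which is why the post's 18-character string dwarfs anything short, however exotic its symbols.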
Thus, 123456 and [IXdKKA5pddWAt5RR] are at opposite ends of the crackability scale. It may seem like they’re at opposite ends of the rememberability scale too. And they are — if you don’t care much for Coleridge. The random strings produced by password generators like those from LastPass and Norton are just as hard to remember.
Surely though, you’ve committed to memory a few lines from a favourite poem or song? Whether the words come from Oscar Wilde or Kim Wilde, Robert Burns or Pete Burns, it doesn’t matter — as long as you can remember them. It’s all about what works for you as an individual user.
Now for the tricky part.
Wait, what? That wasn’t the tricky part?
I’m afraid not. You might be able to construct a stonker of a password, but should you use it on all services? Noooo. If the biggest social media breaches have taught us one thing, it’s that, once these sites are compromised, your [IXdKKA5pddWAt5RR] might as well be a 123456.
It’s a far better idea to come up with separate passwords for each service — and to change them frequently too. Unfortunately, this brings you face-to-face with the issue of where to store your gaggle of passwords.
While it would certainly be foolish to note them down on a piece of paper, plenty of people use password managers like those offered by Dashlane and Keeper, accessible using a master password and optional biometrics.
I can understand the lack of trust in these supposedly secure password vaults, especially after a study by Independent Security Evaluators (ISE) found severe vulnerabilities in several earlier this year. However, they’re pretty much the best we’ve got at the moment.
As with everything we do online, there’s always going to be some level of risk in generating, storing, and using passwords. Though, as I said earlier, these digital keys will be around for the foreseeable future, so why not give my method a go?
Take the chance to draw on the creativity of others so you can get creative yourself — only with passwords, which are undoubtedly just as exciting as poetry and music, right? Wooo, internet security — fun fun fun!