One of the most important things to keep yourself safe online is having strong passwords. Created by using various methods, a hard to crack password should include everything from numbers to alphabets and special characters arranged in such a way that it’s simple for you but unimaginable for others.
Keeping strong passwords wasn’t a thing if we would go back a decade or more. Back then, few people had the internet access and even fewer had online accounts on various portals. Even if we consider offline passwords, cracking it required physical access to the machine. In most cases, it was an opportunity with very fewer chances of success.
Flash forward to 2017, someone with an idea of your online password could damage you in unimaginable ways. We have seen people losing tons of cash from their bank accounts, getting embarrassed on social media platforms, and whatnot!
Various hacking and social engineering techniques have allowed crackers to trick people into giving their passwords, and eventually, a pass to harm their digital self. Still, 123456 was the most popular password for the year 2016.
Creating a secure password that’s hard to crack is a necessity in today’s time. You might have realized it by now because various online services don’t allow people to use simple passwords including PII (Personally Identifiable Information) and general dictionary terms which are easily discernable for password cracking tools.
Here is the recipe to create secure password
As always, let’s start with the basic things we need to create a strong password that has enough length, which is hard to guess for others, and above all, it should be super easy to remember.
Start with the alphabets
The first thing you require for your password is its basic structure. Start by writing a set of letters. I have already mentioned that it shouldn’t constitute any word from the dictionary or some other known word, like the name of some family member.
You can try to merge two words and create something unrecognizable. For instance, take sarcasm and opportunity and make it sarcasinity.
Now, add the numbers
Don’t include your birth date or phone numbers. For every person, there could be a sequence of numbers he or she can easily recall without putting much pressure on their brain. Try to mix the alphabets and numbers, instead of putting them side by side.
Add a pinch of special characters
Putting special characters like $,#,&, etc. in your password would be a wise move. If efficiently used, it could make your password almost impossible to crack, unless, you have the habit of telling your passwords to your friends.
Uppercase and lowercase
Don’t forget to make at least one of the letters uppercase while thinking about your super strong password. The same goes for lowercase, in case, your password is all uppercase. Other than making it tougher to crack, it also fulfills the password requirements of various online services.
What should be the ideal length?
Well, it’s totally up to you. But it’s advised to keep the length between 12 to 20 characters. I am suggesting a maximum of 20 characters because some websites have an upper limit on the number of characters.
Extra tip – random password generator
It might be possible that some people would find it hard to come up with unique passwords. You can head over to the web and use some random password generator. A reliable one might be able to give you a robust (but hard to remember) password.
Don’t be predictable
Many of the best practices and strong password tips have been derived from a “NIST Special Publication 800-63. Appendix A,” authored by Bill Burr in 2003. His document became a one-stop password guide for governmental bodies and academic institutions.
Years down the line, recently, talking to WSJ (via The Verge), Burr said that his suggestion for making special character replacements might have misguided people actually to create simpler passwords than expected.
It’s not the case that his tips are wrong in any sense, after all, they have managed to survive for almost 15 years. But it’s the password creation habits developed by many people which lead to easier passwords that are too hard for humans but not for the hackers.
For instance, if one has to change the word “password” into its tougher version, one of most replacements in many cases would be [email protected]$$W0rd1!
People who commit cyber crimes have also become advanced and tried to analyze the patterns used by individuals. In contrast, if you use a combination of multiple random words, it would take hundreds of years to guess such a password in comparison to something that’s used widely. So, the goal here is to be as random as possible and stay aside from the common herd.
“Through 20 years of effort, we have correctly trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess,” says the comic xkcd published by Randall Munroe in 2011. The illustration takes a dig at the shortcomings of substitution habits while choosing passwords.
As confirmed by security experts, it would take around 500 years to guess the phrase correct horse battery staple. What’s more is that it is quite easy to remember.
Further, Burr suggests that people should change their passwords every 90 days. But wait, isn’t it more than a year ago since we last changed our digital keys? What’s more important is how to modify the password. Changing [email protected]$$W0rd1! to [email protected]$$W0rd2! won’t do the job. Also, we are too lazy to come up with entirely new options.
In June 2017, Paul Grassi published new NIST standards which take a different approach than the one advised by Burr. However, according to Gracci, Burr is downplaying his password tips. “He wrote a security document that held up for 10 to 15 years. I only hope to be able to have a document hold up that long.”
The new standards emphasize that random long easy-to-remember phrases are more complex to decode than easily guessable characters. Also, it suggests changing passwords only if there is a possibility that they are compromised.
What do the experts say?
Several years ago, a method was proposed by Bruce Schneier, a security researcher, which involves turning general sentences into passwords. His method can still get a password strong enough for most password cracking systems.
Sentences shouldn’t be much general, Schneier has warned that hackers tend to use a combination of dictionary words and they might end up getting yours. The twist here is to cut the sentences short, so they aren’t recognizable after adding stuff like numbers and symbols.
Here are some examples:
My secret Santa is hiding in the closet: [email protected]$
Oh! My God, John, Did you try to steal my dog?: O#!MyGJhn…..D!DuTr2$tlMDogo?
PAO (Person-Action-Object) is a memorization technique primarily used to remember decks of cards and long random number strings. The researchers at the Carnegie Mellon University concluded that the same could be used to create strong passwords and remember them.
The method goes as follows: take the photo of a person, a place you like, and think of an action that person is doing at that location. For instance, let the person be Tony Stark, the place is Central Park, and action is flying the suit.
So, the sentence would become: Tony Stark is flying his suit over the Central Park.
Shrink the sentence down by including initial characters of every word.
Now, this is a 16 character strong password that you can further improve by adding numbers and special characters if you want.
Remembering these visual scenarios can help you create secure passwords than only using random letters and figures. Moreover, it would be hard for other people to make rough guesses.
You can also combine multiple scenarios in one password. The whole point of this method is that humans tend to remember visual references better.
Another recipe to prepare a hard to guess password is to create a phrase out of unrelated words – it’s commonly known as a Passphrase.
For instance, you can pick up some random words, like:
Sam dakota scarcity glued numbers might fortune sprinkle some poor mud night
Make sure that the word arrangement is total nonsense, not picked up from an existing piece of text. Modern password crackers do consider dictionary words, but a pass phrase of this length, maybe 12 or more words, would take ages to break down.
How to deal with tons of passwords I have?
Practically speaking, remembering all the passwords is a bigger problem than creating a strong and uncrackable password. Because, in the age of the internet, one doesn’t even know how many accounts he or she has opened.
There can be a couple of ways which can help you manage passwords for dozens of accounts and apps you have.
Use a password manager
Password management apps like LastPass, DashLane, TrueKey, iCloud Keychain, etc. could be the easiest ways to remember passwords. Because you don’t have to remember all of them but one master password, the software does the rest.
The login credentials you give to such apps are cryptographically signed before getting saved in the app’s database. You can throw almost any type of password, it doesn’t matter, how tough it is.
Many web browsers have an option to save passwords and credit card details. For instance, in the case of Google Chrome, the details are encrypted and tied to your Google account. So, your passwords go along if you set up Chrome on a new device.
Tip: Don’t use password management apps for the passwords you want to remember. Type the passwords whenever required so that you get the same by heart and recall it even while you’re asleep.
Split your passwords into levels
You might be overwhelmed with the ease offered by the password managers. But the hard truth is that you tend to depend on these apps, and it’s pretty hard to recall password on a new device, in case, you don’t have access to your password manager.
Why don’t you divide your passwords into levels? Let’s say you need passwords for 30 different websites, tools, bank accounts, etc. It won’t be the case that all of these passwords should be fool-proof.
The account you created on a casual gaming website, online radio portal, or some other thing that doesn’t matter enough can fall into level 1. And if you’re comfortable, you can use the same password across such services and apps. You can give the task of handling less important digital keys to the password management apps.
Now, level 2 can include accounts for websites like Facebook, Twitter, Instagram, LinkedIn, etc. Also, services for ordering meals, subscription services, cab services, and others that store your payment details.
The password for the services in level 2 could be similar but with an unpredictable variation, maybe a couple of letters or numbers in such a way that you can remember which password belongs to which service.
This level is for the most important passwords you have, mainly the ones related to your internet banking accounts. These passwords shouldn’t resemble with any of your other passwords. And it’s highly recommended not use remembering apps for such passwords or write them somewhere.
So, after all of this, you might end up with around five or six passwords to remember which I guess won’t be a tough job. At least, you don’t depend on some technology to remember the digital keys for you.
There is another thing that could make your life easier. Limit the number of email IDs you use to sign-up for online accounts. On an average, two emails would be enough, one for casual accounts and another for important ones.
Did you find this post on making strong passwords helpful? If there is anything you would like to add, Drop a line.