How to create strong passwords and have secure accounts [Tip]
October 28, 2012
It seems like with the increasing level of access to technology on a global scale, there are increasing numbers of scam artists, hackers, pricks, punks, assholes, scumbags, etc. that try to find ways to make everyone’s digital life a bigger pain than it needs to be. There are many ways to fight scumbagism, but most of them are so complex and unrealistic that most of us simply ignore them. So, I have decided to write up this article listing five simple-ish rules one can follow to have strong passwords and secure accounts. Living your digital life by the following five rules will not guarantee you are hacker proof, but it does greatly reduce the likelihood of your accounts being hacked.
Make your passwords long
Remember back in grade school math class when you studied permutations? Remember how adding an extra digit to a number (e.g. going from four digits to five digits) greatly increased the number of possible permutations of that number? Yeah, well, they didn’t just teach that in school to torture us; permutations have a real-life application.
You see, most websites store passwords in an encrypted format, so anyone who gets hold of a website’s password database can’t simply read everyone’s passwords. When this happens (when a scumbag can’t break the password encryption) they apply a technique called a brute force attack to try to hack your passwords. (A brute force attack does not require a scumbag to have the password database; it can be used at any time with or without the database. However, most websites have anti-brute force security measures in place that temporarily block access to an account if someone fails to log in too many times in a short time period.) A brute force attack is the process of systematically trying password combinations until the correct password is found. There are two viable defenses that help protect against a brute force attack: one of them is password length (the other is password complexity; see the next tip). The longer your password, the harder it is for a hacker to get it using brute force, simply because the hacker has to try a greater number of possible passwords.
That said, exactly how long should your passwords be? Current industry standards say at least eight characters. However, personally, I recommend twelve characters or higher. Why? One word: Graphics. In a study conducted by Georgia Tech earlier this year, researchers were able to crack eight character passwords using graphic cards in two hours. Cracking twelve character passwords, on the other hand, was estimated to take over 17,000 years. Two hours vs seventeen thousand years, hmmm….
Now, does that mean all hackers have the capability to crack eight character passwords in two hours? No. It takes a certain level of sophistication and technology to do what the Georgia Tech researchers did, and the average wannabe hacker isn’t at that level. However, it just goes to show you how important password length is.
Make your passwords complex
Building on the same idea of making passwords long, passwords should also be complex. By “complex” I mean passwords should not just be lowercase letters and numbers. You should incorporate special characters (e.g. !, ?, @, #, $, %, ., *, etc.) and uppercase letters (when supported; not all websites support case-sensitive passwords) in your passwords. Think about it. If you use only lowercase letters and numbers, there are thirty-six possible characters your password can be composed of (assuming you are using the English alphabet). In other words, there are 2,821,109,907,456 possible permutations if your password is eight characters long. Once you start mixing in uppercase letters, the number jumps up to 218,340,105,584,896. The number of possible passwords skyrockets even higher once you add in special characters.
Using special characters and uppercase letters is not as complicated as it sounds. All you need to do is go through your password and replace letters with similar special characters and make some lowercase letters uppercase. For example, if your password is bullseyeathome you can make that password a lot stronger by using bu1L$eye@th*me. Not too hard to remember, is it?
Furthermore, having complex passwords is not only about using a mix of lowercase letters, uppercase letters, numbers, and special characters. Complexity of a password also includes avoiding real words and popular phrases. Cracking a password composed of real words or popular phrases is very easy using a dictionary attack. So instead of using real words or popular phrases, make up your own words or phrases. That does not mean your password can contain no real words or popular phrases. Rather, it means your password should not consist entirely of real words or popular phrases; throw in one or two figments of your imagination.
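To make the arithmetic behind the last two tips concrete, here is an added Python example (not from the original article) that reproduces the keyspace figures quoted above, converts alphabet size into bits of entropy per character, and scales the Georgia Tech two-hour figure from eight to twelve characters; the 94-character alphabet is my assumption for “letters, numbers, and special characters”.

```python
import math

# Alphabet sizes used in the article's arithmetic (constructed assumption:
# "special characters" means the 32 printable ASCII punctuation characters,
# giving 26 + 26 + 10 + 32 = 94).
LOWER_DIGITS = 36
LOWER_UPPER_DIGITS = 62
PRINTABLE_ASCII = 94


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def bits_per_char(alphabet_size: int) -> float:
    """Entropy contributed by one character drawn uniformly from the alphabet."""
    return math.log2(alphabet_size)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Total entropy of a uniformly random password of this length."""
    return length * bits_per_char(alphabet_size)


def equivalent_length(small_alphabet: int, large_alphabet: int, length: int) -> float:
    """How long a password from the smaller alphabet must be to match the
    entropy of a `length`-character password from the larger alphabet."""
    return entropy_bits(large_alphabet, length) / bits_per_char(small_alphabet)


def scale_crack_hours(hours: float, from_len: int, to_len: int, alphabet_size: int) -> float:
    """Given the hours needed to exhaust every password of `from_len` characters,
    return the hours needed at the same guess rate for `to_len` characters.
    Each extra character multiplies the keyspace by the alphabet size."""
    return hours * alphabet_size ** (to_len - from_len)


def hours_to_years(hours: float) -> float:
    return hours / (24 * 365.25)


if __name__ == "__main__":
    print(f"36^8 = {keyspace(LOWER_DIGITS, 8):,}")
    print(f"62^8 = {keyspace(LOWER_UPPER_DIGITS, 8):,}")
    print(f"94^8 = {keyspace(PRINTABLE_ASCII, 8):,}")
    print(f"bits/char: 62 -> {bits_per_char(62):.2f}, 94 -> {bits_per_char(94):.2f}")
    print(f"10 chars from 94 ~ {equivalent_length(62, 94, 10):.1f} chars from 62")
    # Take the article's "8 characters in 2 hours" as the baseline guess rate
    # and scale it to 12 characters over the full printable ASCII alphabet.
    years = hours_to_years(scale_crack_hours(2, 8, 12, PRINTABLE_ASCII))
    print(f"12 chars at the same rate: ~{years:,.0f} years")
```

Scaling the two-hour figure by 94^4 lands at roughly 17,800 years, which is where the article’s “over 17,000 years” comes from.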
Have tiered passwords
Experts tell us we should have a different password for each and every login. While that is sound advice, even with a password manager it is insanity; who in their right mind could possibly have a different password for every single login? If you can successfully manage different passwords for every login you have, kudos to you. However, for the rest of us normal people, a doable alternative to having different passwords for each login is having tiered passwords.
Tiered passwords are a simple idea: have a different password for each “group” of logins you have. For example, let’s say you have a login for your bank account, your main e-mail, a spam e-mail, and three websites you visit often. Applying the concept of tiered passwords, you may use one password for the bank account, one password for your main e-mail, and one password for the spam e-mail and website logins. Of course the split doesn’t have to be exactly that; it is up to you to decide the importance of each login and how you want to categorize it. The overall goal is not to make sure X type of login gets X password; rather, the goal is to make sure your high importance passwords stay different from your low importance passwords, so that if a low importance password ever gets compromised, you don’t have to worry about the high importance ones.
From a pure security standpoint, having tiered passwords is not as secure as having a different password for each login. However, it is a doable derivative that serves as a good compromise between the two extremes of using the same password for all logins and using a different password for all logins.
Your username/login name is a security tool too!
When you log in somewhere, are you ever allowed to log in using just your password? Nope; you always need an accompanying username or login name (sometimes it is your e-mail address). So, then, why would you want to share that username/login name with someone else? Sure, a username/login name may not be as big of a secret as your password, but to get into an account both a username/login and a password are required. Without one, the other is useless. Think about it this way. Your username is the door-handle lock on your front door while the password is the deadbolt. Anyone trying to get inside your home has to get past both the door-handle lock and the deadbolt; the deadbolt may be the one that is harder to break, but the door-handle lock nonetheless still plays a role in securing your home. So keep your usernames/login names secret! Of course this isn’t always possible; sometimes your username/login name is publicly displayed, such as on a website forum. However, when it is possible, you should be very frugal about giving out your username/login name because, as I already mentioned a couple of times, without knowing your username/login name, a hacker cannot get into your account, even if they know your password.
Avoid similarities between username and password
While this may seem like a no-brainer, it is surprising how many people use their username (or a variant of their username) as their password. You should never, ever use your username (or a variant of your username) as your password. The username and password should be kept as different as possible, preferably 100% different. This way, if a hacker finds out your username or password, they can’t use it to help them determine the other missing piece.
Conclusion
Life would be grand if we didn’t have punks trying to access our accounts – either for fun or malicious purposes or whatever; but that just isn’t how it is. So, please, do yourself a favor and use strong passwords in order to keep your accounts secure.
Have any advice on how to have strong passwords and secure accounts? Share with us in the comments below!
Originally posted December 13, 2010.
I use XMarks to sync bookmarks and passwords. It works over the cloud and cross-platforms.
Someone on one of the GotD Forums recommends the free version of Access Manager: http://www.accessmanager.co.uk/. It looks to offer a very comprehensive set of options, and I’ve added it to my list to try.
Ha! I just realized something: a few days after publishing “how to make strong passwords”, you post (I post) “how to crack passwords”.
I disagree with some of what Ashraf has said.
My advice is to get a password manager and set one kick-ass password to unlock it. This is where you want to go all out on a long, random looking password, or a longer pass phrase. I use the donation-ware Keepass, but there are dozens of free and commercial password managers out there.
Next, computing platform permitting, get the PasswordMaker add-on to Firefox to manufacture your passwords. There is also a simple Windows stand-alone version for the desktop, in case you can’t use Firefox.
Set PasswordMaker to the Lowercase-Uppercase-Numbers character set and use the same password as for your password manager to keep things simple (optional).
My reason for not using special characters is that some web sites won’t allow them and banking sites are often the worst. The reduced character set is equivalent to 6 bits per character and adding special characters adds just 0.6 bits more to that, so adding one more character for every 10 in your password is enough to compensate.
The advantage of PasswordMaker is that it creates random looking passwords via hashing your password with the website address, but you can recreate them at any time if you are away from your password database. This may also be useful if you wish to switch to a different password manager. I don’t believe this is any less safe than using fully randomized password creation, providing your master password is a good one.
Once you are using a password manager, there is no difficulty in using a different password for every account, the software memorises it for you.
Lastly backup, backup, backup your database. Store one or more copies off-site at a relative’s place or in the cloud. It doesn’t matter if they fall into “enemy hands” as they are encrypted by your master password. Bruce Schneier recommends writing your master password down just in case. He keeps his in his wallet. You could obfuscate the written version if security worries you.
Store a copy of the master password with instructions with your will at your lawyer’s office. If you’re hit by a truck, this could make it much easier for your loved ones to clean up your affairs.
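The hash-based scheme the comment above describes, as an added illustration (not PasswordMaker’s own code or algorithm): one master password plus the site name deterministically yields a per-site password over the commenter’s 62-character set, recreatable anywhere without the password database. PBKDF2-HMAC-SHA256 with 200,000 iterations, the rotation counter and the hostname normalisation are my assumptions.

```python
import hashlib
import string

# The commenter's "Lowercase-Uppercase-Numbers" set: 62 symbols, nothing a
# picky banking site is likely to reject.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits


def derive_site_password(master: str, site: str, length: int = 16,
                         counter: int = 1, alphabet: str = ALPHABET) -> str:
    """Deterministically derive a per-site password from one master password.

    The site name (plus a rotation counter) is the salt, so the same master
    yields a different password for every site, and the same site yields the
    same password every time, with no database to carry around.
    PBKDF2 is an assumption for illustration; it is not PasswordMaker's algorithm.
    """
    salt = f"{site.strip().lower()}|{counter}".encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                                 iterations=200_000, dklen=64)
    # Treat the 512-bit digest as one big integer and peel off base-62 digits.
    # 512 bits for ~95 bits of output leaves a negligible modulo bias.
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


def rotate(master: str, site: str, old_counter: int, **kw) -> str:
    """Changing a site's password is just the next counter value; the master
    password itself never has to change."""
    return derive_site_password(master, site, counter=old_counter + 1, **kw)


if __name__ == "__main__":
    # Constructed demo values; a real master should be a long phrase.
    master = "constructed demo master phrase, not for real use"
    for site in ("bank.example", "mail.example", "forum.example"):
        print(f"{site:15} {derive_site_password(master, site)}")
    print("forum.example after rotation:", rotate(master, "forum.example", 1))
```

As the commenter notes, everything still hinges on the master password: whoever learns it can regenerate every site password, and a site password can only be changed by remembering which counter value is current.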
Hello,
Well, I simply want to offer some hints;
1) Never use just (1) password generator.
2) Steer away from using online password generators.
3) Periodically change-up your passwords; you determine the time interval.
4) Unless absolutely necessary, do not use just letters, numbers, upper/lower casing but symbols of various kinds if you can.
5) Make passwords lengthy; say between 15/17 to 20/25 characters. I mean not too long that you go ballistic or blind.
6) Never keep data like passwords stored on your internal hard-drive.
7) Keep passwords stored on portable devices like a flash drive/thumb drive, CD (RW) or an external hard-drive.
8) If that is not good enough, I print out hard-copies of my passwords and tuck them away for safe keeping. Sometimes I keep multiple copies. Whenever I make any changes and/or additions, I simply do what I have got to do. Hey, some things take a little work.
9) Maybe you want to consider keeping passwords stored on your smart phone/cell phone; with encryption of course.
10) I always keep my many passwords stored away in my wallet.
11) There are (3) words I want you to remember; “LENGTHY, DIVERSE & ENCRYPTION”!!!
12) I would suggest you get the best internet security program you can get; hint; I do not; have not nor will not pay for an “Internet Security Suite” package when I know what I know. Believe me, knowledge is precious and expensive; and wise are the people who possess it. I know where to go to get it. If you are smart, you will not have to pay a dime for this type of software. A little word of advice; “KEEP YOUR EYES OPEN”. There is much treasure found in these (3) little words; “FREEBIES, GIVEAWAYS & PROMOTIONALS”. But, I will not disclose to any of you where I navigate to regarding this matter. That is my secret! But, by now you should have somewhat of an idea of at least (1) site I am acquainted with.
13) I always make it a habit to store & save (2) things on a CD for archival purposes; “Registration codes/licenses & software installers”. When it comes to security of this type, it can really help somewhere down the road if disaster strikes.
14) You might want to keep in mind, these (2) names; “STEGANOS SS 12 & STICKY PASSWORD”!!!
Have a wonderful New Year!!!
:) I use Sticky Password for any online logins required but to open my computer or sticky password itself I use a fingerprint scanner. It came built into the computer. There is a master password of course, which I can remember easily but uses some of the tricks mentioned above. Since I never actually enter it though, it’s relatively hard for someone to discover.
One trick I used with my nephews, when they were grounded from the computer. I took a bonus card out of my wallet and used initials for the store plus the last 8 digits of the card code. Substituting special characters as described above. That way I had a perfectly camouflaged copy of the password in my wallet. Nobody knew that I did it that way let alone which card I used. Their computer accounts have limited privileges anyway and I was only locking them out of it until they were ungrounded.
I think people should use their strengths with passwords, and not play to the weaknesses of technology by using more complicated technology. Get a system, and keep to it. For example, if you can easily recall movies, use movies:
eg – gonewiththewind1956
hint – I dont give a damn
if you can easily recall sports, use sports
eg – camesecondin1996superbowl-PittsburghSteelers
hint – lost the ‘eat my hat’ bet
if you can easily recall phone numbers, use phone numbers
eg – terry+44915462251mobile
hint – he broke my favourite golf club
if you can easily recall cars, use cars
eg – chryslerdodge1988rustbucket
hint – first car
You remember in human terms what, when combined, is terribly difficult to guess in computer terms.
Simple is good.
Ciao.
T
To create very strong passwords, just use one of these great FREE tools:
http://www.softpedia.com/get/Security/Security-Related/JHashPassword.shtml
http://pwgen-win.sourceforge.net/
http://www.softpedia.com/get/Security/Password-Managers-Generators/PC-Tools-Password-Utilities.shtml
http://www.softpedia.com/get/Security/Password-Managers-Generators/Iobit-Random-Password-Generator.shtml
http://www.zsoft.dk/index/software_details/3
http://www.softpedia.com/get/Security/Security-Related/Bruter.shtml
See also:
http://lifehacker.com/5879117/how-to-build-a-nearly-hack+proof-password-system-with-lastpass-and-a-thumb-drive?utm_source=Lifehacker+Newsletter&utm_campaign=5b0b3cbd5e-UA-142218-1&utm_medium=email
Enjoy!!
As Ashraf pointed out, make your critical passwords, that is, your bank account (this always should be the only time & place you use this specific password) at least 12 characters (actually my studies show 9 characters using a ‘nonexisting-word’ with a mixture of upper & lower & special characters and number to be a solid and brute force unbreakable password). Use KeyWallet (the best & most convenient password manager I’ve tried, amongst all the other popular and also lesser known ones, after more than a decade I still use it) & make that your critical password nr 2 to remember, different from your banking password, which is the one password which should not even be inside your password manager. Inside KeyWallet you can go berserker when setting passwords, for you don’t need to remember any of them — and it allows you to backup your passwords in a KeyWallet backup file (obviously solidly encrypted) which is cleverly exported and imported out of and into KeyWallet, without any other program being able to read the KW backup file.
Since you like xkcd comics: http://xkcd.com/936/
…bullseyeathome…
What the?! O.O
Ashraf you total hacker! You hacked and publicly posted my password! >: (
Naw, just kidding man. : )
Great article though.
I use LastPass to generate 25+ character passwords for my logins, and my master password is much longer. Yeah, sounds difficult to remember, but it’s something that I will never forget bar having amnesia. Even then I have something physical to point me in the right direction.
1. Portable Extreme Password Generator Pro 1.5 (free program).
2. Store passwords on word-processor page, > on thumbdrive (+2nd>backup)
3. Enter passwords by ‘drag and drop’, not keystrokes. (Why? Keyloggers).
4. Unplug thumbdrive from computer when not using (passwords).
5. Passwords of 20 characters minimum length. (Longer = better).
6. Change all passwords every couple months (even WiFi) see #1 above.
7. ‘Do Not’ open an unknown senders email, no matter what it says or claims.
8. Store security items and photos on removable disc or thumbdrive(s).
9. Home WiFi min.: WPA2. ‘All’ public HotSpots are (easy to) “Open to public”.