How to create strong passwords and have secure accounts [Tip]
October 28, 2012
It seems like with the increasing level of access to technology on a global scale, there are increasing numbers of scam artists, hackers, pricks, punks, assholes, scumbags, etc. that try to find ways to make everyone’s digital life a bigger pain than it needs to be. There are many ways to fight scumbagism, but most of these ways are so complex and unrealistic that most of us simply ignore them. So, I have decided to write up this article listing five simple-ish rules one can follow to have strong passwords and secure accounts. Living your digital life by the following five rules will not guarantee you are hacker proof, but it does greatly mitigate the likelihood of your accounts being hacked.
Make your passwords long
Remember back in grade school math class when you studied permutations? Remember how adding an extra digit to a number (i.e. going from four digits to five digits) greatly increased the amount of possible permutations of that number? Yeah, well, they didn’t just teach that in school to torture us; permutations have a real-life application.
You see, most websites store passwords in an encrypted format; anyone who gets hold of the password database of a website can’t simply read everyone’s passwords. When this happens (when a scumbag can’t break the password encryption) they apply a technique called a brute force attack to try to hack your passwords. (A brute force attack does not require a scumbag to have the password database; it can be used at any time, with or without the database. However, most websites have anti-brute-force security measures in place that temporarily block access to an account if someone fails to log in too many times in a short time period.) A brute force attack is the process of systematically trying password combinations until the correct password is found. There are two viable defenses that help protect against a brute force attack; one of them is password length (the other is password complexity – see the next tip). The longer your password, the harder it is for a hacker to get your password using brute force, simply because the hacker has to try a greater number of possible passwords.
That said, exactly how long should your passwords be? Current industry standards say at least eight characters. However, personally, I recommend twelve characters or higher. Why? One word: Graphics. In a study conducted by Georgia Tech earlier this year, researchers were able to crack eight character passwords using graphic cards in two hours. Cracking twelve character passwords, on the other hand, was estimated to take over 17,000 years. Two hours vs seventeen thousand years, hmmm….
Now, does that mean all hackers will have the capability to crack eight character passwords in two hours? No. It takes a certain level of sophistication and technology to be able to do what the Georgia Tech researchers did, and the average wannabe hacker isn’t at that level of sophistication. However, it just goes to show you how important password length is.
Make your passwords complex
Building on the same idea of making passwords long, passwords should be complex. By “complex” I mean passwords should not be just lowercase letters and numbers. You should incorporate special characters (e.g. !, ?, @, #, $, %, ., *, etc.) and uppercase letters (when supported – not all websites support case-sensitive passwords) in your passwords. Think about it. If you use only lowercase letters and numbers, there are thirty-six possible characters your passwords can be comprised of (assuming you are using the English alphabet). In other words, there are 2,821,109,907,456 possible permutations if your password is eight characters long. Once you start mixing in uppercase letters, the number jumps up to 218,340,105,584,896. The number of possible passwords skyrockets even higher once you add in special characters.
Using special characters and uppercase letters is not as complicated as it sounds. All you need to do is go through your password, replace letters with similar-looking special characters, and make some lowercase letters uppercase. For example, if your password is bullseyeathome, you can make that password a lot stronger by using bu1L$eye@th*me. Not too hard to remember, is it?
Furthermore, having complex passwords is not only making sure you use a mix of lowercase letters, uppercase letters, numbers, and special characters. Complexity of a password also includes avoiding real words and popular phrases. Cracking a password comprised of real words or popular phrases is very easy using a dictionary attack. So instead of using real words or popular phrases, make up your own words or phrases. That does not mean your password can contain no real words or popular phrases. Rather, it means your password should not be all real words or popular phrases – throw in one or two figments of your imagination.
Have tiered passwords
Experts tell us we should have a different password for each and every login. While that is sound advice, even with a password manager it is insanity; who in their right mind could possibly have a different password for every single login? If you can successfully manage different passwords for every login you have, kudos to you. However, for the rest of us normal people, a doable alternative to having different passwords for each login is having tiered passwords.
Tiered passwords are a simple idea: have a different password for each “group” of logins you have. For example, let’s say you have a login for your bank account, your main e-mail, a spam e-mail, and three websites you visit often. Applying the concept of tiered passwords, you may use one password for the bank account, one password for your main e-mail, and one password for the spam e-mail and website logins. Of course the split doesn’t have to be exactly that; it is up to you to decide the importance of each login and how you want to categorize it. The overall goal is not to make sure X type of login gets X password; rather, the goal is to make sure your high importance passwords stay different from low importance passwords, so if a low importance password ever gets compromised, you don’t have to worry about the high importance ones.
From a pure security standpoint, having tiered passwords is not as secure as having a different password for each login. However, it is a doable derivative that serves as a good compromise between the two extremes of using the same password for all logins and using a different password for all logins.
Your username/login name is a security tool too!
When you login somewhere, are you ever allowed to login using just your password? Nope – you always need an accompanying username or login name (sometimes it is your e-mail address). So, then, why would you want to share that username/login name with someone else? Sure a username/login name may not be as big of a secret as your password, but to get into an account both a username/login and a password are required. Without one, the other is useless. Think about it this way. Your username is the door-handle lock on your front door while the password is the deadbolt. Anyone trying to get inside your home has to get past both the door-handle lock and the deadbolt; the deadbolt may be the one that is harder to break, but the door-handle lock nonetheless still plays a role in securing your home. So keep your usernames/login names secret! Of course this isn’t always possible; sometimes your username/login name is publicly displayed… such as on a website forum. However, when it is possible, you should be very frugal about giving out your username/login name because, as I already mentioned a couple of times, without knowing your username/login name, a hacker cannot get into your account… even if they know your password.
Avoid similarities between username and password
While this may seem like a no-brainer, it is surprising how many people use their username (or a variant of their username) as their password. You should never, ever use your username (or a variant of your username) as your password. The username and password should be kept as different as possible – preferably 100% different. This way, if a hacker finds out your username or password, they can’t use it to help them determine the other missing piece.
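As an added worked example (not code from the article), here is the keyspace arithmetic behind the “long” and “complex” tips together with the username check from this tip, in Python. The 36-symbol and 62-symbol pools reproduce the article’s own figures; the 32-symbol special-character set, the one-billion-guesses-per-second rate and the sample passwords are assumptions made for the example.

```python
"""Keyspace arithmetic for the length/complexity tips plus the username check.

Added example; the guess rate and the special-character set are assumptions,
not figures from the article.
"""
import string

# Character classes. string.punctuation has 32 symbols; that is the assumed
# size of the "special characters" pool. Lowercase + digits = 36, adding
# uppercase gives 62, matching the counts in the article.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def pool_size(password: str) -> int:
    """Alphabet size an attacker must cover, based on the classes actually used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of this length drawn from the same alphabet."""
    return pool_size(password) ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at the given (assumed) rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


def embeds_username(password: str, username: str) -> bool:
    """Last tip: the username (forwards or reversed, any case) must not appear."""
    p, u = password.lower(), username.lower()
    return len(u) >= 3 and (u in p or u[::-1] in p)


if __name__ == "__main__":
    RATE = 1e9  # constructed assumption: one billion guesses per second
    # Constructed samples: the article's bullseye example, short and long forms.
    for pw in ("bullseye", "bu1L$eye", "bullseyeathome", "bu1L$eye@th*me"):
        print(f"{pw:16} pool={pool_size(pw):3} keyspace={keyspace(pw):.3e} "
              f"years@1e9/s={years_to_exhaust(pw, RATE):.2e}")
    # Length beats class-mixing: 12 lowercase+digits outnumber 8 mixed-case.
    print(keyspace("abcdefg1abcd") > keyspace("abcdefG1"))
    print(embeds_username("bullseye2012", "bullseye"))
```

Run it and compare the 8-character lowercase+digit row against the 12-character one: the longer, simpler password has the larger keyspace, which is the point of the author’s twelve-character recommendation.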
Conclusion
Life would be grand if we didn’t have punks trying to access our accounts – either for fun or malicious purposes or whatever; but that just isn’t how it is. So, please, do yourself a favor and use strong passwords in order to keep your accounts secure.
Have any advice on how to have strong passwords and secure accounts? Share with us in the comments below!
Originally posted December 13, 2010.
Great advice!!
I’ve personally given up on trying to remember passwords and usernames. I’ve been using Roboform for a while now and I like it. I have the app installed on my personal laptop, but use the bookmarklet for my browser at work. The bookmarklet is secured by a Roboform online userid/password and I still have to enter my master password to access any logins.
It works great. And for the installed version at home, even if you go directly to the website and try to just type in the password, it doesn’t work unless you enter the master password.
And it has a password generator where you set the length, and complexity. So I have lots of 15 character passwords with upper/lower, numbers and special characters and I only have 1 (or 2 if using the bookmarklet) passwords to remember.
@karen: Roboform Pro FTW! I use it and love it, too. I am actually trying to see if I can get SiberSystems to run a promotion of it on dotTech so everyone can experience Roboform-goodness.
The only problem with using Roboform (or any password manager) to generate complex passwords and remember them for you is when you don’t have access to the password manager (which is a possibility, regardless of how integrated, connected, and cross-platform the managers may be) you are SOL. Then again, nothing is perfect.
Karen are you using the new v7? I am debating if I should pay to upgrade to it or not.
I’m guessing this post is a result of the recent Gawker attack? Can’t imagine the mess they’re going through right now. I’m quite surprised that such a large organization would have such a big loophole in their security system (or these hackers really know their stuff). This goes to show how cloud-computing can become disastrous because of the bad guys out there.
@Jyo: Well, I have been meaning to write such an article for a while, but yes, the Gawker breach is what has finally forced me to sit down and write this.
Nothing is hacker proof. As lame as it may sound, where there is a will there is a way.
Firefox manages passwords just fine for me, thanks.
Also: here’s a really good example of a secure password.
penGAW:ads3
It’s my old Gizmodo/Lifehacker password. (Of course, I have a new one now. :P) Notice how it has a special character, a number, and several capitals.
Learn from when I used to use the same one password on all accounts people!
@Ashraf:
I too love RB; free updates for life if paying, so just click on the icon in the taskbar to update for free. Free 30 day trial, but after that you have to only use 10, so could use for banking and a few more sites for free. Only 29.99, but has a coupon on Steve Bass newsletter, 10% off.
@Locutus: Did you think of that password yourself? I am impressed =P
@Greg Bern: RoboForm Pro doesn’t have free updates for life – you need to pay for major upgrades. RoboForm Free does, of course, but that only allows you to store 10 logins and that just isn’t enough for me.
$29.99 indeed isn’t a lot considering how useful the tool is. However, if upgrading, you can get it for $19.99 so no need for Steve’s coupon. Or, you could use LastPass.
Thanks for the article Ashraf
I use KeePass as my password manager (http://keepass.info/)
It has a generate feature for password and auto-type to fill in the login form on a web page
It also has an “auto-type window” feature which allows you to specify a browser title (or part of the title) so that keepass can recognise the website you’re on and insert the correct username and password when you hit a hotkey combination
To solve the problem of not having the passwords when you’re not on your computer, I have KeePassMobile on my phone (http://keepassmobile.com/). It is written in J2ME so runs on most phones that support Java. All I need to do is copy the KeePass file from my PC to the phone to allow me to read my password file on my phone. So just one password to remember for the software.
And yes I now have a different password for every login
Roboform is what I came to use when I finally realized I could not remember all those cute password names.
I never have regretted it. Tried the freeware ones like KeePass and LastPass but keep going back to Roboform.
A small but (for me) very useful aid to remembering passwords, is that a phrase can be a mnemonic for remembering a password, and the phrase is easier to remember. For example, “Four Score and Ten Years Ago” yields the password fsatya. This can be improved in ways given above.
Another gimmick is that rather than remembering a secure and highly scrambled password, I find it easier to remember a simple password plus a simple algorithm for altering it. For example, the highly insecure password “redmaledeer” can become “sggqfrllnoc”. It is left as an exercise for the student to figure out what the algorithm was. It’s actually simple.
Ashraf,
Good information.
Just one little comment on the last paragraph: “Life would be grand if we didn’t have punks trying to access our accounts.”
Nowadays, the real trouble is not some punk in Mommie’s basement, but professional programmers working for organized crime. It’s a huge and immensely profitable business.
Hi Ashraf and all
Creating strong and long passwords that are easy to remember is quite simple and you can do it without having to write them all down.
All it takes is a Personally Adjustable Method or a “PAM”.
In a PAM you choose a set of numbers, a set of characters, a reason or use of the password, a name and/or a place where you are using it and a capital letter or two.
For example if I take someone’s birth date as 28th December 1957
(preferably use someone else’s and not your own
even though it is very easy for each of us to remember our own
or pick some special date for you like 4th July the year your first child was born etc).
In numbers this is 28121957 which is already an 8 character length password
and depending on the choice of the person it can be written in different ways
like 28/12/1957 or 28\1957\12 or 1957\28\12 or 1957/12/28
and each different way can be remembered by what you are using the password for:
ie, 28\12\1957 can be for bank accounts
28\1957\12 for email accounts
1957\28\12 for online software accounts
& 1957\12\28 for online shopping accounts.
The next thing to do is to add in a couple of special characters like # @
eg, #28\12\1957@ then what type of account it is for
eg, #28\12\1957@email or #28\12\1957@software followed by another special character+
and we have #28\12\1957@email+ and #28\12\1957@software+
and then we add in where we are and the example I’ll give here is dotTech.org
so then we can have #28\12\1957@website+dotTech.org
and the next thing is another special character at the end, one that Ashraf likes a lot
and we have now #28\12\1957@website+dotTech.org:-)
and finally we add in the capital letters (or even take some away) so for a password for signing into dotTech we can end up with a PAP (Personally Adjusted Password)
that is #28\12\1957@WebSite+DotTech.Org:-)
or with only the end letter of words capitalised it could be
#28\12\1957@weBsitE+doTtecH.orG:-)
My whole point is that you are building your own password in blocks of digits/characters/names that have some form of meaning for you and are therefore easy for you to remember, adding in special characters and capitalisation according to simple guidelines/rules that you make up yourself that stay the same, but the password changes and is unique according to where you are using it and what you are using it for.
But the most important rule is that You tell no-one what your PAM (Personally Adjustable Method)
is and that way all your PAPs (Personally Adjusted Passwords) will be unique and safe and secure!
Happy Holidays, stay safe, stay secure
is roboform like sticky password?
@njwood60: Ah KeePass. Back when I was searching for a password manager, I dismissed KeePass because it had poor integration with browsers. However, that was long ago – has it improved? Not saying I will be using KeePass (it is hard to switch password managers once you have started using one) but it would be interesting to write an article on.
@David Roper: I never tried LastPass (the idea of storing my passwords on the cloud just isn’t a comfortable one) but I did try KeePass. Roboform > KeePass any day in my opinion… or at least that is how it was two years ago; not sure now.
@redmaledeer: Noooo Jedi mind tricks!
@Bruce Fraser: This is very true.
@a simple happy man: =O Too complicated for little ole’ me, haha.
@prema: I believe they are similar products, yes.
I use this
http://www.pctools.com/downloads/passutils.exe
to create passwords with mixed case, numbers, special characters and no similar characters. You can have a password length of up to 64 characters (which should keep the hackers busy) and I keep an encrypted copy of them somewhere, just in case. And I’ve found Firefox handles passwords just fine.
Good work Ashraf, but all this work is useless if you happen to have a keyboard recorder in a trojan in your computer.
In order to try and combat this possibility I do the following
I have part of my password written in a notepad file that I practically open every time.
The complete password is made up by the partial password plus one or two characters before and after the partial one.
When I enter the password in my bank account I type the extra characters – copy and paste the partial password and type the remaining ones.
I have been doing this regularly without problems BUT I AM NOT SURE IF THIS METHOD IS REALLY EFFECTIVE AGAINST KEYBOARD LOGGER SOFTWARE.
That is why I am describing this to you asking your opinion; can you tell me if this is a good measure or only in my imagination?
many thanks and best regards
@Ashraf: Yep. I used to use the same password on ~30 sites. Then I smartened up, now the original password is my throwaway password. On the sites that I cared about, I made variations of it.
Here’s how I made it:
penGAW:ads3
pen=first three letters of my username
GAW=name of site (Gawker)
:=special character, also used in original throwaway
ads3=part of the throwaway password.
(username)(site):(original password). That simple!
@Ashraf: KeePass may not be as good as roboform but I can use the password file on my phone. If Roboform can’t do that then doesn’t matter how good it is on the PC
Browser integration is fine, but I do use a Firefox addon: “Hostname in Toolbar”, which fills the URL into the title bar, to help KeePass recognise the page you’re on.
@Sparky: Thanks for the tip. Anything special about that particular password generator that others don’t have?
@Frank: Is it effective? Eh, yeah I guess. Is it cumbersome? Yeah! Dude if you are worried about keyloggers, you can
1) Use KeyScrambler
2) Use a password manager like Roboform, LastPass, or KeePass. The password managers paste in passwords for you so keyloggers are useless.
I am not trying to belittle you or anything; I just don’t see the sense in doing what you do when there are so many useful software out there that can help us beat keyloggers.
@Locutus: Clever borg, very clever.
@njwood60: Roboform actually can – you just have to pay extra for mobile integration, haha.
Passwords come in three strengths.
1) Eight scrambled—> 0OO`8V;.
2)Thirteen scrambled and——–> _$Kk–Xt6~!/”
3) Twenty one and above (scrambled)——–> Q,>{OOo0Af+D]:3g”“”//1
Vital points!
1) Unless you have a good Keyscrambler like the Zemana (which you should grab from dotTech) OR Keyscrambler Pro, if someone is intent and focused on your keystrokes, the whole effort goes to waste!
2) Password managers like Roboform and Lastpass serve you very well! The MASTER PASSWORD (sorry for the bold type) should be more than twenty one characters and you have to store it on “hardware” like on a paper which should be stored in a place accessible only to you! I store all passwords including the Master in a safety vault and I have “memorized” the master P-W thoroughly!
I use LastPass.
3) I have taken a xerox copy of all the passwords (after typing them “back to front”) and kept them in my drawer which is locked!
4) Never store these on the Lappy or PC (guess it goes without saying).
5) We are most “VULNERABLE” when we use simple passwords for one or two sites (for example, medscape.com and/or (WESTERN DIGITAL) https://websupport.wdc.com) and that one chink in the armor is sufficient to infiltrate your system! The first site b’cause I am a Doc’ and the second b’cause WD has its own Backup wizard and this lap comes with a WD.
5) Now coming to Usernames, that will become a problem area only IF your password is not strong and Stealthy!
Who wants to remember a username like vyv_er-jet (even I can’t remember it!) or dr.vvz (I can tell you that people are so interested in themselves, except Assange possibly)
6) I honestly do not know about virtual keyboards, but Kaspersky has one! Zemana can protect against screen captures!
7) I change the passwords of gmail, hotmail and zohomail once in six months!
Regards,
vyverjet.
Ashraf,
Thanks for mentioning that RoboForm was up to version 7, as I was stuck on version 6.10. I must have registered RoboForm eons ago (yes, I’m that old!) and received a “life time” update package. I just updated and it was free. I’ve never paid for any RoboForm updates. It makes updating an easy choice.
Again, thanks.
@vyverjet: Thanks for the tips. I was thinking about adding the tip of regularly changing passwords, but that is just a big pain in the *** and my list was directed as “easy-to-do” tips.
@Clodmore: I want free updates :-( – you are welcome!
“who in their right mind could possibility have a different password for every single login?” = me ^^
Dear Ashraf
thanks for your reply,
At my age cut and paste is much more effective than retyping three times because of dyslexia, fumble fingers etc. (done here already), AND learning to use a new software is also a pain,
In many years from now you will understand what I mean………. best regards
@Frank:
I can fully understand the travails of typing in a P-W every time! Hey, I am 49 years and getting on! Many websites (email sites to be specific) allow Cut&Paste, but http://www.zoho.com does not! I consider that strictness on the part of the email site is proof enough of their commitment!! Has anybody come across sites like that?
Regards,
vyverjet.