# How to create strong passwords and have secure accounts [Tip]

October 28, 2012 37

It seems like with the increasing level of access to technology on a global scale, there are increasing numbers of scam artists, hackers, pricks, punks, assholes, scumbags, etc. that try to find ways to make everyone’s digital life a bigger pain than it needs to be. There are many ways to fight scumbagism, but most of these ways are so complex and unrealistic that most of us just simply ignore them. So, I have decided to write up this article listing five simple-ish rules one can follow to have strong passwords and secure accounts. Living your digital life by the following the following five rules will not guarantee you are hacker proof, but it does greatly mitigate the likelihood of your accounts being hacked.

Remember back in grade school math class when you studied permutations? Remember how adding an extra digit to a number (i.e. going from four digits to five digits) greatly increased the amount of possible permutations of that number? Yeah, well, they didn’t just teach that in school to torture us; permutations have a real-life application.

That said, exactly how long should your passwords be? Current industry standards say at least eight characters. However, personally, I recommend twelve characters or higher. Why? One word: Graphics. In a study conducted by Georgia Tech earlier this year, researchers were able to crack eight character passwords using graphic cards in two hours. Cracking twelve character passwords, on the other hand, was estimated to take over 17,000 years. Two hours vs seventeen thousand years, hmmm….

Now, does that mean all hackers will have the capability to crack eight character passwords in two hours? No. It takes a certain level of sophistication and technology to be able to do what the Georgia Tech researchers did and the average wannabe hacker isn’t at that level of sophistication. However it just goes to show you how important password length is.

Using special characters and uppercase letters is not as complicated as it sounds. All you need to do is go through your password and replace letters with similar special characters and make some lowercase letters uppercase. For example, if your password is bullseyeathome you can make that password a lot stronger by using bu1L\$eye@th*me. Not too hard to remember, is it?

Furthermore, having complex passwords is not only making sure you use a mix of lowercase letters, uppercase letters, numbers, and special characters. Complexity of a password also includes avoiding real words and popular phrases. Cracking a password comprised of real words or popular phrases is very easy using a dictionary attack. So instead of using real words or popular phrases, make up your own words or phrases. That does not mean your password can contain no real words or popular phrases. Rather, it means your password should not be all real words or popular phrases – throw in one or two figments of your imagination.

From a pure security standpoint, having tiered passwords is not as secure as having a different password for each login. However, it is is a doable derivative that serves as a good compromise between the two extremes of using the same password for all logins and using a different password for all logins.

#### Conclusion

Life would be grand if we didn’t have punks trying to access our accounts – either for fun or malicious purposes or whatever; but that just isn’t how it is. So, please, do yourself a favor and use strong passwords in order to keep your accounts secure.

Have any advice on how to have strong passwords and secure accounts? Share with us in the comments below!

Originally posted December 13, 2010.

### Related »

1. karen December 13, 2010 at 3:36 PM (comment permalink) -

I’ve personally given up on trying to remember passwords and usernames. I’ve been using Roboform for a while now and I like it. I have the app installed on my personal laptop, but use the bookmarklet for my browser at work. The bookmarklet is secured by a Roboform online userid/password and I still have to enter my master password to access any logins.

It works great. And for the installed version at home, even if you go directly to the website and try to just type in the password, it doesn’t work unless you enter the master password.

And it has a password generator where you set the length, and complexity. So I have lots of 15 character passwords with upper/lower, numbers and special characters and I only have 1 (or 2 if using the bookmarklet) passwords to remember.

1
2. Ashraf December 13, 2010 at 3:39 PM (comment permalink) -
Mr. Boss

@karen: Roboform Pro FTW! I use it and love it, too. I am actually trying to see if I can get SiberSystems to run a promotion of it on dotTech so everyone can experience Roboform-goodness.

The only problem with using Roboform (or a any password manager) to generate complex passwords and remember them for you is when you don’t have access to the password manager (which is a possibility, regardless of how integrated, connected, and cross-platform the managers may be) you are SOL. Then again, nothing is perfect.

Karen are you using the new v7? I am debating if I should pay to upgrade to it or not.

2
3. Jyo December 13, 2010 at 3:45 PM (comment permalink) -

I’m guessing this post is a result of the recent Gawker attack? Can’t imagine the mess they’re going through right now. I’m quite surprised that such a large organization would have such a big loophole in their security system (or these hackers really know their stuff). This goes to show how cloud-computing can become disastrous because of the bad guys out there.

3
4. Ashraf December 13, 2010 at 3:48 PM (comment permalink) -
Mr. Boss

@Jyo: Well I have been meaning to write such as article for a while, but yes the Gawker breach is what has finally forced me to sit down and write this.

Nothing is hacker proof. As lame as it may it sound, where there is a will there is a way.

4
5. Locutus December 13, 2010 at 3:48 PM (comment permalink) -

Firefox manages passwords just fine for me, thanks.
Also: here’s a really good example of a secure password.
It’s my old Gizmodo/Lifehacker password. (Of course, I have a new one now. :P) Notice how it has a special character, a number, and several capitals.
Learn from when I used to use the same one password on all accounts people!

5
6. Greg Bern December 13, 2010 at 3:50 PM (comment permalink) -

@Ashraf:

I too love rb , free updates for life if paying so just click on icon in taskbar to update free.free 30 day trial but after that you have to only use 10. so could use for banking few more sites for free. only 29.99 but has coupon on steve bass newsletter 10% off.

6
7. Ashraf December 13, 2010 at 3:54 PM (comment permalink) -
Mr. Boss

@Locutus: Did you think of that password yourself? I am impressed =P

@Greg Bern: RoboForm Pro doesn’t have free updates for life – you need to pay for major upgrades. RoboForm Free does, of course, but that only allows you to store 10 logins and that just isn’t enough for me.

\$29.99 indeed isn’t a lot considering how useful the tool is. However, if upgrading, you can get it for \$19.99 so no need for Steve’s coupon. Or, you could use LastPass.

7
8. njwood60 December 13, 2010 at 4:13 PM (comment permalink) -

Thanks for the article Ahsraf

I use KeePass as my password manager (http://keepass.info/)

It has a generate feature for password and auto-type to fill in the login form on a web page

It also has an “auto-type window” feature which allows you to specify a browser title (or part of the title) so that keepass can recognise the website you’re on and insert the correct username and password when you hit a hotkey combination

To solve the problem of not having the passwords when you’re not on your computer, I have KeePassMobile on my phone (http://keepassmobile.com/) It is written in J2ME so runs on most phone that support Java. All i need to do is copy the KeePass file from my PC to the phone to allow me to read my password file on my phone. So just one password to remember for the software.

8
9. David Roper December 13, 2010 at 4:30 PM (comment permalink) -

Roboform is what I came to use when I finally realized I could not remember all those cute password names.
I never have regretted it. Tried the freeware ones like Keepass and Lastpass but keeping going back to Roboform.

9
10. redmaledeer December 13, 2010 at 4:38 PM (comment permalink) -

A small but (for me) very useful aid to remembering passwords, is that a phrase can be a mnemonic for remembering a password, and the phrase is easier to remember. For example, “Four Score and Ten Years Ago” yields the password fsatya. This can be improved in ways given above.

Another gimmick is that rather than remembering a secure and highly scrambled password, I find it easier to remember a simple password plus a simple algorithm for altering it. For example, the highly insecure password “redmaledeer” can become “sggqfrllnoc”. It is left as an exercise for the student to figure out what the algorithm was. It’s actually simple.

10
11. Bruce Fraser December 13, 2010 at 5:22 PM (comment permalink) -

Ashraf,
Good information.
Just one little comment on the last paragraph: “Life would be grand if we didn’t have punks trying to access our accounts.”

Nowadays, the real trouble is not some punk in Mommie’s basement, but professional programmers working for organized crime. It’s a huge and immensely profitable business.

11
12. a simple happy man December 13, 2010 at 5:57 PM (comment permalink) -

Hi Ashraf and all

Creating strong and long passwords that are easy to remember is quite simple and you can do it without having to write them all down.

All it takes is a Personally Adjustable Method or a “PAM”.

In a PAM you choose a set of numbers, a set of characters, a reason or use of the password, a name and/or a place whereyou are using it and a capital letter or two.

For example if I take someone’s birth date as 28th December 1957
(preferably use someone elses and not your own
even though it is very easy for each of us to remember our own
or pick some special date for you like 4th July the year your first child was born etc).

In numbers this is 28121957 which is already an 8 character length password
and depending on the choice of the person it can be written in different ways
like 28/12/1957 or 28\1957\12 or 1957\28\12 or 1957/12/28
and each different way can be remembered by what you are using the password for:

ie, 28\12\1957 can be for bank accounts
28\1957\12 for email accounts
1957\28\12 for online software accounts
& 1957\12\28 for online shopping accounts.

The next thing to do is to add in a couple of special characters like # @
eg, #28\12\1957@ then what type of account it is for
eg, #28\12\1957@email or #28\12\1957@software followed by another special character+
and we have #28\12\1957@email+ and #28\12\1957@software+

and then we add in where we are and the example I’ll give here is dotTech.org
so then we can have #28\12\1957@website+dotTech.org
and the next thing is another special character at the end, one that Ashraf likes a a lot
and we have now #28\12\1957@website+dotTech.org:-)

and finally we add in the capital letters (or even take some away) so for a password for signing into dotTech we can end up with a PAP (Personally Adjusted Password)
that is #28\12\1957@WebSite+DotTech.Org:-)

or with only the end letter of words capitalised it could be
#28\12\1957@weBsitE+doTtecH.orG:-)

My whole point is that you are building your own password in blocks of digits/characters/names that have some form of meaning for you and are therefore easy for you to remember adding in special characters and capitalisation according to simle guidelines/rules that you make up yourself that stay the same but the password changes and is unique according to where you are using it and what you are using it for .

But the most important rule is that You tell no-one what your PAM (Personally Adjustable Method)
is and that way all your PAPs (Personally Adjusted Passwords) will be unique and safe and secure!

Happy Holidays, stay safe, stay secure

12
13. prema December 13, 2010 at 7:07 PM (comment permalink) -

13
14. Ashraf December 13, 2010 at 7:09 PM (comment permalink) -
Mr. Boss

@njwood60: Ah KeePass. Back when I was searching for a password manager, I dismissed KeePass because it had poor integration with browsers. However, that was long ago – has it improved? Not saying I will be using KeePass (it is hard to switch password managers once you have started using one) but it would be interesting to write an article on.

@David Roper: I never tried LastPass (the idea of storing my passwords on the cloud just isn’t a comfortable one) but I did try KeePass. Roboform > KeePass any day in my opinion… or at least that is how it was two years ago; not sure now.

@redmaledeer: Noooo Jedi mind tricks!

@Bruce Fraser: This is very true.

@a simple happy man: =O Too complicated for little ole’ me, haha.

@prema: I believe they are similar products, yes.

14
15. Sparky December 13, 2010 at 7:12 PM (comment permalink) -

I use this
to create passwords with mixed case, numbers, special characters and no similar characters. You can have a password length of up to 64 characters (which should keep the hackers busy) and I keep an encrypted copy of them somewhere, just in case. And I’ve found firefox handles passwords just fine.

15
16. Frank December 13, 2010 at 7:14 PM (comment permalink) -

Good work Ashraf, but all this work is useless if you happen to have a keyboard recorder in s trojan in your computer.

In order to try and combat this possibility I do the following

I have part of my pawwsword written in a notepad file that I practically open every time
The complete password is made up by the partial password plus one ot two characters before and after the partial one

When I enter the password in my bank account I type the extra charachers – copy and paste the partial password and type the remaining ones.

I have been doing this regularly withou problems BUT I AM NOT SURE IF THIS METHOD IS REALLY EFFECTIVE AGAINST KEYBOERD LOGGER SOFTWARE.

That is why I am describing this to you asking your opinion, can you tell me if this is a good measure or anly in my imagination

many thanks and best regards

16
17. Locutus December 13, 2010 at 7:17 PM (comment permalink) -

@Ashraf: Yep. I used to use the same password on ~30 sites. Then I smartened up, now the original password is my throwaway password. On the sites that I cared about, I made variations of it.
pen=first three letters of my username
GAW=name of site (Gawker)
:=special character, also used in original throwaway

17
18. njwood60 December 13, 2010 at 8:31 PM (comment permalink) -

@Ashraf: KeePass may not be as good as roboform but I can use the password file on my phone. If Roboform can’t do that then doesn’t matter how good it is on the PC
Browser integration is fine, but I do use a Firefox addon: “Hostname in Toolbar”, which fills the URL into the title bar, to help KeePass recognise the page you’re on.

18
19. Ashraf December 13, 2010 at 10:58 PM (comment permalink) -
Mr. Boss

@Sparky: Thanks for the tip. Anything special about that particular password generator that others don’t have?

@Frank: Is it effective? Eh, yeah I guess. Is it cumbersome? Yeah! Dude if you are worried about keyloggers, you can

1) Use KeyScrambler
2) Use a password manager like Roboform, LastPass, or KeePass. The password managers paste in passwords for you so keyloggers are useless.

I am not trying to belittle you or anything; I just don’t see the sense in doing what you do when there are so many useful software out there that can help us beat keyloggers.

@Locutus: Clever borg, very clever.

@njwood60: Roboform actually can – you just have to pay extra for mobile integration, haha.

19
20. vyverjet December 13, 2010 at 11:27 PM (comment permalink) -

1) Eight scrambled—> 0OO`8V;.
2)Thirteen scrambled and——–> _\$Kk–Xt6~!/”
3) Twenty one and above (scrambled)——–> Q,>{OOo0Af+D]:3g”“”//1

Vital points!
1) Unless you have a good Keyscrambler like the Zemana (which you should grab from dottech) OR Keyscrambler Pro,if someone is intent and focused on your keystrokes ,the whole effort goes waste!

2)Password managers like Roboform and Lastpass serve you very well! The MASTER PASSWORD (sorry for the bold type) should be more than Twenty one characters and you have to store it on ” “hardware” like on a paper which should be stored in a place accessible only to you! I store all passwords including the Master in a safety vault and i have “memorized” the master P-W thoroughly!
I use LastPass.
3) I have taken a xerox copy of all the passwords (after typing them “back to front” and kept them in my draw which is locked!

4) Never store these on the Lappy or PC (guess it goes without saying).

5) We are most “VULNERABLE”,when we use simple passwords for one or two sites ( for example,and medscape.com and/or (WESTERN DIGITAL) https://websupport.wdc.com) and that one chink in the armor is sufficeint to infiltrate your system!The first site b’cause i am a Doc’ and the second b’cause WD has it’s own Backup wizard and this lap comes with a WD.

5) Now coming to Usernames, that will become a problem area only IF your password is not strong and Stealthy!
Who wants to remember a username like vyv_er-jet(even i can’t remember it!) or dr.vvz( i can tell you that people are so interested in themselves, except Assange possibly)

6) I honestly do not know about virtual Keyboards,but Kaspersky has one!Zemana can protect against screen captures!

7) I change the passwords of gmail,hotmail and zohomail, once in Six months!
Regards,
vyverjet.

20
21. Clodmore December 14, 2010 at 12:00 PM (comment permalink) -

Ashrof,

Thanks for mentioning that RoboForm was up to version 7, as I was stuck on version 6.10. I must have registered RoboForm eons ago (yes, I’m that old!) and received a “life time” update package. I just updated and it was free. I’ve never paid for any RoboForm updates. It makes updating an easy choice.

Again, thanks.

21
22. Ashraf December 14, 2010 at 12:22 PM (comment permalink) -
Mr. Boss

@vyverjet: Thanks for the tips. I was thinking about adding the tip of regularly changing passwords, but that is just a big pain in the *** and my list was directed as “easy-to-do” tips.

@Clodmore: I want free updates :-( – you are welcome!

22
23. Numsekrummen.dk December 14, 2010 at 1:19 PM (comment permalink) -

“who in their right mind could possibility have a different password for every single login?” = me ^^

23
24. Frank December 14, 2010 at 4:16 PM (comment permalink) -

Dear AShraf