It seems like with the increasing level of access to technology on a global scale, there are increasing numbers of scam artists, hackers, pricks, punks, assholes, scumbags, etc. that try to find ways to make everyone’s digital life a bigger pain than it needs to be. There are many ways to fight scumbagism, but most of these ways are so complex and unrealistic that most of us just simply ignore them. So, we have written this guide on how to create and use safe, secure passwords you can remember. Living your digital life by following the rules we have outlined here will not guarantee you are hacker proof, but it does greatly mitigate the likelihood of your accounts being hacked. Read on to learn more.
BEFORE WE BEGIN
Before we go on, let me point out that this article is broken up into three parts:
- Part 1 is how to have safe and secure passwords — traditional-type passwords that you have probably used until now, such as cat123, dog456, etc.
- Part 2 tells you about a new type of password — passphrases — and informs you as to why you should use passphrases instead of regular passwords.
- Part 3 provides general tips you should use regardless of if you employee regular passwords or use passphrases
That said, let’s begin.
Make your passwords long
Remember back in grade school math class when you studied permutations? Remember how adding an extra digit to a number (i.e. going from four digits to five digits) greatly increased the amount of possible permutations of that number? Yeah, well, they didn’t just teach that in school to torture us; permutations have a real-life application.
You see most websites store passwords in an encrypted format; anyone who gets hold of the password database of a website can’t simply read everyone’s passwords. When this happens (when a scumbag can’t break password encryption) they apply a technique called brute force attack to try to hack your passwords. (Brute force attack does not require a scumbag to have the password database; it can be used at any time with or without the database. However, typically most websites have anti-brute force security measures in place that temporarily block access to an account if someone fails to login too many times in a short time period.) Brute force attack is the process of systematically trying password combinations until the correct password is found. There are two viable defenses that help protect against a brute force attack; one of them is password length (the other is password complexity – see next tip). The longer password you have, the harder it is for a hacker to get your password using brute force simply because the hacker has to try a greater number of possible passwords.
That said, exactly how long should your passwords be? Current industry standards say at least eight characters. However, personally, I recommend twelve characters or higher. Why? One word: Graphics. In a study conducted by Georgia Tech earlier this year, researchers were able to crack eight character passwords using graphic cards in two hours. Cracking twelve character passwords, on the other hand, was estimated to take over 17,000 years. Two hours vs seventeen thousand years, hmmm….
Now, does that mean all hackers will have the capability to crack eight character passwords in two hours? No. It takes a certain level of sophistication and technology to be able to do what the Georgia Tech researchers did and the average wannabe hacker isn’t at that level of sophistication. However it just goes to show you how important password length is.
Make your passwords complex
Building on the same idea of making passwords long, passwords should be complex. By “complex” I mean passwords should not just be lowercase letters and numbers. You should incorporate special characters (i.e. !, ?, @, #, $, %, ., *, etc.) and uppercase letters (when supported – not all websites support case-sensitive passwords) in your passwords. Think about it. If you use only lowercase letters and numbers, there are thirty-six possible characters your passwords can be comprised of (assuming you are using the English alphabet). In other words, there are 2,821,109,907,456 possible permutations if your password is eight characters long. Once you start mixing in uppercase letters, the number jumps up to 218,340,105,584,896. The possible passwords number skyrockets even higher once you add in special characters.
Using special characters and uppercase letters is not as complicated as it sounds. All you need to do is go through your password and replace letters with similar special characters and make some lowercase letters uppercase. For example, if your password is bullseyeathome you can make that password a lot stronger by using bu1L$eye@th*me. Not too hard to remember, is it?
Furthermore, having complex passwords is not only making sure you use a mix of lowercase letters, uppercase letters, numbers, and special characters. Complexity of a password also includes avoiding real words and popular phrases. Cracking a password comprised of real words or popular phrases is very easy using a dictionary attack. So instead of using real words or popular phrases, make up your own words or phrases. That does not mean your password can contain no real words or popular phrases. Rather, it means your password should not be all real words or popular phrases – throw in one or two figments of your imagination.
What is a passphrase?
A ‘passphrase’ is a password that uses a combination of words or phrases instead of random letters, numbers, and special characters. For example, ‘dog123zty’ is a traditional password but ‘dogpenchair’ is a passphrase. Passphrases can be as long or as short as you want and can contain any words or phrases that you desire.
Why are passphrases better?
When you need to create a password, you should always consider using a passphrase instead of a traditional password. Why? Two reasons.
Firstly, passphrases as easy to remember. For example, ‘oilplutowhacktoss’ is longer but is a lot easier to remember than ‘kplVE7IZ’.
Secondly, passphrases are more secure than traditional passwords. Thanks to the power of mathematics, the length of a password always makes a password stronger than its complexity. Keeping with the same example, ‘oilplutowhacktoss’ is a more secure password than ‘kplVE7IZ’ due to its longer length, even though it uses only lowercase letters whereas the second password uses uppercase letters, lowercase letters, and numbers. It is the power of permutations, people.
How to come up with passphrases?
When coming up with a passphrase, it is generally recommended to use four words of five letters each so you have a total password length of twenty characters. However, if you are having trouble thinking of four words of five letters each, you can mix and match different length words. For example, you can use one three letter word, one four letter word, one five letter word, and one six letter word; or three six letter words; or three five letter words and one three letter word; etc. How many words of whatever length you decide to use, you want to make sure your total password length is not lower than sixteen characters. Sixteen characters is the minimum; the more characters you have above sixteen, the better off you are.
Passphrases can contain any words or phrases you want but the key to passphrases is to select four unrelated words.
If you use a passphrase that contains similar words, a modified dictionary-based attack (a type of cracking technique that tests a password to see if it contains words from the dictionary) could potentially crack your password easily. For example ‘dogcatfishturtle’ is easy to remember and is long but is easy to crack because dog, cat, fish, and turtle are related — they are all common house pets. On the other hand, ‘dogwalletdiskairplane’ is a relatively secure password not only because of its length but also because the four words used have no major relationship between them.
Improve security further
While a passphrase in and of itself is one of the better types of passwords, you can have an even more secure passphrase by simply adding in one uppercase letter and one number. It is possible to modify a passphrase to have one uppercase letter and one number without making it difficult to remember, and adding in one uppercase letter and one number increases the strength of the passphrase by a huge magnitude.
For example, ‘oilplutowhacktoss’ can be turned into ‘oil4plutoWhacktoss’; both are easy to remember but the second number is more secure because now instead of 1.18 x 10^24, password strength is 1.86 x 10^32 (assuming uppercase letters are counted as separate from lowercase letters — some systems don’t differentiate between uppercase and lowercase). In other words, while it would take 3.75 centuries to crack ‘oilplutowhacktoss’ at one hundred trillion guesses per second (which, by the way, requires a massive amount of computing power and likely isn’t going to be used for the average Joe’s account), it takes 5.92 hundred million centuries to crack ‘oil4plutoWhacktoss’ at one hundred trillion guesses per second. See the difference one uppercase letter and one number make, without making the password very much more difficult to remember?
Aside from enhanced security, getting into the habit of modifying a passphrase to include one number and one uppercase letter is very good practice because many websites require that passwords include a minimum of one number and one uppercase letter.
Improve security even further
Once you have a passphrase with sixteen characters or more that includes one uppercase letter and one number, you have a passphrase that will withstand brute-force and dictionary attacks, which constitute 99% of all attacks. However, there are some extremely sophisticated attacks out there that try to guess your password based on trends in the English language. For example, as dotTechie AFPhy6 points out, in English the letter ‘L’ is more likely than the letter ‘D’ to follow the letter ‘P’ in a word, such as in “pluto”. So a more sophisticated attack would guess ‘L’ after it discovered ‘P’ before it guesses ‘D’, which cuts down on the time it takes to crack a password.
So what to do to counteract this more advanced type of attack? There are two things you can do:
- Make up words vis-a-vis bad spelling and/or grammar. Keeping with the same example, instead of ‘oil4plutoWhacktoss’ the passphrase can be ‘yil4plutyWhacktyss’ where I simply replaced all the ‘O’ in the passphrase with ‘Y’. ‘yil4plutyWhacktyss’ is, admittedly, harder to remember than ‘oil4plutoWhacktoss’ but it is more secure and also easier to remember than a similar length randomly generated password. [Thanks dotTechie AFPhy6 for pointing out this tip!]
- Use non-English words. While most systems won’t let you use non-Late alphabets, you can use Romanized words from other languages in your password. For example, instead of ‘oil4plutoWhacktoss’ I can make the passphrase ‘oil4plutoWhackpaika’ with ‘toss’ being replaced with the Urdu word ‘paika’ which means throw. You can even combine this method with the previous one and do ‘yil4plutyWhackpaika’. [Thanks dotTechie thegreenpixel for pointing out this tip!]
Making up words and/or using non-English words does make a passphrase noticeably more complicated and harder to remember, which defeats one of the major purposes of using a passphrase — ease-to-remember. However, it also makes passphrases stronger while still being easier to remember than similar length randomly generated passwords.
I’d recommend utilizing the trick of making up words and/or using non-English words if you feel you need the enhanced security. Truth is most people likely don’t need the enhanced security. Using a passphrase of sixteen characters or more with one uppercase letter and one number is highly secure, and the type of sophisticated attacks that making up words and/or using non-English words counteracts are not as common as you think — the people that have the resources for them typically have agendas that target a specific type of people, not the average Joe. However, if you feel you need it, then do it.
What you don’t want happening is you using a passphrase with sixteen characters or more that has one uppercase letter, has one number, uses fake words, and uses words from another language and you stop remembering it and/or using it because it has become too complicated. Passwords are all about trade-offs and if you feel you can easily remember a passphrase with sixteen characters or more that has one uppercase letter, has one number, uses fake words, and uses words from another language, then use it; if you feel you cannot, then stick to a passphrase with sixteen characters or more that has one uppercase letter and one number — don’t bother with fake words and words from another language.
Have tiered passwords or passphrases
Experts tell us we should have a different password/passphrase for each and every login. While that is sound advice, even with a password manager it is insanity; who in their right mind could possibility have a different password/passphrase for every single login? If you can successfully manage different passwords/passphrases for every login you have, kudos to you. However, for the rest of us normal people a doable alternative to having different passwords/passphrases for each login is having tiered passwords/passphrases.
Tiered passwords/passphrases is a simple idea of having a different password/passphrases for each “group” of logins you have. For example, let’s say you have a login for your bank account, your main e-mail, a spam e-mail, and three websites you visit often. Applying the concept of tiered passwords/passphrases, you may one password/passphrase for the bank account, one password/passphrase for your main e-mail, and one password/passphrase for the spam e-mail and website logins. Of course the split doesn’t have to be exactly that; it is up to you to decide the importance of each login and how you want to categorize it. The overall goal is not to make sure X type of login gets X password/passphrase; rather the goal is to make sure your high importance passwords/passphrases stay different from low importance passwords/passphrases so if a low importance password/passphrase ever gets compromised, you don’t have to worry about the high importance ones.
From a pure security standpoint, having tiered passwords/passphrase is not as secure as having a different password/passphrase for each login. However, it is is a doable derivative that serves as a good compromise between the two extremes of using the same password/passphrase for all logins and using a different password/passphrase for all logins.
Your username/login name is a security tool too!
When you login somewhere, are you ever allowed to login using just your password? Nope – you always need an accompanying username or login name (sometimes it is your e-mail address). So, then, why would you want to share that username/login name with someone else? Sure a username/login name may not be as big of a secret as your password/passphrase, but to get into an account both a username/login and a password are required. Without one, the other is useless.
Think about it this way. Your username is the door-handle lock on your front door while the password is the deadbolt. Anyone trying to get inside your home has to get past both the door-handle lock and the deadbolt; the deadbolt may be the one that is harder to break, but the door-handle lock nonetheless still plays a role in securing your home. So keep your usernames/login names secret!
Of course this isn’t always possible; sometimes your username/login name is publicly displayed… such as on a website forum. However, when it is possible, you should be very frugal about giving out your username/login name because, as I already mentioned a couple of times, without knowing your username/login name, a hacker cannot get into your account… even if they know your password/passphrase.
Avoid similarities between username and password/passphrase
While this may seem like a no-brainer, it is surprising how many people use their username (or a variant of their username) as their passwords/passphrase. You should never, ever use your username (or a variant of your username) as your password/passphrase. Usernames and passwords/passphrases should be kept as different as possible — preferably 100% different. This way if a hacker finds out your username or password/passphrase, they can’t use it to help them determine the other missing piece.
Life would be grand if we didn’t have punks trying to access our accounts – either for fun or malicious purposes or whatever; but that just isn’t how it is. So, please, do yourself a favor and use strong passwords or passphrases in order to keep your accounts secure.
Have any advice on how to have strong passwords and secure accounts? Share with us in the comments below!
Originally posted December 13, 2010. Updated October 30, 2013.