How to Create a Strong Password

30 Comments

I conduct pretty much all of my business online. I use a dozen different web applications on a daily basis. I rely on these tools to get my work done, which makes it absolutely crucial that I do everything I can to protect my information. I do my best to find trustworthy applications, but in the end, some of my security comes down to something I do for myself — choosing good passwords.

A good password has to balance security with our ability to remember it, because minimizing the number of places that a password is written down or otherwise recorded is a good idea. It’s a tough line — the most memorable passwords are the easiest to crack, while the most secure are a jumble of characters that are impossible to recall. But there are some steps you can take to create a reasonably secure password that you’re less likely to forget.

  1. Forget about amusing passwords. Among the most common passwords are those that seem to amuse the person creating them — there are plenty that use profanity or insults. Some sites, such as Twitter, have actually created lists of words that are banned from use as passwords. A surprising number of them fall into this category. Passwords such as these aren’t secure, if only because they’re relatively common and more likely to be tried first if someone is trying to crack your password.
  2. Try longer phrases. Most of us have an easier time remembering actual words and phrases than random assortments of letters and numbers. Using just one word, perhaps with a number tacked on to the end, is often less secure, however — one common way of cracking passwords is a dictionary attack, which simply runs every word in a dictionary through the password system. Using a longer phrase — especially if it includes numbers or other characters — makes it significantly harder to guess.
  3. Use a minimum of eight characters. Longer passwords are better. Most sites require you to have at least six characters in your password these days. Some are moving up to eight, but if you can go for longer, you should. That’s another benefit of using a phrase.
  4. Choose related, but not identical, passwords. You want to minimize the chances you’ll forget a password, but using identical passwords means that if one of your accounts is hacked into, you run the risk of having other accounts hacked as well. One option may be choosing phrases about the same topic, while another is changing key parts of your password to reflect the site you’re using it for.
  5. Don’t use personal details. In the event that someone is hoping to gain access to your personal accounts, details like your phone number, employment details and important dates in your life will be among the first passwords typically tried. Instead, you want to use something that may have personal meaning for you — at least enough to help you remember it — but that won’t be easy for anyone else to guess.
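The five rules above turned into a checker, as an added example that is not part of the original article: the common-password and dictionary lists are small constructed samples, the caller supplies the personal details to screen for (rule 5) and any existing passwords to compare against (rule 4).

```python
import re
from typing import Iterable, List

# Constructed sample lists; a real checker would load far larger ones.
COMMON_PASSWORDS = {"password", "123456", "letmein", "qwerty", "iloveyou"}
DICTIONARY = {"baseball", "summer", "welcome", "monkey", "dragon"}


def check_password(pw: str,
                   personal_details: Iterable[str] = (),
                   existing: Iterable[str] = ()) -> List[str]:
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []
    lowered = pw.lower()

    # Rule 1: passwords on common/banned lists are the first ones an attacker tries.
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")

    # Rule 2: one dictionary word, optionally with digits tacked on, falls to a dictionary attack.
    m = re.fullmatch(r"([a-z]+)\d*", lowered)
    if m and m.group(1) in DICTIONARY:
        problems.append("single dictionary word with optional trailing digits")

    # Rule 3: minimum of eight characters (longer is better).
    if len(pw) < 8:
        problems.append("shorter than 8 characters")

    # Rule 4: an identical password reused elsewhere lets one breach open both accounts.
    if pw in set(existing):
        problems.append("identical to an existing password")

    # Rule 5: phone numbers, employers, important dates must not appear inside the password.
    squashed = lowered.replace(" ", "")
    for detail in personal_details:
        d = detail.lower().replace(" ", "")
        if len(d) >= 4 and d in squashed:
            problems.append(f"contains personal detail {detail!r}")

    return problems
```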

How do you create secure yet memorable passwords?

Photo by Flickr user akeg licensed under CC BY-ND 2.0



Bbanda Charles Edwin

Very interesting. Similarly, not all users are keen on how strong their passwords should be, but these five points make an amazing difference.
I used the concept to generate a company's access passwords, and they truly loved it.

Thanks

JimmyDaGeek

Forget all the advice you’ve heard. I’ve been using random passwords for quite a while. One of my e-mail accounts got hacked because I committed a couple of cardinal sins:
1) I used a small set of passwords for different types of websites, i.e. shopping, financial, etc.
2) I reused my e-mail password and the associated e-mail address with a blog site.

Well, some hacker probably hacked the blog site, which probably kept my password in cleartext. The hacker then checked to see if the password worked with my e-mail account.

I suggest everybody look into pwdhash.com and use password hashing instead. This algorithm combines a reused password (make it strong) with a site’s domain name (for easy recall) and hashes the two. This hashed password is then used as the site’s actual password. This prevents password loss by server-side hacking, as in my case.

There are extensions for different browsers. By using a browser extension, the algorithm is able to thwart client-side phishing by discovering the actual site domain name. The subsequent hash is based on the phishing site domain, not the real spoofed site.

Ammad Alam

A few things about memorizing passwords for different sites.
Some people have a bad habit of using the same password across different sites. They have the same password, let's say, on Gmail, Facebook, Hotmail, Twitter, Yahoo, etc. What if someone hacks their password? Then one can easily break into their Facebook, Hotmail and Yahoo accounts too. So I came up with a solution for memorizing different passwords for different sites.

Let's say I choose the password @mm@d581. What I do for Hotmail is write the word hotmail somewhere in the middle, so the password for Hotmail becomes @mm@hotmaild581. It becomes a long and strong password. For Facebook and Twitter it becomes @mm@facebookd581 and @mm@twitterd581. In this way you can memorize different passwords for different sites.

You can make variations of it, like @mmhot@dmail581 for the Hotmail password or @mmface@dbook581 for Facebook, etc.

WhiteKnight

Use LastPass.com to generate and store passwords, that way you can’t lose them and can have non trivial passwords.

Reelix

And then you have the annoying sites…

“Error – Your password cannot contain a hyphen.”

or

“Error – Your password is too long – It must be between 8 and 15 characters”

Sighs

allonym

For online passwords, I use keyboard patterns based around letters or numbers in the URL of the site I’m registering with. Doing this in a consistent way makes them easier to remember, while still being reasonably secure. What frustrates me is when a website only allows alphanumeric characters in the password – not only does it frustrate my efforts at a consistent system, but it limits password security.

Pranavkumar

I appreciated most of these comments, but nobody has suggested a way of creating an ultra-strong password.
Ultra-strong passwords contain characters which are present in the character dictionary but not on the keyboard. These characters can be generated by holding the Alt key + numpad keys.
e.g. Alt+2010, Alt + birthdate, etc. But you can use random numbers so that no one could guess. Also include phrases,
e.g. nokia Alt+6600 etc. Just try it. Thank you.

Joe Cascio

I use SuperGenPass. http://supergenpass.com . It’s not perfect, but it has a lot of nice attributes.
1. It allows you to use one master password that’s easy to remember. From this master password and the site’s primary domain name (eg, for this page ‘webworkerdaily.com’) it generates a unique strong password. So, for example using the master password ‘baseball’ on this site, it generates the password ‘d3F5bXRXjA’. But on Twitter.com, for instance, using ‘baseball’ generates ‘w9dM795y0W’. A 10 character password is the default, but you can have it generate shorter or longer passwords with a simple length setting.
2. It doesn’t store anything anywhere! So if your machine is stolen or compromised, you’re not out of luck! You can go to any other machine, and using the SuperGenPass bookmarklet, regenerate any password by knowing your master password. It uses a one-way hash algorithm, so it’s impossible to recover the master password knowing the domain name and the generated password. Slick, huh?
3. It works on all popular browsers and even has a mobile version.
Now the downside. If the site uses certain kinds of JavaScript or Flash login popups, the bookmarklet doesn’t “see” the form entry boxes the way it normally does and you have to copy/paste the password from the SuperGenPass popup into the password field manually. It’s not really a big deal, but it can leave the not-highly-computer-literate a bit confused until they do it once or twice.
I’d highly advise giving SuperGenPass a try. It’s free, it works with most browsers and it’s very effective.
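The domain-keyed scheme that JimmyDaGeek (pwdhash) and Joe (SuperGenPass) describe, one master password plus the site's domain run through a one-way hash, as an added example that is not part of the original comments and is not either tool's actual algorithm: it assumes HMAC-SHA256 for the hash and a simplified two-label domain normalization, and it shows why a look-alike phishing domain yields a different password than the real site.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the domain the password is keyed on.

    Assumption/simplification: keep the last two host labels, so
    https://login.example.com/x -> example.com. Real tools consult the
    public suffix list to handle cases like example.co.uk correctly.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().strip(".")
    return ".".join(host.split(".")[-2:])


def derive_password(master: str, url: str, length: int = 10) -> str:
    """Deterministic per-site password from one master secret and the site domain.

    HMAC keyed by the master password over the normalized domain; the digest is
    base64-encoded and trimmed to alphanumerics so it fits most site rules.
    The master cannot be recovered from the output, but a guessable master
    makes every derived password guessable too (Eric's point below).
    """
    if not 6 <= length <= 32:
        raise ValueError("length must be between 6 and 32")
    digest = hmac.new(master.encode("utf-8"),
                      site_key(url).encode("utf-8"),
                      hashlib.sha256).digest()
    alnum = "".join(ch for ch in base64.b64encode(digest).decode("ascii")
                    if ch.isalnum())
    return alnum[:length]
```

A phishing page at a look-alike domain produces a different string, so the password for the real site is never typed into the fake one.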

Eric

Joe, all I need to do is reverse engineer the password creation algorithm which is deterministic (a fatal flaw). Then I use publicly known information (e.g. the URL for this web site), plus a guessable master password to generate the “strong” password.

It does solve the non-problem of generating and remembering “strong” passwords, but could end up being less secure than my idea of a random string weak password.

Alex

Yeah.. good practices we try to follow, and still I am baffled and keep asking myself: why in the unholy hell does American Express prevent you, me, all of us from doing what is best ??? Here are the offending constraints:
->> Your Password should:
– Contain 6 to 8 characters – at least one letter and one number (not case sensitive)
– Contain no spaces or special characters (e.g., &, >, *, $, @)

Are you kidding me ??? that is total bulls**t and I wish someone from their IT Security dept could read this…

-Alex

Eric

Let me clarify my previous comment. In the 1980’s we had password hash files that were readable by any user on a system. It was fairly trivial to run a dictionary attack against them and obtain most of the passwords if they were weakly chosen. That problem was solved in the 1990’s. It is now 2010. That problem no longer exists unless a system is poorly designed. If a system is poorly designed then it has other flaws (e.g. saves your “strong” password in clear text or a million other possibilities) and you should not be using it.

Another factor to consider is that your password is embedded in an SSL cipher stream that gives a one character password identical security to one with trillions of possible combinations. Of course a one character password would be insecure against a manual password guesser which is why I only use one character passwords in situations where I can be sure that nobody knows I use a one character password.

So can someone enlighten me on a method to perform a dictionary attack these days? Or can someone provide a formal definition of security-in-depth or layered security that can actually be verified?

Should I even bother mentioning how useless it is to change passwords on a regular basis?

Jeff

I like to do sequences on the keyboard that I can remember by muscle memory – that way you can move them around the keyboard if they must change from time to time. For example, one password might be w2ce3vr4b, next password change it could be r4bt5ny6m. Same pattern, just shifted. Safe against dictionary attacks.

Homer Automation

Another suggestion is to create a password based on a sentence.
For example, I Like The 6 Star Wars Movies A Lot, which represents the password Ilt6SWmal.
Change or insert a non-standard character and you have a highly secure password.

Eric

Invent a small non-dictionary word and add “123…” as needed to meet the length requirement. If a site requires “strong” passwords (i.e. secure against dictionary attack) then it has poor security by definition and you should not go there. There’s absolutely no excuse for allowing a dictionary attack, so there is no reason to prevent it by “strong” passwords.

George

@eric – Bad idea! We are trying both to prevent/make difficult dictionary attacks against our password hashes*, and, should your password become known, to limit your exposure across all the places you use your password**.

Your idea fails on both counts!!

*probably not through a website's user interface – probably through an attacker gaining access to a site's password database

**i.e. the canonical example of using the same password on a site as your email's password, where the site uses your email as the logon name. More responsibly, using similar passwords across sites using techniques discussed in the post.

Eric

George, the first thing you did was change the topic from strong passwords to different passwords. If you want different passwords for different sites, fine, make different weak passwords.

For your second point, why is the hash exposed? If it is protected, then there is no possible dictionary attack. If the attacker gains access to the “password database”, by which I assume you mean hashes, then he might as well get the easier stuff like the CC #’s.

IOW, if the system design and/or database has holes to expose anything like the password database, then it is untrustworthy for any use and strong passwords merely give a false sense of security.

TonyCurtis

I like using somewhat related passwords, in the case of a rotating password like work or project logins, it’s easy to remember the cycle, like rotating the names of members of a favorite band and the first gig I saw them at or instruments (fleabass, keidisvocals, fruscianteguitar, smithdrums, RHCPRadioCity etc) but those real important ones like billing and banking really require true randomness. You CAN learn a complex alphanumeric chain with repetition. I still remember my first online brokerage password which looked like someone tried to type wearing boxing gloves.

Tom Stone

Or use passwordsafe which can be downloaded for free from passwordsafe.sourceforge.net

This application will generate random passwords and store them in an encrypted database. You just need to remember 1 passphrase for unlocking your “safe”.

Geoff

I agree with J. The best password is at least 17 or 18 random characters long, and probably impossible to remember; use technology to store these passwords and retrieve them. I have had very good luck with an online password tool called Clipperz (https://www.clipperz.com) which uses strong encryption in the browser to generate cipher text that in turn is stored on their server. The folks running the website couldn’t reveal your password if they wanted to — all they get on their end is the meaningless cipher text. They’ve got a very good “backup” option that allows you to download a complete, working, local read-only copy of the site to your own hard drive; I keep mine on a thumb drive. It is very, very secure.

j

Really?

Use a password manager. Keepass or KeepassX is a great option. Get one that generates random passwords. Then you only need to remember the passphrase to open your password database and ALL of your passwords are secure and unique. Backup your password database to keep it safe. I can’t be heavy-handed enough in saying that this IS how you should be managing your passwords. It will be awkward at first, but you will adapt and be safe and organized.

Kent

The best password is a long one which isn’t so complicated that you have to write it down to remember it. It’s not secure if it’s written down. Dictionary words are just out. I pick a quotation or line from a movie or song and build a password out of the first and last letters of each word in the phrase. Or I might mix things up and use the first letter of the first word, the second letter of the second word, etc. If I wrote some of my passwords out in a list, no one could use it to figure out my system.

EdgewaterScott

I choose an odd word from another language, insert two numerals somewhere, and add two characters from the url of the site I’m developing the password for.
