How to Set More Secure Passwords


Over the weekend, the servers of Gawker Media — the company behind many popular blogs, including Lifehacker, Gizmodo, Jalopnik, Jezebel, Kotaku and io9 — were hacked. Account data, including usernames and passwords of blog commenters, has been stolen. While that’s an issue in itself, it’s now causing wider problems, because many people use the same password for more than one service. Twitter is currently dealing with a surge in spam that appears to be related to the Gawker breach, for example.

If you have an account on a Gawker blog and use the same password anywhere else, it’s imperative that you change those passwords immediately (you can find out whether the details of an account associated with your email address have been stolen here). Use this as an opportunity to set more secure passwords on all of the services that you use. Even if you’re currently breathing a sigh of relief because you don’t have a Gawker account, now is a very good time to review your password strategy.

How to Set Secure Passwords

For a password to be secure, it needs to be difficult to guess, as long as possible, and made up of a mix of letters, numbers and special characters. It also needs to be unique for each service that you use. The trouble is that the longer and harder to crack a password becomes, the harder it becomes to remember, which is why many people use the same password everywhere. The good news is that there are a few strategies you can use to set secure and unique, yet memorable, passwords:

  1. Use a password manager. This is probably the easiest and most secure option, and so it’s the one I recommend. There are several excellent tools available, such as LastPass, 1Password and KeePass, that can generate and store extremely tough to crack unique passwords for every service you use. Because the tool manages the passwords for you, you don’t need to worry about forgetting a tricky long password.
  2. Use a password hashing tool. A password hashing tool takes your master password, combines it with a site-specific parameter (perhaps based on the site’s name or domain) and runs the two through a hashing function to produce a very tough to crack password. As the tool deals with the hashing for you, you only need to remember the master password. There are several free password hashers available as browser add-ons.
  3. Use a rule-based password strategy. Gina Trapani posted a great rule-based password strategy on Lifehacker back in 2006 (if only all the Lifehacker readers had actually heeded her advice!). The idea is that you take a base password and combine it with the name of the service that you’re creating the password for, using a set of rules. For example, my password for WebWorkerDaily might be %shjk80aily% (an easily memorable master password of shjk80, plus the final four letters from the service name, surrounded by % characters for extra security). Applying the same rules, my password for Amazon (s amzn) would then be %shjk80azon%. You can also reverse or reorder the letters from the service name, or interweave them with the letters from your master password, for even greater security.
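To make the difference between strategies 2 and 3 concrete, here is an added example, not code from the article or from any of the tools it names. It implements the article’s own rule (master password plus the last four letters of the service name, wrapped in % characters) beside a small site-specific hasher of the kind strategy 2 describes: the master password is stretched with PBKDF2 and then combined with the site label under HMAC-SHA256, so one leaked site password does not expose the master password or any other site’s password. The 64-symbol alphabet, the PBKDF2 salt and iteration count, and the sample master phrase are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import string

# Assumed 64-symbol alphabet: 52 letters + 10 digits + 2 symbols. With exactly 64
# symbols, each 6-bit slice of the hash maps to one symbol with no modulo bias.
ALPHABET = string.ascii_letters + string.digits + "%#"
assert len(ALPHABET) == 64

# Assumed key-stretching parameters for this example only.
PBKDF2_SALT = b"site-password-hasher-v1"
PBKDF2_ITERATIONS = 200_000


def rule_based_password(master: str, site: str) -> str:
    """The article's rule: master password plus the final four letters of the
    service name, surrounded by '%' characters (strategy 3)."""
    return f"%{master}{site[-4:]}%"


def derive_site_password(master: str, site: str, length: int = 16) -> str:
    """Strategy 2 in code: hash the master password together with a site label.

    The site label is normalised (trimmed, lower-cased) so that 'Amazon.com' and
    ' amazon.com ' derive the same password. The master password is stretched with
    PBKDF2 before use, so an attacker who obtains one derived password and knows the
    scheme still faces a slow offline search for the master.
    """
    if not 8 <= length <= 32:
        raise ValueError("length must be between 8 and 32")
    site_label = site.strip().lower()
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              PBKDF2_SALT, PBKDF2_ITERATIONS)
    digest = hmac.new(key, site_label.encode("utf-8"), hashlib.sha256).digest()
    # Use the low 6 bits of each byte as an index into the 64-symbol alphabet.
    return "".join(ALPHABET[b & 0x3F] for b in digest[:length])


def generate_master_password(words, count: int = 6) -> str:
    """Pick a random passphrase from a word list using a CSPRNG; the caller
    supplies the word list (a real one would be a large dictionary)."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return " ".join(secrets.choice(words) for _ in range(count))


def leaks_master(site_password: str, master: str) -> bool:
    """True when the master password appears verbatim in a site password, i.e.
    when disclosure of that site password also discloses the master."""
    return master in site_password


if __name__ == "__main__":
    master = "shjk80"
    for site in ("WebWorkerDaily", "Amazon"):
        rule = rule_based_password(master, site)
        hashed = derive_site_password(master, site)
        print(f"{site:15} rule-based: {rule:14} leaks master: {leaks_master(rule, master)}")
        print(f"{'':15} hashed:     {hashed:14} leaks master: {leaks_master(hashed, master)}")
    # Constructed tiny word list, only to show the passphrase generator running.
    print("sample master passphrase:", generate_master_password(
        ["anchor", "basil", "cobalt", "delta", "ember", "fable"], 5))
```

Running the script prints the article’s %shjk80aily% and %shjk80azon% beside two hashed passwords that share no visible structure, which is the point a later commenter makes about rule-based schemes: once one rule-based password is disclosed, the master is visible inside it. The hashed variant is only as strong as the master passphrase behind it, which is why the generator draws from a CSPRNG rather than from anything memorable by construction.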

All of the suggestions above require you to set a master password. It’s always a good idea to make this as tough to crack as possible; Thursday posted some tips for setting secure passwords here.

Share your password tips below.

John K.

I like the password hashers the best. One tool that few people seemed to have picked up on, is a password chart, see: It creates a small hashed password table that you can print out and leave in plain sight. You simply translate your password into the complex hashed password.

David Roberts

Apologies – the site did not come up with the comment.

The HMACPass3 page does not fully reflect the latest version – I prefer updating code.

David Roberts

“All of the suggestions above require you to set a master password. It’s always a good idea to make this as tough to crack as possible”

Have a look at HMACPass3 at the above site.


David Roberts

Dave Sawyer

The problem with hashing tools and whatnot is when you need to login from a different machine. The prefix or suffix is a good idea – provided the sites only store a salted hash, not your password. I have 3 levels of master password and use the lowest for sites where I really don’t care if the password were to become known. If someone gets my password to read the NYT, do I care? They may even figure out the “NYT” at the end could be substituted with “CNET”, but they won’t get to my bank account, paypal, etc. Every so often we hear of brain-dead sites that store passwords in the clear or as unsalted hashes so be sure they don’t get your *good* password. What about phishing sites that exist simply to ask you to create a login and password :-) e.g. “join our site and we’ll donate $1 to fight cancer.”


Excellent advice.

I wouldn’t favor the rule-based approach, because once any password is disclosed, there is a chance that the rule will be guessed and the whole house of cards falls apart.


Seems to me that cracking and uniqueness are separate but related problems. If a site is so poorly secured that it allows password hashes to be obtained and thus cracked, then it probably has other problems and it should not be trusted for any purpose. But sometimes a one-off event like an insider might allow hashes or (if the site is really bad), clear text passwords to be spilled. In that case, uniqueness will help since revealing that password won’t compromise the rest of a person’s passwords.

But even in those two conditions, complexity is useless. A poorly secured site does not deserve to be visited, never mind be given a complex password. Uniqueness likewise does not require complexity. Therefore we should drop the idea that complexity makes us more secure.


Unfortunately, these techniques won’t work for “sites” that require passwords to be changed every n days – like logging on at work. Our company requires your logon password to be changed on a regular basis, and the new password to not be “similar” to the list of your previous passwords – password hell!


a single site that limits password character length, or prohibits some common characters, means you have to start using exceptions, and this system unravels…

a lot of bloggers, commentary sites and forums could help solve this problem by dumping login requirements and dealing with spam some way other than shifting the spam-fighting burden onto their users via login requirements.
