We need passwords to authenticate ourselves to a website or system. That simply means we are proving who we say we are. We do this by providing a piece of information known only between the website and us, a shared secret known as our password.
Good passwords are important because we need to make it impossible for someone to impersonate us online. We need to make it impossible for a bad guy to know or guess our shared secret. But because computers have become better and better at guessing our passwords, we need to make our passwords harder and harder to guess. And in the process of making them harder to guess, they have become too hard to remember.
So good passwords need to be easy to remember, but impossible to guess. And the best way to get your password as close to uncrackable as possible is to follow a set of rules.
Let’s look at the 4 rules to create good passwords and why they are important. Then I’m going to show you a simple way how to create a good password that is easy to remember:
It needs to be long – the longer a password the more tries a password cracking program has to make before it guesses correctly. Keep adding characters and the time to crack a password increases exponentially.
It needs to pull from the pool of all possible characters(a-z, A-Z, 0-9, special) – more characters to choose from means more guesses required from the password cracking programs.
It needs to look like complete gibberish – password cracking software relies on dictionaries to accelerate its guesswork (more on this later), and if nothing in your password can be found in their dictionaries, bad guys have to brute force guess one character change at a time
It should be something only you can know – and therefore unguessable. What’s the first thing a hacker tries in the movies? Pet names and birthdays! And he always gets in. I hate that!
Examples of Good Passwords
Here are some examples of good passwords. DO NOT USE ANY OF THESE AS YOUR PASSWORD – you never want to use anything published verbatim on the internet as a password:
All three are pretty long (seems like a password can always be longer…), they pull from all the characters (a-z, A-Z, 0-9, special), and they are certainly complete gibberish. But guess what? They are all really easy to remember!
Huh? How can I remember something like that?! Simple, when you know the trick. All of them are actually encoded phrases. In each case I came up with the phrase first, and then encoded that phrase into a good password:
AuLx&D3osoS+3lpGs — Goldilocks and the Three Bears + The Three Little Pigs
Kind of bends rule 4 in that everyone knows these stories. But how in the world did I get a pair of children’s stories from that utter gobbledygook?
And that’s the big secret to creating a good password that follows our rules. Let’s look at the other examples…
$k5!1n10-ArfiNlv — $5000 won in a 10 J Q K A royal flush in Las Vegas
gl=3sPu50@+1csU — My goal is 3 sets of 50 pushups and 100 situps
The last good password example contains a bonus: for those passwords you have to type multiple times every day, come up with a personal goal. You are less likely to abandon that New Years resolution if you are forced to type it 5 times a day. One guy even quit smoking by changing his password (although his password could have been encoded better, and I sure hope he changed it before the article was published)!
There are all sorts of ways to encode your personal, only-you-can-possibly-know phrase into a good password. Borrow from all the subjects you now wished you paid attention to back in school: math, science, health, history. Use clever license plates, roman numerals, emoticons, weird abbreviations. Draw from childhood memories, momentous occasions, vacations…
Now the Don’ts
Never include any personal information in your password
If leaked via an attack on a careless website, an otherwise good password such as Zero12-tHree4-56Svn8=mysSn is going to make you wish you’d never been born. Keep any personally identifiable information out of your password.
Don’t use song lyrics
The time has long since past for creating good passwords out of song lyrics. Besides birthdays and pet names, password guessing programs now use dictionaries that take into account movie dialog, bible verses, wikipedia text, keyboard patterns, and text from entire books. You’d be amazed at the strings of characters that a modern password cracking program can come up with.
Never reuse your password on multiple sites/systems
Your good password must only be used to unlock one thing. That one thing needs to be important – a bank account, a computer with important data, or a password database. Why your password must remain so monogamous will be covered in a future article.
What if my company makes me change my password every 3 months?
Some companies make you change your password every so often in case a bad guy might be stealthily using it to gain access to the systems. Change it, and they lose access.
There are several ways of recycling your good password. Consider doing some or all of the following when it comes time to change:
Rotate one character. Take the last character and put it at the beginning
Change a character
Change capitalization on a character
Insert new characters at the beginning, middle, or end
$k5!1n10-ArfiNlv might become k5!1n10-ArflshiNlv$. Totally different as far as password guessing and how it is stored at a website are concerned.
How do I remember this gibberish tomorrow?
Write your good password down on a small piece of paper, then hide the paper. After less than 3 days of decent use you’ll remember the password and you can burn the paper.
Yes burn it.
Please do not just throw it away for a nosy dumpster diver to find. Don’t write it on a fluorescent pink sticky note and then shred it into a pile of white copy paper, either. In case you have snooping children or roommates, or you are particularly forgetful, you might consider further encoding your very temporary reminder by following one of the suggestions on password rotation above… just in case (more on these techniques in a future post).
Burn it. Don’t forget!
Time to change
Once you achieve your 100 situps, rotate characters for 3 years, or otherwise wear out your good password, create a new one. Your old one will come in handy someday. For example, you might have to cascade several good passwords to make a much longer one.
Come up with a phrase that only you could possibly know
Encode it into a good password using all the tricks discussed making sure to follow all the rules
Use your new good password on an important account such as a password database – covered in the next article