By now we all know (at least we should) that passwords based on birthdate, children’s names, personal interests, or that use words in the dictionary are relatively easy to compromise. Passwords containing random strings of upper- and lowercase letters, numbers, and symbols are a generally accepted way of creating a secure password. Those passwords are difficult, if not impossible, to remember. People end up writing them down in a notebook or keeping them in a file, which lowers their security. In this post, I’ll share with you a technique I use that keeps my passwords secure, as well as easy to remember.
According to Webopedia, a strong password is:
A strong password consists of at least six characters (and the more characters, the stronger the password) that are a combination of letters, numbers and symbols (@, #, $, %, etc.) if allowed. Passwords are typically case-sensitive, so a strong password contains letters in both uppercase and lowercase.
One thing the Webopedia definition doesn’t call out is that a strong password should not contain words, or even derivations of words. For example, “ChristmasEve” is not a strong password. This is because hackers often use what is known as a dictionary attack. It is quite common for people to use words in their passwords, so a hacker will try to compromise a password by using words from a dictionary file, along with variations, to guess your password. The attacks will often substitute symbols inside the words, making “Chr!$tm@sEve” only marginally more secure.
Instead, create a sentence or phrase that you can easily remember to generate a strong password. For example, you might use “I want to learn how to touch-type in ’16. Practice EVERY DAY will help me achieve it!” From that, take the first letter of each word (in this case, I did use 2 in place of one of the t’s for the word to), and you can generate this password: Iw2lhtt-ti’16.PEDwhmai!
I checked this password on howsecureismypassword and it calculates an automated computer attack on this password would take 3 octillian years to crack this password – or 3,000,000,000,000,000,000,000,000,000 years. Compare that to a password like a birthday (03/31/16) which would take 13 seconds to compromise. A phrase like “Ilovetoski” would take a month, and a child’s name and their birthday (Chris03/31/98) would take 5 million years WITHOUT the use of a dictionary attack, but a hacker using a dictionary attack could potentially compromise this password within hours.
Another important security principle is not to use the same password on multiple sites. If the site is not securely encrypting your password, and an attacker is able to compromise it from that site along with your email address, many of your web site passwords are compromised.
To solve this problem, I recommend using a utility like LastPass or 1Password. These applications will easily generate completely random passwords for all of your accounts and enter them into your web browser automatically. I use LastPass, and I secure that account with a password using the method I described above.