Passwords are a necessary evil. They’re a pain to create and a struggle to remember – as this comedian hilariously explains. But if you decide to take shortcuts, you make a hacker’s job much, much easier.
Fortunately, I know a few tricks to make the whole thing simpler. Before I get to that, though, it’s good to refresh your memory on a few ground rules for creating strong passwords. Let’s start with the most basic rule:
Don’t make the password easy to guess
Whenever there’s a big data breach and user passwords are exposed, security companies always make a list of the most common passwords people were using.
Among those studies, the five most common passwords were “123456,” “password,” “12345678,” “qwerty” and “12345.”
But weak passwords aren’t the only thing to watch out for. Hackers have computers that can “guess” for them. And chances are good that even security-conscious folks might make a common mistake in creating their password.
DARPA released a study not long ago that tracked passwords at a Fortune 100 company and found that about half followed five common patterns. Here are three of the most common patterns found in the study:
- One uppercase, five lowercase and three digits (Example: Komand123)
- One uppercase, six lowercase and two digits (Example: Komando12)
- One uppercase, three lowercase and five digits (Example: Koma12345)
These are just things people do without thinking about them. However, if you create a password that follows any of those patterns, you make a password-cracking program’s job a lot easier.
Obviously, you shouldn’t use those patterns or anything like them. The same goes for using special dates, names of spouses, children, relatives or pets, or any password using the full name of the service you’re making the password for.
The strongest password is one that contains a random collection of letters (uppercase and lowercase), numbers and symbols. Of course, that’s nearly impossible to remember, but we’ll deal with that later on.
Make the password 8 characters or longer
Despite what you see in the movies, professional hackers rarely sit down at a computer and try to guess your password; that’s usually done by casual snoops such as relatives. Instead, hackers get millions of passwords at once from company data breaches or other sources.
You might have seen my coverage of a security vulnerability in Google Docs recently, a service that lets you save spreadsheets, text files and other productivity files online.
The flaw allowed crooks to potentially look at any document that they wanted without any password at all. Now normally this wouldn’t be such a big deal, but many users had passwords for other websites, bank account numbers and other information stored in a Google Doc file or spreadsheet.
If a hacker came across the right file, they would have stumbled across a goldmine. While remembering your passwords can be important – and forgetting them can sometimes be disastrous – it’s important to keep track of where you’re storing passwords.
Usually, if the breached company was doing things right, the leaked passwords were hashed, so each one looks like a huge string of letters and numbers. However, with enough passwords hashed the same way, hackers can figure out the scheme and recover many of them.
In fact, with modern computers, they can usually crack tens of thousands of passwords in mere hours.
Shorter passwords are easier to crack, so hackers go for those first. The longer a password is, the longer it takes to crack, as long as it isn’t something obvious like “123456789”; hackers check for the obvious ones first, using a different method.
Many hackers don’t even bother with passwords of eight characters or longer, although as computers get more powerful, that will take less time. So, 10 characters would be better.
Don’t use the same password everywhere
As I said, most hackers don’t try to guess your password. But if they get one of your passwords in a data breach, or from a virus on your computer, they will go after your other online accounts.
That’s why you want a different password for every account, especially your critical financial accounts. If the password they have doesn’t work right away, they’ll usually move on to someone else’s that does.
Creating a password
So, in summary, the ground rules for passwords are:
- It has to contain a random collection of letters (uppercase and lowercase), numbers and symbols
- It has to be eight characters or longer
- You have to create a unique password for every account
That’s a tall order. While something like “Tl|_|,BwwB2R” is really strong, it isn’t easy to remember. Or is it? Let me show you how I came up with it.
Start by thinking up a random sentence. You can use a catch phrase, quote or even a song lyric. I chose a lyric from one of my favorite songs: “Tramps like us, baby we were born to run.”
I took the first character from each word to get “tlu,bwwbtr”. Not bad, but it could be better. So, I added some symbols in place of similar letters: u becomes |_|, and the “to” from the original lyric becomes 2. Then, I capitalized a few of the letters to make a strong password that I can easily remember: “Tl|_|,BwwB2R”.
Bonus tip: Setting up consistent symbol replacement and capitalization rules for all your passwords helps keep things from becoming too complex.
Once you have that you can tweak the same password for multiple accounts. For Facebook, you could make it “Tl|_|$,BwwB2RFB.” Amazon can be “AmzTl|_|$,BwwB2R.” You can make a consistent scheme there as well so you always know how you shorten the company name and where it goes.
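Here is the sentence-to-password recipe above, together with the ground rules from the “Creating a password” summary and the common patterns from the DARPA study, worked through in code. This is an added example, not code from the original article; the common-password list and the three (uppercase, lowercase, digit) shapes are taken from the article’s text, and the function names, the word/letter substitution tables and the capitalization indices are assumptions chosen to reproduce the article’s lyric example.

```python
import string

# Constructed from the article: the five most common leaked passwords.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "12345"}

# The three common shapes quoted from the DARPA study, as
# (uppercase, lowercase, digit) counts with no symbols at all.
COMMON_SHAPES = {(1, 5, 3), (1, 6, 2), (1, 3, 5)}


def char_class_counts(password):
    """Return (uppercase, lowercase, digit, symbol) counts for a password."""
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    digit = sum(c.isdigit() for c in password)
    symbol = len(password) - upper - lower - digit
    return upper, lower, digit, symbol


def password_problems(password, service_name=None, min_length=8):
    """List the article's ground rules that a password breaks.

    An empty list means the password passes: it is not a common password,
    is at least min_length characters, mixes upper, lower, digits and
    symbols, does not follow one of the common DARPA shapes, and does not
    contain the full name of the service it is for.
    """
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    upper, lower, digit, symbol = char_class_counts(password)
    if symbol == 0 and (upper, lower, digit) in COMMON_SHAPES:
        problems.append("matches a common letter/digit pattern")
    if not (upper and lower and digit and symbol):
        problems.append("missing a character class (upper, lower, digit, symbol)")
    if service_name and service_name.lower() in password.lower():
        problems.append("contains the service name")
    return problems


def mnemonic_password(sentence, letter_subs, word_subs, capitalize):
    """Build a password from a sentence the way the article describes.

    Each word contributes its first letter plus any punctuation attached to
    it (the comma in "us," is kept; the sentence-ending period is dropped).
    word_subs replaces whole words (e.g. "to" -> "2"), letter_subs replaces
    a first letter with symbols (e.g. "u" -> "|_|"), and capitalize holds
    the indices of the words whose first letter is uppercased.
    """
    parts = []
    for i, word in enumerate(sentence.strip().rstrip(".!?").split()):
        core = word.rstrip(string.punctuation)
        trailing = word[len(core):]
        key = core.lower()
        if key in word_subs:
            piece = word_subs[key]
        else:
            letter = key[0].upper() if i in capitalize else key[0]
            piece = letter_subs.get(key[0], letter)
        parts.append(piece + trailing)
    return "".join(parts)


if __name__ == "__main__":
    # Reproduce the article's example: the lyric, the two substitutions
    # and capitals on "Tramps", "baby", "born" and "run" (assumed indices).
    pw = mnemonic_password(
        "Tramps like us, baby we were born to run.",
        letter_subs={"u": "|_|"},
        word_subs={"to": "2"},
        capitalize={0, 3, 6, 8},
    )
    print(pw, password_problems(pw))                   # Tl|_|,BwwB2R []
    for weak in ("123456", "Komand123", "Komando12"):
        print(weak, password_problems(weak, service_name="Komando"))
```

Running the script prints the article’s password with an empty problem list, while the study’s sample passwords are flagged for following a common shape and for lacking symbols. The shape check only fires when a password has no symbols at all, which is exactly what makes the three DARPA patterns easy to enumerate.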
Now, if you’re like me and have dozens of accounts online, even using this system can be too much. That’s why a password manager can be a great help. It keeps your passwords secure, and you only need to remember the one to open it.
Of course, a secure password doesn’t make a difference if a hacker can bypass it another way. Learn how to create a strong security question that hackers can’t guess.
Then head over to my Security Center for everything you need to know to secure your computers, smartphones, tablets, Wi-Fi and online accounts.