Crafting The Perfect Password
Security geeks, including yours truly, are constantly nagging everyone to use strong passwords. But truly secure passwords can be hard to remember. Today I've got a simple recipe to help you create strong passwords that you can easily remember. Does that sound perfect? Read on...
How to Create a Strong, Secure Password
The conventional requirements of a strong password are length (the longer the better) and complexity (a mixture of upper- and lower-case letters, plus numbers, plus special characters).
Unfortunately, these requirements produce passwords that no one can remember, so they get written down on a Post-It note, or in a spreadsheet or text file that is not encrypted (because that would require another impossible-to-remember password). So much for security; what’s written down in plain text and left where anyone can get at it is utterly insecure.
The perfect password is one that is both a) easily remembered so it need not be written down, and b) sufficiently complex that guessing it by any of the three common hackers’ techniques - brute-force, common words, and dictionary - takes a lot longer than a hacker would care to spend on the job.
I will add one more criterion: the perfect password must be one that the system it is used on will accept. You have probably noticed that most online systems require passwords of at least 8 characters.
In addition to this length constraint, most systems now require at least one upper-case letter and either a digit (1, 2, 3, etc.) or a special character (+, #, $, and so on). That’s not an impediment to creating a memorable password; just tack the same two required characters, such as “A#” or “B$” onto the end of the password you create. You can remember that every password ends in “A#” or “B$,” can’t you?
Putting The Pieces Together
The beginning of the password can be a simple two- or three-word phrase. Sometimes I choose the title of a book on my shelf, such as "Crossword Puzzles" and add the A# suffix. The resulting password "Crossword PuzzlesA#" would take a hacker 41 years to crack using a high-end home computer.
If a system won’t allow blank spaces in a password, just replace the spaces with dashes or underscores, e.g., “Crossword-PuzzlesA#”. To keep things simple, use dashes or underscores all the time, so you don't have to remember, “Does the password for this system have spaces or dashes?” Just pick “dash” or “underscore” and use it consistently.
You can test the strength of your newly created password at Kaspersky’s Secure Password site. Enter a password candidate (never one that you’re actually using already) to see how long it would take to break it using:
- a 1982 8-bit ZX Spectrum home computer
- a 2012 MacBook Pro
- the popular (among hackers) Conficker botnet
- the current world's fastest supercomputer, the Tianhe-2.
The Conficker botnet’s time is probably of most interest. The others are just for fun, really. I don’t know what assumptions Kaspersky’s site makes about the number of password attempts per second. The results I get suggest those numbers may be unreasonably high. So take the results as a conservative estimate.
You might be thinking "Okay, a botnet can send millions of passwords per second. But can the receiving server process (either accept or reject) more than 100 password attempts per second?" Here's the answer: it doesn't have to. These brute-force password-cracking tools are used offline, after hackers break into a web server and gain access to the encrypted password database. Once inside, they can transfer that cache of usernames and passwords to another location and attack it at will, with no login server limiting how fast they can guess.
Managing Your Passwords
I mentioned in the sidebar above that password managers can be used to create, store and fill passwords. I regularly log in to lots of websites, so that's the approach I choose and recommend. The only downside is that you need to install that tool on every computer or mobile device you use. So if you prefer to do it yourself, my recipe for the perfect password is as follows:
- Two or three common words that are memorable to you, but not easily guessed by others
- One upper-case letter that never changes
- One special character that never changes
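As an added illustration (not part of the original article), this Python script estimates how long a recipe-style password such as the article's "Crossword PuzzlesA#" would resist guessing under two models: the per-character brute force that online strength meters assume, and an attacker who knows the recipe and tries common words with a fixed suffix. The 20,000-word list, the 33-symbol punctuation set and the two guess rates (100 attempts per second at a login server, ten million per second offline against a stolen database) are assumptions drawn from the article's figures.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guess rates are assumptions taken from the article's own discussion: a login
# server that can process about 100 attempts per second, versus an offline
# attack on a stolen password database ("millions of passwords per second").
ONLINE_RATE = 100.0
OFFLINE_RATE = 10_000_000.0

def charset_size(password: str) -> int:
    """Alphabet size a per-character brute-force search must cover; this is
    the model most online strength meters use."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # assumption: printable ASCII punctuation plus the space
    return size

def brute_force_years(password: str, rate: float) -> float:
    """Average years to reach the password by exhaustive per-character search
    (half the keyspace, since the right guess is equally likely anywhere)."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / 2 / rate / SECONDS_PER_YEAR

def recipe_years(num_words: int, rate: float, wordlist_size: int = 20_000,
                 separators: int = 3, case_variants: int = 1,
                 suffix_variants: int = 1) -> float:
    """Average years when the attacker models the recipe itself: words from a
    wordlist (20,000 is an assumption), one of a few separators (space, dash,
    underscore), predictable capitalisation, and a suffix that never changes."""
    keyspace = wordlist_size ** num_words * separators * case_variants * suffix_variants
    return keyspace / 2 / rate / SECONDS_PER_YEAR

def compare(password: str, num_words: int) -> dict:
    """Estimates for one recipe-style password under both models and both rates."""
    return {
        "brute_force_offline": brute_force_years(password, OFFLINE_RATE),
        "recipe_online": recipe_years(num_words, ONLINE_RATE),
        "recipe_offline": recipe_years(num_words, OFFLINE_RATE),
    }

if __name__ == "__main__":
    # The article's own sample: two title-case words plus the fixed "A#" suffix.
    for model, years in compare("Crossword PuzzlesA#", 2).items():
        print(f"{model:>20}: {years:.3g} years")
```

The gap between the two models is the point: the same password scores billions of years under per-character brute force, but an attacker who guesses the recipe needs only a wordlist squared, and a suffix that never changes adds nothing to the search space.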
This recipe produces a password that will take much longer than my lifetime to break. That seems good enough to me, even perfect. Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 26 May 2016
Article information: AskBobRankin -- Crafting The Perfect Password (Posted: 26 May 2016)
Source: https://askbobrankin.com/crafting_the_perfect_password.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Crafting The Perfect Password"
Posted by:
Granville Alley
26 May 2016
Nearly all the password crackers are salted with almost all words, so they will relatively easily crack any password that utilizes words and just one or two special or capital letters. The far better methodology is to take a couple of unrelated phrases that are memorable to you but do not necessarily mean anything to someone else, and use the first or last letter of each word in the phrase, split by a 4-6 digit numeric with a special character at either end of the numeric.
Someone suggested taking the first letter of each word of a song lyric phrase, which is also a good idea, although again combine two unrelated ones and put in a short, memorable-to-you numeric (not related to your address, birthday, or former addresses, and preferably not a numeric you are using for PIN numbers for credit cards). These kinds of combinations actually require the true brute-force type of cracking you discussed earlier.
Again anything using whole words or phrases of whole words will run into the already salted databases of password crackers and will be broken relatively quickly and are really no easier to remember than utilizing the first letter of each word of two or more phrases with a numeric thrown in between.
Posted by:
gcai
26 May 2016
I use a translation table to save my passwords in plain text hints.
e.g.
a = vector
d = train
f = tool
t = xray
e = 637
so if the real password is vectoraxraytoolxray
then my password hint is aftf
yes I have to remember the translated values but 5 or 6 words are achievable.
Combine this with capitalization and a reference to the specific website (say, always the first 2 characters of the website name in capitals)
and you can have a unique PSW for each website without much effort, and best of all I can have the hint in plain text.
e.g. for askbobrankin.com
my hint would be DaE which I know to be
ASTrainvector^#&
if the hint were Dae then
ASTrainvector637
and dae = ASTrainvector637
and so on
mix and match at will and even if you mess up the capitals in the hint you have the base to work with
works for me :)
Posted by:
fbgcai
26 May 2016
Bob
if spelling counts "Managing Your Paswords"
s/b Managing Your Passwords
@monte
I'm mildly offended by your ageism (n.b. I'm 60+)
and could retort that the... let's leave it there; there are people in all age categories who are challenged by different things.
Posted by:
Jonathan
26 May 2016
I'm computer savvy and realize that every little bit helps. I do appreciate your insightful articles, but tell me: what good are incredibly strong, secure passwords when hackers break into a company and steal them (for mischief or ransom)?
That's happened to me at least five times this year: my bank, websites where I shop, sensitive data storage sites like credit card companies, little businesses, big businesses--ominous emails inform me that these businesses themselves have been hacked!
I'm told I need to change my password, I may receive a year's worth of free account monitoring (in some cases) and the police have been notified. Really!? Isn't it a bit late for all that, when my unhackable password has still been hijacked by those responsible for keeping it secure?
Yes, I could change my password every day---but I have literally dozens of typed pages of passwords. Let's discuss this larger problem, if you please.
Posted by:
david
26 May 2016
No one has mentioned typing a run on the keyboard; are hackers' programs looking for those? I.e., 2wsxcde3
Posted by:
Art F
26 May 2016
You say: "You might be thinking "Okay, a botnet can send millions of passwords per second. But can the receiving server process (either accept or reject) more than 100 password attempts per second?" Here's the answer: it doesn't have to. These brute force password cracking tools are used when hackers break into a web server, thereby gaining access to the encrypted password database. Once inside, they can transfer that cache of usernames and passwords to another location and attack it at will."
I don't really get your reasoning here. The bad guys have got hold of an encrypted password database. In that case, what difference does it make how secure my personal password is or isn't?
The critical thing would be how secure is the encryption, or the password that unlocks it, which is not under my control but rather under the control of the site the password database was stolen from. What am I missing?
Posted by:
Bruce
26 May 2016
You almost have it. You forgot those who can't choose their password(s). Also, while users are coming up to speed with developing a "good" password it may be hard for them to remember it. My suggestion for those two scenarios is to use the draft option in the email program normally used at least on a daily basis. This way the password is protected by a password used at least daily by them. This would be a way to store related info such as url, username, security responses etc. for that account.
Posted by:
Paul
26 May 2016
I use and recommend KeePass for storing my passwords, which currently number in the hundreds. My password database is stored in the cloud (Dropbox) and syncs to all my computing platforms. On Android I recommend the Keepass2Android app.
Posted by:
KnowPC
27 May 2016
Any decent website will allow only a very limited number of trials (3-5), after which it will not allow any more entries. So, how in the world can a hacker try to decipher the password?! Don't try to worry about complicated passwords. A hacker will have other means to get it, by phishing or other means. So, long or complicated passwords have no security advantages. Please elaborate on this in future.
Posted by:
Mike
27 May 2016
Check out Safe In Cloud. Simple and very effective across all platforms.
Posted by:
Steph
27 May 2016
Am I understanding correctly that using your recipe I can create one password for all of the sites I log on?
Posted by:
Jim
27 May 2016
Using Bob's formula and my own on-shelf book title (20+ characters), I got: Your password will be bruteforced with an average home computer in approximately 10,000+ centuries... and an added comment on the test web site: "Bender Rodriguez would steal everything valuable in the Universe in that time. Including your password." Cute. Some sites I use won't accept that large a PW, tho. A shorter 12+char PW: Your password will be bruteforced with an average home computer in approximately 43 centuries. Seems good to me. Do you agree?
Posted by:
Jim
27 May 2016
Reply to Steph: Using one PW on all sites is not recommended. You especially want to use different PWs on sites where you are more concerned about security, such as checking account, credit cards, home security or any sites where you would worry if someone got your PW by any means (watching you type it, etc.). You could use a little black book that you keep hidden away... or one of the PW managers mentioned above. I like Roboform, myself.
Posted by:
jorge
27 May 2016
I use my own encryption method, applying several rules. Of course, I shall not tell anybody what my rules are, but they work. I don't like password managers, because they create ugly passwords that must be written down so as not to be forgotten.....
Posted by:
PhilS
28 May 2016
I use a similar approach to that outlined by Annette above. I use a strong base passphrase (LoveVanillaIceCream, say) and customize it slightly on a per-site basis (LoveVanillaIceCreamBank, say). This enables me to create strong and unique passwords - which avoids the risk of cross-site password attacks in the case of a credential database being compromised - without the need for a password manager.
The problem with password managers - and especially online password managers - is that, sooner or later, somebody will work out how to exploit them. LastPass has already had a couple of scares.
Posted by:
Grogan
28 May 2016
Strength and complexity aren't as important as people think. The chances of somebody attempting to brute-force their way into one of your accounts are somewhere between slim and none. It's not how things happen.
Passwords mainly get compromised in one of three ways:
1. Credential database theft;
2. Phishing;
3. Guessed or otherwise discovered by a dishonest friend/family member/co-worker.
A strong password provides absolutely zero protection against #1 or #2, but does, to some extent, provide protection against #3 – however, so would a simple, non-complex random password that can't be guessed/discovered.
This isn't to say that people shouldn't use strong passwords - they obviously should.
Posted by:
Grogan
28 May 2016
By the way, I somewhat disagree with your comment about not writing passwords down. It'd obviously be a bad idea to do it in a work environment, but at home - depending on who's coming and going - it may not be a bad way of managing your passwords. Especially if your list is securely tucked away.
Posted by:
Citellus
29 May 2016
I am not even sure I should put this out for general consumption. I am a scientist. I tried several simple two scientific word passwords with a space between at the Kaspersky site. Simple does not mean the words are easy, just that they are in my frequent thinking. One of them (one term is outdated) would take the Tianhe-2 supercomputer 10,000 centuries to crack. Most two word technical terms I used with a space in between - and no special characters - would take the Tianhe-2 several months to a few years.
Posted by:
John
30 May 2016
Good grief, thanks so much for the wake-up call, Bob. Kaspersky says my password can be broken in 26 seconds! And that one was for my bank account! My new one says it will take a few hundred centuries. Using very few more characters and just as easy to remember. Am now using just 4 passwords for 4 different classes of online transactions (from junk sites to financial). Anything is far better than before! Being a stubborn ornery 80 year old fossil, I prefer to manage myself without relying on any password management software. Same with web-site writing software, I prefer a pencil, paper and html. Thanks again, Bob, many thanks.
Posted by:
John
30 May 2016
Forgot to mention, Bob, that I stored my new stronger passwords in a text file, then took a "screen shot" of them and then deleted the text file. Do you think that an image.jpg is secure storage on my PC for my passwords? (I used to use hexadecimal and Java but switched to images, to do something similar to cloak email addresses from harvesting bots on my web-sites.) Thanks again for this article, Bob.