How to Create a Good Password

Posted on July 31, 2014

More and more I see friends having accounts hacked. As computing power increases and its price keeps dropping, direct “brute force” attacks that try every possible password combination are going to become more prevalent. Too many people use 6-8 letter passwords for Facebook and email accounts. Even if you use some uppercase and some lowercase letters, an 8-letter password will take the average desktop PC about 3 hours to break by simply trying every possible combination of letters.  So, I’m on a mission to inform the world about password security.

How secure is my password?
I’m going to show you 3 ways to make a strong password that you can easily remember.  But first let’s look at the concepts that make a strong password.  We’ll start by testing your existing password.  To test out your existing password here’s what you can do:

  • First, make an equivalent password to your own.  To do this, simply replace every lowercase letter with a different lowercase letter and every number with a different number … and so on for uppercase letters and punctuation.  For example, if your password was “HiMom79” then one equivalent password could be “JsObo65”.  This will create a password of equal strength that we can insert into a test site, without giving away your existing password.
  • Now go to HowSecureIsMyPassword.net and enter your equivalent password.
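As an added example (not from the original post), here is a small Python helper that builds such an equivalent password automatically: every character is swapped for a different random character of the same type, so the length and the character type at each position are preserved and the brute-force search space is identical, while nothing about the real password leaks. The function names are my own; characters outside the four types (such as spaces) are left unchanged.

```python
import secrets
import string

# The post's four character types; each character of the password keeps its type.
CHAR_CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]


def class_of(char):
    """Return the class string a character belongs to, or None for anything else (e.g. a space)."""
    for cls in CHAR_CLASSES:
        if char in cls:
            return cls
    return None


def equivalent_password(password):
    """Replace each character with a *different* random character of the same class.

    Length and per-position class are preserved, so the result has exactly the same
    brute-force search space as the original without revealing it.
    """
    out = []
    for ch in password:
        cls = class_of(ch)
        if cls is None:
            out.append(ch)          # unknown type: keep as-is
            continue
        candidates = cls.replace(ch, "")   # same class, excluding the original character
        out.append(secrets.choice(candidates))
    return "".join(out)


def same_shape(a, b):
    """True if both strings have equal length and the same character class at every position."""
    return len(a) == len(b) and all(class_of(x) == class_of(y) for x, y in zip(a, b))


if __name__ == "__main__":
    original = "HiMom79"              # the post's sample password
    print(equivalent_password(original), same_shape(original, "JsObo65"))
```

Running it prints a fresh equivalent of “HiMom79” each time; paste that output, not your real password, into the test site.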

If your password was “HiMom79”, you’ll notice that any interested hacker could get access to your account in about 14 minutes.  So that’s not really a password.  It’s a tiny speed bump that allows hackers to have open access to your account. 
Note: because the password “HiMom79” contains two English words, it will probably only take about 2 minutes in practice, because a hacker will usually begin with a dictionary attack; unfortunately most passwords are easier to guess precisely because they contain words.

What does a secure password look like?
To make a secure password, you must focus on three concepts: complexity, length and lack of words.  Now most people avoid making a secure password because they feel that they cannot remember a complex and long password unless it has common names.  But there are many strategies that make this very easy.  I’m going to go over three of them, but first, let’s discuss what is meant by complexity.

For the purposes of making a strong password, complexity comes down to one question: “How many different types of characters are used in the password?”  The password “HtxOpwHoM” might seem complex, but it only contains two types of characters: uppercase and lowercase letters.  Because adding character types makes “brute force” hacking attempts exponentially more difficult, “HtxOpwHoM” only takes 8 days to crack, while “HtxOpwH.9” takes 1 year, even though they are the same length.

So for the most secure passwords we always want the password to:

  • Contain uppercase letters
  • Contain lowercase letters
  • Contain punctuation
  • Contain numbers
  • Be at least 10 characters long…the longer, the better
  • Contain no words
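To make the complexity idea concrete, here is an added Python example (not from the original post) that applies this checklist and computes the brute-force search space as (total size of the character types used) raised to the password length. The guess rate of one billion per second and the tiny word list are assumptions for illustration; the times quoted in the post come from HowSecureIsMyPassword.net and its own model, so they will not match exactly.

```python
import string

# Character classes as the post defines "complexity": how many *types* are used.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 characters
    "upper": set(string.ascii_uppercase),   # 26 characters
    "digit": set(string.digits),            # 10 characters
    "punct": set(string.punctuation),       # 32 characters
}

# Tiny constructed word list standing in for a cracker's dictionary (illustration only).
SAMPLE_WORDS = {"mom", "dad", "love", "pass", "joe", "eat"}


def classes_used(password):
    """Names of the character classes that appear at least once in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace(password):
    """Candidates an exhaustive search of this shape must try: (sum of class sizes) ** length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def contains_word(password, words=SAMPLE_WORDS):
    """True if any dictionary word appears inside the password (case-insensitive)."""
    lowered = password.lower()
    return any(w in lowered for w in words)


def check(password, guesses_per_second=1e9):
    """Apply the post's checklist and estimate worst-case brute-force time.

    guesses_per_second is an assumed attacker rate; raise it to model rented cloud hardware.
    """
    used = classes_used(password)
    space = keyspace(password)
    return {
        "classes": len(used),
        "has_all_classes": len(used) == len(CLASSES),
        "long_enough": len(password) >= 10,
        "contains_word": contains_word(password),
        "keyspace": space,
        "brute_force_years": space / guesses_per_second / (365 * 24 * 3600),
    }
```

Comparing check("HtxOpwHoM") with check("HtxOpwH.9") shows the search space growing from 52^9 to 94^9 for the same length, which is the whole point of adding character types.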

OK, so how do I make a strong password?
A strong password must still be memorable.  So the method that you use to make the password should still mean something to you, although I recommend it doesn’t include your SSN or DOB. Here are a few ways to go about this.

First I’ll show you my more complex method.  If you can do this, you’re set!  I usually begin with a sentence that I will remember.  For the purposes of this example, I’ll use the sentence, “I usually begin with a sentence that I will remember”.  I simply take the first letter of each word, which in this case comes out to “iubwastiwr”.  So that looks like a set of characters that doesn’t include any words.  Well, ok … the word “was” is in that set of characters.  But honestly, the rest of the random letters mean that the word “was” will not help anyone very much, so I won’t worry about it.

I will use “iubwastiwr” as the base of my password and add complexity with numbers, uppercase and punctuation.  First I’ll capitalize a few letters so I have “iubWasTiwR”.  Then add punctuation and numbers.  You could add them at the beginning, end or in the middle.  For best results, I try to be a bit random about where I add them, although you probably don’t have to worry too much if you want to just group them at the end.  I’ll add my area code and a few extra periods for punctuation.  So now I have “iu.b253Was.TiwR..” and if I type that into HowSecureIsMyPassword.net, I get that a Desktop PC will take 2 quadrillion years to hack that password with brute force.  That’s what I want.  And with a few minutes of practice I’ve been able to remember this password without writing it down.

But you may ask, “Isn’t 2-quadrillion-years password strength a bit paranoid?”  And the answer is NO!  Hackers don’t just use computers like your laptop or desktop PC.  Companies like Amazon have servers for rent and other powerful computers that allow this time to be cut down 1000 or 10000-fold very quickly.  And with the rapid increase in computer power and network speeds, the lengths of time that brute force hacking takes are dropping.  I want a password that will last me for years to come.

But let’s do this another way.  Let’s take my phone number, “253-555-9876”.  I’ll take out the dashes and then I’ll hold down shift on my keyboard while typing the number keys above the letters. I get “@%#%%%(*&^”. I’ll add my favorite number “9” and the first two letters of my dog’s name “Mu”. Now I have “@%#%%%(*&^9Mu”. That takes less time to create and memorize. And it still gives you 26 million years of protection from a desktop PC of today’s strength trying to break down your wall with a constant stream of guesses.

Here’s an even quicker one. I’ll use the sentence “Eat at Joe’s” for this one. I’ll add one number and I’ll add punctuation at the beginning and end. Lots of it. My password is now “++++++eAj9++++++”. Checking this one gives us a whopping 12 trillion years of protection from a single Desktop PC! That’s pretty good.

The only reason I do not use a password like this for banking or for protecting my servers is that it uses an algorithm that is too simple. Most hacking attempts are not going after this type of password currently, but if this were to become a common scheme, with long runs of the same punctuation or other character type, hackers would adapt their attempts to account for simple patterns like this.  I wouldn’t be afraid to use this on Facebook.  But I would NEVER use this for my email account.  Don’t forget that if you lose control of your email account to a hacker, they can get access to just about every service for which you’ve ever used that email account to sign up.

Lastly…
I am not saying a strong password will protect you forever.  There are infinite ways to compromise your own security on the Internet.  But having a good password removes the most common attack vector.  It’s the first important step in the ongoing battle for your own privacy.  Use the ideas in this guide as concepts that you can combine and mix, and you’ll do a lot to protect yourself.  Good luck out there!
