Creating secure passwords. We all have to do it, but are we doing it right? Here are some tips for creating strong, secure passwords that you can remember and your enemies can’t guess.
Tips for Choosing Secure Passwords
There are many factors that go into creating secure passwords, but often the resulting passwords are impossible for the average person to remember, or simply not secure enough. Best practice is to choose something memorable to you but not easily guessed by anyone else. That, though, can result in an insecure password, especially if you use it all over the web. In this article I’m going to cover some tips and ways to create secure passwords.
Know your password entropy (predictability).
Password entropy is a measurement of how unpredictable a password is, expressed in bits. It is based on the character set the password draws from (lowercase, uppercase, numbers, symbols) and the password length. What most people don’t realize is that because length is one of the most important factors affecting entropy and strength, a longer password can be simpler than a shorter one and still be effective. This is good news for those of us with horrible memories and sloppy password-creating habits.
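To make the length-versus-complexity point concrete, here is an added example (not code from the article) that estimates entropy with the usual character-set model: bits = length × log2(size of the alphabet the password uses). The four character classes and the two sample passwords are this example's own choices; the model assumes the attacker knows only the alphabet, so it is an upper bound rather than a guessability score.

```python
import math
import string

# Character classes for the charset-based estimate. This is the conventional
# "attacker knows only the alphabet" model used by most strength meters.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}
KNOWN = "".join(CLASSES.values())


def charset_size(password: str) -> int:
    """Sum the sizes of the character classes the password actually uses."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    # Anything outside the four classes (space, non-ASCII) counts as one extra symbol.
    if any(c not in KNOWN for c in password):
        size += 1
    return size


def entropy_bits(password: str) -> float:
    """Entropy in bits under the charset model: length * log2(alphabet size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def stronger(a: str, b: str) -> str:
    """Return whichever of two passwords has the higher charset entropy."""
    return a if entropy_bits(a) >= entropy_bits(b) else b


if __name__ == "__main__":
    # Constructed samples: a short "complex" password versus a long all-lowercase one.
    short_complex = "Tr0ub4dor&3"              # 11 chars, 94-symbol alphabet
    long_simple = "correcthorsebatterystaple"  # 25 chars, 26-symbol alphabet
    for pw in (short_complex, long_simple):
        print(f"{pw!r}: alphabet {charset_size(pw)}, {entropy_bits(pw):.1f} bits")
    print("stronger:", stronger(short_complex, long_simple))
```

Running it shows the 25-letter lowercase password scoring roughly 117 bits against roughly 72 for the 11-character mixed one, which is exactly the "longer can be simpler" claim in numbers.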
Don’t use the same password twice.
Using the same password for every account you have is a recipe for absolute disaster. If all your accounts share one password and one of them gets hacked, the attacker can access every account you hold online with that same password. Big no-no. Instead, use an algorithm or an online password generator to develop strong, distinct passwords.
Use algorithms to create secure passwords.
Algorithms are patterns you can develop to create secure passwords that differ from one another but follow the same general formula. For example:
- 3-4 letters that are meaningful (ex: initials, town, street, child, pet name)
- 1 special symbol or character such as ! % # ^ $
- 3-4 letters of the account or service (if the domain is google.com perhaps using Goo would work)
- 1 special symbol or character such as ! % # ^ $
- 3-4 numbers that are meaningful (ex: birthdate, last 4 of a phone number, zip code, etc.)
This can produce similar passwords that are difficult to discern. Using a 3-letter website indicator, if I live on Clay Avenue and my childhood phone number was 867-5309, my algorithm could be:
- For Google.com: Clay#Goo#5309
- For Yahoo.com: Clay#Yah#5309
- For Overstock.com: Clay#Ove#5309
To a computer these passwords are significantly different from each other, but because you used an algorithm they are easy for you to remember.
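The following is an added example, not code from the article, that implements the pattern above (personal fragment, symbol, site fragment, symbol, digits) and shows the one piece that needs care: turning a domain name into the site fragment consistently, whatever form the address takes (`google.com`, `www.overstock.com`, `mail.yahoo.com`). The function names are this example's own; it uses the article's own sample values ("Clay", "#", "5309") and assumes a plain `.com`-style suffix, so country suffixes such as `.co.uk` are not special-cased here.

```python
def site_fragment(domain: str, length: int = 3) -> str:
    """First `length` letters of the site's main label, capitalised.

    'google.com' -> 'Goo', 'www.overstock.com' -> 'Ove', 'mail.yahoo.com' -> 'Yah'.
    Assumption: the main label is the one just before the last label (".com").
    """
    labels = [part for part in domain.lower().strip().split(".") if part]
    if len(labels) < 2:
        raise ValueError(f"not a domain name: {domain!r}")
    main = labels[-2]
    letters = "".join(c for c in main if c.isalpha())[:length]
    if not letters:
        raise ValueError(f"no letters in site label {main!r}")
    return letters.capitalize()


def pattern_password(personal: str, symbol: str, digits: str, domain: str) -> str:
    """Compose the pattern: personal, symbol, site fragment, symbol, digits."""
    return f"{personal}{symbol}{site_fragment(domain)}{symbol}{digits}"


def passwords_for(sites, personal="Clay", symbol="#", digits="5309"):
    """Map each site to its password and confirm that no two sites collide.

    Two sites whose labels start with the same letters (overstock.com and
    overdrive.com both give 'Ove') would get the same password, which defeats
    the "never reuse" rule; the pattern then needs a longer site fragment.
    """
    table = {site: pattern_password(personal, symbol, digits, site) for site in sites}
    if len(set(table.values())) != len(table):
        raise ValueError("pattern produced identical passwords for different sites")
    return table


if __name__ == "__main__":
    for site, pw in passwords_for(["google.com", "yahoo.com", "overstock.com"]).items():
        print(f"{site:15} {pw}")
```

The collision check is the practical caveat: a fixed-length site fragment is only unique while no two of your sites share their first letters, so decide the fragment length before you start using the pattern rather than after a clash.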
Try password hinting to remember your passwords and keep them safe.
Instead of storing your actual password as a record on your phone or computer, try password hinting. If your password is your dog’s name plus your childhood street address number, a hint such as “Bark plus address” is vague enough that someone else would find it difficult to figure out, but it would trigger you to remember that your password is actually Sparky+201.
Use an online password generator.
There are many websites that will generate random passwords for you. These are often difficult to remember because of the randomness. However, my favorite is a unique one called xkpasswd, which I will talk more about below.
Xkpasswd is a tool for generating passwords that are secure, memorable, and easy to read, type, and share over the phone. Its creator, Bart Busschots, argues that random strings of characters are very difficult for humans to remember but can be quite easy for a computer to guess. Xkpasswd reverses this: it builds your password from randomly chosen common words separated by symbols or numbers (which can be randomly generated or chosen by you). There are many settings you can use to define a “structure” for your passwords. The result is easier for a person to remember or share and harder for a computer to crack. It was inspired by this comic:
Xkpasswd has a “password strength meter” titled “Entropy” (remember learning about entropy earlier?). It reports two bit counts: the entropy against someone who knows nothing about how you generate your passwords (blind) and against someone with full knowledge of your settings. It also suggests target values for both numbers, so you can tell whether you’re creating secure passwords that meet its entropy standards. xkpasswd is inspired by XKCD and Password Haystacks.
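As an added example (not xkpasswd's own code), here is a small word-based generator in the same spirit, together with the two entropy figures the paragraph describes: the "blind" number, which treats the result as an opaque string over its character set, and the "full knowledge" number, which assumes the attacker knows the word list, the word count, the separator set and the digit layout and only has to guess the random choices. The 16-word list, separator set and layout (two digits, separator, four words in random case, separator, two digits) are constructed for this illustration; the full-knowledge figure is the one that matters, and it is what grows when the word list grows.

```python
import math
import secrets
import string

# Constructed word list for the illustration. A real generator draws from a
# dictionary of thousands of words, which is what makes the full-knowledge
# entropy large; with only 16 words each word contributes just 4 bits.
WORDS = ["correct", "horse", "battery", "staple", "window", "garden", "copper",
         "silent", "river", "monkey", "planet", "butter", "candle", "marble",
         "pillow", "rocket"]
SEPARATORS = "-+=_!@#$%^&*"
WORD_COUNT = 4
DIGIT_COUNT = 2


def generate(words=WORDS, count=WORD_COUNT, separators=SEPARATORS,
             digits=DIGIT_COUNT, rng=secrets):
    """Layout: DD sep WORD sep word sep WORD sep word sep DD (case per word is random)."""
    sep = rng.choice(separators)                      # one separator per password
    chosen = []
    for _ in range(count):
        case = rng.choice([str.lower, str.upper])     # 1 bit of case per word
        chosen.append(case(rng.choice(words)))
    lead = "".join(rng.choice(string.digits) for _ in range(digits))
    tail = "".join(rng.choice(string.digits) for _ in range(digits))
    return lead + sep + sep.join(chosen) + sep + tail


def full_knowledge_bits(word_count, wordlist_size, separator_count, digit_count):
    """Entropy when the attacker knows the layout and only guesses the random choices."""
    return (word_count * math.log2(wordlist_size)   # which words
            + word_count                            # upper/lower case of each word
            + math.log2(separator_count)            # which separator
            + 2 * digit_count * math.log2(10))      # leading and trailing digits


def blind_bits(password):
    """Entropy when the attacker sees only a string over some character set."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet)


def parse(password, separators=SEPARATORS):
    """Split a generated password back into (lead digits, words, tail digits)."""
    sep = password[DIGIT_COUNT]
    if sep not in separators:
        raise ValueError("unexpected separator")
    parts = password.split(sep)
    return parts[0], parts[1:-1], parts[-1]


if __name__ == "__main__":
    pw = generate()
    print(pw)
    print(f"blind:          {blind_bits(pw):.1f} bits")
    print(f"full knowledge: {full_knowledge_bits(WORD_COUNT, len(WORDS), len(SEPARATORS), DIGIT_COUNT):.1f} bits")
    print(f"with 10,000 words: {full_knowledge_bits(WORD_COUNT, 10_000, len(SEPARATORS), DIGIT_COUNT):.1f} bits")
```

The blind figure is comfortably over 200 bits for a 30-odd character result, while the full-knowledge figure with this 16-word list is under 40 bits; switching to a 10,000-word dictionary lifts it above 70. That gap is why xkpasswd shows both numbers and why the settings, not the visible length, decide how strong the output really is.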
Although its output is not as easy to remember as xkpasswd’s, this is a nice tool for generating passwords. It has options to include or exclude different character types and behaviours, such as:
- Include Symbols
- Include Numbers
- Include Lowercase Characters
- Include Uppercase Characters
- Exclude Similar Characters
- Exclude Ambiguous Characters
- Generate On The Client Side (do NOT send across the Internet)
- Auto-Select (select the password automatically)
- Save My Preference (save all the settings above for later use)
- Load My Settings Anywhere (a URL to load your settings on other computers quickly)
A definitive list of our idiocy.
Still don’t believe me? Fast Company actually has a blog post titled “The 25 Most Popular Passwords Of 2015, Or, Humans Suck”. Is yours on there?
There are several password storage utilities that help you manage all of your account passwords in one place. These password managers provide a platform that requires only one complex password to access your secure websites, credit card information and even documents that you keep inside an encrypted database. The data is typically encrypted on your computer before it goes to the company’s server.
Password encryption, in basic terms, means taking your passwords, dividing them into chunks, putting them through separate algorithms, and then putting them back together so that they are unreadable to humans and difficult for computers and hackers to guess. This means that if the online password manager’s server were compromised, your passwords would be garbled and potentially still safe. Even the company’s employees can’t read your passwords because of the encryption. The best answer here gives a good example of the encryption process.
How the Data is Stored
Depending on the platform, the database could be stored:
- locally (on your computer only): the safest option, but also the most inconvenient, because you cannot access your passwords from other computers.
- on the company’s servers, in the cloud.
- in your browser (Chrome, Firefox, Internet Explorer) as an extension that keeps your data in a profile on your computer and syncs it with a cloud server. Because the data is encrypted and transferred over a secure connection, you can be reasonably confident that it is safe.
- Dropbox: many password managers sync your passwords with Dropbox so you can get to them anywhere. But what if your Dropbox gets hacked? Yikes.
- Thumb drive: some password managers offer the option to save your passwords on a portable thumb/jump drive that you carry from computer to computer. With this approach you always know where your data is, as long as you don’t leave the drive in a PC and walk away.
Why I don’t use a Password Manager
I am personally not a fan of these services and would suggest using my algorithm method instead. My major issue with these services is that you are putting all your eggs in one basket. But they are an option, and a lot of people use them. They do get compromised (LastPass did in June 2015). Even though password managers are generally secure, they will promise you the world, and more likely than not they will break those promises when they are breached. If you use a good company, though, they will jump into action and keep you informed of what has happened to your data. Remember that nothing is bulletproof and using the internet with any password puts you at risk. That’s why I’m not willing to take the risk.
KeePass is a free, open-source password manager that keeps your data out of the cloud. Because your passwords are only on your computer, there is no risk of a cloud-side breach (for example, a hacker cracking the master password of your cloud-hosted account). However, this security makes it harder to access your passwords on anything but your main computer; how inconvenient when you need to buy that Woot item before it sells out and realize you can’t get at your passwords from your cell phone. KeePass offers the option to sync with third-party browsers, Dropbox and many other programs. The browser extensions integrate KeePass directly into your browser: use KeeFox for Firefox or chromeIPass for Chrome. In my humble opinion, syncing defeats the whole purpose of using a local password manager. And remember, if someone has physical access to your computer, they can still get your password database that way.
I’m sure a lot of you are already familiar with LastPass, a security-focused app that remembers your passwords for you, stores them in your online “LastPass Vault”, and lets you access them with your master password. LastPass automatically fills in your sign-ins for your online accounts and lets you access the vault across every browser and device by syncing with its cloud server. The data on its server is protected with AES-256 encryption, salted hashing, and PBKDF2-SHA-256. This sounds very technical and super secure, but remember that they were compromised in June 2015. Still want to go this route? See how it works.
Want more options? Check out this article on the best free password managers for a comprehensive list.
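The terms in the LastPass description above (salted hashing, PBKDF2-SHA-256, an AES-256 key) fit together in a standard way that is worth seeing in code. What follows is an added illustration written for this article, not LastPass's or any vendor's actual scheme: the client stretches the master password with PBKDF2-HMAC-SHA256 and a random salt into a 32-byte key suitable for AES-256, and the server stores only a salted hash of that key as a login verifier. The master password and the vault key never leave the client, so a copy of the server record lets an attacker do nothing but run PBKDF2 guesses at full cost per guess, and it also explains why a forgotten master password cannot be recovered by the company. The iteration count and function names are this example's assumptions; only Python's standard library is used.

```python
import hashlib
import hmac
import os

# Illustrative work factor; real products tune this to their threat model and
# raise it over time as hardware gets faster.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Client side: stretch the master password into a 32-byte (AES-256) vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def auth_verifier(vault_key: bytes, auth_salt: bytes) -> bytes:
    """What the server stores instead of the key: a further salted hash of it.

    Knowing the verifier does not reveal the vault key, and the key itself is
    never transmitted; only this verifier is compared at login.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, auth_salt, 1, dklen=32)


def enroll(master_password: str):
    """Simulate account creation: return the client's key and the server's record."""
    salt = os.urandom(16)        # per-user salt for key derivation
    auth_salt = os.urandom(16)   # separate salt for the stored verifier
    key = derive_vault_key(master_password, salt)
    server_record = {
        "salt": salt,
        "auth_salt": auth_salt,
        "verifier": auth_verifier(key, auth_salt),
    }
    return key, server_record


def login(master_password: str, server_record) -> bool:
    """Re-derive the key locally and compare verifiers in constant time."""
    key = derive_vault_key(master_password, server_record["salt"])
    candidate = auth_verifier(key, server_record["auth_salt"])
    return hmac.compare_digest(candidate, server_record["verifier"])


if __name__ == "__main__":
    # Constructed master password for the demonstration.
    key, record = enroll("correct horse battery staple")
    print("vault key (client only):", key.hex())
    print("server stores:", {k: v.hex() for k, v in record.items()})
    print("correct password logs in:", login("correct horse battery staple", record))
    print("one-character slip logs in:", login("correct horse battery stapl", record))
```

Two properties are worth checking: the same password with a different salt yields a different key (so identical master passwords at two services do not produce identical stored values), and a single wrong character fails cleanly. Note that the vault key exists only while the client holds the master password; nothing in the server record can regenerate it, which is the flip side of "the company does not have it".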
There are a lot of options for creating secure passwords, and it’s important to use different passwords for all of your accounts. It’s also important to change your passwords: I try to go through all of mine at least once a year and update them to something new. Using algorithms and online password generators can help to keep your online accounts secure. Remember entropy and what qualities make your passwords strong (length, plus a combination of upper- and lowercase letters, numbers, and symbols).
All password managers do have one thing in common: They require you to remember one complex password. So, remember to use the techniques above to create that secure password if you decide to use them. If you forget your master password you can’t access your data, and since the password manager company does not have it, you’ll have to reset all your passwords and start over.
While it can be tempting to use a utility to store ALL of your passwords in the cloud using a password manager, remember that you are putting all your eggs in one basket, and risking that every online account you have can be accessed by cracking one single password. If the benefits outweigh the risks for you, be sure to choose a reputable company that will keep you informed WHEN the security breaches happen (they will happen, and nothing online is 100% secure).