Continuing our quest for a better password
In the first post of this series, I discussed why you should care about having a better password to keep your sensitive data secure online. In this post, I’ll cover a few tricks that you can use to create a memorable password that passes the 3 criteria we established in the first post:
- My password can’t be simple and popular
- My password can’t say anything about me
- My password can’t be a real word
Before we go further
It’s important to understand that our 3 criteria are good, but they are not an exhaustive list of conditions that the “ideal” password should meet. We’ll get to that.
And you may be thinking that I’m being too basic. My philosophy on passwords is this: If people were robots, they would all have perfect passwords, but people are not robots, and they are often intimidated by the laundry list of conditions that strong passwords must meet. We can’t be perfect, but we can get better than we were yesterday. That’s what this series is about.
So let’s get back to it…
Use a non-word
One way of the easiest ways to make a password memorable is to make it pronounceable. However, we established that a password should not be a real word, so whatever you choose should not be a word that would be found in a dictionary (of any language).
Do you have a goofy word (that’s not a word) in your head that you can remember easily? Words “invented” by you are often inherently memorable because of their funny sound. Let’s give it a shot… how about shloraform? I have no idea where shloraform came from, by the way, but according to Google, it’s nowhere to be found online; however, it probably will not take Google long to find it in this post.
I should also emphasize that you should NOT use it as your password–or use any password that I come up with for illustrative purposes.
Now, you could go a step further and add a number or symbol… or both. This makes your password much, much stronger. So sh!0raform is even better. Adding a capital letter or two (preferably not at the beginning) is even better… sh!0raForM. Now we have a pretty strong password that looks like complete nonsense to anyone but us. The other thing our illustrative password has going for it is its length. Most experts agree that a password should be at least 8 characters in length.
But we can still do better because, ideally, your password should not be pronounceable or contain letters that appear together in real words (e.g. the “form” in our illustrative password).
You may be thinking “geez, are hackers really that good?” Yes, they are, and the programs they use are very smart. You should be smart too.
Phrases are your friends
One of the top mnemonic devices for creating a secure password involves using a memorable phrase to create a non-sensical acronym. Ideally, the phrase is something meaningful to you. The idea is to remember the phrase, which then leads you to your password.
Suppose you like to travel to California in the summertime. Your phrase might be “I love traveling to California in the summertime, especially in July.” From this phrase, you can create an acronym: ilttcitseij. On the surface, that sequence looks meaningless, but as long as you remember your phrase, you can remember ilttcitseij. Like we did with our non-word, we could start adding symbols, numbers, and capital letters to make it even stronger. The longer your phrase, the more characters your password will contain–generally a good thing.
The primary weakness of this approach is that it will typically lead to passwords that contain common letters. Hackers know this, so they have techniques where they focus on the most common letters of the alphabet when trying to guess your password. Letters like a, e, o, and r will appear frequently. In fact, one study analyzed 3 million 8-character passwords and found that half of them contained the letter e.
We’re not done
If you can adopt one of the two approaches above, you’re already doing much better than the average person. But as I noted above, these approaches are still not as good as you can do.
And unfortunately, what I think most people do–even those that use these methods–is that they do it once, and then use the same password for all of their sites. A few years ago, that wasn’t such a big deal. Today is much, much different, however.
Our world is increasingly digital, and we have an ever-expanding list of websites that we frequent. Many of these sites require us to enter a username and password. As the Internet ages, the number of sites that we visit can only increase. You’ve been leaving a password trail through cyberspace since the first time you signed up for email.
Do you have any idea how many sites you’ve visited where a password was required? It’s likely to be hundreds. And do you know how many opportunities there have been in that time for someone to find your passwords–perhaps on some server that was left unattended or disposed of improperly? And what incentive do all those free sites–some of which no longer exist–have to keep your data secure? Very little.
What’s more, we’re much more likely to use multiple computers or devices to access our sites today. The more we have to enter our passwords, the greater the chance of someone else getting them.
I’ll be back shortly with more information on the security perils of modern-day computing, but don’t worry… I’ll eventually arrive at what I believe to be the ideal solution–one that balances security and ease of use.
[Photo by mag3737 via Flickr]