How do you balance the necessity of highly secure passwords with the ease of recalling them all? My theory is that the only secure password is one that I would never be able to remember, which is why I recommend the use of a password manager that you can use on all of your devices. We will come back to that concept later.
Do you remember the Heartbleed vulnerability? I wrote a blog post about it when the Heartbleed panic was at its worst because of all the questions and emails I was getting from concerned friends and family. When the Heartbleed vulnerability was discovered, the mandate was for everyone to change all their passwords right away. It's probably still on most people's to-do lists. I'm sure you cringe at the thought of getting hacked, and you probably cringe at the thought of taking the time and mental energy to do a complete overhaul of your favorite passwords. Does this sound like you?
If you happen to have a system in place to manage your unique, random, unbreakable passwords, then my hat's off to you. According to some estimates, you are among a well-protected 8 percent of users who do not reuse passwords. I'm grateful to be counted in the 8 percent.
The rest are still searching for a solution. We all know that creating a safe password is important, but how does someone actually go about changing bad habits and start creating and recalling all those essential, random passwords we need? Hopefully this post will solve that problem for those who read it and inspire them to make a change that will make their password lives better and more manageable going forward.
The Anatomy of a Better Password
First, let's start with three important rules to remember about good, strong passwords.
- The longer the password, the harder it is to crack. Consider a 12-character password or longer.
- Avoid names, places, and dictionary words.
- Mix it up. Use variations on capitalization, spelling, numbers, and punctuation.
These three rules make it exponentially harder for attackers to crack your password: every extra character multiplies the search space, and every extra character class multiplies it again. The strategies employed by password crackers have advanced to an incredibly efficient level, so it's imperative to be unusual with the passwords you create. Here's an example from security expert Bruce Schneier about just how far password crackers have come:
Just how fast can an attacker compromise your password? The following image shows a timeline of how long it would take to crack three different passwords with varied levels of complexity. Hopefully that will help you understand the importance of mixing up your passwords.
Here is a table with examples of how to turn a weak password into a strong password without a tremendous
So we have talked about what we should be doing. We have talked about what constitutes a weak password, and we have talked about the anatomy of a good strong password. So I want to take a little bit of time to show you what the typical user is doing when it comes to password behavior. I think this should put the fear of God into anyone who is responsible for network security in an organization.
If you're curious whether your chosen password is secure or not, you can run it through an online password checker like the one at OnlineDomainTools. To highlight the importance of a lengthy, random, unique password, the online checker has specific fields to show your password's variation in characters, its appearance in dictionaries, and the time it would take for a brute force attack to crack it. One caution: never paste a password you actually use into someone else's web form. Test a throwaway password built with the same structure instead, and treat the checker's crack-time figure as a rough illustration rather than a guarantee, since it cannot know how your real password will be stored or attacked.
Methods for Choosing a Better Password
The only problem with coming up with a random, unbreakable password is that random passwords are hard to remember. If you're typing characters in a truly random fashion, with no rhyme or reason, you'll likely have as hard a time remembering the result as an attacker will have cracking it. So it makes sense to go with a seemingly random password, one that is near impossible for cracking software to recognize but that has meaning or familiarity for you. Here are three methods to try.
The Schneier Method
Security expert Bruce Schneier put forth a password method back in 2008 that he still recommends today. It works like this:
- Take a sentence and turn it into a password.
- The sentence can be anything personal and memorable for you. Take the words from the sentence, then abbreviate and combine them in unique ways to form a password.
Here are four sample sentences that Bruce put together to show how this works.
WOO!TPwontSB = Woohoo! The Packers won the Super Bowl!
PPupmoarT@O@tgs = Please pick up more Toasty O's at the grocery store.
1tubuupshhh…imj = I tuck button-up shirts into my jeans.
W?ow?imp::ohth3r = Where oh where is my pear? Oh, there.
The Pass Phrase Method
This type of password is also called a pass phrase, and it represents a somewhat new way of thinking about security. Instead of a difficult-to-remember string of characters, you can make a lengthy phrase instead. (Note: Bruce Schneier warns that password crackers now put together common dictionary words in their guesses, so if you try the passphrase method, keep it as long as possible.)
The idea for passphrases is captured quite nicely in this comic from xkcd:
How can you create a 12-word passphrase of your own? It's as simple as it sounds. Come up with 12 random words.
You can start with a phrase such as "Even in winter, the dogs party with brooms and neighbor Kit Kats." Just make sure it is not a simple phrase or a phrase taken from existing literature. You can grab 12 random words, too: "Pantry duck cotton ballcap tissue airplane snore oar Christmas puddle log charisma."
When placed into a password checker, the 12-word passphrase above shows that it will take 238,378,158,171,207 quadragintillion years for a brute force attack to crack. That figure comes from a character-by-character brute force estimate; an attacker who knows you used dictionary words will guess whole words instead, which shrinks the search space enormously, though 12 words drawn from a large list is still far beyond reach. That is why the number of words matters more than how unusual any one of them is.
The PAO Method
Memorization techniques and mnemonic devices might help you remember an unbreakable password. At least, that's the theory put forth by Carnegie Mellon University computer scientists who suggest using the Person-Action-Object (PAO) method to create and store your unbreakable passwords.
PAO gained popularity in Joshua Foer's bestselling book Moonwalking with Einstein. The method goes like this:
Select an image of an interesting place (Mount Rushmore). Select a photo of a familiar or famous person (Beyonce). Imagine some random action along with a random object (Beyonce driving a Jello mold at Mount Rushmore).
The PAO method of memorization has cognitive advantages; our brains remember better with visual, shared cues and with outlandish, unusual scenarios. Once you create and memorize several PAO stories, you can use the stories to generate passwords.
For example, you can take the first three letters from "driving" and "Jello" to create "driJel." Do the same for three other stories, combine your made-up words together, and you'll have an 18-character password that'll appear completely random to others yet familiar to you.
Phonetic Muscle Memory
This method relies on a couple of helpful remembering devices: Phonetics and muscle memory. Here's how it works:
- Go to a random password generator site.
- Create 20 new passwords that are at least 10 characters in length and include numbers and capital letters (and punctuation if you're feeling brave).
- Scan the passwords, looking for phonetic structure—basically try to find passwords that you can sound out in your head. For example: drEnaba5Et (doctor enaba 5 E.T.) or BragUtheV5 (brag you the V5).
- Type out the phonetic passwords in a text file, taking note of how easy they are to type and how quickly you can type them. The easy-to-type passwords tend to get stuck in my muscle memory more quickly.
- Keep the phonetic, muscle-memory passwords and toss the rest. If you print out your text file to practice from, treat the printout like a password: keep it out of sight and destroy it once the passwords are memorized.
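The phonetic method above starts from a random password generator, and the passphrase section earlier leans on a checker's crack-time figure. The following is an added example, not code from the original post: it generates both kinds of password locally with Python's `secrets` module (a CSPRNG, unlike `random`), scores them as entropy bits, and converts that into an expected crack time at an assumed guess rate. The short word list, the 1e12 guesses-per-second rate, and the 12-character/12-word comparison are constructed assumptions for illustration; the EFF long word list size of 7,776 is a real figure used only to show what a realistic list gives you.

```python
# Added example (not from the original post): generate passwords with a
# CSPRNG and estimate strength as entropy bits and brute-force time.
# The sample word list and the guess rate are constructed assumptions.
import math
import secrets
import string

# Constructed sample word list for the demo. For real use take a large
# published list; for entropy the only thing that matters is how many
# words the attacker must try per position, not how odd the words are.
SAMPLE_WORDS = [
    "pantry", "duck", "cotton", "ballcap", "tissue", "airplane", "snore",
    "oar", "christmas", "puddle", "log", "charisma", "winter", "broom",
    "neighbor", "kitkat", "party", "dog",
]
EFF_LONG_LIST_SIZE = 7776  # size of the EFF long word list (6^5 words)
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ASSUMED_GUESSES_PER_SECOND = 1e12  # assumption: fast offline attack on a weak hash


def random_password(length=12, alphabet=PRINTABLE):
    """Uniform random characters drawn with secrets (never random.random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words=12, words=SAMPLE_WORDS, sep=" "):
    """Uniform random words; strength comes from list size and word count."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(symbols, alphabet_size):
    """Entropy of `symbols` independent uniform picks from `alphabet_size` choices."""
    return symbols * math.log2(alphabet_size)


def crack_seconds(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Expected time to hit the secret: half the keyspace at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def years(seconds):
    """Convert seconds to Julian years."""
    return seconds / 31_557_600


def compare(n_chars=12, n_words=12, word_list_size=EFF_LONG_LIST_SIZE):
    """Entropy and expected crack time for a random-character password
    versus a word passphrase, modelling an attacker who knows the word
    list (the realistic case). A character-level checker would report a
    far larger, misleading number for the passphrase."""
    char_bits = entropy_bits(n_chars, len(PRINTABLE))
    word_bits = entropy_bits(n_words, word_list_size)
    return {
        "random_chars": {"bits": char_bits, "years": years(crack_seconds(char_bits))},
        "word_passphrase": {"bits": word_bits, "years": years(crack_seconds(word_bits))},
    }


if __name__ == "__main__":
    print("sample password  :", random_password())
    print("sample passphrase:", random_passphrase())
    for label, r in compare().items():
        print(f"{label:16s} {r['bits']:6.1f} bits  ~{r['years']:.3g} years at 1e12 guesses/s")
    # A short passphrase is not safe just because it is made of words:
    print("3 dictionary words:", round(entropy_bits(3, EFF_LONG_LIST_SIZE), 1), "bits")
```

The output makes the page's two points concrete: 12 words from a 7,776-word list is about 155 bits, well above a 12-character random password at about 79 bits, while three dictionary words come in under 40 bits and fall quickly to a word-level attack. Raise or lower `ASSUMED_GUESSES_PER_SECOND` to model a slow password hash (bcrypt, Argon2) versus a fast one; the bits do not change, only the time.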
Pick one of the methods that
The Next Step for a Secure Password
After creating your super-secure password, there is still one huge, all-important step remaining: Never reuse the same password.
I imagine a lot of people get hung up on this part. Creating and remembering a unique password is challenging on its own, much less doing it multiple times. I seem to sign up at a new website or service once per day. That's 30 new passwords a month, and I'm afraid my brain cannot hold all that in. How do you manage to create unique passwords, never reuse a single one, and still log in with speed and efficiency? This is where the question of security versus usability really hits home for me. Fortunately, there are a number of different approaches you can take to solving this conundrum.
Get a Password Management Tool
This is my personal solution for all my password needs. It will make the password mountain seem much easier to climb. Go get a tool like LastPass or 1Password. These tools will store your passwords for you, and can even provide random new passwords when needed. All you need to do is remember a single master password that grants you access to the stored data. Enter your master password once, and the password management tool does the rest. Because that one master password now protects everything else, it should be the strongest password you own: a long passphrase built with one of the methods above, used nowhere else.
Some of these password management tools integrate nicely within your browser and even on a mobile device. The encrypted data is stored safely and passwords are retrieved easily. In almost every instance, a password manager is the best way to go, and you might only notice inconveniences when you're logging in from a foreign device or a spot where you can't access the service. That is when I just look up the password on my phone which I always have with me. Here are a few of the features of the top three password managers.
I have used both LastPass and 1Password. About four years ago I switched completely to 1Password. Even though it is a password keeper that you pay for, I have never regretted the investment. You get what you pay for in this case. It has the ability to be an amazing password keeper on both Mac and Windows. It also has apps for both iPhone and Android. It syncs between all your devices so you always have your passwords with you. It was a game changer for me. It has allowed me to have passwords so complex that they could never be compromised, and it even helps you create and generate the passwords inside the app. This video explains very clearly why I picked 1Password as my tool of choice.
Password Management Plus Memorization
Memorize passwords for your most important and most frequently used tools and use LastPass or 1Password for the rest. You could even split it in such a way that you memorize passwords you use most often in places where LastPass and 1Password are least accessible—mobile apps you log in to all the time, for instance.
At the end of the day it's important to remember that even complex passwords can be compromised, and you should never think you are completely secure just because your password is longer than it once was. It takes wits and common sense to avoid phishing scams and other common techniques that can compromise your accounts, and you should always enable two-factor authentication when it's available. Now let's spend some time on two-factor authentication and why you should turn it on everywhere that you can.