A good password consists of two elements: strength and memorability. A hacker or computer can easily guess a weak password. And if it isn’t memorable, well… it’s useless. These requirements seem easy enough, but if you’ve ever experienced a security breach or were unable to recall your password you’ll know that it isn’t exactly as simple as it seems. But don’t worry, we are here to lay out everything you need to have in mind while creating your next password.
The first step to creating a strong password is knowing the definition of one. Here are guidelines for a traditionally “good” password.
– Must be at least 12 characters long. This is an absolute minimum. The longer the password, the stronger it is.
– Includes all different types of characters, both upper and lower case, numbers, and symbols.
– Doesn’t use obvious substitutions such as swapping numbers for letters (“0” for “o”, “1” for “l”, “@” for “a”). While this can be a clever alternative for your user-name, it’s too obvious for your password. Any hacker or hacking software will quickly cycle through these substitutions to guess your password.
– Doesn’t use dictionary words, names, or places. As mentioned in the previous rule, hackers can try any possible variations of characters. To do this they cycle through many different dictionaries, which includes but is not limited to the English dictionary. This process cracks about two-thirds of all passwords.
Now that you’re familiar with the standards for an acceptable password, we’ll move on to the methods to create a password that will be both strong and easy to remember.
Method 1:
All you need to do is think of a sentence that is true for you, such as: I live at 25 King William street. My dog is named Rex! He was $75 to adopt., then you take the first character in the sentence and you’ll have Ila2KGs.MdinR!Hw$7ta. This is a strong password, at 20 characters long, and utilises all the aforementioned rules in a very easy and memorable way, since it uses a factual sentence as a mnemonic device.
Method 2:
This one throws out the traditional advice but is still strong, due to the sheer randomness of it. The way to create this one is to simply string random words together (the words should not form a sentence). The words apple door scarf dog go grass will become appledoorscarfdoggograss and you can increase the strength by adding in uppercase letters and punctuation like this: AppLe?Door_scarf_goG_go_grass. This is easy to remember because it’s so unique to you, which also makes it difficult to guess. Make sure to use at least six words with this method due to how much technology has advanced in the years since it was introduced.
Method 3:
Use a password management service. This method can be used in conjunction with either of the previous methods, or it can be used alone with randomly generated passwords. It takes away the need to commit each and every one of your passwords to memory and makes everything much easier and more secure in general. You can use services like Dashlane, Lastpass, or Avast which all have free versions and are available across most platforms including PC, Mac, iPhone, and Android.
—
Remember, use multiple strong passwords. Using just one would give anyone who obtains the password for one account access to all your accounts. So now that you’re equipped with all the information you need, go forth and make good passwords. Your future secured self will thank you.
Computer hacker hacking password safety security Tips user experience
For more information on choosing strong passwords visit the BU’s IS&T page
General Guidelines:
So, how do you have a “strong” password that is easy to remember? While it may seem tough to do this, there are a few simple tips that can make it easy.Note: the examples below illustrate just the concepts being discussed. No single technique should be used on its own, but rather should be used with other techniques. The combination of several will produce a strong password.
- Use a mix of alphabetical and numeric characters.
- Use a mixture of upper- and lowercase; passwords are case sensitive.
- Use symbols if the system allows (spaces shouldn’t be used as some applications may trim them away)
- Use a combination of letters and numbers, or a phrase like “many colors” using only the consonants, e.g., mnYc0l0rz or a misspelled phrase, e.g., 2HotPeetzas or ItzAGurl .
- Pick something obscure:
- an odd character in an otherwise familiar term, such as phnybon instead of funnybone;
- a combination of two unrelated words like cementhat
- An acronym for an easy to remember quote or phrase (see below)
- a deliberately misspelled term, e.g., Wdn-G8 (Wooden Gate) or HersL00kn@U (Here’s looking at you).
- Replace a letter with another letter, symbol or combination, but don’t be too obvious about it. Replacing o with 0 or a with 2 or i with 1 is something that hackers just expect. It is definitely better than nothing, but replacing 0 with () would be stronger as it makes your password longer and is not as obvious
- An easily phonetically pronounceable nonsense word, e.g., RooB-Red or good-eits .
- Two words separated by a non-alphabetic, non-numeric, or punctuation character, e.g., PC%Kat or dog,~1#
Choose
You want to choose something that is easy to remember with a minimum of 8 characters that uses as many of the techniques above as possible. One way to do this is to pick a phrase you will remember, pick all the first or last letters from each word and then substitute some letters with numbers and symbols. You can then apply capitals to some letters (perhaps the first and last, or second to last, etc.) You could also perhaps keep or add punctuation.
Some examples:
| So long and thanks for all the fish” | slatfatf | 5L@tf@tF |
| “Best Series Ever: Terry Goodkind’s Sword of Truth” | bsetgsot | B53:tg’Sot |
| “You Can’t Have Everything. Where Would You Put It?” | ychewwypi | Uch3Wwup1? |
If you are selecting a password for a website, you may want to incorporate the first few letters of the website name into your password so that every password is different and if one gets out, you don’t have to change them all. This approach has good and bad points.
For example, if you have a standard password like B53:tg’Sot (see above) that you like to use most places (this not recommended), you may modify it by placing the first and last letter of the website around it:
| www.ebay.com | eB53:tg’Soty |
| www.amazon.com | aB53:tg’Sotn |
| www.webshots.com | wB53:tg’Sots |
Do Not Choose…
- Your name in any form — first, middle, last, maiden, spelled backwards, nickname or initials.
- Any ID number or user ID in any form, even spelled backwards.
- Part of your userid or name.
- Any common name, e.g., Sue, Joe.
- Passwords of fewer than eight characters.
- The name of a close relative, friend, or pet.
- Your phone or office number, address, birthday, or anniversary.
- Acronyms, geographical or product names, and technical terms.
- Any all-numeral passwords, e.g., your license-plate number, social-security number.
- Names from popular culture, e.g., Harry_Potter, Sleepy.
- A single word either preceded or followed by a digit, a punctuation mark, up arrow, or space.
- Words or phrases with all the vowels or white spaces deleted.
- Words or phrases that do not mix upper and lower case, or do not mix letters or numbers, or do not mix letters and punctuation.
- Any word that exactly matches a word in a dictionary, forward, reversed, or pluralized, with some or all of the letters capitalized, or with any of the following substitutions:
- a -> 2, a -> 4, e -> 3, h -> 4, i -> 1, l -> 1, o -> 0, s -> $, s -> 5, z -> 5
WHY!?
If you only use words from a dictionary or a purely numeric password, a hacker only has to try a limited list of possibilities. A hacking program can try the full set in under one minute. If you use the full set of characters and the techniques above, you force a hacker to continue trying every possible combination to find yours. If we assume that the password is 8 characters long, this table shows how many times a hacker may have to before guessing your password. Most password crackers have rules that can try millions of word variants per second, so the more algorithmically complex your password, the better.
| Dictionary words (in english): (It is debatable but lets generously say ~600,000 words) |
— | 600,000 |
| Numbers Only | 10^8 | 100,000,000 |
| Lowercase Alpha Set only | 26^8 | 208,827,064,576 |
| Full Alpha Set | 52^8 | 53,459,728,531,456 |
| Full Alpha + Number Set | 62^8 | 218,340,105,584,896 |
| Full Set of allowed printable characters set | (10+26+26+19)^8 |
The longer your password the more secure. If we take the full set of allowed printable characters set (the last line above) and increase the password length, the possible combinations jump exponentially (odd, considering that the calculation includes exponents…)
- 8 Characters > 645,753,531,245,761 (645 Trillion) Combinations
- 9 Characters > 45,848,500,718,449,031 (45 Quadrillion) Combinations
- 10 Characters > 3,255,243,551,009,881,201 (3 Quintillion) Combinations
When we refer to character sets, they are typically numbers, upper and lowercase letters and a given set of symbols. For example:
| 0123456789 | 10 |
| abcdefghijklmnopqrstuvwxyz | 26 |
| ABCDEFGHIJKLMNOPQRSTUVWXY | 26 |
| `~!@#$%^&-_=+[{]}. | 19 |