Choosing secure and memorable passwords

You’ve most likely encountered registration forms which show the strength of your password as you type it. These systems try to guess your password security based on several factors. Usually, you need at least one number and a capital letter for a safe password, and there may be even more requirements. They might even offer to generate a password for you, which will be something like “f843E9Hda32”. While secure, it’s impossible to remember without a photographic memory. So, how does one choose a password which is strong but memorable?

Why does a password have to be memorable?

There is nothing less secure than a password that is written down. A password you can’t remember will get written down – there is nothing you can do about it. That’s why a good password is not just hard to guess, but also easy to remember.

Passwords to avoid

Your password should never be connected to you. Avoid using any personal information, such as your name, date of birth, and so on. Thomas82 is easy to guess if your name is Thomas and you were born in 1982.

You should also avoid using a common password. There are many words often used as a password. This makes them easy to guess. Hackers often use software that tries to log you in with any of the most common passwords.

It’s especially dangerous if your password should leak. All secure modern web services hold passwords in hashed form. A hashed password is permanently scrambled – your password can’t be retrieved from the hash. The hash function will always generate the same sequence of letters and numbers from the same input. This means that no one can see your original password, even if they have access to the database. While logging in, the system generates a hash of the password you entered and checks it against the hash stored in the database. That’s how it can verify that you entered the correct password without ever storing the password in a form that is readable by humans.

When the password hash is leaked, the hacker can compare your password hash against a list of the hashes of the most common passwords. The word “password” hashed with the SHA-256 algorithm (there are many hashing algorithms; I picked a random one) is “5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8”. You can never get the word “password” back out of 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8, but it takes a fraction of a second to check whether it is part of a database of the most common hashes. This is called a “rainbow table attack”.
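The lookup described above, as an added example that is not part of the original article: it confirms the SHA-256 digest of “password” quoted in the text, checks a hash against a small constructed table of common passwords (the same check a registration form can run to reject them), and shows that a random per-user salt keeps a precomputed table from matching.

```python
import hashlib
import os
from typing import Dict, Optional

# Digest of the word "password" quoted in the article above.
PAGE_SHA256_OF_PASSWORD = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

# Constructed sample of common passwords; a real deployment would load a much
# larger list (for example from a published breach corpus).
COMMON_PASSWORDS = ["12345", "password", "username", "god", "secret", "princess", "qwerty"]


def sha256_hex(text: str, salt: bytes = b"") -> str:
    """Hex SHA-256 digest of salt || text (unsalted when salt is empty)."""
    return hashlib.sha256(salt + text.encode("utf-8")).hexdigest()


# Precomputed table hash -> plaintext. An attacker holds one like this for a
# leaked database; a defender can use the same table to refuse common passwords.
LOOKUP: Dict[str, str] = {sha256_hex(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(password_hash: str) -> Optional[str]:
    """Return the plaintext if the unsalted hash is in the precomputed table."""
    return LOOKUP.get(password_hash)


def is_common(password: str) -> bool:
    """Registration-time check: True if the password's hash is in the common table."""
    return sha256_hex(password) in LOOKUP


def salted_hash_defeats_table(password: str) -> bool:
    """A random 16-byte salt per user changes the digest, so the precomputed
    table no longer matches even a common password."""
    salt = os.urandom(16)
    return lookup_unsalted(sha256_hex(password, salt)) is None
```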

For example, you should never use any of the following as your password:

• “12345”

• “password”

• “username”

• “god”

• “secret”

• “princess”

• Your date of birth

• Your address

• Your birthtown

• “qwerty”

It’s not just “qwerty” you should avoid. Any sequential characters and numbers like “abc” are easy to guess. There is another problem with using such combinations. They are very easy to remember should someone see you entering the password. They are easy to guess even when someone notices just part of the password. A more complex password is much harder to guess by the first few characters. Combining sequential letters and numbers like “Abc123” or “qwe321” is not safe either.

What makes a strong password?

A strong password is resistant to two types of attacks.

The first type is using your personal information to guess the password. This could come from someone who knows you or has researched you. The attacker will try to use personal information such as your name, date of birth, and address to guess your password. That’s why passwords should never include any personal information.

The second type of attack is called “brute force”. A brute force attack means trying out different combinations in the hope of stumbling on your password. Brute force attacks are executed using special software, which tries out many password combinations quickly. It usually tries the most common passwords first, and then resorts to trying out random character combinations.

Based on these two threats, we can define two properties of a strong password.

1) A strong password is not something common or easy to guess.

2) A strong password is as long as possible. The shorter the password, the easier it is to guess by brute force.

A longer password is much harder to hit using brute force software. Every additional character makes the password exponentially harder to guess.

A brute force attack can be used against the service’s login form. That’s why most forms limit the number of login attempts. Sometimes a form might not keep count on attempts or have a bug, which lets you bypass it. Attackers can easily exploit these cases. This might even occur at a large company like Apple. In 2014, anonymous hackers discovered that iCloud didn’t limit the number of login attempts in some cases. That led to hundreds of celebrity iCloud accounts getting compromised. While most forms are not vulnerable to direct attack, there might be coding errors. Even the largest players might sometimes slip. That’s why it’s always important to use a strong password with every service.

Another more common form of brute force attack is against the password hash. I described the rainbow table attack earlier, but a hacker might as well try out different hashes. Once the hacker has your password hash, there is nothing limiting the number of guesses he can take. It’s a matter of how long it takes to stumble on your password.

How long it takes to brute force the password depends on the hashing algorithm used and the speed of the hacker’s computer. Let’s look at an example based on the MD5 hashing algorithm. MD5 is an old and relatively weak algorithm, which is sadly still used often. Let’s say the hacker can try 8783 password combinations a second. With that in mind, the time to crack a password would be:

5-character password – 14 minutes and 50 seconds

6-character password – 23 hours, 29 minutes, 45 seconds

7-character password – 93 days, 6 minutes, 36 seconds

8-character password – 24 years, 69 days, 15 hours, 56 minutes, 57 seconds.

Every additional character in the password makes it significantly more secure.

It’s important to note that modern computers can guess weak hashes like MD5 much faster than 8783 times per second. A 10–12 character password is essential to defending yourself against brute force attacks. It should be even longer, if possible.

How to pick a memorable password?

So far we’ve concluded that a password has to be as long as possible. Most systems require passwords to have at least one capital letter and one number. That makes remembering the password difficult.

A good strategy is to start by choosing words you’ll easily remember, but are not connected to you, such as “yellow, car, beach, and Saturday”. These are easy to remember and can be formed into a sentence with capital letters and a number. For example “2CarsDriveToBeachOnSaturday”. That’s 26 characters – pretty much impossible to guess using brute force. If someone sees you typing the password, it’s very hard to remember it. If someone sees you type the first 10 characters, they won’t be able to guess the rest. It’s also not hard to remember. It has all the properties of a strong password.

But what to do if the form requires a special character in the password? Just add a comma to a logical part in the “password sentence”. For example, “2CarsDriveToBeach,OnSaturday”. That makes the password even longer and should match any rule.

Does a password have to be unique?

Yes. You should never reuse a password. That’s very important for two reasons.

You can never be sure that the database with your password won’t leak. Data breaches have sadly become common. Many large companies have been attacked and their user account info leaked, including Yahoo, Adobe, and Dropbox, just to name a few. You can check if your account information has leaked at https://haveibeenpwned.com/. Just insert your e-mail address and it will list all the leaks you have been part of. It is very likely your account information has already been leaked or will be in the future. Unique passwords ensure the safety of your other user accounts in case of a leak.

You can’t be sure smaller services handle your password in a safe way. The internet forum or e-store you’re registering with might not even hash the password. Even if it does, you can’t be sure it’s done with a secure algorithm. Plus, the owner or someone else who has access to the database might brute force your password. The database of an internet forum might also leak “quietly”. The owner might never know a hacker made off with user data. Whatever happens, unique passwords keep all your other accounts safe.

Don’t tell your password to anyone

Even the strongest password becomes useless if everyone knows it. No one apart from you should know your password, and that includes your family, spouse, and best friend. I’m not saying you shouldn’t trust the people closest to you, but they might accidentally leak your password. For example, their computer might get infected by a password collection virus, or they might use an unsafe WiFi network or fall victim to a phishing attack. Your head is the only safe place for your password.

If you need to give someone access to your account, do so with a temporary password. Always change the password after whoever needed access is done with it. Also, be careful sending passwords with unencrypted e-mail. Regular SMTP e-mail is not encrypted, which makes it easy to eavesdrop. All devices connected to the same network can see the content of every unencrypted e-mail.

Use two-factor authentication when possible

Most services let you activate a security feature called two-factor authentication. Two-factor authentication means you have to confirm each new login from a different device. With two-factor authentication active, the criminal won’t be able to access your account even if he has the password.

Google, for example, sends you an SMS whenever a new device tries to log in with your account. It’s unlikely a hacker will steal your password and your phone. Most services that you use daily support two-factor authentication. For example, Google, Apple, Microsoft, Sony (Playstation), and Twitter all have two-factor authentication, but it’s not always active by default. Two-factor authentication is a tool which might save you from getting hacked.

Guidelines for choosing a strong password

Based on the previous points, make sure your password complies with all of the following rules. Your account is in danger if even one of the following points doesn’t apply to it:

• The password is unique. You have never used it anywhere else;

• The password is not easy to guess (check the section “Passwords to avoid”);

• The password is at least 12 characters long. If the service defines the maximum length of the password, aim for the longest one possible;

• The password is so memorable that you don’t have to write it down;

• You have never told the password to anyone.
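The guidelines that this script can check mechanically (length, common passwords, sequential or keyboard runs, personal information), written as an added example that is not part of the original article; uniqueness and secrecy are up to the user and are not checked here. The common-password list and the name/birth year passed in are constructed sample inputs.

```python
import string
from typing import List

# Constructed sample of common passwords; a real check would use a much larger list.
COMMON_PASSWORDS = {"12345", "password", "username", "god", "secret", "princess", "qwerty"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 12  # the article's minimum; longer is better


def has_sequence(password: str, run: int = 3) -> bool:
    """True if any `run` characters in a row are consecutive letters or digits
    (abc, 321) or adjacent keys on one keyboard row (qwe), in either direction."""
    p = password.lower()
    rows = KEYBOARD_ROWS + [string.ascii_lowercase, string.digits]
    for i in range(len(p) - run + 1):
        chunk = p[i:i + run]
        for row in rows:
            if chunk in row or chunk[::-1] in row:
                return True
    return False


def check_password(password: str, personal_info: List[str]) -> List[str]:
    """Return the list of guideline violations; an empty list means the password passes.
    personal_info holds strings tied to the user, e.g. name and birth year."""
    problems = []
    p = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if p in COMMON_PASSWORDS:
        problems.append("is a common password")
    if has_sequence(password):
        problems.append("contains a sequential run such as abc, 123 or qwe")
    for item in personal_info:
        if item and item.lower() in p:
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    # The article's good and bad examples, with constructed personal details.
    for candidate in ["Thomas82", "Abc123", "qwerty", "2CarsDriveToBeach,OnSaturday"]:
        print(candidate, "->", check_password(candidate, ["Thomas", "1982"]) or "OK")
```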

Password managers

Password managers are an alternative solution to strong and memorable passwords. A password manager generates and remembers strong passwords for you. It keeps track of passwords and inserts them into forms using a browser plugin. This means you only have to remember the password manager’s own password. It will automatically handle your passwords for all the services that you use.

The passwords that password managers generate are long, random combinations of letters and numbers. Each password is unique and strong. Should your password leak from one service, it won’t affect the others. Also, the passwords are almost impervious to brute force.

Password managers are not created equal. Local (browser or computer-based) password managers are not secure. You should choose a password manager that holds your passwords in the cloud, not locally. There are several good reasons for that:

• A hacker can get full access to your computer should you get infected with a virus/trojan. This means he will gain access to all the stored passwords. There is no such risk with a cloud-based password manager. Some local password managers, most notably Mozilla Firefox’s, encrypt passwords with a master password. While that makes it a bit more secure, it still doesn’t have any of the advantages listed below.

• A cloud-based password manager synchronizes passwords between all your devices. Better password managers (and you should only use the best!) have extensions for all browsers and applications for smartphones. This lets you use the same generated password on your computer, tablet, and smartphone.

• A central password manager makes changing passwords painless. All it takes is to generate a new password on any of your devices, and it’s synced with all the rest. Normally, you’d have to type in the new password everywhere.

Most cloud-based password managers use a so-called premium business model. Using the password manager on one device is free, but the synchronization between devices and browsers is for a monthly or yearly fee. The fee is usually small and well worth it. The following are a few of the best password managers available:

LastPass is probably the best-known cloud-based password manager. The free version lets you manage and share passwords between one type of device (computer or smartphones). Synchronizing data between different types of devices costs less than a cup of coffee – $1 per month. It also lets you conveniently share passwords with other LastPass accounts.

LogMeOnce lets you synchronize passwords between any number of devices for free. Their pricing is based on limiting single actions like sharing passwords. It’s the cheapest option if you don’t want to share your passwords. However, their user interfaces are not on par with their competitors, which makes using LogMeOnce less convenient.

Dashlane is very similar to LastPass. It has the same functions and business model. The biggest difference is that Dashlane also works offline. LastPass is designed to always be online. That convenience comes with a price tag. A yearly subscription to Dashlane costs $40 while LastPass is just $12. It also has the best user interface of all cloud-based password managers.