In the movies, the bad guys pound furiously on a keyboard while techno music blasts and Matrix-style code flashes across their screens. In reality, the bad guys just launch dictionary tools on high-powered computers that make automatic attempts to guess your password. These tools take common words (“happy”, for example) and add simple variations (“1happy” or “happy1” or “1happy1”) to exploit the odds that your password is easily guessed. This technique can be very successful. That’s because many people create passwords using common words. Even if you think you’re being clever—perhaps your password is “1yppah”—it’s still based on a dictionary word, and it only has a single number. It’s a weak password.
You need a strong password. You may have heard the phrase “strong password”; here’s what that means in practice:
- No dictionary words, combinations of dictionary words, or proper names—even in reverse order
- Contains at least 1 number, 1 upper case character, and 1 special character
- Contains no “QWERTY key strokes” (that is, characters in the order they appear on the keyboard)
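To make the three rules concrete, here is a small Python checker that applies each of them to a candidate password. This is an added example, not code from the original post or from Intermedia; the word list and the keyboard rows are constructed for the demonstration (a real dictionary tool draws on hundreds of thousands of words and names), and the three-character run length used to detect keyboard sequences is an assumption.

```python
import string

# Constructed stand-in for a real dictionary plus proper names.
WORDLIST = {"happy", "password", "sunshine", "dragon", "welcome", "john", "mary"}

# Keyboard rows used to detect "QWERTY key strokes" (checked forwards and backwards).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_keyboard_run(pw: str, run: int = 3) -> bool:
    """True if any window of `run` characters walks along a keyboard row
    in either direction, e.g. 'qwe', 'ewq', '123'."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(low) - run + 1):
                if low[i:i + run] in seq:
                    return True
    return False


def has_dictionary_word(pw: str, min_len: int = 4) -> bool:
    """True if a dictionary word (of at least `min_len` letters, to avoid
    noise from tiny words) appears in the letters of the password, read
    forwards or in reverse. Digits and symbols are stripped first, so
    'happy1', '1yppah' and 'happy-dragon' all count as dictionary-based."""
    letters = "".join(c for c in pw.lower() if c.isalpha())
    reversed_letters = letters[::-1]
    return any(
        w in letters or w in reversed_letters
        for w in WORDLIST if len(w) >= min_len
    )


def check_password(pw: str) -> list[str]:
    """Return the list of rules the password breaks; an empty list means
    it satisfies all three rules from the post."""
    failures = []
    if has_dictionary_word(pw):
        failures.append("dictionary word (possibly reversed)")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c.isupper() for c in pw):
        failures.append("no upper case")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    if has_keyboard_run(pw):
        failures.append("keyboard sequence")
    return failures


if __name__ == "__main__":
    for candidate in ("1yppah", "Qwerty123!", "Rk7#vLq2wZ!m"):
        print(candidate, "->", check_password(candidate) or "passes all rules")
```

Note that the post's reversed example “1yppah” is caught because the letters are compared in both directions, and a combination such as “happy1dragon” is caught because the digit is stripped before the lookup. Passing the checker is necessary, not sufficient: it says nothing about length, which the rest of the post rightly stresses.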
This sounds complicated. Here are three methods that make strong passwords easy.
Method 1: Phrase transformation: Think of a phrase that means something to you. Something easy to remember but impossible to guess. For example, I’m thinking of this phrase:
60,000 businesses have chosen Intermedia! For our worry-free experience
To turn this into a password, just use the first letters from every word. Like so:
As easy as this is to remember, hackers will never find it in their dictionary tool.
Method 2: Add some math: For further security, we can turn our easy-to-remember phrase into a mathematical expression. This adds complex characters to the password. For example, I’ll reword the phrase above to read like a math problem:
(Intermedia + worry-free experience) = 60,000 customers!
And now, here’s the password:
Again, it’s an extremely complex password that’s still easy to remember.
Method 3: Mash the keyboard: The best password is long and random. We can generate one by hitting random keys while pressing and releasing the shift key.
Now, we’ll never remember that in a million years. These kinds of passwords are best used when you have a password management tool to store the passwords for you. (Shameless plug: you can use Terra Nova’s AppID, which offers single sign-on capabilities, to remember all your passwords.)
A password management tool keeps passwords safely encrypted when they’re stored as well as when in transit. You can create strong unique passwords for every web app you use, without having to remember any of them. The weak link—our brain’s ability to remember it—is eliminated from the equation.
The bottom line on passwords: Longer passwords are always better. People have traditionally used 8-character passwords, but many services now support 14 characters or more. A hacker could theoretically guess any password with a random password generator, but it would take thousands of years of computing power. Chances are, they’ll pick an easier target—which is exactly what you want them to do.
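The following Python block is an added example, not part of the original post, illustrating Method 3 and the bottom line above: it generates a long random password from a cryptographically secure source and works out how much the search space grows with each extra character. The alphabet (all printable ASCII except whitespace) and the guess rate of ten billion attempts per second are constructed assumptions for the calculation, not figures from the post.

```python
import math
import secrets
import string

# Constructed alphabet a "mash the keyboard" password draws from:
# letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed guess rate for the worked calculation (guesses per second).
ASSUMED_GUESS_RATE = 1e10


def generate_password(length: int = 20) -> str:
    """Draw each character independently and uniformly from ALPHABET using
    the OS CSPRNG (secrets), never the predictable `random` module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length).
    Each extra character adds log2(alphabet_size) bits, about 6.55 for 94 symbols."""
    return length * math.log2(alphabet_size)


def expected_years_to_guess(length: int,
                            guesses_per_second: float = ASSUMED_GUESS_RATE,
                            alphabet_size: int = len(ALPHABET)) -> float:
    """Expected time to hit a uniformly random password by brute force:
    on average half the keyspace is searched before the right one comes up."""
    keyspace = alphabet_size ** length
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    print("sample:", generate_password(20))
    for n in (8, 14, 20):
        print(f"{n} chars: {entropy_bits(n):.1f} bits, "
              f"~{expected_years_to_guess(n):.3g} years at {ASSUMED_GUESS_RATE:.0e}/s")
```

Under these assumptions an 8-character random password falls in days, while 14 characters push the expected search into billions of years; that multiplicative effect of length is why the post says longer is always better. The entropy figure only applies to passwords chosen uniformly at random, which is exactly why a generated password belongs in a password manager rather than in memory.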
One more thing: Don’t get complacent. At least a portion of your password should be changed every few months to protect you from the more advanced attacks.
Some further reading: Security consultant Mark Burnett has studied, researched and written a lot about BAD passwords. He’s compiled a list of the 10,000 most common passwords—which, supposedly, represent 99.8% of all user passwords. If any of these look familiar, you should make some changes immediately.