Choosing your passwords (wisely)

Password authentication is a single-factor method: it relies on something you know. Choosing passwords and remembering them are delicate issues that are at the root of many compromised computers and systems around the world. You would be surprised by how many people use passwords like “123456” or “password” for their accounts. It’s even worse when these accounts are bank related or enterprise related. It is still debatable whether to memorise passwords or to use a password manager, but that is a topic for another post. In this post I’m going to show you how I choose my passwords and what I avoid when doing so.

When I choose my passwords I prefer them to be:

  • easy to remember
  • at least 8 characters long
  • as random as possible
  • as unrelated to me or my interests as possible
  • not based on a pattern

And I always make sure to:

  • keep it ONLY in my head
  • not use hints
  • be careful about which device/page I type it on
  • use it only for one account

Explanations

Easy to remember – what’s the use of a super-complex-weird password if you can’t remember it?

At least 8 characters long – this minimum can be higher; how much higher depends on how security-conscious you are. The reason for more characters is simple: a shorter password is faster to crack, because the number of possible passwords grows exponentially with length. A desktop PC would need about 0.025 seconds to crack “12345678” (an estimate from the tool mentioned at the end of this post; the real figure depends on how the site stores the password).

As random as possible – there are several sets of characters you can use: lower-case letters, upper-case letters, digits and symbols. Language-specific characters can be considered a fifth set, since they have symbol status for somebody who doesn’t know that language. So you have five sets to choose from when thinking of a password. Many websites recommend using at least one character from each set, which is understandable: every extra set enlarges the alphabet an attacker has to search. I personally do not use all types of characters in my passwords, and you’ll see later why.

As unrelated to me or my interests as possible – it wouldn’t be too smart if your name was John and your password was John1234, right? Whoever wants to know your password will probably first try passwords related to you, for instance your birthdate, which many people still use when choosing their passwords.

Not based on a pattern – because they are easy to remember, people often use patterns (in most cases keyboard patterns) for their passwords. That’s why there are so many “qwerty” and “12345” passwords: they are at hand (literally, at your fingertips) and easy to remember. Every common pattern is in every attacker’s word list, so it gets tried first.

Choosing your password

Now you are probably lost and can’t think of a password that abides by all the rules above. The answer is right under your nose. I like to make passwords by formulating completely senseless sentences. Take the password “myowlhas5legsand1ear“. It is completely unrelated to me, it looks random, it is longer than 8 characters and it is not based on a keyboard pattern. According to the estimate tool mentioned at the end of this post, a desktop PC would need 105 trillion years to crack it, and if I were to change some letters from lower to upper case it would be much stronger still. The only flaw in a password like this is the pattern-like thinking behind it: a sentence is made of ordinary words in grammatical order, so an attacker who tries combinations of words rather than single characters has a much smaller space to search than the character count suggests. To reduce this, put random words together instead and get something like “freshOWLkingnavy33“. The words should actually be random, for example picked from a word list, rather than the first words that come to mind.
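The length and character-set arguments above, and the difference between rating a password by characters and by words, are easier to see with numbers. The following is an added example, not code from the original post; the guess rate of 1e10 per second and the 7776-word list size (the size of a standard Diceware list) are assumptions chosen only to make the comparison concrete.

```python
"""Keyspace and crack-time estimates for the character-set and length
arguments above, plus a random-word passphrase generator.

Added example, not code from the original post. Assumed: a guess rate of
1e10 guesses per second (the real rate depends on how the site hashes
passwords and on the attacker's hardware) and a 7776-word list size for the
passphrase arithmetic.
"""
import math
import secrets
import string

# The five sets the post describes. The accented set is a small constructed
# sample standing in for "language-specific characters".
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
    "accented": "àáâäèéêëìíîïòóôöùúûüçñß",
}

GUESSES_PER_SECOND = 1e10          # assumed attacker speed (see docstring)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the union of the character sets the password actually uses.

    This is the alphabet a brute-force attacker searches once it knows which
    sets were used. A character outside every listed set (e.g. a space) is
    counted as its own one-character set so it still enlarges the alphabet.
    """
    size = sum(len(chars) for chars in CHARSETS.values()
               if any(c in chars for c in password))
    size += sum(1 for c in set(password)
                if not any(c in chars for chars in CHARSETS.values()))
    return size


def brute_force_bits(password: str) -> float:
    """Entropy in bits if every character were drawn uniformly from the alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(n_words: int, wordlist_size: int = 7776) -> float:
    """Entropy of n words picked uniformly at random from a list.

    This, not the character count, is the honest rating of a password built
    from words: the attacker tries words, not letters.
    """
    return n_words * math.log2(wordlist_size)


def years_to_search(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to exhaust a keyspace of 2**bits guesses at `rate`."""
    return (2.0 ** bits) / rate / SECONDS_PER_YEAR


def random_word_passphrase(wordlist, n_words: int = 4, sep: str = "") -> str:
    """Join n words chosen with the OS CSPRNG.

    Uniform random choice is what makes the passphrase_bits() figure valid;
    words you "think of" yourself are not uniform.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ("12345678", "myowlhas5legsand1ear", "freshOWLkingnavy33"):
        b = brute_force_bits(pw)
        print(f"{pw:22s} alphabet={alphabet_size(pw):3d} "
              f"bits={b:6.1f} years={years_to_search(b):.3g}")
    # The same 18-character password rated as 4 words from a 7776-word list:
    print(f"4 random words: {passphrase_bits(4):.1f} bits, "
          f"{years_to_search(passphrase_bits(4)):.3g} years")
    # Constructed word list, far too small for real use; it only shows the API.
    sample = ["fresh", "owl", "king", "navy", "lamp", "river", "quiet", "copper"]
    print(random_word_passphrase(sample, 4))
```

Run as a script it prints both ratings side by side: “myowlhas5legsand1ear” scores about 103 bits when counted as 20 random characters from a 36-symbol alphabet, but a four-word passphrase from a 7776-word list is only about 52 bits, which is why the word count, not the character count, is the number to watch for sentence-style passwords.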

Keep it only in your head – never, ever, ever, ever, … , ever write your passwords down. A password should only be stored in your head. You can probably find a way to write your password on something, hide it, and then create a mini mental treasure hunt to find it again, but what for?


Not use hints – some sites allow (or require) you to set a hint for your password, in case you forget it. I always choose not to create a hint, or I use a random word as the hint. Other people may be able to see that hint, and it can be a starting point for them to begin cracking or guessing.

Be careful about which device/page you type it on – you’ve probably heard of keyloggers and phishing pages, right? If not, just make sure that the website you’re logging in to is the legitimate one (check the address before you type). Also try to limit the number of devices you type the password on, even if it’s your roommate’s laptop or your teacher’s PC.

Use it only for one account – this is the tough one. Most people have more than one online account (email, Facebook, etc.) and most people use the same login credentials for all of them. Try to avoid using the same password on every account, because if that password leaks from one site, all of your accounts are compromised.

Dealing with remembering and reusing your password

It can also be humanly impossible to remember a lot of different passwords. As a solution to this problem, most people prefer password managers. I prefer to avoid them, because they break the “keep it only in your head” rule.

As a workaround, I sometimes link a generic password to the website/service I’m logging in to. This breaks the “not based on a pattern” rule and almost breaks the “use it only for one account” rule, because I am basically creating a mental pattern around a generic password that is easily deduced. I’m currently living with it, but I know it’s not the way to go.

For example, take my “generic” password: freshOWLkingnavy33. If I were to use it for a newly created Facebook account, I could modify it like so: freshOWLkingnavy33+fb. I just added the “+” character and “fb”, which stands for Facebook.
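To see how “easily deduced” that scheme is, the following added example (not code from the original post) takes one password leaked from one site and enumerates what an attacker would try on the others. The separator list and the tag spellings are a constructed set of obvious variants, not a real attacker tool.

```python
"""Enumerate candidates for other sites from one leaked "generic + site tag"
password. Added example, not code from the original post; SEPARATORS and the
tag spellings are constructed guesses."""
import re

SEPARATORS = ["", "+", "-", "_", ".", "@"]   # constructed; "+" is the post's own


def split_generic(leaked: str, site_tag: str) -> str:
    """Strip the site tag, and at most one non-alphanumeric separator before
    it, from a leaked password. Raises if the password does not end with
    the tag, i.e. does not follow the scheme."""
    pattern = r"(.+?)([^A-Za-z0-9]?)" + re.escape(site_tag)
    m = re.fullmatch(pattern, leaked, re.IGNORECASE)
    if m is None:
        raise ValueError(f"{leaked!r} does not end with tag {site_tag!r}")
    return m.group(1)


def site_variants(generic: str, tag: str) -> list:
    """Candidates to try on a site abbreviated as `tag`, deduplicated in order."""
    forms = (tag.lower(), tag.upper(), tag.capitalize())
    out = [f"{generic}{sep}{t}" for sep in SEPARATORS for t in forms]
    return list(dict.fromkeys(out))


def candidates_from_leak(leaked: str, leaked_tag: str, other_tags) -> dict:
    """Map each other site's tag to the candidate list derived from the leak."""
    generic = split_generic(leaked, leaked_tag)
    return {tag: site_variants(generic, tag) for tag in other_tags}


if __name__ == "__main__":
    # Constructed input: the post's own example, assumed leaked from Facebook.
    found = candidates_from_leak("freshOWLkingnavy33+fb", "fb", ["tw", "gmail"])
    for site, cands in found.items():
        print(site, len(cands), "candidates, e.g.", cands[:3])
```

Eighteen guesses per site is nothing against a login form, and far less than the 10^8 tries the post quotes for “12345678”; the strength of the generic part counts for nothing once one copy has leaked.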

Again, this is not the best way to go and I don’t recommend it to anybody; it’s just my way of handling the remembering and reuse problems. Most likely nobody will ever get to crack your passwords, but that doesn’t mean you should not use strong ones.

If you were wondering how I calculated how many years it takes to crack the passwords – nope, I’m not a supercomputer-genius-blabla-something, I just found this nice website called HowSecureIsYourPassword . Try it out with your passwords. Keep in mind that such tools estimate brute-force time at a fixed guess rate; they don’t know whether your password is a dictionary word or a pattern, so treat their numbers as an upper bound.

  • Hey Victor,
    what do you think of using password managers?
    I’m using Lastpass, so I just have to remember one (rather complicated) master password and have Lastpass keep track of my other (automatically generated) passwords.

    It has been hacked before I joined them, so I’m pretty confident that they increase their security to a level that should resist hackers for a bit. And since I’m using long passwords where I can, even cracking the hashes of my passwords would take a bit of time (up to not being possible with today’s technology).

    Best regards,
    Jan

    • I’m not that big a fan of password managers. The main reason is that I would break the “keep it only in your head” rule. When you use a password manager you are trusting a 3rd party app/service to manage all your passwords. That means another way of access to your passwords.

      On the other hand, it’s very time efficient to use one. People nowadays have so many accounts and passwords that without a password manager it’s impossible to actually remember everything.

      If I were to go for one, I would avoid saving my most sensitive accounts/passwords (bank account, main email address etc.) and just save all the others. And I would also check that the app/service I’m using is transferring and storing data in an encrypted fashion.