Computer Active (UK)

Create the perfect password

Thwart the bad guys with unforgettable and unhackable passwords

- Kat Orphanides shows you how

Coming up with umpteen different passwords for your various accounts and devices is a major challenge. What's more, hackers are using more and more sophisticated methods to crack passwords, and that makes it increasingly difficult to come up with passwords that'll keep them out.

Here, we’ll explain why seemingly good passwords and pass-phrases are putty in hackers’ hands, and then show you the latest clever tricks for quickly creating passwords that no one will crack and you’ll never forget.

Why your password isn’t secure

Many of us plump for passwords that link a couple of unrelated words and a number (such as the one in our screenshot below). They’re easy to remember and you’d think they’d be hard to guess – but actually they’re scarily easy to crack.

Your average password often fulfils only the bare minimum requirements set by the account it's meant to protect. This usually means eight characters, probably including a number and/or a capital letter.

Naturally, you’ll try to create a password you can easily remember, and which isn’t too much of a pain to type. But even if you’ve combined a couple of uncommon words and added one or two random characters, your password will not be very secure.

Password researchers have found that people tend to use certain predictable patterns, and the latest cracking tools exploit this. These tools even try out common ‘keyboard walk’ passwords such as 'qweasd' – key sequences that are easy to type and don’t constitute a dictionary word.

Even if the password is “only” for your PC’s Windows login, remember that this password is also tied to your Microsoft online account and all the tools it links to. Likewise, your phone and tablet passwords are connected to your Google or Apple account – and all these online accounts may be linked to your credit or debit card.

Why your pass-phrase may not keep you safe, either

In theory, longer passwords and passphrases are harder to crack. Every extra character effectively doubles the number of guesses needed to break it. However, that only applies if your pass-phrase is truly random.

Criminals are increasingly savvy to the practice of using phrases as passwords. Cracking dictionaries, such as Crackstation (www.snipca.com/17315), list all passwords they've managed to harvest from the internet – which now include quotes from literary sources such as the Bible and the works of Charles Dickens. This is particularly helpful for hackers who use ‘combinator attacks’, whereby they try breaking into accounts using strings of words rather than just letters.

The online comic strip XKCD (http://xkcd.com; see screenshot below left) suggested combining random words in nonsense phrases (the ‘correct horse battery staple’ technique, https://xkcd.com/936). Lovely idea, but experts insist this won't make the pass-phrase any less vulnerable, especially to hackers using combinator attacks.

Turn a phrase into a password

Our favourite method is to use a phrase to create a seemingly random password. This strategy, advocated by Harvard research fellow Bruce Schneier and described on his blog (www.snipca.com/17316), means your phrase becomes a mnemonic for your password.

For example, ‘When I was 16 I went to see Engelbert Humperdinck’ could become ‘WIW16,IWTSEH’. It’s strong, memorable (assuming you actually did see Hump when you were 16) and impossible to crack using a dictionary-based attack.

You can even use this technique along with a simple substitution cypher (code pattern) to create secure numeric keys. For example, ‘My best friend at school was John’ becomes ‘mbfaswj’, which can be mapped against the numbers 0 to 9 to give you ‘2150829’ (see screenshot below left). This helps you avoid the obvious patterns people tend to pick when asked to come up with a numeric code. Be careful, though: never use your original phrase as a password reminder.
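The two tricks above (initials of a mnemonic phrase, then a letter-to-digit cypher) as an added worked example; this is not code from the article or from Schneier's blog. Two assumptions: the phrase is written as "When I was 16, I went to see Engelbert Humperdinck" so that the comma in the article's ‘WIW16,IWTSEH’ has somewhere to come from, and the letter-to-digit mapping is the one that reproduces the article's ‘mbfaswj’ → ‘2150829’, namely each letter's position in the alphabet modulo 10 (a=0 … j=9, k=0 … t=9, u=0 … z=5). The pattern check at the end is a constructed heuristic for the kind of code people tend to pick.

```python
import string

# Letter -> digit mapping inferred from the article's example ('mbfaswj' -> '2150829'):
# each letter's alphabet position modulo 10. Any other fixed mapping works the same way.
LETTER_DIGITS = {ch: str(i % 10) for i, ch in enumerate(string.ascii_lowercase)}


def phrase_to_password(phrase: str) -> str:
    """Turn a mnemonic phrase into a password made of its words' initials.

    Rules matching the article's worked example: each word contributes its
    first letter, upper-cased; a word that is all digits is kept whole; any
    punctuation attached to the end of a word (the comma after "16,") is
    carried through unchanged.
    """
    parts = []
    for token in phrase.split():
        core = token.rstrip(string.punctuation)
        suffix = token[len(core):]           # trailing punctuation, if any
        if not core:
            continue
        parts.append(core if core.isdigit() else core[0].upper())
        parts.append(suffix)
    return "".join(parts)


def phrase_to_pin(phrase: str) -> str:
    """Map the phrase's initials onto digits to build a numeric code.

    Letters go through LETTER_DIGITS; digits already in the phrase are kept;
    punctuation is dropped.
    """
    initials = phrase_to_password(phrase).lower()
    return "".join(LETTER_DIGITS[c] if c in LETTER_DIGITS else c
                   for c in initials
                   if c in LETTER_DIGITS or c.isdigit())


def has_obvious_pattern(pin: str) -> bool:
    """Flag the codes that guessing tools try first: a run of four identical
    digits (7777) or four digits stepping by +1 or -1 (1234, 9876).

    Constructed heuristic for this example, not an exhaustive weak-PIN list.
    """
    for i in range(len(pin) - 3):
        window = [int(c) for c in pin[i:i + 4]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample phrases, taken from the article's two examples.
    print(phrase_to_password("When I was 16, I went to see Engelbert Humperdinck"))
    pin = phrase_to_pin("My best friend at school was John")
    print(pin, "(obvious pattern)" if has_obvious_pattern(pin) else "(no obvious pattern)")
```

The mapping is deliberately lossy (several letters share a digit), which is fine here: the phrase is the thing you remember, and the cypher only needs to be repeatable, not reversible.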

Use free tools to generate random passwords

Long, truly random passwords are the gold standard. Random password generators are built into most password managers, including LastPass (https://lastpass.com) and Dashlane (https://www.dashlane.com, see screenshot right), as well as offline tools such as KeePass (http://keepass.info).

There are also online password generators, such as the Secure Password Generator (http://passwordsgenerator.net) and Random.org (https://www.random.org/passwords). If you're up for a challenge, try the dice-based password-generation methods explained on the Diceware Passphrase site (www.snipca.com/17318).

But even random passwords should be long. The hardware used by hackers is more powerful than ever, so an entirely random eight-character password can be broken by brute force in less than an hour (www.snipca.com/17319). So make sure all your passwords are at least 12 characters, and use a combination of numbers, upper- and lower-case letters and special characters (such as £ and ^).
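An added example, not code from the article or from any of the tools it names, that puts numbers on the claims in this section and the pass-phrase section above: how much the search space grows per character (each extra character multiplies the attacker's guesses by the alphabet size, which is where "doubling" comes from for a two-symbol alphabet), how small the search space is for the "two dictionary words plus a number" pattern a combinator attack targets, and how a Diceware pick or a 12-character random password compares. It also generates both kinds of password with the OS random source. The symbol set and the 16-word stand-in list are constructed for this example; a real Diceware list has 7776 words.

```python
import math
import secrets
import string

# Constructed symbol set for this example; includes the £ and ^ the article mentions.
SYMBOLS = "£^!$%&*+-=?@#"
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 75 symbols

# Constructed stand-in for a Diceware-style word list. Only 16 words here, so a
# phrase drawn from it has 4 bits per word; the entropy maths below uses the
# real list size.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier",
                "harbor", "ivory", "jumble", "kettle", "lantern", "meadow",
                "nickel", "orbit", "pebble"]
DICEWARE_LIST_SIZE = 6 ** 5   # five dice rolls, six faces each = 7776 words


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size).

    Every extra character multiplies the search space by the alphabet size,
    i.e. adds log2(alphabet_size) bits; for a two-symbol alphabet that is
    exactly one doubling per character.
    """
    return length * math.log2(alphabet_size)


def combinator_bits(dictionary_size: int, n_words: int, number_choices: int) -> float:
    """Search space a combinator attack faces for 'word + word + number'.

    The attacker tries every combination of dictionary words plus a short
    number, not every character string of that length, so the space is
    dictionary_size ** n_words * number_choices.
    """
    return n_words * math.log2(dictionary_size) + math.log2(number_choices)


def diceware_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of n_words picked uniformly from a list."""
    return guess_space_bits(list_size, n_words)


def random_password(length: int = 12, alphabet: str = FULL_ALPHABET) -> str:
    """Generate a password with the OS CSPRNG (secrets), never random.random()."""
    if length < 12:
        raise ValueError("the article's minimum is 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(n_words: int, wordlist=SAMPLE_WORDS) -> str:
    """Pick n_words uniformly; secrets.choice stands in for the dice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def compare_schemes() -> dict:
    """Bits of entropy for the password styles the article discusses."""
    return {
        "two words + 2-digit number (combinator, 100k-word dictionary)":
            combinator_bits(100_000, 2, 100),
        "8 random chars, 75-symbol alphabet":
            guess_space_bits(len(FULL_ALPHABET), 8),
        "12 random chars, 75-symbol alphabet":
            guess_space_bits(len(FULL_ALPHABET), 12),
        "6 Diceware words (7776-word list)":
            diceware_bits(6),
    }


if __name__ == "__main__":
    for scheme, bits in sorted(compare_schemes().items(), key=lambda kv: kv[1]):
        print(f"{bits:6.1f} bits  {scheme}")
    print("random password:    ", random_password())
    print("diceware (sample):  ", diceware_passphrase(6))
```

Run it and the ordering is the point: two real words and a number land around 40 bits, below even an 8-character random string, while six Diceware words or 12 random characters from a full alphabet are both above 70 bits.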

Password managers, incidentally, are well worth using for storing and remembering your passwords for you, as well as generating them in the first place. All you have to remember is one master password, which is stored only in your brain. So make it memorable!

Double-lock your accounts using two-factor authentication

Two-factor authentication (TFA) adds an extra layer of security to your logins by requiring not only your password, but also a secret code that’ll be sent to you by text message, email, app or even using a special hardware token such as those used by many high-street banks.

Many password managers support TFA, so even if someone gets hold of your master password, they won’t be able to log into your accounts. Support is also built into Google, Facebook, Dropbox and Twitter, among many other popular online services. To generate TFA codes and add support to accounts that don’t have TFA built in, use the free app Google Authenticator (Android www.snipca.com/17322, iOS www.snipca.com/17323).

Bear in mind that losing your authentication device – your mobile phone, for example – can lock you out of your accounts, so remember to set a backup contact number.
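What an authenticator app such as Google Authenticator actually computes is a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226): an HMAC-SHA1 of the current 30-second time step under a secret shared between the app and the service, truncated to six digits. The following is an added example of both the code generation and the service-side check, written for this article and not taken from Google's or any other project's code. The secret is the published RFC test vector, shown in the base32 form an app is given when you scan the setup QR code. It also shows why losing the device matters: the secret lives only in the app and on the service, so without a backup there is nothing else that can produce the code.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (the ASCII bytes
# "12345678901234567890"), in the base32 form an authenticator app stores.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret; tolerate the spaces and missing '=' padding
    that setup screens often show."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


TEST_SECRET = decode_base32_secret(TEST_SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits`."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step).
    This is what the app on your phone displays."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Service-side check: accept the current step plus `window` steps either
    side to absorb clock drift between phone and server.

    Codes are compared with hmac.compare_digest rather than ==, so the
    comparison takes the same time whether or not the first digits match.
    """
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(TEST_SECRET, now)
    print("code the app would show now:", code)
    print("service accepts it:", verify_totp(TEST_SECRET, code, now))
```

A real deployment also has to make each code single-use within its window (remember the last accepted counter per user) and rate-limit attempts, since six digits leave only a million possibilities; neither is shown here.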

Online comic XKCD's pass-phrase ideas are less effective than they are entertaining

A couple of unrelated words in combination with a number are easy to remember, but they’re also a doddle to crack

Randomly generated passwords are the most secure option

Google Authenticator generates codes for using in addition to your password

Use a cryptic cypher pattern to change phrases to number-strings
