Lab 99 Web Design


How to Create a Secure Password

Not all passwords need to be secure, of course, but a password for any account that identifies you personally, such as your primary email account, an online bank account, or an account with any organisation that holds your credit card details, needs to be as secure as possible.

To understand how to create a secure password, you first need to know what makes a password insecure. By putting yourself in the shoes of a cracker, you will see how to thwart their dastardly plans.

The Problems with Passwords

Passwords have two weaknesses:

How Do You Guess a Password?

The most basic method of guessing passwords involves automated attacks using databases of:

Rule 1: Don’t Use Obvious Combinations of Digits

One of the most popular passwords is, believe it or not, password. Other classics are: 123456, qwerty, and abcdef. It’s fine to use these combinations for throwaway email accounts, but surprising numbers of people also use them for important accounts. They probably store these passwords on Post-it notes attached to their computer monitors. Duh! In fact, storing a password on a Post-it note isn’t necessarily stupid, as will be explained below.

Rule 2: Don’t Use Real Words

Real words are not much better. If you can find a word in a dictionary, so can a cracker. Names of people, names of cities, even relatively obscure words, and variations on them, such as diaspora, d1asp0ra, or ar0psa1d, are likely to be included in the word lists that crackers use. So don’t use real words or simple combinations of digits.

Rule 3: Don’t Use Extended Real Words

Many passwords consist of a root and an appendage. The root is usually either a real word or a pronounceable invented word, and the appendage is usually a short combination of common numbers or letters; for example, d1asp0ra123. This type of password is also easily discovered by an automated attack.

Rule 4: Don’t Use Personal Words

Most cracking attempts are not aimed at a specific individual, but some are. If a cracker stumbles across your name and your email address, he or she may try to guess your password by using your personal details. It’s relatively easy to discover basic personal information about people, especially people who use online social media such as Facebook. You should assume that if you place any personal information online, it is available to everyone, including crackers. Once information is out there, you can’t get it back. So don’t use any personal information in a password: your mother’s maiden name, your favourite film, a childhood pet, your car number plate, your birthday, and so on.
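The four rules above can be turned into an automated screen that a registration form or password-change page runs before accepting a password. The following is an added example, not code from the original article: COMMON_PASSWORDS, DICTIONARY and the personal details handed to check() are tiny constructed samples standing in for the large word lists the text refers to, and the LEET table of digit-for-letter swaps is this example's own.

```python
"""Screen a candidate password against Rules 1 to 4 above.

Added example, not code from the original article. COMMON_PASSWORDS,
DICTIONARY and the personal details passed to check() are tiny
constructed samples standing in for the large word lists the text
refers to; a real deployment would load full lists in their place.
"""
import re

# Constructed samples (assumption: stand-ins for real lists).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "abcdef", "letmein"}
DICTIONARY = {"diaspora", "london", "alice", "dragon", "monkey"}

# Rule 2: d1asp0ra is diaspora with digits swapped for letters, so undo
# the usual substitutions before looking a word up.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(word):
    return word.lower().translate(LEET)


def is_sequence(pw):
    """Rule 1: runs such as 123456, abcdef, 654321 or 111111
    (every step between neighbouring characters is -1, 0 or +1)."""
    if len(pw) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(steps) == 1 and abs(steps.pop()) <= 1


def dictionary_root(pw):
    """Rules 2 and 3: the word pw is built on, or None.

    Strips an appendage of up to four digits or symbols from either end
    (d1asp0ra123), undoes digit-for-letter swaps, and also tries the
    word reversed (ar0psa1d is d1asp0ra backwards)."""
    core = re.sub(r"^[\d\W_]{0,4}|[\d\W_]{0,4}$", "", pw)
    word = normalise(core)
    for candidate in (word, word[::-1]):
        if candidate in COMMON_PASSWORDS or candidate in DICTIONARY:
            return candidate
    return None


def personal_hit(pw, personal):
    """Rule 4: a personal detail (name, pet, year, plate...) inside the password."""
    haystack = normalise(pw)
    for item in personal:
        needle = normalise(item)
        if len(needle) >= 3 and (needle in haystack or needle[::-1] in haystack):
            return needle
    return None


def check(pw, personal=()):
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS or is_sequence(pw):
        problems.append("rule 1: obvious combination")
    else:
        root = dictionary_root(pw)
        if root:
            problems.append(f"rule 2/3: built on the word {root!r}")
    hit = personal_hit(pw, personal)
    if hit:
        problems.append(f"rule 4: contains personal detail {hit!r}")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "d1asp0ra", "ar0psa1d", "d1asp0ra123", "Ug_y5R._4wMt"]:
        print(f"{candidate:15} {check(candidate) or 'passes rules 1-4'}")
```

The check is deliberately permissive about what counts as an appendage and a substitution, because it is a screen rather than a proof of strength: anything it rejects would be an early hit for the word-list attacks the text describes, while passing it says nothing about how the password would fare against the brute-force attacks discussed below.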

How Do You Discover a Password?

The crackers who try to guess passwords are like opportunistic burglars, who go from house to house trying door handles until they find one that lets them in. As long as you lock your doors by following the rules above and making sure that your password is not obvious, most of the bad guys will try elsewhere and you will be safe.

Rule 5: Use a Secure Password

Serious crackers will make more of an effort to find out your password, by using software that generates large combinations of random characters. These brute force attacks, as they are known, can only be defeated by using a properly secure password.

What Makes a Password Secure?

A secure password needs to be:

How to Create a Complex Password

The most complex passwords will contain a combination of:

There is a fifth category, ALT characters: hold down the ALT key and press any other key, and you will produce odd symbols and accented characters, such as and æ. These are, however, only permitted in a minority of software applications.

Altogether, there are about 90 characters you should be able to use. A password using 5 of these 90 characters will have about 8 billion (8,000,000,000) combinations. A password made from 8 of the 90 characters will have about 7.2 quadrillion (7,200,000,000,000,000) combinations.

An analysis of 400,000 passwords found that:

So the inclusion of even one non-alphanumeric keyboard symbol will make a password more complex, and hence more difficult to crack, than almost every other password that’s out there.

The Benefits of Using Random Characters

To illustrate the difference between ordinary dictionary words and random characters, this is the maximum time it takes to crack a password of 8 characters (source: lockdown.co.uk):

The more characters a password contains, the longer it will take for a random generator to crack it. Of course, a brute force attack will crack any password eventually, and anyone who really wants to get at your password will do so. The best you can do is put them off for as long as you can.

In practice, there will be restrictions on both the length and complexity of a password: in particular, it may not be possible to use some of the symbols on your keyboard because they are reserved for other uses by the software you are using. You should, however, try to use as many different symbols as you can.
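The combination counts and cracking times in this section all come from one piece of arithmetic: alphabet size raised to the power of the length, divided by the rate at which an attacker can test guesses. The block below is an added example, not code from the original article or from the source it cites: it builds its alphabets from the printable ASCII keyboard characters (94 symbols, the text's "about 90"), so its counts differ slightly from the article's rounded figures, and GUESSES_PER_SECOND is an assumed rate for illustration, not a measurement.

```python
"""The arithmetic behind the combination counts and cracking times above.

Added example, not code from the original article. Alphabets are built
from printable ASCII (94 symbols, the text's "about 90"), and
GUESSES_PER_SECOND is an assumed illustrative rate, not a measurement.
"""
import math
import string

LOWER = string.ascii_lowercase                    # 26 symbols
ALNUM = string.ascii_letters + string.digits      # 62 symbols
KEYBOARD = ALNUM + string.punctuation             # 94 symbols

GUESSES_PER_SECOND = 1_000_000_000  # assumption for illustration only


def keyspace(alphabet_size, length):
    """Distinct passwords of exactly `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Strength of a truly random password, in bits."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Time to enumerate the whole keyspace. A dictionary word falls far
    sooner than this, because the attacker never has to enumerate anything."""
    return keyspace(alphabet_size, length) / rate


def charset_size(password):
    """Size of the symbol space a brute-force run must assume for this
    password: one punctuation character pushes it from the 62-symbol
    alphanumeric space into the 94-symbol keyboard space."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def humanise(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    print(f"90^5 = {keyspace(90, 5):,}   90^8 = {keyspace(90, 8):,}")
    for label, pw in (("dictionary word", "diaspora"),
                      ("word + appendage", "d1asp0ra123"),
                      ("random keyboard", "Ug_y5R._4wMt")):
        n = charset_size(pw)
        print(f"{label:17} {pw:13} space={n:2}  bits={entropy_bits(n, len(pw)):5.1f}  "
              f"worst case {humanise(worst_case_seconds(n, len(pw)))}")
```

Two caveats when reading the output. The times are worst-case figures for an attacker who can test guesses offline against a stolen password hash; a login form that locks after a few failed attempts, as the text notes later, reduces the practical rate by many orders of magnitude. And charset_size() only tells you which space a brute-force attacker must search; a password that is in a word list is found long before that search would finish, whatever its character classes.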

Creating Secure Passwords

There are two elements to a secure password:

Generally, if a password is easy for you to retrieve or remember, crackers won’t have too much trouble discovering or guessing it. Fortunately, there are several tricks you can use to overcome this problem.

Rule 6: Learn the Rule, Disguise the Password

The password itself will need to be sufficiently random that it can’t be simply discovered or guessed. To keep it memorable, you do not need to learn the password itself. Instead, you learn one simple rule so that you can extract the password from a larger combination of characters. This means that unless you have a phenomenal memory, you will need to keep a record, either on paper or on a computer.

Wallets and purses can be stolen, and computers can be hacked into. If you are going to store an important password on a piece of paper in your wallet, or within your computer itself, or on a Post-it note attached to your computer monitor, you must disguise it.

How to Disguise a Simple Password

Let’s take a simple example: a 4-digit PIN. Let’s assume that your PIN is 8639. To disguise it, create a grid of numbers:
9 2 6 3
8 6 3 9
4 1 0 7
9 0 6 4

Write it down and keep it in your wallet. All you need to remember is this rule: look at the second line of numbers.

If you think that is still simple enough to be guessed, create a larger grid of numbers:
6 7 5 0 3 1 8
8 6 0 5 3 2 7
7 6 9 8 3 1 0
9 0 4 7 3 2 8
9 7 2 8 6 3 9
1 4 0 5 2 7 4
8 6 0 4 5 1 7

Now the rule is: go to the fifth line and look at the last four digits. Not too much to remember, and very difficult for anyone to guess, especially as most systems will shut down after three failed attempts.

How to Disguise a Complex Password

First, we need to invent a complex password. Let’s go for Ug_y5R._4wMt — 12 characters, a full range of letters, numbers and symbols, and practically impossible to guess.

Unfortunately, a password as complex as this is also practically impossible to remember, so we need to disguise it.

You are limited only by the complexity of the rule, not by the complexity of the password.
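The grid technique from the PIN section and its extension to a complex password are the same procedure: surround the secret with filler drawn from the same alphabet, and remember only a position. The block below is an added example, not code from the original article. ARTICLE_SMALL and ARTICLE_GRID are the two digit grids from the text; hide(), render() and the alphabet argument are this example's generalisation to any character set, so that a password such as Ug_y5R._4wMt can be disguised the same way.

```python
"""Hide a secret in a grid of filler characters and recover it with a
positional rule, as described for the PIN grids above.

Added example, not code from the original article. ARTICLE_SMALL and
ARTICLE_GRID are the article's own digit grids; hide() and the alphabet
argument generalise the idea to any character set.
"""
import secrets
import string

# The article's 4x4 grid: the PIN 8639 is the whole of row 2.
ARTICLE_SMALL = ["9 2 6 3", "8 6 3 9", "4 1 0 7", "9 0 6 4"]

# The article's 7x7 grid: the PIN is the last four digits of row 5.
ARTICLE_GRID = ["6 7 5 0 3 1 8", "8 6 0 5 3 2 7", "7 6 9 8 3 1 0",
                "9 0 4 7 3 2 8", "9 7 2 8 6 3 9", "1 4 0 5 2 7 4",
                "8 6 0 4 5 1 7"]

KEYBOARD = string.ascii_letters + string.digits + string.punctuation


def parse_grid(lines):
    """Space-separated text rows -> list of lists of single characters."""
    return [line.split() for line in lines]


def extract(grid, row, start, length):
    """Apply the rule: `row` is counted from 1 as in the text, `start` is
    the 0-based column of the first secret character."""
    cells = grid[row - 1][start:start + length]
    if len(cells) != length:
        raise ValueError("rule points outside the grid")
    return "".join(cells)


def hide(secret, rows, cols, row, start, alphabet=string.digits):
    """Build a rows x cols grid of random filler with `secret` written
    along `row` from column `start`. Filler comes from the secrets module
    and from the same alphabet as the secret, so the secret does not stand
    out by character class or by being the only unpredictable run."""
    if not all(c in alphabet for c in secret):
        raise ValueError("filler alphabet must cover every secret character")
    if not (1 <= row <= rows and 0 <= start and start + len(secret) <= cols):
        raise ValueError("secret does not fit at that position")
    grid = [[secrets.choice(alphabet) for _ in range(cols)] for _ in range(rows)]
    for i, ch in enumerate(secret):
        grid[row - 1][start + i] = ch
    return grid


def render(grid):
    """Text form to write down; parse_grid() reads it back."""
    return "\n".join(" ".join(cells) for cells in grid)


if __name__ == "__main__":
    print(extract(parse_grid(ARTICLE_GRID), row=5, start=3, length=4))  # the PIN
    grid = hide("Ug_y5R._4wMt", rows=8, cols=16, row=3, start=2, alphabet=KEYBOARD)
    print(render(grid))
    print(extract(grid, row=3, start=2, length=12))
```

The filler matters as much as the rule. If the filler is padded out by hand it tends to be less random than the secret, and an attacker who knows the trick can pick the secret out as the one run that looks different; drawing every cell from the same alphabet with a cryptographic random source removes that tell, so that the only thing protecting the secret is the position you remember, which is exactly what the text intends.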

Keeping Your Passwords Secure