All about passwords


How to create a good password?

To answer this question, we must establish what a good password is.

1. Must be long. At least 16 characters, or as long as possible, so an automated tool can’t easily brute-force it by going through every possible combination in a short time. Let’s say you are using only lowercase letters for the 8-character password “friendly”. A hacking program has to go through at most 200 billion combinations to find this specific arrangement of letters. But if you add two more letters, making the password “imfriendly”, the possibilities increase to 141 trillion. These numbers seem high, but four off-the-shelf GTX 1070 video cards together can run 26 billion tries per second (in the case of the SHA-1 hash function). This means “friendly” can be cracked in less than 8 seconds and “imfriendly” in 90 minutes. This leads to our next point:

2. Should be complex. You can add more complexity to your password by introducing uppercase letters. Changing the password in the previous example to “Friendly” instantly doubles the 26-letter alphabet to 52, bumping the possible combinations from 200 billion to 53 trillion. Add numbers into the mix to make “Friend23”, one in 218 trillion. Finally, adding a symbol to create “Friend2!” makes it one in 7.2 quadrillion. This looks like a proper password and is somewhat harder to crack by brute force, but it can still be done with the ordinary hardware mentioned above within 77 hours. And it can be hard to remember, too. I hope you noticed that by adding 2 more letters we made a stronger password than by swapping one to uppercase (one in 141 trillion vs 53 trillion).

3. Must be unique. Not only should it not be in a dictionary, it also shouldn’t be on any password list. Password dictionaries of various sizes, containing the most common passwords, are available around the internet. Next to brute-forcing, using password dictionaries is the most popular method for hacking accounts. For example, “qwertyuiop” is somewhat long and random, but it is the first row on the keyboard and is ranked as one of the 2500 most popular passwords. You can lose your account if someone else has used the same password as you and it’s on a password list.

4. Must be used once. One password for one account; do not reuse it. Ever. Data breaches happen all the time, and even if you have a strong password it can end up in a password list. Then it is just a matter of time before someone runs an automated script on different accounts with known username and password pairs. This could lead to losing control of multiple accounts if you have used the same password for them.
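
The arithmetic in points 1 and 2 and the list check in point 3 can be reproduced with a short script. This is an added example, not part of the original article; the 34-symbol count is an assumption chosen to match the article's 7.2 quadrillion figure, and the common-password set is a constructed sample.

```python
import string

GUESSES_PER_SECOND = 26e9   # article's figure: four GTX 1070 cards, SHA-1
SYMBOL_COUNT = 34           # assumption: yields the 96-character alphabet
                            # behind the article's 7.2 quadrillion figure

# Constructed sample; a real check loads a full common-password list.
COMMON_PASSWORDS = {"qwertyuiop", "password", "123456", "letmein"}


def alphabet_size(password):
    """Size of the smallest character set a brute-force search must cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += SYMBOL_COUNT
    return size


def keyspace(password):
    """Number of candidates of this length over the detected alphabet."""
    return alphabet_size(password) ** len(password)


def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Time to exhaust the keyspace; 0 if a password list already has it."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return keyspace(password) / rate


if __name__ == "__main__":
    for pw in ["friendly", "imfriendly", "Friendly", "Friend23",
               "Friend2!", "qwertyuiop"]:
        secs = worst_case_seconds(pw)
        print(f"{pw:12} keyspace={keyspace(pw):.3g} worst case={secs:,.0f} s")
```

The figures are upper bounds for exhaustive search only; a password that appears on a list is found immediately regardless of its keyspace, which is why “qwertyuiop” scores zero.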

Now that we know the basics, it’s time to make a good password. The best way to do this is to use a password manager, which can generate passwords for us and will also remember all of them. We only need to remember one: a master password for accessing the password manager itself. The most user-friendly way to create this is to use a passphrase.

What is a passphrase?

A passphrase is a type of password that is generally easier to remember. It’s just a series of unrelated words, but it is long enough to make most password-cracking attempts futile. You can make up your own, but there are websites like this one and this one that can generate random word combinations for you. Five or six words are easy to remember, but if you still find it hard you could use a phrase, e.g. “Automatic-transmission-and-4wheel-drive”. I could recall that any time, and it is 39 characters long, including uppercase and lowercase letters, a number and a symbol.
This example is a strong password/passphrase, but obviously you should create your own.
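
Random word combinations can also be generated locally instead of on a website. The sketch below is an added example, not part of the original article: it picks words with Python's `secrets` module and reports the resulting strength in bits. The 32-word list is a constructed sample so the script runs offline; a real generator would load a large published list such as the 7776-word EFF diceware list.

```python
import math
import secrets

# Constructed 32-word sample list; far too small for real use.
SAMPLE_WORDS = """anchor basket candle desert engine forest garden harbor
island jacket kettle ladder magnet napkin orange pencil quartz ribbon
saddle tunnel umpire velvet window yogurt zipper bridge copper dragon
falcon guitar hammer insect""".split()


def generate_passphrase(words, count=6, separator="-"):
    """Join `count` words chosen uniformly with a cryptographic RNG."""
    unique = sorted(set(words))          # duplicates would skew the odds
    if len(unique) < 2:
        raise ValueError("word list needs at least two distinct words")
    return separator.join(secrets.choice(unique) for _ in range(count))


def passphrase_bits(wordlist_size, count):
    """Entropy in bits when every word is drawn independently at random."""
    return count * math.log2(wordlist_size)


def words_needed(wordlist_size, target_bits):
    """Smallest word count that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(f"sample list, 6 words: {passphrase_bits(len(SAMPLE_WORDS), 6):.1f} bits")
    print(f"7776-word list, 6 words: {passphrase_bits(7776, 6):.1f} bits")
    # For comparison: an 8-character password over a 96-character alphabet.
    print(f"8 random characters: {8 * math.log2(96):.1f} bits")
```

The bit count only holds when the words are chosen at random; a phrase a person made up is easier to guess than the same number of randomly drawn words.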

What is a password manager?

A password manager is a program, mobile application or browser extension that can generate and hold your passwords in a strongly encrypted database. To access the database someone must provide a master password. The most popular password managers are:
– KeePass
– LastPass
– Dashlane
– 1Password

How often should I change my password?

The only time you should change your password is when it is compromised. Unfortunately, some companies still have a policy of regular mandatory password changes. This can easily lead to employees writing down their new password on a post-it note and leaving it on their desk, or using incremental numbering, like “Password_14” changing to “Password_15”.

Security questions

Some accounts require you to provide answers to security questions in case you forget your password. These are generic questions, like “What’s your mother’s maiden name?”, “What is your pet’s name?”, “What was your first school?”. As you are not the only one who could answer these questions, never answer them honestly; treat the answers as separate passwords, and generate and keep them in your password manager. Another option is to use a passphrase, like “MyDogIsCalledSammy”.

Writing down passwords

There can be a time when you may want to write down your password on paper. It is only acceptable if it’s temporary and you destroy that paper later or you can keep it in a safe place where nobody else can access it. If you are already at your computer, use a password manager. Never write passwords in email, in a text file or any document that someone else can open or copy.

Two factor authentication

It is an additional safety feature that can protect your account, even if your password is compromised. To learn more about it, click here.
