How to Create a Strong Password
The US government recently revised its password guidelines, dropping its support for the once-favored practice of picking a phrase and replacing a few of its characters with symbols, like c4tlo^eR. These short, hard-to-read passwords look difficult to humans but are very easy for computers to crack.
Instead, you want long, weird strings that neither computers nor humans can guess. People are bad at making these up: we all choose the same “random” words, and we don’t remember truly random strings well. Follow this tutorial to create good passwords, or better yet, have an app create and remember them for you.
Make your passwords very long
Your enemy isn’t some guy in a ski mask trying to guess your passwords one at a time. It’s a program that automatically runs through huge databases of common passwords or random character combinations.
The best defense against this is a very long string of words. As the webcomic xkcd famously noted, a password made of simple words isn’t bad. But since many hackers use “dictionary attacks” to guess common words, it’s best to add a few capital letters, special characters, or numbers.
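To make the length argument concrete, here is an added example (not code from the original article or from any password manager) that generates a word-based passphrase with the OS random source and compares the entropy of a few password styles. The sixteen-word list, the 100,000-word attacker dictionary, the four substitution slots in the leet-speak model and the guess rate are all constructed assumptions; the Diceware list size of 7776 is the real size of that list.

```python
import math
import secrets

# Constructed 16-word sample list so the example runs offline. A real
# passphrase generator draws from a list of thousands of words (the Diceware
# list has 7776); the entropy functions take the list size as a parameter so
# the numbers can be recomputed for a real list.
SAMPLE_WORDS = [
    "turnip", "glacier", "sandal", "mortar", "velvet", "comet", "ladder",
    "pickle", "harbor", "quilt", "walnut", "ember", "fossil", "lantern",
    "saddle", "tundra",
]
DICEWARE_SIZE = 7776      # size of the standard Diceware word list
PRINTABLE_ASCII = 95      # letters, digits and symbols on a US keyboard


def generate_passphrase(num_words=4, words=SAMPLE_WORDS, sep=" "):
    """Pick words uniformly at random with the OS CSPRNG (never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def passphrase_bits(num_words, wordlist_size):
    """Entropy of num_words words chosen independently and uniformly."""
    return num_words * math.log2(wordlist_size)


def charset_bits(length, charset_size):
    """Entropy of `length` characters chosen uniformly from a charset."""
    return length * math.log2(charset_size)


def leet_word_bits(dictionary_size, substitution_slots):
    """Rough model (an assumption of this example, not a published figure) for a
    human-chosen word with letter-for-symbol swaps like c4tlo^eR: the attacker
    tries every dictionary word and toggles each of the k common substitutions
    (a->4, o->0, e->3, ...), so there are at most dictionary_size * 2**k
    candidates. Cracking tools apply such substitution rules automatically."""
    return math.log2(dictionary_size) + substitution_slots


def years_to_search(bits, guesses_per_second=1e10):
    """Expected time to hit the password at a given guess rate, i.e. the time
    to search half the space. 1e10 guesses/s is a constructed figure for an
    offline attack on a fast hash; adjust it for the hash actually in use."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(5))
    for label, bits in [
        ("8-char leet word (100k dict, 4 swap slots)", leet_word_bits(100_000, 4)),
        ("8 truly random printable chars", charset_bits(8, PRINTABLE_ASCII)),
        ("4 Diceware words", passphrase_bits(4, DICEWARE_SIZE)),
        ("6 Diceware words", passphrase_bits(6, DICEWARE_SIZE)),
    ]:
        print(f"{label:45s} {bits:6.1f} bits  ~{years_to_search(bits):.2e} years")
```

The comparison shows why the guidelines changed: a substituted word comes in around 20 bits under this model, while four random words already match eight truly random characters and six words pull far ahead, with no symbols required.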
Don’t use a general phrase
But don’t use the same set of simple words as everyone else. Even if your password were the entire script of Hamlet, it would be insecure if everyone else used the same password. “When in the course of human events” is a crappy password. So is a famous movie quote, a Bible verse, or even an abbreviation of a Bible verse.
And don’t get clever with thematic or personal passwords. Sometimes actual people do try to crack passwords, so don’t help them by using your son’s birthday or the phrase printed on your favorite coffee mug.
Check your password
If you’re using a password manager, it will rate your password’s strength in real time, right on your computer. Sites like How Secure Is My Password?, How Big Is Your Password?, and How Strong Is Your Password? check whether your password is long enough. But they won’t warn you about common, guessable phrases like those Bible verses.
Of course, typing your passwords into unfamiliar sites is a bad habit. These particular sites are safe, since their code is publicly available and comes from trusted developers who promise that the text you enter never leaves your computer. Still, just in case, use them only to get the gist before creating your real password.
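The gap described above, between what a length-only meter reports and what a cracker actually tries, can be shown with a small local checker. This is an added example, not code from the article or from any of the sites it names; the phrase, word and acronym blocklists are tiny constructed samples standing in for the large leaked-password and quotation lists a real checker would load.

```python
import math
import re

# Constructed blocklists for demonstration only. A real checker would load
# large lists of leaked passwords and well-known quotations instead.
COMMON_PHRASES = [
    "when in the course of human events",
    "to be or not to be that is the question",
    "for god so loved the world",
    "may the force be with you",
]
COMMON_WORDS = {
    "dragon", "monkey", "baseball", "princess", "password", "letmein",
    "qwerty", "football", "sunshine", "iloveyou",
}
# Acronyms of the phrases, so "fgsltw" is caught as an abbreviated verse.
COMMON_ACRONYMS = {"".join(w[0] for w in p.split()) for p in COMMON_PHRASES}


def normalize(text):
    """Lowercase and collapse punctuation/whitespace so 'When-In-The...' matches."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def charset_size(pw):
    """Size of the alphabet a length-only checker assumes the password is drawn from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII symbols, including space
    return size


def naive_bits(pw):
    """What a length-only strength meter reports: it assumes every character
    was chosen at random, which wildly overstates the strength of famous phrases."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def check_password(pw, min_length=16):
    """Return the naive bit estimate plus the warnings a length-only meter misses."""
    warnings = []
    if len(pw) < min_length:
        warnings.append(f"shorter than {min_length} characters")
    norm = normalize(pw)
    words = norm.split()
    for phrase in COMMON_PHRASES:
        # Flag the full quotation and also a long fragment of it.
        if phrase in norm or (len(norm) >= 12 and norm in phrase):
            warnings.append(f"contains a well-known phrase: '{phrase}'")
            break
    if norm.replace(" ", "") in COMMON_ACRONYMS:
        warnings.append("is an abbreviation of a well-known phrase")
    if len(words) >= 2 and all(w in COMMON_WORDS for w in words):
        warnings.append("is made only of very common password words")
    return {"bits": round(naive_bits(pw), 1), "warnings": warnings, "ok": not warnings}


if __name__ == "__main__":
    for candidate in [
        "When in the course of human events",
        "dragon monkey baseball princess",
        "fgsltw",
        "turnip glacier sandal 42 mortar",
    ]:
        print(repr(candidate), check_password(candidate))
```

Run it and “dragon monkey baseball princess” scores well over 100 bits on the naive meter yet is still rejected, because every word in it is on the common list; that is exactly the warning the online checkers above do not give.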
Don’t reuse your password
When your password is compromised on some web service (and this will happen), you’d better hope you didn’t use the same password on three other services. Don’t use a weak password for services that “don’t matter”, because one day you might hand one of those services your credit card information or use it to authorize a more important service, and you won’t think to strengthen your password.
Use a password manager
Until you do this, no matter how hard you try to follow all the rules above, you’ll still end up with bad passwords. Here’s how:
- Your “random” string of words will be something like “dragon monkey baseball princess,” four extremely common password words that a computer will guess.
- You’ll pick something memorable, which limits your options, and a computer will guess it.
- You’ll come up with a password the computer can’t guess, then forget it, have to replace it with a weaker one, and the computer will guess that.
- You’ll choose something that everyone who follows you on Twitter or Facebook could identify, like your dog’s name, and a person will guess it.
Instead, get your computer to create and remember your passwords for you. It’s the only reliable yet convenient way to manage the huge number of passwords that modern life requires.
At the moment, 1Password is the best in its class. If you aren’t interested in the detailed differences between managers, just grab this one and follow Lifehacker’s setup guide.
There are several other fantastic full-featured password managers for Windows and OS X that Lifehacker staff and readers love. All of these apps will create and remember your passwords, and they’ll all tell you how secure each of your passwords is. Some even warn you when a service you use gets hacked, whether or not you were personally exposed.
Of these favorites, the most distinctive is the open source KeePass. It’s geared toward local storage rather than cloud syncing, and it even lets you use a file to unlock it, so you can turn a physical flash drive into your “password.”
Cloud services like 1Password and LastPass are more exposed to remote attacks. But since they securely encrypt your data and don’t store your master password, you’re still safe even if those services are compromised, as long as your master password is strong enough to resist cracking. (You can also sync your encrypted password file through Dropbox or Google Drive; a hacker would still need your master password to unlock it.)
You only need to remember one password: the one that unlocks your password manager. Follow all the rules above to create a strong master password, especially if you’re syncing your data. Otherwise, if your password service ever gets breached, the hackers will guess your weak master password too and swim through all your accounts like Scrooge McDuck in his money vault.
Now, if you really need to write down this master password, do it on paper and keep it somewhere safe like your wallet. Don’t write “MASTER PASSWORD” on it. Tear it up as soon as you’ve memorized it (that only takes a day or two, thanks to the muscle memory from typing it every time you log in).
Don’t forget your master password, or you’ll be thoroughly screwed.
Don’t store passwords in your browser
They can be hacked too. Some of Opera’s saved passwords were partially cracked in the past year. Even Google accounts are vulnerable. A hacker doesn’t need to break Google’s security; they just need to trick you, and it’s much easier for hackers to impersonate Google and ask for your login than it is for them to pretend to be your chosen password manager app. If your Google account gets hacked, you’ll have enough trouble without also worrying about every password stored in it.
Follow the rules every time
Of course, your bank, your doctor’s portal, and your library will still follow outdated security guidelines, so they’ll keep forcing you to follow weird, specific rules when creating a password, like making you start with a letter or include a symbol. (Ironically, by reducing the number of possible passwords, these rules make them easier to crack.)
First, generate a random, secure password with your password manager. Then change that password as little as possible to fit the service’s specific policy. Update the password in your password manager too, so it can alert you if you’ve turned a strong password into a weak one.
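The two-step procedure above, generate first and then adjust minimally, looks like this in code. It is an added example, not the article’s or any password manager’s code; the policy dictionary with its `must_start_with_letter`, `require_symbol`, `allowed_symbols` and `max_length` keys is a hypothetical stand-in for whatever rules a particular site imposes.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_random_password(length=20, alphabet=ALPHABET):
    """Step 1: a random password of the kind a password manager produces."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def satisfies(pw, policy):
    """True if pw meets every rule in the (hypothetical) policy dict."""
    allowed_symbols = policy.get("allowed_symbols", string.punctuation)
    if policy.get("max_length") is not None and len(pw) > policy["max_length"]:
        return False
    if policy.get("must_start_with_letter") and not pw[:1].isalpha():
        return False
    if any(c in string.punctuation and c not in allowed_symbols for c in pw):
        return False
    if policy.get("require_symbol") and not any(c in allowed_symbols for c in pw):
        return False
    return True


def fit_to_policy(pw, policy):
    """Step 2: change as few characters as possible until the policy holds.
    Every replacement character is drawn with the CSPRNG, so the result is
    still random; only its shape is constrained. Assumes len(pw) >= 2."""
    allowed_symbols = policy.get("allowed_symbols", string.punctuation)
    chars = list(pw)
    if policy.get("max_length") is not None:
        chars = chars[: policy["max_length"]]
    if policy.get("must_start_with_letter") and not chars[0].isalpha():
        chars[0] = secrets.choice(string.ascii_letters)
    # Swap each symbol the site rejects for one it accepts (or a letter/digit
    # when it accepts none), keeping the position so only that character moves.
    for i, c in enumerate(chars):
        if c in string.punctuation and c not in allowed_symbols:
            chars[i] = secrets.choice(allowed_symbols or string.ascii_letters + string.digits)
    if policy.get("require_symbol") and allowed_symbols and not any(c in allowed_symbols for c in chars):
        # Never touch position 0, so the start-with-letter rule stays satisfied.
        i = 1 + secrets.randbelow(len(chars) - 1)
        chars[i] = secrets.choice(allowed_symbols)
    return "".join(chars)


def changed_positions(original, adapted):
    """How many characters moved, so you can see how little the policy cost."""
    return sum(a != b for a, b in zip(original, adapted)) + abs(len(original) - len(adapted))


if __name__ == "__main__":
    # Constructed policy resembling the "start with a letter, include a symbol" rules above.
    bank_policy = {"must_start_with_letter": True, "require_symbol": True, "allowed_symbols": "!@#$"}
    pw = generate_random_password(20)
    adapted = fit_to_policy(pw, bank_policy)
    print(pw, "->", adapted, "changed:", changed_positions(pw, adapted), "ok:", satisfies(adapted, bank_policy))
```

The adapted password keeps almost all of the entropy the manager generated, which is the point of changing it after generation rather than asking a human to invent one that fits; store the adapted version back in the manager so its strength meter sees what you actually use.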
We’ve covered how to create a memorable password if you absolutely must. But since all of our recommended password managers offer mobile apps (KeePass recommends certain third-party mobile ports), you can access your passwords anywhere. There’s simply no reason to come up with your own password.
Use two-factor authentication
Two-factor authentication isn’t foolproof, but it costs only a little convenience. Not all second factors are equally secure, though: a dedicated authenticator app is much more secure than receiving a code via SMS. But both are safer than a password alone.
Don’t spoil it all with security questions
Security questions? More like insecurity questions! I’m fun at parties. The point is, the concept of secret questions made some sense when they were used in 1906 and were answered face to face, but now they’re ridiculous, when anyone can google your mother’s maiden name, where you went to high school, or your favorite ice cream flavor, then call Amazon tech support and pretend to be you.
Treat security questions the same way you treat your passwords: make up false answers and save them in a password manager. Security questions are designed to be answered to a person, not a computer, so you don’t need to add strange characters to your answers. Instead, you want to choose wrong, unusual answers. What school did you go to? The School of Scobert Dubbert. What’s your mother’s maiden name? Blempgorf. This is where you can put all the cleverness you aren’t allowed to put into your passwords. (It’s also a good strategy for choosing the one master password you need to remember.)
Remember everything is broken
Passwords are bad and stupid. But so is everything else. Fingerprints can be stolen, two-factor texts can be redirected, keys can be copied. As tech reporter Quinn Norton put it, everything is broken, and as writer/programmer Dan Nguyen put it, everything (even more) is broken. Security technology is a race between the good guys and the bad guys, and it’s impossible to have completely safe technology without sacrificing many of that technology’s benefits.
So after you’ve set up a password manager, changed all your passwords, and turned on two-factor authentication, don’t think your job is done. Someday everything will move to a new security system and you’ll have to adapt. That’s the price we pay to live online.