Before you get too excited or concerned, don’t worry, I’m going to tell you how to make really good (crackin’) passwords, not how to go about cracking passwords.
A client in South Perth (Hi Sharman) was asking me today if it was possible to make different passwords for each of her accounts that were still complex enough to be secure but easy enough for her to remember.
Private and not so private
Just about every organisation you deal with these days, whether government or commercial, wants you to set up an account via the internet. Most people are pretty vigilant when it comes to keeping their health and financial details safe and secure, so they usually pay a bit of attention to making a good password for these accounts. These passwords will be relatively complicated and certainly won’t use family members’ names or birth dates (I mean, who would do that, right?).
Complex passwords are usually difficult to remember, though, and to make it even harder, we’re told not to use the same password for each account. Consequently, accounts that we don’t think of as important don’t get passwords any more complicated than “password123” or “buster” (the dog’s name).
But that’s a problem because while we may not think the account is important, it is still likely to have some information in it that a hacker will find valuable. Hackers will try to crack accounts that are perceived as unimportant because they know they will have pathetic passwords (let’s not beat around the bush here).
They may only know your name to begin with, but once they crack into a poorly secured account, they may then know your email address. Armed with this information, it is a little bit easier to get into another relatively poorly secured account and get even more information about you. From here they continue on gathering more and more information until, eventually, they may be able to log into your webmail account.
Remember that feature that most websites offer if you’ve forgotten your password? That’s right, they’ll send the password (or a way to reset it) to your email address. So, now that the hacker has access to your email account, they can go wild on all your other accounts!
I’ve seen some incredibly secure but totally impractical passwords. One of my clients was using a WiFi password that looked something like this (23 hexadecimal characters):
Very secure – no-one is cracking that one… but who wants to type that in every time a friend asks if they can connect their laptop to your WiFi? And you can’t memorise it, so you have to write it down which then lessens its security anyway.
But passwords needn’t be that extreme.
Is it always about length?
First of all, I’m going to give you some tips about making a secure password. This on its own won’t make a password any easier to remember, but it will give you some ideas of what to include to make your simple-to-memorise password hard to crack.
1. Length
The longer the password, the longer it takes to crack. As computers get more and more powerful, they can crack longer passwords much faster, so keep in mind that the following table is dated from some time in 2009. An 8-character password is okay at the moment, but some more secure organisations are already moving to 10-character passwords. The table below shows how long it would take for a password cracking tool to crack various lengths of passwords.
(By the way, I don’t know where I got this image from so if you know the original author, can you let me know so I can give due credit?)
2. Mixed Case
Password cracking tools actually use dictionaries of words. A list of words that big is daunting to a person, but it’s nothing to a computer. However, most passwords are case-sensitive these days, which means that an uppercase “A” is treated as though it is a different character to a lowercase “a”. So, if you mix uppercase and lowercase letters in your password, it is no longer the simple task of just trying a list of dictionary words; now the hacking tool also has to try all combinations of uppercase and lowercase for each word it tries.
3. Numbers
Including numbers in a password simply adds even more character combinations for a hacking tool to have to try, and that just makes it take more time to crack.
4. Non-Dictionary Words
Because hacking tools go through a list of dictionary words first, if you make up a word, mix numbers into the middle of it or even just misspell a word, this makes it harder to crack the password.
Remember your Greek mythology?
Mnemosyne (pronounced with a silent M) is the name of the goddess of memory in Greek mythology. From her name is derived the word “mnemonics” which are special strategies used to help make the task of memorisation easier. One of the commonest mnemonic devices is to imagine crazy images or whacky stories about something you wish to memorise in order to help it stick in your mind.
For example, imagine I’m going to the grocery store and I need to pick up a French loaf, a bunch of celery and a pack of cereal (that’s a normal shopping list, right?). I could imagine holding the French loaf in one hand, the bunch of celery in the other and using them as drumsticks to beat a rhythm on the box of cereal. As the “drumsticks” are hitting the box of cereal, the contents are shaking around and making a sound like maracas. By the time I get to the grocery store, there is no way I’ve forgotten that bizarre image, so I have no problem remembering the three items.
Putting it all together.
Now that you have all the information about what you need to make a secure password and how to help remember it, let’s put that all together to make a hypothetical password for a Facebook account.
- Mnemonic: Let’s make a crazy phrase related to Facebook. How about, “My face likes to friend books”. You then have to form a weird image of this in your mind. Let’s imagine your face searching for books in a library and then rubbing its nose on them in order to make friends.
- Length: Now, remove the spaces (you can’t usually use them in passwords, anyway) and you already have a good password length to start with: “Myfacelikestofriendbooks”.
- Mixed Case: Add some capital letters. For memory purposes, it helps if you use the same pattern all the time. For example, only capitalise the first letter of the words related to the website (Facebook): “myFacelikestofriendBooks”.
- Non-dictionary Words: Spell some words incorrectly or use some shorthand (R for “are”, 2 for “to”, etc.): “miFacelykes2frendBooks”.
- Numbers: Add some extra numbers. In this case, I’ve used the year the password was created: “miFacelykes2frendBooks12”.
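To show the four tips (length, mixed case, numbers, non-dictionary words) and the Facebook walkthrough above as one repeatable recipe, here is an added Python example (not from the original post) that applies each step to a mnemonic phrase and sizes the brute-force keyspace of every stage; the shorthand table, the 1e10 guesses-per-second rate and the character-class sizes are assumptions made for the example, and the comparison line for the 23-character hex WiFi key counts only the 16 hex symbols.

```python
import math
import re

# Shorthand and misspellings used in the post's "non-dictionary words" step
# ("2" for "to", "R" for "are"); the mapping itself is constructed here.
SHORTHAND = {"my": "mi", "likes": "lykes", "to": "2", "are": "R", "friend": "frend"}

# Character classes and their sizes, used to size the brute-force keyspace.
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))


def build_password(phrase, site_words, year):
    """Apply the post's steps to a mnemonic phrase and return each stage.
    site_words are the phrase words tied to the website: only they get a
    capital letter, and the shorthand step leaves them unchanged."""
    words = phrase.split()
    stages = {"length": "".join(words)}                         # drop the spaces
    cased = [w.capitalize() if w.lower() in site_words else w.lower()
             for w in words]                                    # mixed case
    stages["mixed_case"] = "".join(cased)
    subbed = [w if w.lower() in site_words else SHORTHAND.get(w, w)
              for w in cased]                                   # non-dictionary words
    stages["non_dictionary"] = "".join(subbed)
    stages["numbers"] = stages["non_dictionary"] + str(year)[-2:]   # numbers
    return stages


def charset_size(pw):
    """Size of the smallest standard character set that contains every char of pw."""
    return sum(n for pattern, n in CLASSES if re.search(pattern, pw))


def brute_force_bits(pw):
    """log2 of the keyspace an exhaustive search over pw's length and classes faces."""
    return len(pw) * math.log2(charset_size(pw))


def brute_force_years(pw, guesses_per_second=1e10):
    """Worst-case exhaustive-search time; the guess rate is an assumed figure."""
    return charset_size(pw) ** len(pw) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    stages = build_password("My face likes to friend books", {"face", "books"}, 2012)
    for stage, pw in stages.items():
        print(f"{stage:15} {pw:26} {brute_force_bits(pw):6.1f} bits  "
              f"{brute_force_years(pw):9.2e} years")
    # The post's 23-character hex WiFi key spans only 16 ** 23 values, i.e. 92 bits.
    print(f"{'23 hex chars':15} {'':26} {23 * math.log2(16):6.1f} bits")
```

The keyspace figures measure only exhaustive search; the mixed-case and non-dictionary steps mainly matter against word-list attacks, which the size of the character set does not capture.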
Test your strength
When you’ve finished making your password, go to Microsoft’s Safety and Security Center to test the strength of your password.
Let us know
We’d love to hear what you think. Please offer us your thoughts, opinions and suggestions below in the “Speak your mind” section.