Creating strong passwords

As time goes on, we accumulate more and more accounts to log in to. With the web tied into just about everything these days, it's important to keep your data secure, and the first line of defence is a strong password. Websites impose all kinds of conditions and limitations on what your passwords should and shouldn't contain: uppercase, lowercase, length, numbers and so on. Here are a few basic guidelines I've picked up along the way, and some resources you might find helpful in keeping your accounts secure and your passwords safe.

Some pointers

  1. The single most important factor in password security is the length.
    Keep passwords at least 8 characters long. Most of my passwords are about 20 characters (more on that later), although some websites will force them to be between 8 and 12. The longer the password, the longer it takes to crack.

  2. Character variation
    Using a mix of uppercase, lowercase, numbers and symbols will increase the complexity of the password and make it harder to crack.

  3. Avoiding weak passwords
    Avoid all of the following when creating passwords:

    • Using any part of your username
    • Anything personal to you (family, birthday, anniversary, car registration)
    • Easily guessable 'strings' (qwerty)
    • Whole words in any language. Password crackers often work through the dictionary first.
    • Words in reverse
    • Replacing letters of a word with numbers (such as p455w0rd). These are often checked even before real words as most people think it's more secure.

Managing passwords

Over the years I've used a number of ways to remember passwords. I used to use a phrase I had more or less picked out of thin air, then modified it slightly depending on which website it was for. This worked for a while, but if someone discovers the phrase and works out the pattern you use to alter it, all of your accounts are compromised. It's only a little more secure than using the same password for each site (which you should NEVER do).

The answer to that problem is to use a completely random string of numbers, letters and symbols as a password, different for every account you have. However, unless you have superhero memory powers, this is impractical.

If you don't have superhero powers, use a password vault.

To make up for the lack of super powers (one day they shall be mine!), I started using a password vault. A password vault is either hosted online or stored on your computer and is unlocked by a master password: a single very strong password that you use to log in to the vault, which contains all your passwords. You then use randomly generated passwords for all your accounts, and you don't need to remember them. This means that even if someone manages to break one of your passwords, they still have no clue what the others are. Here's a short example of what some of my passwords look like:

  • fBqM8A%zTRT3nc1xen
  • GifAM3jGjBXvo&qx)q
  • uYe*LY,WkqUYB2NnY9
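As an added example (not code from the original post), here is a Python script that codifies the pointers above and the random-generation approach: it estimates guessing effort from length and character pool, flags the weak patterns listed (username parts, keyboard strings, dictionary words plain, reversed or with p455w0rd-style substitutions), and generates vault-style passwords like the ones shown. The word list and keyboard strings are small constructed stand-ins, not a real cracking dictionary.

```python
import math
import re
import secrets
import string

# Constructed stand-ins: a real cracker's dictionary has millions of entries.
WORDLIST = {"password", "welcome", "dragon", "monkey", "letmein", "football"}
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")
# Substitutions a cracker undoes before its dictionary pass (p455w0rd -> password).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)  # 26 + 26 + 10 + 32 characters

def char_classes(pw):
    """How many of the four character classes the password draws from."""
    return sum(any(c in cls for c in pw) for cls in CLASSES)

def entropy_bits(pw):
    """Guessing effort for a *random* password: length * log2(pool size)."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def weaknesses(pw, username="", wordlist=WORDLIST):
    """List the guidelines the password breaks; an empty list means none were found."""
    low = pw.lower()
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if char_classes(pw) < 3:
        problems.append("fewer than three character classes")
    parts = [p for p in re.split(r"[^a-z0-9]+", username.lower()) if len(p) >= 3]
    if any(p in low for p in parts):
        problems.append("contains part of the username")
    if any(walk in low for walk in KEYBOARD_WALKS):
        problems.append("contains a keyboard walk")
    plain = re.sub(r"[^a-z]", "", low)                   # letters only: Password123 -> password
    deleet = re.sub(r"[^a-z]", "", low.translate(LEET))  # undo digit/symbol swaps first
    if {plain, plain[::-1], deleet, deleet[::-1]} & wordlist:
        problems.append("dictionary word (plain, reversed or with letter swaps)")
    return problems

def generate_password(length=20):
    """Vault-style password: CSPRNG draw from all classes, redrawn if any class is missing."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if char_classes(pw) == 4:
            return pw
```

Note that a 20-character all-lowercase random string scores higher than an 8-character string using all four classes, which is the point of pointer 1: length beats variation.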

Chosen solution: 1Password

In the last 5 years or so, I've used several of the major password vaults including Passpack, LastPass and KeePass. However, all of these have had their issues and recently I invested in one of the best pieces of software I own: 1Password by AgileBits (no association).

I'm always on the lookout for good software by developers who care about the little details, and I couldn't praise them more highly. Instead of being hosted online, 1Password has software for all your devices (I'm running it on OS X, Windows and iOS) and keeps a copy of your vault on each one, locked up with your master passphrase. Your vault is synced between devices automatically using iCloud or Dropbox (or any other service if you set it up).

All your passwords are organised by category, and you can copy and paste passwords from the vault in one click. There are also browser extensions for all major browsers which will automatically log you in with the click of a button.

I've tried lots of solutions over the years, but 1Password has made managing the hundreds of passwords I have a hundred times easier than any of the others.

It doesn't just stop at passwords though. Particularly as a web developer, I have far more logins to deal with than just my personal web accounts; my password vault also contains server details, database connections, SSH, secure notes, software licenses, the list goes on.

Resources

howsecureismypassword.net - This site demonstrates how strong your password is and gives you some idea of how long it would take to crack, depending on the method used. Obviously this only applies to cracking a password, and ignores the fact that some passwords are so insecure they can be guessed by a human. The most common way people have their accounts breached is by writing down their passwords, sharing them, or having easy-to-guess security questions.
