Creating Strong Passwords

Every year we accumulate more and more website login details that we need to remember. This is about how to create good passwords and where to store them.

Posted 12th November 2014 • Security • #resources

As time goes on, there are more and more and more accounts we have logins for. With the web being tied in to just about everything these days, it's important to keep your data secure, and the first line of defence is having strong passwords. Websites impose all kinds of conditions and limitations on what you should and shouldn't have in your passwords: uppercase, lowercase, length, numbers etc. Here are just a few basic guidelines that I've picked up along the way and some resources you might find helpful in keeping your accounts secure and your passwords safe.

Some pointers

  1. The single most important factor in password security is the length.
    Keep passwords at least 8 characters long. Most of my passwords are about 20 characters (more on that later), although some websites will force them to be between 8 and 12. The longer the password, the longer it takes to crack.

  2. Character Variation
    Using a mix of uppercase, lowercase, numbers and symbols will increase the complexity of the password and make it harder to crack.

  3. Avoiding weak passwords
    Avoid all of the following when creating passwords:

    • Using any part of your username
    • Anything personal to you (family, birthday, anniversary, car registration)
    • Easily guessable 'strings' (qwerty)
    • Whole words in any language. Password crackers often work through the dictionary first.
    • Words in reverse
    • Replacing letters of a word with numbers (such as p455w0rd). These are often checked even before real words as most people think it's more secure.
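Here is an added example, not from the original post, that turns the three pointers above into a check you can run on a candidate password. It scores the brute-force search space from length and character classes (pointers 1 and 2) and then flags each of the weak patterns listed under pointer 3: username fragments, personal details, keyboard runs, and dictionary words whether plain, reversed or with letters swapped for numbers. The word list, keyboard runs and substitution map are constructed stand-ins; a real check would load a full dictionary and a breached-password list, and the three-class threshold for "too little variation" is an assumption of the example.

```python
import math
import re

# Constructed stand-in for the lists a cracker runs through before brute force:
# a real check would load a full dictionary and a breached-password list.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine", "football"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef", "098765")

# Number/symbol-for-letter substitutions (p455w0rd) mapped back to letters,
# so a substituted word can be looked up in the dictionary as plain text.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t", "+": "t"})

# (pattern, alphabet size) for each character class a password may draw from.
CLASSES = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII punctuation
)


def character_classes(password: str):
    """Return (number of classes present, size of the alphabet they imply)."""
    sizes = [size for pattern, size in CLASSES if pattern.search(password)]
    return len(sizes), sum(sizes)


def search_space_bits(password: str) -> float:
    """log2(alphabet ** length): the work a brute-force attack faces.
    Each extra character multiplies the space by the alphabet size, which is
    why length outweighs variation: a 20-character lowercase password has a
    larger space than an 8-character one using all four classes."""
    _, alphabet = character_classes(password)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def weaknesses(password: str, username: str = "", personal=()) -> list:
    """Return the guidelines the password breaks; an empty list means it passes."""
    problems = []
    lowered = password.lower()

    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(password)[0] < 3:  # assumed threshold for "a mix" of classes
        problems.append("too little character variation")

    # Any part of the username: every four-character window of it.
    uname = username.lower()
    parts = [uname[i:i + 4] for i in range(len(uname) - 3)] or ([uname] if uname else [])
    if any(part in lowered for part in parts):
        problems.append("contains part of the username")

    # Personal details the caller supplies (family names, birth year, registration).
    if any(item.lower() in lowered for item in personal if item):
        problems.append("contains personal information")

    if any(run in lowered for run in KEYBOARD_RUNS):
        problems.append("contains an easily guessable string")

    # Whole words: plain, reversed, or with the number substitutions undone.
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    elif any(word in lowered[::-1] for word in DICTIONARY):
        problems.append("contains a dictionary word in reverse")
    elif any(word in lowered.translate(LEET_MAP) for word in DICTIONARY):
        problems.append("contains a dictionary word with letters replaced by numbers")

    return problems


if __name__ == "__main__":
    # Constructed candidates: three weak ones and one vault-style random password.
    for pw in ("p455w0rd", "drowssap", "Smith2014!", "fBqM8A%zTRT3nc1xen"):
        found = weaknesses(pw, username="john.smith", personal=("1984",))
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits; problems: {found or 'none'}")
```

The search-space figure makes pointer 1 concrete: `fBqM8A%z` (8 characters, all four classes) sits at about 52 bits, while a 20-character password of nothing but lowercase letters is about 94 bits, so the longer password costs a brute-force attacker far more guesses despite its lack of variation.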

Managing passwords

Over the years I've used a number of ways to remember passwords. I used to use a phrase that I had more or less picked out of thin air, then modified it slightly depending on which website it was for. This worked for a while but there's a risk that if someone does discover what that phrase is and works out the pattern for how you alter it, you lose access to all of your accounts. It's only a little more secure than using the same password for each site (which you should NEVER do).

The answer to that problem is to use a completely random string of numbers, letters and symbols as a password, different for every account you have. However, unless you have super hero memory powers, this is impractical.

If you don't have superhero powers, use a password vault.

To make up for the lack of super powers (one day they shall be mine!), I started using a password vault. A password vault is either hosted online or stored on your computer and is unlocked by using a master password: a single very strong password that you use to log in to the vault which contains all your passwords. You then use randomly generated passwords for all your accounts, and you don't need to remember them. This means that even if someone manages to break one of your passwords, they still have no clue what the others are. Here's an example of what some of my passwords look like:

  • fBqM8A%zTRT3nc1xen
  • GifAM3jGjBXvo&qx)q
  • uYe*LY,WkqUYB2NnY9
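An added example, not part of the original post and not the generator any particular vault uses, of how a vault produces passwords of the kind shown above: it draws each character from the operating system's cryptographic random source through Python's `secrets` module, redraws any candidate that misses one of the four character classes, and reports the entropy of the draw. The symbol set and the 20-character default are assumptions of the example; the 12-character case mirrors the sites mentioned earlier that cap passwords between 8 and 12.

```python
import math
import secrets
import string

# The four classes the post recommends mixing. The symbol set is a constructed
# subset of ASCII punctuation; trim it for sites that reject particular symbols.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+,.?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def has_all_classes(password: str, alphabet: str = ALPHABET) -> bool:
    """True when every class the alphabet offers appears in the password."""
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        offered = any(c in alphabet for c in cls)
        if offered and not any(c in cls for c in password):
            return False
    return True


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw a password from the OS CSPRNG via secrets (never the random module,
    whose output is predictable). Draws missing a class are rejected and redrawn,
    so the result is uniform over the passwords that mix every offered class."""
    if length < 8:
        raise ValueError("the guidelines call for at least 8 characters")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, alphabet):
            return candidate


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Upper bound on the entropy of a uniform draw: length * log2(|alphabet|).
    The class-mixing rejection discards a negligible fraction of draws at these
    lengths, so the bound is tight for the default 20 characters."""
    return length * math.log2(len(set(alphabet)))


if __name__ == "__main__":
    # A vault-style password for a site with no length cap, and a 12-character
    # one for a site that forces passwords to be between 8 and 12 characters.
    for length in (20, 12):
        pw = generate_password(length)
        print(f"{pw}  ({entropy_bits(length):.0f} bits)")
    # A site that allows only letters and digits still gets a uniform draw.
    print(generate_password(16, LOWER + UPPER + DIGITS))
```

Because every password comes from an independent uniform draw, knowing one of them tells an attacker nothing about the others, which is exactly the property the vault approach relies on; the 20-character default gives roughly 126 bits from this alphabet, well beyond what brute force can reach.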

Chosen solution: 1Password

In the last 5 years or so, I've used several of the major password vaults including Passpack, LastPass and KeePass. However, all of these have had their issues and recently I invested in one of the best pieces of software I own: 1Password by AgileBits (no association).