Creating and Maintaining Strong Passwords

Chris / InfoTech

Passwords are tough. If you're like me, you've probably registered for online access to your bank, your credit cards, and the places you shop online, as well as managing at least one email account, holding accounts for your smart devices, and much more.

We're told that each username and password combination should be unique, so that a breach of one site does not hand an attacker your other accounts. So how can you have a unique password for every account you own that is both easy to remember and hard to guess?

Before we begin, consider that the best passwords are both easy to remember and hard to guess (or crack). A good way to accomplish this is to choose four common, randomly selected words that you can remember and use those together as your password.

Image: XKCD

However, many systems that require passwords do not allow very long passwords AND also require special characters, capital letters, and other things that are hard for humans to remember. If that's the case, here's an idea (you have to follow ALL the steps!):

  1. Choose a word that you'll always remember. For example, "Friday". Avoid names of spouses, children, pets, or any other word that could be guessed from your social network posts, etc.
  2. Modify your word to make it more complex. For example, "FR1d@y". Notice how I've capitalized the first two letters, replaced the "i" with the number one (1), and used the @ sign in place of the "a".
  3. Choose a number to attach to your word. For example, 5454. Avoid using your bank PIN, your street address, your birth year, etc. You need to be able to increment this number if you are required to change your password. At this point you have the makings of a decent password: FR1d@y5454 (however, it's still not unique if you simply use that password for all your accounts).
  4. Develop a pattern that you follow for each account to make each password unique. Let's say you decide to add the first three vowels of the account name to the end of your word + your number. An example password would then be FR1d@y5454aao.

This is just one example. Alternatives include using positions on a QWERTY keyboard that correspond to a word you remember (e.g. typing the key one position to the right or left of each keystroke in a legitimate word you remember, resulting in a nonsense word), or using phrases in passwords like "I like 7-11 hotdogs" (ILike7-11HotDogs) to make passwords hard to guess but easy to remember. You could also use a math equation such as "Five+Two=7".
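The following is an added worked example, not code from the original post. It implements the four-step scheme above (word, substitutions, number, account-derived suffix), the keyboard-shift alternative, and a typical composition-rule check, and it puts a number on the post's preference for four random words by comparing the entropy of a passphrase drawn from a diceware-sized list against the space an attacker who knows the scheme would have to search. The word list, the extra substitutions beyond "i" and "a", the dictionary size of 100,000 and the account name "acmebank" are all constructed assumptions.

```python
"""Added example: the password-building ideas from the post, in working code."""
import math
import secrets
import string

# Constructed stand-in for a diceware-style list; only the list SIZE drives the
# entropy estimate, so a real list of about 7776 words is assumed.
DICEWARE_LIST_SIZE = 7776
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "anchor", "harbor", "pencil", "violet"]


def random_passphrase(n_words=4, words=SAMPLE_WORDS):
    """Four (or n) words drawn with a CSPRNG, the approach the post favours."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words=4, list_size=DICEWARE_LIST_SIZE):
    """Entropy of n uniformly chosen words is n * log2(list size)."""
    return n_words * math.log2(list_size)


# Step 2: the post's substitutions are i -> 1 and a -> @; the rest are assumptions.
SUBSTITUTIONS = {"i": "1", "a": "@", "e": "3", "o": "0", "s": "$"}


def complexify(word, caps=2):
    """Capitalise the first `caps` letters, then apply substitutions to the rest."""
    out = []
    for idx, ch in enumerate(word):
        out.append(ch.upper() if idx < caps else SUBSTITUTIONS.get(ch.lower(), ch))
    return "".join(out)


def first_vowels(account_name, n=3):
    """Step 4: the first n vowels of the account name become the per-account suffix."""
    vowels = [c for c in account_name.lower() if c in "aeiou"]
    return "".join(vowels[:n])


def derive_password(base_word, number, account_name):
    """Steps 1-4 combined: complexified word + number + account-derived suffix."""
    return f"{complexify(base_word)}{number}{first_vowels(account_name)}"


def pattern_guess_space_bits(dictionary_words=100_000, number_digits=4):
    """Rough size (in bits) of the space someone who knows the scheme must search:
    one dictionary word times every possible number of the chosen length."""
    return math.log2(dictionary_words * 10 ** number_digits)


# Alternative from the post: type the key one position to the right (or left).
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def shift_keys(word, offset=1):
    """Replace each letter with the key `offset` positions along its row; row ends wrap.
    Case is preserved; digits and punctuation pass through unchanged."""
    out = []
    for ch in word:
        for row in QWERTY_ROWS:
            if ch.lower() in row:
                shifted = row[(row.index(ch.lower()) + offset) % len(row)]
                out.append(shifted.upper() if ch.isupper() else shifted)
                break
        else:
            out.append(ch)
    return "".join(out)


def meets_policy(password, min_len=10, max_len=16):
    """Typical composition rules: a length band plus all four character classes."""
    checks = {
        "length": min_len <= len(password) <= max_len,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    return all(checks.values()), checks


if __name__ == "__main__":
    pw = derive_password("Friday", 5454, "acmebank")  # "acmebank" is a constructed account name
    print(pw, meets_policy(pw))
    print("one key to the right:", shift_keys("friday"))
    print(f"passphrase: {passphrase_entropy_bits():.1f} bits vs "
          f"word+number scheme: {pattern_guess_space_bits():.1f} bits")
    print("example passphrase:", random_passphrase())
```

Running it shows "Friday" turning into FR1d@y exactly as in step 2, the derived per-account password passing a length/upper/lower/digit/special check, and about 52 bits for four words from a 7776-word list against roughly 30 bits for a dictionary word plus a four-digit number, which is the quantitative reason the post recommends the random-words approach wherever the system allows it.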

Secure your primary email address! Consider that many of your accounts have a password reset procedure that sends you an email with a link to click to reset your password. This means that if an attacker gains access to your email account, changes your email password and locks you out of it, they can then attempt to issue password resets for your other accounts if they can discover them.

  1. Secure your primary email address with a very strong password that is absolutely unique, and document it in a secure, non-electronic location.
  2. Secure your email address, if available, with 2-factor authentication (e.g. Google Authenticator if you use Gmail), which requires not only your username and password but also an always-changing numeric PIN code that you get via text message or smartphone app.
  3. Consider setting up a second email address (e.g. a Google account with 2-factor authentication) for your online access to banks, purchasing sites, etc. Keep this separate and NEVER use it for personal correspondence, social networking, etc.

"Wait a sec", you say. "Can't someone also initiate a password reset using security questions?" Indeed, many accounts allow password resets using security questions; for example, "What is your mother's maiden name?" or "What is your father's middle name?". My recommendation for security questions is that you never answer them with the actual correct answer to the question, but with an answer that you choose ahead of time.

To put it another way, the answer that I provide when answering security questions NEVER matches the correct answer to the actual question being asked; in fact, it NEVER MATCHES ANY QUESTION that I'm asked. For example, when I'm asked "what is the model of your first car?" (something that someone might get from social media), I'll answer "Timbuktu", which is my word that I always provide (not really, but you get the point). If you're really security conscious, add a pattern to the end of that word: if I have to reset a password for Chase Bank and I'm asked "what's the model of your first car?", I'll say "TimbuktuChase". This way each security-question answer is not only easy to remember but unique and impossible to guess.

Happy and Safe Computing!  -Chris