Choosing an easy-to-remember strong password

Introduction

The challenge we all face is that cyber attackers have developed sophisticated methods to guess or brute force passwords, and they are constantly getting better at it. This means they can compromise your passwords if they are weak or easy to guess. An important step to protecting yourself is to use strong passwords. The more characters your password has, the stronger it is and the harder it is for an attacker to guess. However, long complex passwords can be difficult to remember. So instead, we recommend you use passphrases. Passphrases are simple phrases or sentences that are easy to remember, but hard to hack, for example Gue55Wh@tI5MyPa55w0rd.

Beware: a passphrase is not necessarily stronger if it is way too easy to crack. A recent social dating website breach incident reveal some examples. Stay away from making the wrong choice. If you are interested to know what are the top worst password, check out the SplashData list ( top 100 worst passwords in pdf) that contains many of the usual suspects (“123456”, “password”, and “qwerty”), but also shows that using common words, personal names, expressions, expletives, consecutive number strings, and one’s year of birth as password is a bad idea.

Also, we must learn hard from public security lessons shared. This is especially critical on why we have to choose a strong passphrase as this serves also as last line of defence if our details do get stolen or leaked out. The classic of service providers and retails claims to protect all customer login credentials but they failed to maintain their promises due to poor practices and governance is to be expected. This is one classic example of telco and retail provider's huge lapse jeoparising 12+ million user records is of no surprises (at least to me). The takeaways are the list of improvements suggested speak explicitly the importance of (everyone) having a strong password - in our case, passphrase instead.

What makes a Strong Passphrase?

What makes this passphrase so strong is that not only is its total number of characters longer than typical password (generally 20 characters or more as compared to a short six- to ten-character password), and it also uses capital letters and symbols. (Remember, spaces are nothing more than another symbol.)
You can make your passphrase even stronger if you replace letters with numbers or symbols, such as replacing the letter ‘a’ with the ‘@’ symbol or the letter ‘o’ with the number zero. If a website or program limits the number of characters you can use in a password, use the maximum number of characters allowed.
If you're are thinking of secret question to augment passphrase recovery in case you forget your passphrase, it is not going to help very much. In fact, it can be its Achilles' heel instead. We choose (most of the time) very straightforward question that have simple and guessable answers (assuming they are true) like your father's middle or last name. Avoid this; it's too easy for thieves to find who your friends and family are. If really required, go for safer questions that are more difficult for even ourselves to recall. These need an answer unlikely to be guessed or found online by attackers.

Good Practices for handling Passphrases

Be sure to use a different passphrase for every account or device you have. For example, never use the same passphrase for your work or bank account that you use for your personal accounts such as Facebook, YouTube or Twitter. This way, if one of your accounts is hacked, the other accounts are still safe. If you have too many passphrases to remember (which is very common), consider using a password manager. This is a special program that securely stores all of your passphrases for you. That way, the only passphrases you need to remember are the ones to your computer and the password manager program.
Never share a passphrase or your strategy for creating them with anyone else, including co-workers. Remember, a passphrase is a secret. If anyone else knows your passphrase, it is no longer secure. If you accidently share your passphrase with someone else or believe it may have been compromised or stolen be sure to change it immediately.
Just like passwords, avoid easy-to-guess or commonly used passphrases. For example, the phrase, “Four score and seven years ago,” is not a good passphrase, because it is so well known. In other words, try to make your passphrases as meaningless and random as possible. Consider the suggestions below:
- Don't use names or numbers associated with you (such as your child’s birth date or your spouse’s name).
- Don't use your user name or login name in any form.
- Don't use a derivative of names or numbers associated with you.
- Avoid using a solitary word in any language.
- Avoid using easily-obtained personal information. This includes your telephone numbers, identification card number, car’s license plate number, and street address.
- Don't answer “yes” when prompted to save your password or passphrase to a particular computer. Instead, rely on a passphrase committed to memory or stored in a dependable password management program.
- If at this point, you see the above is still a hurdle for you, worry no more. There is online generator to help you to generate a phrase that can be meet a substantially longer (go for 16 and above length) than a meaningless key to be equally difficult to guess. Notice its helpful tip "Remember your password".
Do not use public computers, such as those at hotels or libraries, to log in to a work or bank account. Since anyone can use these computers, they may be infected with malicious code that captures all of your keystrokes. Only log in to your work or bank accounts on trusted computers or mobile devices.
Be careful of websites that require you to answer personal questions. These questions are used if you forget your passphrase and need to reset it. The problem is that the answers to these questions can often be found on the Internet, or even on your Facebook page. Make sure that if you answer personal questions, you use only information that is not publicly available or fictitious information you have made up. Password managers can help with this, as many allow you to store this additional information.
Many online accounts offer something called two-factor authentication, also known as two-step verification or 2FA. This is where you need more than just your passphrase to log in, such a passcode sent to your smartphone. This option is much more secure than just a passphrase by itself. Whenever possible, always use these stronger methods of authentication.
Mobile devices often require a PIN to protect access to them. Remember, a PIN is nothing more than another password. The longer your PIN is, the more secure it is. Do not be complacent with this. Many mobile devices allow you to change your PIN number to an actual passphrase.
Change your passphrase(s) regularly. Set up a routine (e.g. change your passphrase(s) on the first of each month).
Finally, if you are no longer using an account, be sure to close, delete or disable it. Just don't make it an "orphan".

One key takeaway for you, minimally, is that this is not just another article to just read and forget. Practice it now (if possible). In simple terms - this is not about just choosing complex, hard-to-crack or strong passphrases that hackers will not be able to guess. It is about making sure that each of our own passwords is unique and different. If one of your accounts is broken into, not all accounts are broken into.

However, I recommend to always go beyond single factor password(s)/passphrase(s) and opt for stronger means such as multi-factor authentication whereby there is additional out of band security, such as a SMS one time password (i.e. something you have) to augment your existing password/passphrase. Read Bruce Schneier's advice on his methods in the choice of passwords. We do want to balance out being short-changed due to security fatigue if the effort to remember complex passphrases backfires by denying your access. I leave you with this as food for thoughts - so have you change your password or passphrase.

Comments (8)

btanExec Consultant

CERTIFIED EXPERT

Distinguished Expert 2022

Author

Commented: 2015-07-16

thanks bro!

Owen Rubin

Consultant

Commented: 2015-08-02

Good article, but I suggest forgetting ever creating or remembering any passwords. As you mention, a password manager makes this much easier. Programs like 1Password or LastPass take the headache out, and lock your passwords in the cloud beind very strong encryption, and many also sync them to most devices. These programs will generate the "random" password for you for each site, different for each site, and then save them in a vault for later use. Then, after unlocking, they will fill in logins for you when you go back to that site. Very easy. Also helps with fishing sites, as password managers will not recognize a fishing site as the real site, and will refuse to fill in the password.
On an iPhone, you need to copy and paste the password, but that is a small hassle for security.

I use 1Password myself (not affiliated) and then use Dropbox to sync all my computers at home and work, and my iPad and iPhone as well. Between a strongly encrypted password vault, and the added encryption security of a system like Dropbox, I have any password at my fingertips, and I only need to remember one, very long and complex password: the one to unlock 1Password . 1Password also saves all the "form" info for you, so your secret question answers are also safe.

Which brings me to one more point: when answering security questions, do not give real answers. Most of the info they ask can be found online, so not very secure. Make up an answer you will remember and use that. For example, when it asked what color was your first car, answer with something like "lightning" or some other unrelated word. Makes it very difficult to discover or guess And many password managers will save that data for you too..

Indeed they are useful way and tactic.
Keepass is another nice one.
Eventually it is the user vigilance to play the active role too as technology play supporting role only.

Andrew Leniart

IT Professional, Freelance Journalist, Certified Editor

Author of the Year 2019

Distinguished Expert 2020

Commented: 2017-06-04

Great article. I personally found it impossible to remember all the passwords I use, so I adopted the password manager strategy years ago. Roboform is one of my favorite password managers and I've always been very happy with it. It contains (literally) hundreds of unique passwords for sites all over the web. As I've always used different passwords everywhere, (regardless how important a site or service is to me) I'd be totally lost without it. Using a password manager means I only need to remember 1 single complicated master password that I've never shared with anyone and I recommend that process to clients frequently.

Like Owen Rubin, I too have always used irrelevant secret answers to questions used for recovery purposes and also actively promote that idea to others. What's my mothers maiden name? It's "Oysters Kilpatrick" of course! What else? :)

Finally, two factor authentication is something I believe should always be used if it's available as well. Hackers will need my mobile if they want to get access to my Gmail accounts for example and using 2FA also foils brute force attempts at guessing a complex password. My thoughts are that if faced with trying to access an account using Brute Force guessing techniques, hackers would most likely just move onto an easier target.

It pays to never be complacent and that doesn't have to be difficult either.

Cheers...

Thanks for the compliments. Good points on the use of manager, invalid answer ro secret qns and 2FA work factor.

We should not rest in laurel though we need to strike a balance in not making the scheme any simpler password but complex enough to still have ahigh work factor against brute force attempts. Lockout is essential but create inconvenience so a self administration for password reset or unlock may be another considered means for win win.