How to Create a Secure Password

Not all passwords need to be secure, of course, but a password for any account that identifies you personally, such as your primary email account, an online bank account, or an account with any organisation that holds your credit card details, needs to be as secure as possible.

To understand how to create a secure password, you first need to know what makes a password insecure. By putting yourself in the shoes of a cracker, you will see how to thwart their dastardly plans.

The Problems with Passwords

Passwords have two weaknesses:

  • they can be guessed,
  • and they can be discovered.

How Do You Guess a Password?

The most basic method of guessing passwords involves automated attacks using databases of:

  • real words, taken from dictionaries in many languages,
  • obvious variations on those words, and
  • simple sequences of letters and numbers.

Rule 1: Don’t Use Obvious Combinations of Digits

One of the most popular passwords is, believe it or not, password. Other classics are: 123456, qwerty, and abcdef. It’s fine to use these combinations for throwaway email accounts, but surprising numbers of people also use them for important accounts. They probably store these passwords on Post–It notes attached to their computer monitors. Duh! In fact, storing a password on a Post–it note isn’t necessarily stupid, as will be explained below.

Rule 2: Don’t Use Real Words

Real words are not much better. If you can find a word in a dictionary, so can a cracker. Names of people, names of cities, even relatively obscure words, and variations on them, such as diaspora, d1asp0ra, or ar0psa1d, are likely to be included in the word lists that crackers use. So don’t use real words or simple combinations of digits.

Rule 3: Don’t Use Extended Real Words

Many passwords consist of a root and an appendage. The root is usually either a real word or a pronounceable invented word, and the appendage is usually a short combination of common numbers or letters; for example, d1asp0ra123. This type of password is also easily discovered by an automated attack.

Rule 4: Don’t Use Personal Words

Most cracking attempts are not aimed at a specific individual, but some are. If a cracker stumbles across your name and your email address, he or she may try to guess your password by using your personal details. It’s relatively easy to discover basic personal information about people, especially people who use online social media such as Facebook. You should assume that if you place any personal information online, it is available to everyone, including crackers. Once information is out there, you can’t get it back. So don’t use any personal information in a password: your mother’s maiden name, your favourite film, a childhood pet, your car number plate, your birthday, and so on.

How Do You Discover a Password?

The crackers who try to guess passwords are like opportunistic burglars, who go from house to house trying door handles until they find one that lets them in. As long as you lock your doors by following the rules above and making sure that your password is not obvious, most of the bad guys will try elsewhere and you will be safe.

Rule 5: Use a Secure Password

Serious crackers will make more of an effort to find out your password, by using software that generates large combinations of random characters. These brute force attacks, as they are known, can only be defeated by using a properly secure password.

What Makes a Password Secure?

A secure password needs to be:

  • complex,
  • random,
  • and long.

How to Create a Complex Password

The most complex passwords will contain a combination of:

  • upper–case letters (e.g. A B C)
  • lower–case letters (e.g. a b c)
  • numerals (e.g. 1 2 3)
  • non–alphanumeric keyboard symbols (e.g. _ / ^)

There is a fifth category, ALT characters: hold down the ALT key and press any other key, and you will produce odd symbols and accented characters, such as and æ. These are, however, only permitted in a minority of software applications.

Altogether, there are about 90 characters you should be able to use. A password using 5 of these 90 characters will have about 8 billion (8,000,000,000) combinations. A password made from 8 of the 90 characters will have about 7.2 quadrillion (7,200,000,000,000) combinations.

An analysis of 400,000 passwords found that:

  • more than 99% of the passwords used only alphanumeric symbols;
  • more than 60% of these passwords used only lower–case letters;
  • 9% of these passwords used only numerals.

So the inclusion of even one non–alphanumeric keyboard symbol will make a password more complex, and hence more difficult to crack, than almost every other password that’s out there.

The Benefits of Using Random Characters

To illustrate the difference between ordinary dictionary words and random characters, this is the maximum time it takes to crack a password of 8 characters (source: lockdown.co.uk):

  • 8–letter word, using a network of supercomputers: a fraction of a second
  • 8–letter word, using a typical PC: 30 seconds
  • 8 random characters, using a network of supercomputers: 11 weeks
  • 8 random characters, using a typical PC: 23 years

The more characters a password contains, the longer it will take for a random generator to crack it. Of course, a brute force attack will crack any password eventually, and anyone who really wants to get at your password will do so. The best you can do is put them off for as long as you can.

In practice, there will be restrictions on both the length and complexity of a password: in particular, it may not be possible to use some of the symbols on your keyboard because they are reserved for other uses by the software you are using. You should, however, try to use as many different symbols as you can.

Creating Secure Passwords

There are two elements to a secure password:

  • it must be difficult for an outsider to discover or guess
  • it must be easy for you to retrieve or remember

Generally, if a password is easy for you to retrieve or remember, crackers won’t have too much trouble discovering or guessing it. Fortunately, there are several tricks you can use to overcome this problem.

Rule 6: Learn the Rule, Disguise the Password

The password itself will need to be sufficiently random that it can’t be simply discovered or guessed. To keep it memorable, you do not need to learn the password itself. Instead, you learn one simple rule so that you can extract the password from a larger combination of characters. This means that unless you have a phenomenal memory, you will need to keep a record, either on paper or on a computer.

Wallets and purses can be stolen, and computers can be hacked into. If you are going to store an important password on a piece of paper in your wallet, or within your computer itself, or on a Post–It note attached to your computer monitor, you must disguise it.

How to Disguise a Simple Password

Let’s take a simple example: a 4–digit PIN. Let’s assume that your PIN is 8639. To disguise it, create a grid of numbers:
9 2 6 3
8 6 3 9
4 1 0 7
9 0 6 4

Write it down and keep it in your wallet. All you need to remember is this rule: look at the second line of numbers.

If you think that is still simple enough to be guessed, create a larger grid of numbers:
6 7 5 0 3 1 8
8 6 0 5 3 2 7
7 6 9 8 3 1 0
9 0 4 7 3 2 8
9 7 2 8 6 3 9
1 4 0 5 2 7 4
8 6 0 4 5 1 7

Now the rule is: go to the fifth line and look at the last four digits. Not too much to remember, and very difficult for anyone to guess, especially as most systems will shut down after three failed attempts.

How to Disguise a Complex Password

First, we need to invent a complex password. Let’s go for Ug_y5R._4wMt — 12 characters, a full range of letters, numbers and symbols, and practically impossible to guess.

Unfortunately, a password as complex as this is also practically impossible to remember, so we need to disguise it.

  • You could disguise it simply, for example by adding one character to the beginning: vUg_y5R._4wMt — you can store this on a piece of paper or on a computer, and all you have to remember is this rule: remove the first character.
  • Or you could disguise it more elaborately, by swapping the first 6 characters with the last 6 characters: ._4wMtUg_y5R, giving you a rule that’s very easy to learn but almost impossible to guess.
  • Or you could store only part of the password: g_y5R._4wMt — and learn this rule: add an upper–case U to the beginning.
  • Or you could add several characters to the beginning and the end: 2k^Ug_y5R._4wMt7/Y — and learn this rule: remove the first 3 characters and the last 3 characters.
  • Or you could disguise the password twice, by adding extra characters and using a grid:
    m D i 8 p L - . b W 3 a / f A v ^ 7
    9 N b G 4 ^ m . j O 0 g s X b Y 5 f
    / L p I 8 4 . 6 H b z 6 n V m 3 S e
    2 k ^ U g _ y 5 R . _ 4 w M t 7 / Y
    X g 5 . m p / a r O J ^ 4 9 f Q l 8

You are limited only by the complexity of the rule, not by the complexity of the password.

Keeping Your Passwords Secure

  • Do not use the same password on more than one account. If one account gets broken into, all the others will be vulnerable.
  • Do not share a password with anyone. Even if they are honest, they may divulge your information by accident. In particular, don’t hand over your password in exchange for a Marks and Spencer easter egg.
  • Change each password from time to time. Once a password has been replaced, never use it again.
  • Never tick a box that offers to remember a password for you. This defeats the whole purpose of having a password — anyone who gets access to your computer will be able to get access to the account.
  • If you like being sneaky, you could create documents containing false passwords, just in case your wallet gets stolen or your computer gets broken into!
  • Most importantly, take sensible internet security precautions. Even the most secure password is useless if you are deceived into giving it away, or if you unwittingly install a keylogger on your computer.