By Kim Komando
A strong password is a pain to create, remember and type. That’s why far too many people settle for passwords that are weaker and easier to remember than they should be. But strong passwords are essential for keeping hackers and snoopers out of your online accounts.
Fortunately, I know a few good tricks to make passwords easier to create and remember. Before I get to that, though, let’s refresh your memory on three critical ground rules for creating strong passwords.
1. Don’t make the password easy to guess
Whenever there’s a big data breach and user passwords are exposed, security companies make a list of the most common passwords people were using. In fact, they made one for the Adobe data breach at the end of 2013.
The five most common passwords were “123456,” “123456789,” “password,” “adobe123” and “12345678.” You can read the full list here. Yes, I know what you’re thinking. “Genius!”
Hackers look at these lists, too, and they have computer programs that can guess common passwords, plus millions of other passwords, in minutes. Even passwords you think are “hard” might not be as hard to figure out as you think. If you want an example, see how easily this Microsoft Research site can guess a password from the first few letters.
The Defense Department’s research agency, DARPA, released a study in 2013 that tracked passwords at a Fortune 100 company and found that about half followed five common patterns. Here are three of the most common patterns found in the study:
- One uppercase, five lowercase and three digits (Example: Komand123)
- One uppercase, six lowercase and two digits (Example: Komando12)
- One uppercase, three lowercase and five digits (Example: Koma12345)
These are just things people do without thinking about them. But if you make a password with any of those common patterns, it makes a password-guessing program’s job a lot easier.
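To make concrete why a predictable pattern helps a password-guessing program, here is a small Python script, an added example that is not part of Kim's column. It labels each character of a password by class, checks the result against the three DARPA patterns quoted above, and counts how many candidates a guesser needs to cover that pattern versus a fully random string of the same length. The mask notation, the function names and the 94-character printable alphabet are my own choices, not anything from the study.

```python
import math
import string

# The three patterns from the column, written as character-class masks (my transcription):
# U = uppercase letter, l = lowercase letter, d = digit, s = symbol.
COMMON_MASKS = {
    "Ulllllddd": "one uppercase, five lowercase and three digits",
    "Ulllllldd": "one uppercase, six lowercase and two digits",
    "Ulllddddd": "one uppercase, three lowercase and five digits",
}

# How many characters each class can take: 26 + 26 + 10 + 32 = 94 printable ASCII characters.
CLASS_SIZES = {"U": 26, "l": 26, "d": 10, "s": len(string.punctuation)}


def mask(password):
    """Replace each character with its class letter, e.g. 'Komand123' -> 'Ulllllddd'."""
    out = []
    for ch in password:
        if ch.isupper():
            out.append("U")
        elif ch.islower():
            out.append("l")
        elif ch.isdigit():
            out.append("d")
        else:
            out.append("s")
    return "".join(out)


def matches_common_pattern(password):
    """Return the description of the matching pattern from the list, or None."""
    return COMMON_MASKS.get(mask(password))


def mask_keyspace(m):
    """Candidates a guesser must try to cover every password that fits this mask."""
    n = 1
    for c in m:
        n *= CLASS_SIZES[c]
    return n


def random_keyspace(length):
    """Candidates for a fully random password of the same length over all 94 characters."""
    return 94 ** length


def compare(password):
    """Summarise how much the pattern shrinks the search, in bits (log2 of the candidate count)."""
    m = mask(password)
    return {
        "mask": m,
        "common_pattern": COMMON_MASKS.get(m),
        "pattern_bits": round(math.log2(mask_keyspace(m)), 1),
        "random_bits": round(math.log2(random_keyspace(len(password))), 1),
    }


if __name__ == "__main__":
    # The column's three illustrative passwords, plus its strong one for contrast.
    for pw in ("Komand123", "Komando12", "Koma12345", "Tl|_|,BwwB2R"):
        print(pw, compare(pw))
```

A nine-character password that follows the first pattern sits in a space of about 2^38 candidates; a nine-character password drawn at random from all 94 printable characters sits in a space of about 2^59, roughly two million times larger, which is the gap a guessing program exploits when it tries the common masks first.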
Obviously, you shouldn’t use those patterns or anything like them. The same goes for using special dates; names of spouses, children, relatives and pets; or any password using the full name of the service you’re making the password for.
The strongest password is one that contains a random collection of letters (uppercase and lowercase), numbers and symbols. Of course, that’s nearly impossible to remember, but we’ll deal with that further on.
2. Make the password eight characters or longer
Despite what you see in the movies, professional hackers rarely sit down at a computer and try to guess your password; that’s usually done by casual snoops such as relatives. Instead, hackers get millions of passwords at once from company data breaches or other sources.
If the breached company is using better security practices, the leaked passwords will be encrypted so they’re just a jumble of letters and numbers. But with enough passwords to compare, hackers can figure out the encryption scheme and decode the actual passwords. In fact, with modern computers, hackers can crack tens of thousands of passwords in mere hours.
Shorter passwords are much easier to crack, so hackers go for those first. Longer passwords take hackers longer to decode, as long as they aren’t obvious like “123456789”; hackers pick off the obvious ones first by a different method.
Many hackers don’t even bother with passwords that are eight characters or longer because it simply takes too long. Of course, as computers get more powerful, even longer passwords will take less time, so I would think about making your next password at least 10 characters, just to be safe.
3. Don’t use the same password everywhere
As I said, most hackers don’t even try to guess your password. But if they get one of your passwords in a data breach or courtesy of a virus on your computer, they will go after your other online accounts with that same password.
That’s why you want a unique password for every account, especially your bank or other finances. If the password a hacker stole doesn’t work right away, most will move on to easier targets.
Creating a strong password
In summary, the ground rules for a strong password are:
1. It has to contain a random collection of letters (uppercase and lowercase), numbers and symbols.
2. It has to be at least eight characters long.
3. You must use a unique password for each account.
That’s a tall order. While something like “Tl|_|,BwwB2R” is really strong, it isn’t easy to remember. Or is it? Let me show you how I came up with it.
Start by thinking up a random sentence. You can use a catch phrase, quote or even a song lyric. I chose a lyric from one of my favorite Bruce Springsteen songs: “Tramps like us, baby we were born to run.”
I took the first character from each word to get “tlu,bwwbtr”. Not bad, but it could be better. So, I added some symbols in place of similar letters: the u becomes |_|, and the “to” from the original lyric becomes 2. Then I capitalized a few of the letters to make a strong password that I can easily remember: “Tl|_|,BwwB2R.”
Bonus tip: Setting up consistent symbol replacement and capitalization rules for all your passwords helps keep things from becoming too complex.
Once you have that, you can tweak the same password for multiple accounts. For Facebook, you could make it “Tl|_|,BwwB2RFB.” Amazon can be “AmzTl|_|,BwwB2R.” You can make a consistent scheme there as well, so you always know how you shorten the company name and where it goes.
Now, if you’re like me and have dozens of accounts online, remembering your passwords even using this system can be too much. That’s why a password manager like KeePass or Dashlane can be a great help. These keep your passwords secure, and you need to remember only one master password, which you can make really strong using my technique above. These programs can even generate passwords for you, which means they can be truly random and as long and complex as you want. My IT staff uses 20- to 30-character passwords for our most critical systems.
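A minimal version of what a password manager's generator does, together with a check for ground rules 1 and 2 from the summary list, as an added Python example (not KeePass's or Dashlane's code). It draws characters from the operating system's secure random source through the standard `secrets` module; the loop that re-draws until every character class is present is my assumption about how a manager-style generator behaves, not a documented feature of either product.

```python
import secrets
import string

# All 94 printable ASCII characters: letters of both cases, digits and symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)


def meets_ground_rules(password, min_length=8):
    """Ground rules 1 and 2: every character class present, and at least min_length long."""
    long_enough = len(password) >= min_length
    all_classes = all(any(ch in cls for ch in password) for cls in CLASSES)
    return long_enough and all_classes


def generate_password(length=24):
    """Uniformly random password from the OS CSPRNG; re-drawn until all classes appear.

    Assumption: rejection sampling keeps the result uniform over the passwords that
    contain all four classes. With 24 characters a re-draw is rare.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow at least one character of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_ground_rules(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    # The column's IT staff uses 20- to 30-character passwords for critical systems.
    for n in (20, 24, 30):
        pw = generate_password(n)
        print(n, pw, meets_ground_rules(pw))
```

`secrets` is the right module here rather than `random`, whose generator is seeded for reproducibility and is not meant for secrets; the output of this block is as long and as random as the column recommends, which is exactly why it belongs in a manager rather than in your memory.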
Note: For those Apple users out there, Apple computers and iOS devices do have Keychain, a built-in password management system that stores your information across all of your devices.
Of course, a secure password doesn’t matter if a hacker can bypass it another way. Learn how to create a strong account security question that hackers can’t guess. Then head over to my Security Center for everything you need to know to secure your computers, smartphones, tablets, Wi-Fi and online accounts.
On the Kim Komando Show, the nation’s largest weekend radio talk show, Kim takes calls and dispenses advice on today’s digital lifestyle, from smartphones and tablets to online privacy and data hacks. For her daily tips, free newsletters and more, visit her website at Komando.com. Kim also posts breaking tech news 24/7 at News.Komando.com.