
How to create strong passwords

670 words

If you work in IT, you have certainly encountered people who use passwords such as "123456" or "password". In fact, several recent high-profile data breaches have resulted from the use of weak passwords like these. A survey by the National Institute of Standards and Technology (NIST) found that most people use weak passwords, and just 1 in 5 are confident that they can remember complex passwords.

Computer scientists define a password as being a string of characters which is used to authenticate a user. It is up to the user to create the password, of course. But how do you come up with a string of characters that's unique and strong?

While it is tempting to pick a random word, a combination of words, or even random characters, all of those passwords can be cracked if they aren't long enough. Many hackers can rent computer farms that specialize in brute-force attacks for pennies, and can even build their own password-cracking systems using one of the many cloud-based platforms available on the web. To improve security, passwords should be long enough and contain a mix of upper- and lowercase letters, numbers, and special characters.

Passwords should also have high entropy; in other words, they shouldn't be predictable. A password that is already known has zero bits of entropy, for example, while a password that can be guessed in one or two tries has 1 bit of entropy.

The Australian Information Security Manual advises people to use passwords that have at least 15 characters. So, how can you create strong passwords that are easy to remember and have good entropy? Start by joining a few words that have meaning to you. Here's an example.

TuesdayIsWashday

This password has 16 characters, but it could still be cracked using a dictionary-based attack, so let's add some numbers to it.

Tuesday2Is3Washday

Finally, let's add some special characters at the beginning and end of the string.

@Tuesday2Is3Washday&

Trust me, this 20-character password is almost unbreakable.
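To put numbers on the entropy of the three passwords above, here is an added Python check (not part of the original article) that estimates bits two ways: a naive per-character count, and a count that assumes the attacker knows the word-digit-symbol recipe and therefore only has to pick dictionary words, single digits and single symbols. The dictionary size, symbol count and known-password list are constructed assumptions for illustration.

```python
import math
import re

# Constructed, assumed sizes for the attacker's guess space (not figures from the article).
DICTIONARY_WORDS = 20_000   # common English words tried for each word slot
DIGITS = 10                 # 0-9
SYMBOLS = 32                # printable ASCII punctuation
KNOWN_PASSWORDS = {"123456", "password"}   # the two examples the article names

def tokenize(pw):
    """Split a recipe-style password into CapitalizedWords, lowercase words, single
    digits and single symbols: '@Tuesday2Is3Washday&' -> ['@','Tuesday','2','Is','3','Washday','&']."""
    return re.findall(r"[A-Z][a-z]*|[a-z]+|[0-9]|[^A-Za-z0-9]", pw)

def charset_size(pw):
    """Size of the character set a naive strength meter assumes was used."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += DIGITS
    if re.search(r"[^A-Za-z0-9]", pw): size += SYMBOLS
    return size

def naive_entropy_bits(pw):
    """Bits if every character were an independent uniform draw from the charset."""
    if not pw or pw in KNOWN_PASSWORDS:
        return 0.0          # a password on a breach list has zero bits of entropy
    return len(pw) * math.log2(charset_size(pw))

def pattern_entropy_bits(pw):
    """Bits when the attacker knows the recipe (words + inserted digits + symbols):
    each word costs log2(dictionary), each digit log2(10), each symbol log2(32).
    Where the digits and symbols sit is ignored, so this is a slightly low estimate."""
    if not pw or pw in KNOWN_PASSWORDS:
        return 0.0
    bits = 0.0
    for tok in tokenize(pw):
        if tok.isalpha():
            bits += math.log2(DICTIONARY_WORDS)
        elif tok.isdigit():
            bits += math.log2(DIGITS)
        else:
            bits += math.log2(SYMBOLS)
    return bits

def expected_guesses(bits):
    # On average the attacker hits the password after searching half the space.
    return 2 ** (bits - 1) if bits > 0 else 1
```

Run on the three examples, the naive count climbs from about 91 to 131 bits, while the recipe-aware count only climbs from about 43 to 60 bits; the difference is how much of the apparent strength rests on the attacker not knowing the construction pattern.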

The same rules should apply if you need to create and remember several passwords. You want to generate unique passwords for each account, because an attacker who gets access to one of your accounts shouldn't be allowed to take control over all the other ones.

To move on to the next level of security, use a password manager. Don't go for a cloud-based solution, though, because you risk losing all your accounts in case the service provider is hacked. Choose a password manager that stores the data locally, on your computer, and then pick a strong master password for it. Since you won't need to remember all those complex strings, ensure that each one of your passwords has at least 20 characters.

The security of your password storage solution will depend on the complexity of the software and its encryption algorithm. Choose a virtual security vault that implements the AES 256-bit encryption algorithm, which can't be broken using brute-force methods.

For even better results, use multi-factor authentication (MFA), which is already supported by most platforms. With MFA, besides a password, you will also need to provide an additional piece of information that's unique to that login. For example, a bank might require a secret 6-digit number that has been sent to your mobile device.

MFA systems are everywhere now, from online banking accounts to Wi-Fi systems, smart thermostats, smart TVs, smart door locks, and more. Since hackers have become quite good at cracking passwords through brute-force attacks, many providers are now actively promoting MFA to their users as an added security measure.

Do not forget to use the same sound security practices for all your mobile devices as well. People tend to be more relaxed when it comes to securing their cell phones and tablets, but hackers can easily get access to passwords that are stored on mobile devices, often in unencrypted files. Those files can be read by hackers using fishy browser extensions, free VPN services, etc.