
Your passwords for web-sites - making them memorable but safe and secure

Summary of creating and using passwords securely

This section summarises Password planning, creation and use, with an emphasis on keeping your passwords separated into levels so that criminals cannot use a password from a trivial site to escalate their access to the sites that really matter. The basic threats to good passwords (Brute Force, Dictionary and any variant of Information-based attack) are described first, followed by the threats to passwords in use across a variety of scenarios where the risks escalate.

The rest of this page is devoted to illustrating the methods by which you can create secure passwords for web sites, as opposed to passwords stored on devices where the hacker may gain physical access. What cannot be expressed here are rules, instructions or algorithms that would define a method of creating a strong password, as the act of publishing them to the web would in itself destroy any security in their use.

What can you do to make a password more secure

The complexity surrounding the topic of passwords is something that no "normal" user should need to know, although I have tried to articulate those issues in many web pages over many years - my conclusion is that I should write a short article (below) which tells readers WHAT they should DO and NOT WHY! I am also LIMITING my advice here to passwords for web sites rather than PCs, mobile 'phones, laptops, routers and other devices which could become physically accessible to thieves - see Passwords for insecure devices if that is also a matter that concerns you.

Consider which threats, and in particular which sources of them, cause the greatest exposure: a physical thief, a youth with a 'hacking' laptop, a co-worker or an acquaintance; through to bored kids at college and hackers in Russia / China / Africa... They all have different 'attack vectors': physically stealing a laptop, taking over your PC or router (locally to begin with!) or simply scraping data, including user names and passwords, off a discarded computer hard drive. The points below are numbered only for ease of reference:

  1. The most important aspect of managing passwords is to treat them in categories according to their value or risk/consequences to you. The lowest level can be throwaway in almost all respects; the essential point is that every level is distinct from all the others and cannot act as a 'set of ladders' for a thief to ascend. If you use the same or similar passwords for banking as you do for small retail stores on the web then you have given the thief an escalator when you thought you were playing "Snakes and Ladders".
  2. For simplicity, let's refer to them as levels as used in a computer game - Level 1 should be so basic and simple that anyone can play - Level 3 however has to become part of the game where no-one can follow you, no matter how well they know you - personally, historically, by observation/monitoring - and no matter where they attack from or with what weapons. What might differentiate a level 3 from a level 5 password is that the former might be for an "amateur" web site whereas the latter might be for a more trustworthy web site, due to the greater competence and/or integrity of its owner, management, designers or operators. See Password planning, creation and use for more detail, including how to avoid hackers being able to escalate from one of your low risk sites to one or more of your higher-risk sites.
  3. Really good passwords need to withstand the variety of attacks that already exist (Brute force inc. rainbow tables, Dictionaries, Data harvesting etc.) and ideally try to anticipate those that are not yet economic for the thief. However, passwords MUST be EASY ENOUGH! to remember in your head.
  4. Writing OR just STORING the whole of a password down in one place IS NOT A GOOD IDEA for protecting resources which are high risk/consequences. For example - I would not use a single electronic or software safe to store the whole of a password for any financial (or other important) web site just as I would not store that in my wallet or mobile 'phone.

    That is why our conclusion is that the best building block is the first character of each word in a sentence, as that is a very easy and natural way to replay a password, even when you are asked for specific characters of it. The extra challenge is that the simplicity of this approach means that it is necessary to choose sentences:

    1. that are memorable - if you can't think of one that no-one else would have said or heard, then choose a phrase that is either rude or conjures up a specific image in your mind
    2. that contain more than one unrelated word - for example "blue pigs can't fly". If you need to record a reminder then record the parts separately and ideally on separate media / in separate locations - paper in your fire-safe at home combined with an obfuscated text on your mobile would be OK for a low-medium risk password. Add a third location (and maybe a third medium) for high risk passwords.
    3. which very, very few people would know - obviously NOT lyrics, quotations etc. Think laterally - a sentence could be WHAT you WANTED to SAY to your BOSS at the Christmas party LAST YEAR! Don't even THINK of using what you want to say to them THIS YEAR because it will have gone through your mind dozens of times before then and 'accidents do happen'
    4. that ideally do not exist anywhere on the Internet! However, when checking this (using "Google with quotes") you must not research more than one sentence at the same PC, and certainly not in the same week, as your search query strings are logged and it is just conceivable that a hacker could target this data as a source for a new dictionary! For rigour I searched for PART of the phrase ("blue pigs") above and got 197,000 hits, one of which was: (Blue) Pigs might fly! - Pinkbike Forum at www.pinkbike.com/forum/listcomments/?threadid=134426. However, I have left the example in to show the importance of this paragraph!
  5. To add some complexity, uniqueness AND length (IF! needed!) to the above you also need a SIMPLE set of rules - ONE FOR EACH LEVEL and VERY DISTINCT - which insert odd characters into the password and IDEALLY make it broadly unique to the web site you are visiting.

    To add COMPLEXITY, sometimes referred to (even by me!) as variety:

    1. Choose at least one character (but not the 1st) to change to upper case if one (not the 1st) is not already so. Then choose a position for at least one "special" character (not a-z, A-Z or 0-9) that is commonly available on all the devices you are likely to use (inc. an Internet cafe abroad!) and where you have a fallback if the character is not allowed by the web site when you create the password... For instance - if you chose the '=' sign as a complex/special character then your fallback might be to use 'EQU' on web sites that don't allow an equals sign.

    To add UNIQUENESS for any particular web site:

    2. Choose a way of selecting, morphing and then positioning 2-4 characters from the web site that you are logging in to, so that it is likely to result in a relatively unique set and position of characters.

    To add LENGTH is easy, but again it must be distinct at your (3 or 4?) different LEVELS of password:

    3. If what you have created above already exceeds 7 characters for a "level 1" web site, or exceeds 10 characters for a very important (level 5) site, then you don't need to add any more. As long as you have followed the rules up to here then it is OK to extend the length with a memorable word, acronym or reference number at this point, because any hacker will be unable to use dictionary and other simple methods - adding length to an already complex and unique password stops what is called the "brute-force" technique of trying every combination of every possible character in every possible position of a password!

General tips when creating passwords in addition to the above

As a general rule it is better to make your passwords unusual compared with the vast majority, so, for example, where possible and while retaining memorability etc.:

  1. Choose uncommon letters and numbers - 1, 2, a, e, i, o, r, s are all common
  2. When adding special characters - avoid the front (1st) and end (last)
  3. When adding numbers - avoid the end and bear in mind that some web sites do not accept them (or specials?) at the front
  4. When using or making characters upper-case - avoid the front

But as stated above, for the latest best practice on this topic visit: Passwords - best practices, which is this page if you are viewing it on-line.
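
As an added worked example (not code from the original page), the following Python checks a password against the rules in the numbered steps and the tips above (length threshold per level, placement of the upper-case and special characters, no trailing number, too many common characters) and flags pairs of passwords at different levels that share enough material to act as a 'set of ladders'. The minimum lengths for levels 2-4, the sample passwords derived from "blue pigs can't fly" and the site-derived characters are assumed for illustration only; the rules inside are placeholders, not a recommended scheme.

```python
from difflib import SequenceMatcher

# Characters the page lists as the most common (tip 1).
COMMON = set("12aeiors")
# Minimum lengths: the page gives "exceeds 7" for level 1 and "exceeds 10"
# for level 5; the values for levels 2-4 are an assumed interpolation.
MIN_LEN = {1: 8, 2: 8, 3: 9, 4: 10, 5: 11}


def acrostic(sentence):
    """The page's building block: the first character of each word."""
    return "".join(word[0] for word in sentence.split())


def with_fallback(password, site_allows_equals):
    """The page's example fallback: '=' becomes 'EQU' where a site rejects it."""
    return password if site_allows_equals else password.replace("=", "EQU")


def check_password(password, level):
    """Return the page's rules that the password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LEN[level]:
        problems.append(f"too short for level {level} ({len(password)} < {MIN_LEN[level]})")
    if not any(c.isupper() for c in password[1:]):
        problems.append("needs an upper-case letter that is not the first character")
    specials = [i for i, c in enumerate(password) if not c.isalnum()]
    if not specials:
        problems.append("needs at least one special character")
    elif 0 in specials or len(password) - 1 in specials:
        problems.append("special character should not be first or last")
    if password and password[-1].isdigit():
        problems.append("avoid a number at the end")
    if sum(c.lower() in COMMON for c in password) > len(password) / 2:
        problems.append("more than half the characters are common ones")
    return problems


def ladder_risk(passwords, min_shared=4):
    """Flag level pairs whose passwords share a run of min_shared+ characters,
    i.e. a 'set of ladders' from a low-value site to a high-value one."""
    risky = []
    items = sorted(passwords.items())          # (level, password), low to high
    for i, (level_a, a) in enumerate(items):
        for level_b, b in items[i + 1:]:
            m = SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b))
            if m.size >= min_shared:
                risky.append((level_a, level_b, a[m.a:m.a + m.size]))
    return risky


if __name__ == "__main__":
    print(acrostic("blue pigs can't fly"))    # bpcf
    sample = {1: "bp=Cfkbx", 5: "bp=Cfkbmoon"}  # constructed: same base at two levels
    for level, pw in sample.items():
        print(level, pw, check_password(pw, level) or "ok")
    print(ladder_risk(sample))                # shared run "bp=Cfkb" is the escalator
```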

This page © Business before Technology 2008-2019 - see the respective sites of the owners for their copyright as well as terms and conditions

Links and other information last validated on 22nd May 2009. Please use the Contact us page to suggest any additions or revisions.

