
How to create strong passwords

How to create strong passwords and improve your cyber hygiene

Cyber incidents continue to rise, and a large share of personal and company breaches trace back to poor cyber hygiene on the part of users. Two of the most common failures are:

  1. Not creating strong passwords. A strong password uses upper and lower case letters, numbers and special characters, is not built from dictionary words, and is at least eight characters long. Treat eight as the floor rather than the target: length matters more than any other single property, as the passphrase section below shows. The longer and more varied the password, the harder it is to guess or to recover by brute force.
  2. Not using a unique password per account. To make life easier, users reuse the same password across multiple platforms, or use close derivatives of a base password. Once an attacker learns one account's password, that password or pattern is tried against other accounts, an attack commonly called credential stuffing.

Let me share a personal example of a password reuse breach. Many years ago I would use the same password for online accounts on services that I was testing, or to gain access to resources that required creating an account. These were accounts I considered unimportant. A few weeks ago, I got an email from one of these services, which I hadn't used in years. The email was a geolocation-triggered notification, stating that a new login had been detected from a device in Indonesia.

Many services have been breached, and the usernames and passwords from their databases have been leaked or sold online to people with ill intent. My account credentials ended up in one or more of these leaked datasets. Someone with access to those datasets tried the usernames and passwords against other services, and that is what happened in my case. I logged into the account with the old password and changed it. Another example is the LinkedIn breach of 2012. In 2016 the dataset, containing the credentials of millions of users, was circulating online; security researchers obtained it and were able to log into Donald Trump's Twitter account, because he had used the same password on both platforms.

You can use the online tool Have I Been Pwned to check whether your email address has appeared in a data breach; it lists which service or company's breach your details appeared in. You can go further and use the Pwned Passwords section of the site to see whether any of the passwords you habitually use appear in a breach. That check is designed so the password itself never leaves your browser: only the first five characters of its SHA-1 hash are sent, the service returns every hash suffix it knows with that prefix, and the matching is done locally.

Sample of the 14 breach datasets that my email address appears in.
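The following is an added example, not part of the original post, showing how the Pwned Passwords check described above works under the hood, so you can run the same logic yourself rather than pasting a real password into a website. The range response is a constructed sample with illustrative counts (the real response for that prefix has hundreds of lines); the URL in `online_range_fetch` is the service's documented endpoint, but that function is never called unless you pass it in explicitly.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords "range" response for the prefix
# 5BAA6, which is the first five hex digits of SHA-1("password"). A real
# response lists every suffix seen with that prefix; only three lines are
# reproduced here and the counts are illustrative, not the live figures.
SAMPLE_RANGE_RESPONSE = """\
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
003D68EB55068C33ACE09247EE4C639306B:3
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_k_anonymity(password: str):
    """Return (prefix, suffix). Only the 5-character prefix is ever sent, so
    the service cannot tell which of the many hashes sharing it is yours."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response locally for our suffix; 0 means not found."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def offline_range_fetch(prefix: str) -> str:
    """Stand-in for the network call so the example runs offline."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def online_range_fetch(prefix: str) -> str:
    """Real lookup against the documented endpoint (not used by default)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_seen_in_breaches(password: str, fetch_range=offline_range_fetch) -> int:
    """Number of times the password appears in the breach corpus (0 = never)."""
    prefix, suffix = split_for_k_anonymity(password)
    return count_in_range(suffix, fetch_range(prefix))


if __name__ == "__main__":
    for pw in ("password", "LX5$pw7a"):
        n = times_seen_in_breaches(pw)
        verdict = f"seen {n} times in breaches" if n else "not in the sample data"
        print(f"{pw!r}: {verdict}")
```

To query the live service, call `times_seen_in_breaches(pw, online_range_fetch)`. Note that even then the full hash is never transmitted; the only thing the service learns is a 20-bit prefix shared by a huge number of possible passwords.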

Creating strong passwords

The challenge with creating strong passwords lies in making them complex enough that they are not easily guessed, while still allowing the user to recall them when needed. This can be very frustrating for users. Let's take a look at some options to remedy this.

Password Phrase or Passphrase

Based on the characteristics stated above, this is what a strong password looks like at the bare minimum:

LX5$pw7a

A password like that can take quite some time for any user to commit to memory. Now imagine having to remember multiple passwords of similar make-up.

Passphrases are built on the principle that the longer the password, the longer it takes a computer to crack. A passphrase strings together at least six words into a phrase that is easier for a user to recall. A passphrase can be a complete sentence, but a randomly chosen set of words is recommended: a grammatical sentence is far more predictable than its length suggests, whereas random words drawn from a large list get their strength from the number of words and the size of the list, both of which an attacker has to search exhaustively.

There are 3 approaches you can take with passphrases:

  1. Text Only Phrase – prettyhummingbirdflewacrossmywindowswiftly
  2. Case adjustment with character substitution – pr3ttyHumm1ngbi4dflew@cro$smyw!ndowSwif7ly
  3. The first character of each word, with case adjustment and character substitution – pH6f@mw$

According to an online crack-time estimator, the passwords produced by the three approaches above would take a computer 200 duodecillion years, 13 novemdecillion years and 8 hours respectively. Treat these figures as a comparison of keyspace rather than a prediction: the estimator models a character-by-character brute-force search, so approach #1, which is plain dictionary words, is much weaker than its figure suggests against an attacker who combines whole words instead of characters. Approach #3 shows the trap of abbreviation: squeezing the phrase back down to eight characters throws away almost all of the length that made it strong, which is why it drops from astronomical ages to hours.

How long a computer would take to crack the approach #2 password.
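Added example (not from the original post) that puts numbers on the three approaches above and on the eight-character password from the start of this section. It compares the character-by-character brute-force model that online estimators use with the word-combination model an attacker would actually apply to a phrase of dictionary words, and it generates a random passphrase the way a password manager would. The guess rate, the 10,000-word dictionary size and the tiny word list are assumptions made for the example.

```python
import math
import secrets
import string

# Assumption for this example: an offline attacker guessing against a fast,
# unsalted hash at 10 billion guesses per second. Real rates depend on the
# hash (bcrypt/Argon2 are orders of magnitude slower) and on hardware.
GUESSES_PER_SECOND = 1e10

# Assumption: size of the dictionary a word-combining attacker works from.
ATTACKER_DICTIONARY = 10_000

# Constructed tiny word list, for demonstration only. A real Diceware-style
# list has 7776 words; the list size is what gives a random phrase strength.
SAMPLE_WORDLIST = [
    "pretty", "hummingbird", "flew", "across", "window", "swiftly",
    "granite", "lantern", "orbit", "velvet", "cactus", "meadow",
]

SYMBOLS = string.punctuation  # the 32 printable ASCII symbols


def charset_size(password: str) -> int:
    """Alphabet a brute-force attacker must cover, inferred from the
    character classes actually present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def brute_force_bits(password: str) -> float:
    """Keyspace in bits under the character-by-character brute-force model
    that online 'how long to crack' estimators use."""
    return len(password) * math.log2(charset_size(password))


def word_combination_bits(n_words: int, dictionary_size: int) -> float:
    """Keyspace in bits when the attacker guesses whole words from a
    dictionary instead of characters: n independent choices of one word."""
    return n_words * math.log2(dictionary_size)


def seconds_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the keyspace."""
    return (2 ** bits) / 2 / rate


def human_time(seconds: float) -> str:
    """Render seconds as the largest sensible unit with 3 significant digits."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def generate_passphrase(n_words: int = 6, wordlist=SAMPLE_WORDLIST) -> str:
    """Random passphrase from the OS CSPRNG; never pick the words yourself."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    samples = [
        ("bare minimum", "LX5$pw7a"),
        ("approach #1", "prettyhummingbirdflewacrossmywindowswiftly"),
        ("approach #2", "pr3ttyHumm1ngbi4dflew@cro$smyw!ndowSwif7ly"),
        ("approach #3", "pH6f@mw$"),
    ]
    for label, pw in samples:
        bits = brute_force_bits(pw)
        print(f"{label:13s} {bits:6.1f} bits (brute force) -> {human_time(seconds_to_crack(bits))}")
    # Approach #1 is seven dictionary words; this is the model an attacker uses.
    bits = word_combination_bits(7, ATTACKER_DICTIONARY)
    print(f"approach #1 as 7 words from {ATTACKER_DICTIONARY} -> {bits:.1f} bits, "
          f"{human_time(seconds_to_crack(bits))}")
    print("random passphrase:", generate_passphrase(6))
```

The two numbers for approach #1 are the point: the brute-force model credits it with about 197 bits, while seven words from a 10,000-word dictionary give 93 bits. That is still comfortably strong, but roughly 2^104 times less than the estimator implies, and a short, grammatical sentence would be weaker still. Approach #3, at about 52 bits, is the only one that is realistically crackable.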

Password Manager

Password managers are applications that generate unique, strong passwords for you and save them in a personal encrypted database. Typically the manager stores the URL of the login page together with the username and password for the service. You can later retrieve the credentials by logging into the manager and viewing the entry, or have them filled in as you browse if you use the accompanying browser plugin. Most managers also offer storage for credit card details, identity information and secure notes.

With a password manager you only need to remember one password: the master password that unlocks the application. Make this password very strong (a long random passphrase is a good fit, since it is the one password you must memorise), and enable multi-factor authentication on the manager if it offers it. There are quite a few password managers on the market. Examples include:

Some are free, while others have a free tier with the option to upgrade to a premium subscription.

Now, armed with this information, go forth and create secure passwords for your new and existing accounts, especially those where you are reusing passwords. You can use the online tool How Secure Is My Password to test the strength of passwords you generate manually or with a password manager. One caveat: never type a password you actually use into a third-party website, however reputable; test a password of the same construction instead. Remember too that such estimators measure brute-force keyspace, not resistance to dictionary or pattern-based attacks.
