Passwords… they’re everywhere. How many passwords do people use everyday? Far too many, that’s for sure. Passwords are the gatekeeper to keeping your business and personal information secure… but are your passwords effective? Do you use complex passwords to protect your sensitive data? Some of us do, but most don’t. Here’s a list of 6 tips to make your passwords better:
1. Use a complex password
What are complex passwords? Complex passwords use different types of characters in unique ways to increase security. If your business uses Microsoft’s default policies, complex passwords are defined as:
- Not containing the account name or part of the displayed name the password is associated to. (Example: Bob A. Smith’s username is bsmith, so bob and smith are not allowed as part of the password).
- Password contains characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
- Non-alphanumeric characters (special characters):
Note: Currency symbols such as the Euro or British Pound are not counted as special characters.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages
2. Use at least a 12-14 character password.
Does size really matter? In the case of password length it does!
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker sets up scripts to systematically check all possible passwords and passphrases until the correct one is found. This kind of attack just takes time and computing power. However, with the growth in everyday computing power, passwords used in the past which would normally have taken years to crack, can now be done in days, hours, or even minutes. Since traditional password brute-force attacks attempt all possibilities for each character of the password, making the password longer just makes the process take longer. At this time a minimum of 12-14 character passwords are recommended by most security professionals.
There are websites available that can estimate the strength of an entered password, but be cautious when using these sites. First, ensure the site is using a secure connection (look for the lock in the address bar). Next, ensure the password is running locally without sending data over the internet. Below this article are a few links to these types of sites (listed in the “Secure Password Check sites” section below), but the results are wildly different from each other.
Want to know if a password was contained in a reported breach? Search your password at Pwned Passwords (https://haveibeenpwned.com/Passwords).
According to Sam Bocetta’s article “It’s (Still) the Password, Stupid!” on Dark Reading’s website, here is a list of the most common passwords exposed in recent breaches:
123456 | 123456789 | password | qwerty | 12345 | qwerty123 | 1q2w3e | 123123 | 111111 | 12345678 | 1234567 | 1234567890 | abc123 | anhyeuem | iloveyou | password1 | 123456789 | 123321 | qwertyuiop | 654321 | 123456 | 121212 | asdasd | 666666 | zxcvbnm | 987654321 | 112233 | 123456a | 123123123 | 123qwe | 11111111 | aaaaaa | qwe123 | dragon | 1234 | 1q2w3e4r5t | reset | zinch | 25251325 | monkey | a123456 | 1qaz2wsx | 1q2w3e4r | 123654 | 159753 | 222222 | asdfghjkl | 147258369 | 999999 | 5201314 | 123abc | qweqwe | 456789 | 555555 | 7777777 | qazwsx | princess | qwerty1 | 1111111 | football | j38ifUbn | asdfgh | 66bob | 888888 | 163.com | 147258 | asd123 | azerty | sunshine | 789456 | 3rJs1la7qE | 159357 | michael | 789456123 | 88888888 | 1234qwer | daniel |Password | abcd1234 | myspace1 | computer | 987654321 | shadow | qqqqqq | 1234561 | killer | superman | pokemon | 987654 | master | q1w2e3r4t5y6 | baseball | 777777 | 123456789a |charlie | 11223344 | 333333 | soccer | x4ivygA51F
… and it goes without saying… try not to use any passwords found here.
3. Don’t use dictionary words or combinations of words.
Out with Webster… and his Dictionary! (I’ve wanted to say that for so long)
The dictionary is a tool normally used to help us communicate, by indicating proper spelling and use of words, and used in this way it is invaluable. But if I’m a hacker, and I was looking for a list of words that someone might use for a password… Where could I possibly find this? Hmmm? Exactly! The dictionary is the first place hackers go to create a list of words they use when attempting to gain access, which is why you shouldn’t use words contained in the dictionary.
4. Don’t use common Substitutions.
When I was younger I created a “secret code” to send messages to my friends, by using a simple substitution cypher. I listed the alphabet and chose a place to start and then numbered all of the letters. I was then able to write a group of numbers in a “secret” message and pass that note on to a friend of mine. As long as my friend knew where to start numbering the alphabet and how to substitute the letters for the numbers they could decrypt the “secret” message.
In the 1980’s leetspeak was used by online gamers and computer hackers. 31337 or 1337 was seen on many bulletin board systems (BBS) or chat rooms. 31337 = ELEET (elite) and 1337 = LEET (short form elite) were used because the characters were roughly mirror images of the original letters (we won’t go into the incorrect spelling at this time). Here are some of other common substitutions currently in use: A = 4, E = 3, 1 = ! or 1 = l, S = 5, 0 = O, T = 7 (I’m sure you get the idea).
5. Use a PassPhrase as a password
Longer passwords are more secure than shorter passwords, but there are only so many 12 character (or more) words, right? So instead of racking your brain for a huge word (and hoping you can spell it correctly once you think of one) we can string some shorter words together to create a passphrase to use as a password.
“The quick brown fox jumped over the lazy dog” could be a passphrase, but since it is from a popular children’s book it will also be widely known. Unrelated words are more secure because they are harder to guess when they are used together, but they are also harder to remember. Random words might be easier to remember if you can relate them to an image in your mind.
For example, as I look out my window I have an image in my mind and I can choose unrelated words from the image… overgrown, stumps, dead neon. Now if I string those words together my passphrase becomes: overgrownstumpsdeadneon (26 characters). But this is not suitable for a password, so let’s go deeper.
Chris Hoffman at How to Geek (https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/) used the following example:
“you might find it easier to remember a sentence like “The first house I ever lived in was 613 Fake Street. Rent was $400 per month.” You can turn that sentence into a password by using the first digits of each word, so your password would become TfhIeliw613FS.Rw$4pm. This is a strong password at 21 digits. Sure, a true random password might include a few more numbers and symbols and upper-case letters scrambled around, but it’s not bad at all.”
6. Use a password manager
Once you have decided on a complex password how do you remember it? My best recommendation is… don’t try and remember it. Get a password manager and store all of your account information in the password manager, so you only have to remember one password/passphrase to get access to the manager. Just make it a strong one!
A password manager can make your life so much easier. I have worked in IT for a number of years and I’ve worked on hundreds of client’s infrastructures. There’s no way anyone can be expected to remember a server password for a client whom you haven’t had to work with for over a year. Or the website credentials for your domain registrar when you haven’t needed to go there in possibly 3yrs or more.
A password manager allows you to store all the information about a set of credentials (username, password, web links, notes). I have personally used LastPass (https://www.lastpass.com), and I regularly recommend it to clients. There are several tiered versions (Free, Premium, Families, and Enterprise) available.
One final note on password managers, they are only effective if you use them… and use them properly. Once you get a password manager it will take some time to get your passwords entered, and then you need to train yourself to enter new credentials as soon as you create them. Trust me when I tell you, it will be time well spent!
Putting it all together.
Now that we have the tips, let’s try and put them together. I’m going to use the example from the passphrase section of overgrownstumpsdeadneon as my passphrase which starts us at 26 characters.
Next we add some Uppercase characters, but not in the normal way (just to make it easy for discussion sake I’m capitalizing the last letter in each word). overgrownstumpsdeadneon becomes overgrowNstumpSdeaDneoN
When you are using this process you can use any substitutions you want as long as you can remember them. I’m going to use the following substitutions:
- 5 = s at the beginning of stumps;
- I will use @ = a in any word that has an a;
- I will use # = e in any word that has an e;
- And 0 (zero) = o in grown
Now we have the following transition:
overgrowNstumpSdeaDneoN becomes ov#rgr0wN5tumpSde@Dn#oN
So my final passphrase becomes “ov#rgr0wN5tumpSde@Dn#oN“.
- Most dictionary words have been broken up
- I’m not counting umps and on portions as dictionary like words
- Uppercase, Lowercase, Numbers, and Symbols are included
- Common substitutions and some uncommon substitutions are being used, however I believe the 26 characters offsets the common substitutions.
As you can see, there are many approaches to creating strong passwords. Ultimately once a password has been created, it is important to keep it secure. This means that you shouldn’t write it down on a post-it note and stick it to your monitor as that defeats the purpose… under the mouse pad or keyboard is equally as bad. Again, this is where a password manager comes in handy, and most password managers can make strong password suggestions. When used together, you’ll never have to remember the passwords, and they are kept safely locked away from prying eyes… and nefarious hackers.
I hope this article helped some of you to create better passwords. Now if you’ll excuse me, I have to go get this new password entered in my password manager! Just kidding, I’m not gonna use this one since I know all of you will. 🙂
Sources and more information:
Secure Password Check sites: