With high-visibility security incidents like the eBay breach and the Heartbleed vulnerability in the news recently, it is paramount that you evaluate how you create passwords. Weak passwords expose your online accounts to unauthorized use and takeover. This is common with public webmail accounts like Yahoo, Gmail and Outlook.com (formerly Hotmail). Often the attacker gains access to an account and then changes the password and the recovery information, such as security questions and alternative email addresses, which makes it very difficult to regain access to your account.
Weak Password Methods
People often use weak password methods because of the burden of remembering multiple complex passwords. Some of the weakest methods are:
- Dictionary words (trains, dogs, golf)
- Names with numbers appended (john316)
- Simple changes to words (p@ssw0rd)
- Well known number sequences or dates (911, 1225)
- Common keyboard or keypad sequences (qwerty, 12345)
- Passwords with personal information (address, phone number)
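The patterns in the list above are exactly what password-cracking tools try first, and each one can be spotted mechanically. The checker below is an added example, not the article's code: it flags the six weak patterns against a small constructed word list and keyboard-sequence list (a real checker would load a full cracking dictionary) and undoes the common look-alike substitutions first, so that p@ssw0rd is matched as the dictionary word it is.

```python
import re

# Added example. The word list, sequence list and substitution table are small,
# constructed stand-ins; a real checker would load a full cracking dictionary.
DICTIONARY = {"trains", "dogs", "golf", "password", "football", "security",
              "john", "welcome", "summer"}
KEYBOARD_SEQUENCES = ("qwerty", "asdf", "zxcv", "12345", "1234", "0987")
# Look-alike substitutions an attacker undoes before matching a dictionary.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case and undo simple look-alike substitutions: 'p@ssw0rd' -> 'password'."""
    return pw.translate(LEET_MAP).lower()


def weak_patterns(pw: str, personal: tuple = ()) -> list:
    """Return the weak-password patterns found in pw (an empty list means none found).

    `personal` holds strings the user should never include, such as a street
    name or phone number.
    """
    findings = []
    lower = pw.lower()
    norm = normalize(pw)
    if len(pw) < 12:
        findings.append("short")
    if lower in DICTIONARY:
        findings.append("dictionary word")
    elif norm in DICTIONARY:
        findings.append("simple substitution of a dictionary word")
    # A run of letters followed by a run of digits, e.g. john316.
    m = re.fullmatch(r"([a-z]+)(\d+)", lower)
    if m and m.group(1) in DICTIONARY:
        findings.append("name or word with digits appended")
    if any(seq in lower for seq in KEYBOARD_SEQUENCES):
        findings.append("keyboard sequence")
    if pw.isdigit():
        findings.append("number sequence or date")
    if any(p and (p.lower() in lower or p.lower() in norm) for p in personal):
        findings.append("personal information")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs: the article's weak examples plus two strong ones.
    samples = ["trains", "john316", "p@ssw0rd", "1225", "qwerty", "12345",
               "Sunset Blvd 4421", "@yRf$F?-Facebook", "SpE@CsU$RwI0TrYd!"]
    for pw in samples:
        result = weak_patterns(pw, personal=("Sunset Blvd",))
        print(f"{pw:20} {result or 'no weak pattern found'}")
```

The check is deliberately conservative: a password that passes it is not proven strong, but one that fails it is guessable with off-the-shelf wordlists and mangling rules.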
Creating complex passwords does not mean they have to be hard to remember. Here are some ideas for creating stronger passwords that are easy to remember.
Strong Password Methods
- Pick a phrase and use the first letter of each word.
- “Are You Ready For Some Football?” could be translated to ayrfsf.
- Strengthen this by incorporating capitalization AyRfsF
- Further strengthen this with special characters @yRf$F?
- To create a similar password for different sites you can add a prefix or suffix like @yRf$F?-Facebook or @yRf$F?-gmail
i. This also makes the password much longer, which is statistically the best way to improve password security: every added character multiplies the number of guesses an attacker must try, while swapping one letter for a symbol only changes a single position.
ii. The site name is the guessable part, so keep the shared base strong and private: if one site leaks @yRf$F?-Facebook, an attacker will try @yRf$F?-gmail next.
- Interleave two words by alternating their letters.
- Choose two words like “security” and “password”
- Alternate, taking the next letter from each word in turn: speacsusrwiotryd
- Strengthen this by incorporating capitalization SpEaCsUsRwIoTrYd
- Further strengthen this with special characters SpE@CsU$RwI0TrYd!
- To create a similar password for different sites you can add a prefix or suffix like SpE@CsU$RwI0TrYd!-Facebook or SpE@CsU$RwI0TrYd!-gmail
i. As mentioned before, this makes the password much longer, which is the most effective way to improve password security.
- Adding spaces to the password (if allowed) also increases the complexity, because the attacker has to include the space in the character set being guessed.
i. SpE@CsU$RwI0TrYd! – Facebook or SpE@CsU$RwI0TrYd! – gmail
- Some sites don’t let you use special characters. In these cases:
- Make the password as long as possible and use a mix of capital and small letters along with numbers.
i. N0 Good D33d Goes UnPun1sh3d (or N0GoodD33dGoesUnPun1sh3d if spaces are not allowed either)
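The two construction methods above, as an added example that is not the article's code: the phrase acronym, the two-word interleave, alternating capitalization, look-alike substitution and a per-site suffix are each a short function, and a last function estimates the brute-force search space in bits so the claim that length beats substitution can be checked with numbers. The article's hand-tuned examples apply capitalization and substitutions selectively (AyRfsF, SpE@CsU$RwI0TrYd!), so the mechanical versions here differ from them in places; the substitution table is an assumption.

```python
import itertools
import math
import string

# Added example. Substitution table is an assumption; pick your own.
SUBSTITUTIONS = {"a": "@", "s": "$", "o": "0", "i": "1", "e": "3"}


def acronym(phrase: str) -> str:
    """First letter of each word, lower-cased: 'Are You Ready For Some Football?' -> 'ayrfsf'."""
    return "".join(w[0] for w in phrase.split() if w[0].isalpha()).lower()


def interleave(a: str, b: str) -> str:
    """Alternate letters of two words: ('security', 'password') -> 'speacsusrwiotryd'.
    If one word is longer, its remaining letters are appended."""
    return "".join(x + y for x, y in itertools.zip_longest(a, b, fillvalue=""))


def alternate_case(s: str) -> str:
    """Upper-case every other character: 'speacsusrwiotryd' -> 'SpEaCsUsRwIoTrYd'."""
    return "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(s))


def substitute(s: str, table: dict = SUBSTITUTIONS) -> str:
    """Swap lower-case letters for look-alike symbols or digits; upper-case letters are kept."""
    return "".join(table.get(c, c) for c in s)


def with_suffix(base: str, site: str, sep: str = "-") -> str:
    """Per-site variant: '@yRf$F?' + 'Facebook' -> '@yRf$F?-Facebook'."""
    return f"{base}{sep}{site}"


def charset_size(pw: str) -> int:
    """Size of the union of standard character classes that appear in pw
    (26 lower, 26 upper, 10 digits, 33 punctuation and space)."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33)]
    return sum(n for chars, n in classes if any(c in chars for c in pw))


def brute_force_bits(pw: str) -> float:
    """Upper bound on attacker effort in bits if every string of this length over
    this character set must be tried. An acronym of a well-known phrase is weaker
    than this figure suggests; it is useful for comparing the effect of length
    against the effect of adding character classes."""
    return round(len(pw) * math.log2(charset_size(pw)), 1)


if __name__ == "__main__":
    base = substitute(alternate_case(interleave("security", "password"))) + "!"
    for pw in ["ayrfsf", "AyRfsF", "@yRf$F?", with_suffix("@yRf$F?", "Facebook"),
               base, with_suffix(base, "gmail")]:
        print(f"{pw:28} {brute_force_bits(pw):6.1f} bits")
```

Running it shows why the suffix matters more than the symbols: AyRfsF-Facebook (15 characters) scores well above @yRf$F? (7 characters) even though the latter has more character classes, which is the point made in the list above.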
Password complexity doesn’t require passwords that are impossible to remember. In general, avoiding dictionary words and using at least 12 characters with a mix of character classes greatly improves the quality and security of your passwords. Finally, change your passwords at least every 6 months, and immediately whenever a site where you use one is breached, as long as you don’t replace a strong password with a weaker one. The examples above could be enumerated as @yRf$F?-Facebook2 or SpE@CsU$RwI0TrYd! – gmail3, but a counter appended to an old password is one of the first variations an attacker who has the old one will try; creating a fresh password with any of the methods above is the stronger option.
By Shane Linde, Senior Engineer