When it comes to online security, one of the most important and most basic of the components that keep you safe is the humble password.
A password protects each account you make, from your email to your bank account, and in most cases even your computer itself.
If someone doesn’t know your password, and can’t guess it, they’ll have a hard time getting into your account.
Unfortunately, coming up with a strong password can be difficult, and a strong one you can actually remember is even more so, leading many people to use insecure passwords that are easily guessed.
However, these problems are avoidable, and it can be easier to make a strong password than you think…so long as you know what to look out for.
What Makes a “Weak” Password?
All passwords that are considered weak are at least one (but usually more) of a few things.
Weak passwords often:
These things apply even if you think you are being clever, such as by using common word-substitution practices like “leetspeak” (the practice of replacing letters with similar-looking numbers). For example, “password” is self-evidently a bad password (though it is distressingly common).
Unfortunately, many people might think that, for example, “P455w0rD” is by definition more secure. However, this is simply incorrect, or at the least is technically correct but to such a minimal degree as to be useless. While it might appear on the surface to serve the same purpose as a random set of numbers and letters, it is, obviously, not at all random.
The most common type of password “hack” is what is known as a brute force crack or attack. It is essentially a method of randomly guessing passwords until one works.
This can technically be done manually, and the more common your password is (and the more the would-be cracker knows about you) the more likely a manual brute-force attack will work.
But instead, you’re more likely to see computer-powered brute force attacks. These can guess something in the ballpark of 1000 passwords per second, or more. They start with common dictionary words, go on to the more obscure ones (in multiple languages as well, typically), and even slightly more sophisticated programs can branch out and start doing those common leetspeak substitutions for each word, testing every variant of capitalized and uncapitalized lettering for each word (making password, PASSWORD, PaSSwOrD, and of course P455w0rD and so on all about as secure as each other, as an example).
These brute force cracks take relatively minimal effort to set up and can often yield quite lucrative results for the person doing them over time.
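The point about leetspeak and capitalization can be checked from the defender's side. The following is an added example, not part of the original article: it collapses case and leetspeak variants back to their base word and counts how many such variants exist. The substitution table and the four-word list are constructed for illustration; the guess rate is the 1000 per second figure quoted above.

```python
# Assumed substitution table (letter -> look-alike characters); real tools use larger ones.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
REVERSE = {sub: letter for letter, subs in LEET.items() for sub in subs}

# Constructed stand-in for a real list of common passwords.
COMMON_WORDS = {"password", "letmein", "dragon", "sunshine"}

GUESSES_PER_SECOND = 1000  # rate quoted in the article


def normalize(candidate):
    """Undo case changes and leetspeak so every variant collapses to one base word."""
    return "".join(REVERSE.get(ch, ch) for ch in candidate.lower())


def variant_count(word):
    """Count spellings reachable by changing case or substituting each letter."""
    total = 1
    for ch in word.lower():
        forms = 2 if ch.isalpha() else 1      # lower and upper case
        forms += len(LEET.get(ch, ""))        # plus each look-alike character
        total *= forms
    return total


def check(candidate):
    """Return (is_weak, base_word, seconds_to_try_every_variant)."""
    base = normalize(candidate)
    if base in COMMON_WORDS:
        return True, base, variant_count(base) / GUESSES_PER_SECOND
    return False, base, None


if __name__ == "__main__":
    for pw in ("password", "PASSWORD", "PaSSwOrD", "P455w0rD"):
        print(pw, check(pw))
```

A check like this only catches dictionary words; it says nothing about passwords built from personal information.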
Now, these automatic password guessers won’t help them with personal information, necessarily. If you use your wife’s full maiden name as your password, plus her birthday or something, it can seem like a good password since it’s unlikely these kinds of brute-force attacks can work.
“MaryJaneDoe1986” looks like a pretty good password then, right?
What a lot of people fail to account for is that this level of sentimentality in passwords is common, and oftentimes the information used to make the password is wholly publicly available.
Whether you’ve posted about your wife on Facebook before, or just have had a publicly documented wedding or some such, it’s shockingly easy for someone to find out information about you that you might not be aware of.
Spouses’ and children’s names are a big one, as are pets’ names (though these might be slightly harder to guess if you don’t post about them on social media), and if someone is targeting you specifically, these passwords will offer almost no protection.
It’s easy enough that a child could do it, and that’s speaking from experience. I used to be very proud of myself for “hacking” into the family computer when I was grounded just by guessing what passwords my family might use.
And if a child can do it, you can rest assured a creative and greed-motivated individual with access to all of your publicly available information can do it too.
So, with the “don’t” options out of the way, what are some things you SHOULD do?
Components of a Strong Password
So, we know that the first things hackers will try are basic words and phrases in the dictionary, as well as common strings of numbers and symbols, tacked onto the end to meet minimum password requirements, followed by passwords derived from sentimental personal information.
Now that you know that, you’re empowered to do something about it.
1. Random Passwords
Your first inclination might be to start trying out truly random strings of letters, numbers, and symbols.
This is a good instinct, and it actually CAN result in very strong passwords, but does fall victim to a few human foibles.
Namely, the human memory, and our proclivity to find or create patterns in anything we do.
No string of letters, numbers, or symbols in different stages of capitalization formed by human hands will be truly random. For that matter, neither will ones created by machines (which we’ll get to in a moment), but they get a lot closer than people do.
For example, I’m going to close my eyes and slap around on the keyboard for a bit “(NfUIUF(*UhY&@Hj@”
Wow! That sure does look like a secure password, right? How could anyone guess that?
And you’re right, it would be fairly hard to guess for a computer, and likely impossible for a person…even with the inherent patterning here (notice most of these letters and symbols come from the middle or right side of my keyboard, which is where my hands naturally fall as I’m holding left Shift with my left ring finger through much of it).
However, just as it would be nigh impossible for any hacker to guess manually…it’s also impossible for YOU to guess manually. I’ve already completely forgotten the exact order of letters and symbols up there as I look away from the screen for a moment.
If you have a photographic memory or something near to it, this is perhaps a great choice. For most people though, what this password represents is this: you’re going to be hitting the “Reset password” button every single time you go to log in to whatever site you’re looking at.
If this is the path you want to go, the only way to really make it work is by using a combination of a random password generator and a password vault or password manager of some kind.
Password managers are sealed by their own password, and contain a compilation of all your used passwords. This means you really only need to come up with a single ultra-secure password that then protects all your other randomly generated ones. That means this password needs to be airtight though, so you’re going to need at least one more method of secure password generation under your belt.
2. “Nonsense” Phrases
The next best thing to truly random passwords in terms of security is password phrases.
As mentioned before, certain phrases can be as insecure as simple words, usually boiling down to common historical quotes (“I have a dream…”, “Veni, vidi, vici…”), religious phrases (“God is great, God is good…”), or common inspirational phrases (“Nothing is impossible…”).
These can be guessed, and guessed more easily if the hacker is someone who knows you or has a strong enough grasp on your life from your social media habits to guess your interests and beliefs.
Instead, collections of seemingly unrelated words can be used.
It’s almost cliché at this point to refer to this XKCD comic when talking about password security and internet safety, but it’s commonly quoted for a reason.
This comic came out right when I started having to think about passwords for my adult accounts (work email, bank account, and so on) for the first time, and it’s been a great aid ever since.
The basic idea is to think of or generate four (or more!) seemingly unrelated words that are nevertheless memorable. The comic itself uses “Correct Horse Battery Staple” as an example, which you should NOT use, as it will almost assuredly be one of the first options tried by a savvy brute forcer. I’m sure many people saw the comic and failed to get the actual point of it. These four words have no relation and yet are quite memorable.
This kind of password can be further beefed up by adding random letters and symbols in between, though be sure it’s still something you can remember.
However, with this kind of password, you must be sure that the words are truly unrelated, or at least mostly so.
For example, something like… “Quick Fox Lazy Jump” might seem like a random string of words, but it harkens back to an old English language “pangram” (it uses all 26 letters at least once): the quick brown fox jumps over the lazy dog.
This kind of thing will almost assuredly be on crackers’ radars and will be programmed into their programs to try and get past the complacent.
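Both the random passwords from the previous section and the word phrases described here are only as strong as the number of equally likely outcomes the generator could have produced. The following is an added example, not part of the original article: it generates both kinds with Python's `secrets` module and estimates the guessing effort. The 16-word list is constructed, and the 7776-word list size is an assumed figure for a diceware-style list.

```python
import math
import secrets
import string

# Constructed sample list; far too small for real use (see the numbers below).
SAMPLE_WORDS = [
    "anchor", "biscuit", "cactus", "dolphin", "ember", "fiddle", "glacier",
    "hammock", "igloo", "jigsaw", "kettle", "lantern", "magnet", "nutmeg",
    "orbit", "pebble",
]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
GUESSES_PER_SECOND = 1000  # rate quoted in the article


def random_password(length=16, alphabet=ALPHABET):
    """Pick each character independently with a cryptographic RNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words, count=4, sep=" "):
    """Pick each word independently, so no human habit links the words."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, picks):
    """Bits of entropy when each of `picks` items is drawn from `choices` options."""
    return picks * math.log2(choices)


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time for a guesser who knows the method and the list."""
    return 2 ** bits / rate


if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS), random_password())
    for label, bits in (("4 words of 16", entropy_bits(16, 4)),
                        ("4 words of 7776", entropy_bits(7776, 4)),
                        ("16 chars of 94", entropy_bits(len(ALPHABET), 16))):
        years = seconds_to_exhaust(bits) / (365 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits, {years:.3g} years")
```

The estimate assumes the guesser already knows the method and the word list, so the result depends only on list size and word count, not on the method staying secret.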
3. Modified Sentence Passwords
Also known as the Schneier Method (named after Bruce Schneier, a prominent computer security specialist), this follows much the same principle as the above options.
It aims to create a password that is easy for you to remember, but very hard for other people to guess.
The method is simple. You think of a sentence and a rule that modifies that sentence into a password.
As a quick example, your sentence is “My favorite restaurant is Joe’s Diner”.
This is an easy sentence to remember, especially if it is true at the time you make it.
Now, this sentence alone is a pretty bad password. While it may be hard for computers to crack, it is the kind of thing that someone who knows you, or knows enough about you, can try as a password quite easily.
What changes this is the rule. The rule should also be something easy to remember, with the most common example being to take the first two letters of each word and just mash them into a single word.
In this case “My favorite restaurant is Joe’s Diner” becomes “MyFareisJoDi” which is going to be pretty hard for both computers and people to guess.
However, the exact rule is unimportant, and there are a near-infinite number of combinations to this. “MyFareisJoDi” is only one possible permutation of even that singular phrase.
Assume the same sentence, but apply a different rule, like “the first and last words are mirrored”. This gives you a password of “MYyMDinerreniD”; somewhat harder to remember (so perhaps a bad rule) but also hard to guess.
So long as you can remember the trigger phrase and how you modified it, you can always take a moment to back-engineer your own password (because there’s a logic to it), but crackers are going to have a MUCH harder time trying to do so, since there are at least two levels of randomness to this.
A Final Note
One thing you should always be aware of: no password is going to be perfect. However, one should never let perfect be the enemy of good, as the saying goes.
Just because no password is uncrackable does not mean you should give up trying to make it harder. At a certain point, if your password is hard enough to crack, most people will give up on it.
The “Nonsense Phrase” method exemplified in the XKCD comic has been touted as outdated in recent years because crackers have started to catch onto it and work the logic into their password guesser programs. This might disqualify it as a method to be used for the absolute most secure things imaginable, like secret intelligence reports and the like.
However for you, the average person, it should still suffice. All types of security are an exercise in risk management above all else. There is absolutely no silver bullet for security of any type, no security system that can’t be overcome, or any truly impenetrable vault on the planet.
The point of security is deterrence and risk mitigation rather than truly having ironclad protection nothing could ever get through.
A password that takes three minutes to crack is a bad password, no matter how you slice it. If it takes 3 days to crack, it might be a bit better, depending on what you’re protecting. Most people aren’t going to spend 72 hours straight trying to crack into your DirecTV account or what have you. If a password takes three weeks, months, or years to crack?
It may as well be perfect unless you’re dealing with assets beyond most people’s means. Even your bank account and the like are not going to be worth it to the average hacker if it takes that long because there’s no telling how long it will take once it passes that 3-day mark. It could be four days, a week, or three decades for all they know…and so most of the time, they’ll move onto an easier target.
That said, always have some kind of backup plan because it goes both ways. If a particularly dedicated hacker doesn’t move on, you could end up having to deal with a security breach anyway…but that doesn’t mean having the more secure password was useless, it just means your first line of defense has been breached, so now they have to deal with the rest.