TechSoup Blog

State-of-the-Art Ways to Create a Secure Password

Written by Jack Foster | Feb 27, 2019 12:43:00 AM

Editor's Introduction

We've seen so many articles about passwords and so many of them talk about much the same things — essentially to make your passwords long and strong. We loved Jack Foster's comprehensive piece on nearly every technique available to create and manage passwords currently. We hope you do too. As he notes, bad passwords account for most cybersecurity breaches. This article was originally published on VPNGeeks.com and is republished here by permission of the author. The keyboard image in Technique 4 is also courtesy of VPNGeeks.

The Need for Good Passwords

Over the years, there have been many password tricks that have been invented, such as using a formula or mashing up memorable words. However, hackers are getting wise to our methods, and they have invented a whole host of superfast tools to crack our once secure password codes. In 2017, the Verizon Data Breach Report stated that "81% of breaches are caused by weak or reused passwords." Therefore, the importance of never reusing passwords cannot be stressed enough. Reusing passwords creates a serious leak in your data security when online. Find below some tips on the different reliable ways you can create truly unhackable passwords that you can actually remember.

How to Create a Secure and Memorable Password

If we break it down there are three keys to creating a secure password:

  1. Creating the password
  2. Securing the password
  3. Remembering the password

Before we think about any of the above, it is a good idea to gain some understanding of how hackers crack passwords. Then we might be able to reverse engineer this process to ensure that we create truly secure passwords.

How Do Hackers Crack Passwords?

Hackers use offline password-guessing attacks to guess your passwords. Their first aim is to turn a stolen file of encrypted passwords back into the plaintext passwords. These days hackers have access to military-strength password cracking software. If the hacker has a powerful machine, they can test millions of passwords per second until they guess the correct one.

I guess one of the problems that we are facing is that people have access to powerful kit that can cleverly guess passwords faster than ever before. In fact, there is currently a piece of software on the market that claims to do 8 million tries per second. Originally this type of tech was only available to government bodies, like the police. But now hackers have free access to be able to run this sort of hackathon for days or weeks on many machines.

Password Anatomy

Normally a password formula is made up of a root plus an appendage (suffix or prefix). The software to crack passwords has gotten very sophisticated. It checks dictionary words in various languages and even checks for common substitutions like "1" for an "i" or "3" for an "e." Hackers will also use any personal info that they have on the person and input this into the software to generate possible passwords.

The old advice was to string a lot of words together in a random fashion. However, this advice is no longer applicable as hackers can access this sort of password in milliseconds. Here are my tips for 2019.
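As an added example (not code from the article), here is a small Python strength check that does what the article says cracking software does: it undoes common substitutions and strips a numeric or punctuation appendage to recover the root word, looks that root up in a wordlist, and estimates worst-case brute-force time at the article's figure of 8 million guesses per second. The wordlist, the substitution map and the guess rate are assumptions of this example.

```python
import re
import string

# Substitutions that cracking tools try in reverse ("1" for "i", "3" for "e", ...).
# Constructed for this example; real tools use far larger rule sets.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for the multi-language dictionaries crackers ship with.
WORDLIST = {"password", "qwerty", "christmas", "welcome", "summer", "letmein"}

# Guess rate taken from the article's "8 million tries per second" figure.
GUESSES_PER_SECOND = 8_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def root_of(password: str) -> str:
    """Strip a numeric/punctuation prefix or suffix (the appendage) and undo
    common substitutions to recover the likely dictionary root."""
    core = password.strip(string.digits + string.punctuation)
    return core.translate(LEET).lower()


def charset_size(password: str) -> int:
    """Size of the character classes a brute-force attack would need to cover."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to exhaust the full key space at the given guess rate."""
    return charset_size(password) ** len(password) / rate / SECONDS_PER_YEAR


def assess(password: str) -> dict:
    """Flag a password that is a dictionary root plus appendage, or whose
    key space is small enough to exhaust in under a year."""
    root = root_of(password)
    in_dictionary = root in WORDLIST
    years = brute_force_years(password)
    return {"root": root, "dictionary_word": in_dictionary,
            "brute_force_years": years, "weak": in_dictionary or years < 1.0}


if __name__ == "__main__":
    for pw in ("Chr1stm4s2018!", "QWERTY", "MSi5yOnM", "TQjmp1ng@bcL@Plma"):
        r = assess(pw)
        print(f"{pw:18} root={r['root']:18} dictionary={r['dictionary_word']!s:5} "
              f"years={r['brute_force_years']:.3g} weak={r['weak']}")
```

Note that the brute-force figure is only an upper bound for a given guess rate; a password whose root is a dictionary word falls long before the key space is exhausted.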

Technique 1: Avoiding Easy-to-Crack Passwords

You'd be surprised at how many people use easy-to-crack passwords. Passwords like "password" or "QWERTY" are a hacker's dream — they can gain access to your accounts within seconds with passwords like these.

Another common mistake is using personal information within passwords: for example, using your name or family name within your password. I've lost count of the number of times I've seen people use their husband's, wife's, or children's names and birthdays within their passwords. It doesn't take a detective nowadays to find this information out within a matter of minutes.

You may have noticed when creating a password, the company, software, or website you're using may make some suggestions for you. For example, including uppercase and lowercase letters, with a combination of numbers, punctuation, and at least eight characters long. The reason for these suggestions is that a password built this way, rather than from an ordinary word, is much harder for hackers to crack.

Technique 2: Cryptic Familiarity

Creating a password that's familiar to you is a good way to remember your password. However, as we know, this could be detrimental as it can be easy for hackers to crack. With over 66 percent of the population using social media, it's not difficult for cybercriminals to find personal information about you.

If you can generate a password that's difficult to crack but simple for you to remember, you're onto a winner. Something like "My son is 5 years old next month" can be scrambled into "MSi5yOnM". That might look confusing, but it's a phrase you'll easily remember and would be almost impossible for a hacker to crack.

It's quite common for people to use other methods to remember their password in a similar way: for example, a nursery rhyme or your favorite song. Again, it's all about combining uppercase and lowercase letters. "Humpty Dumpty sat on a wall, Humpty Dumpty had a great fall" turns into "HDsoaWHDhaGf" — easy to remember, hard to bypass.

Taking the above examples one step further, we can replace characters with symbols, numbers, and punctuation. This may be a little more difficult to remember at first, but you'll get used to the method quite quickly. You can make your own rules up on this one: for example, replace the letter "i" with a 1 and "a" with a 4. Let's take the phrase Christmas2018 and create a strong password of "Chr1stm4s2018!"

Technique 3: Memorable Dates

If you read the introduction to this post, you may be wondering why I'm including memorable dates as a secure password. A sequence of numbers can often be easier to remember than sentences, but sometimes easier to crack if the numbers are too obvious.

Avoid using birthdays or obvious dates that a cybercriminal could easily access. Think about your personal information that's publicly available — social media, blogs, and so on — and avoid any dates that you may have mentioned or posted about on these accounts.

Instead, think a little more outside the box. Perhaps you could remember a date when you went on your first holiday, stayed in your first hotel, first went ice skating. This kind of information is much harder to guess but should still be easy for you to remember.

For this method, think of three memorable dates, such as

  • 01/24/88
  • 12/19/91
  • 05/06/01

Replace the slashes (/) with a different character such as a "v" and the spaces between dates with an underscore (_). You can add a special character to the end of the password to make it extra secure. You should end up with something like this: 01v24v88_12v19v91_05v06v01!

Although the password is long (and you may have to adapt it depending on the system you're using), it's probably the strongest password you're going to get! As long as you can remember the dates and the characters you've used to replace, you're onto a winner!

Technique 4: Keyboard Patterns

This method can be adapted depending on which device you're using. The idea behind this is to use keyboard patterns to generate and remember a password that is essentially meaningless and would be very difficult for a hacker to crack.

Taking the example in the picture above, we can use a pattern to create a memorable password: 1QAZ2wsx3EdX. You'll notice that I've used a combination of upper- and lowercase letters within the pattern (uppercase for the first line, lowercase for the second, and a mix for the third). It's a pattern within a pattern — pattern inception!

This method can be adapted to the device you're using. For example, if you're using a smartphone more regularly than a desktop PC, you can use different patterns that are available on your device's keyboard.

Hackers could use software to run algorithms that could generate passwords using every combination of a keyboard. However, it would be difficult, and can be made even more troublesome for them if the pattern is more complex. Try avoiding simple horizontal lines and introduce diagonals.

Technique 5: Change Your Password

It may seem like a bit of a pain having to change your password regularly, but it will keep you secure. Many businesses will have built-in software that requires you, as an employee, to change your password every 30 days or so. The reason for this is to ensure that your account remains safe and secure.

Remembering the passwords that you already have can be tough, and adding more on top can seem daunting. However, if you use the methods that I've mentioned above, you can make sure that you remember your password! Changing it regularly then won't seem like an impossible task.

Perhaps you could memorize several sentences from your favorite book. Or lyrics from your favorite song — these are often unforgettable and easy to recall from memory. Using cryptic familiarity, you can generate passwords using a book or a song and change them on a regular basis without forgetting them.

Technique 6: Be Vigilant About Where You Store Your Passwords

Never store your passwords in a place that can be easily accessed — or accessed at all. It's tempting to write all your passwords down, or even save them under a contact in your phone. But, if you do this, you're opening your accounts up to be hacked!

Shared storage or cloud storage can easily be hacked, so if you upload a spreadsheet or document to the cloud without encrypting it, your passwords can be cracked.

Storing passwords on your computer without encryption is one of the worst things you can do. Although there's lots of software available to stop your computer from being accessed by hackers, it's hard to be 100 percent secure. What if you take your laptop to a local cafe and connect to public Wi-Fi? Or you connect to your friend's network that isn't secure?

Being vigilant about your password storage, if you're going to store passwords, is essential. Think about looking into a password manager or ways to encrypt files to ensure that you're not opening yourself up to be a victim of cybercrime.

Technique 7: Use a Password Manager

If you have so many passwords to remember, and you don't think you can manage them, it may be worth considering a password manager. You'll simply need one very strong password to remember, and that should be the last time you'll need to remember one!

There are plenty of password managers available. Lots of them, such as Dashlane, come with apps for multiple devices and platforms, as well as web browsers. This means you can access passwords from all your devices in one easy-to-reach place.

You'll most likely have access to a security dashboard where you can change existing passwords and use tools to help you remain secure. Although your password manager can manage your passwords, you'll still need to ensure that the passwords you create are strong in the first place.

Technique 8: The Schneier Scheme

Bruce Schneier is an American cryptographer and computer security professional who has created a popular password system. To make sure that your password is secure, you must create a password that cannot be cracked by the above methods. Schneier's method seems to be pretty robust and also memorable. Let's take a look at how it works.

Firstly, you start out by creating a memorable sentence and then create a password from it. An example could be a sentence like "Colin the caterpillar – cola gums yum," which could be turned into "Ctc-C0L@gmsym." This is a 13-character password that is not made up of any words that could be guessed. The best advice is to choose something personal to you.

If the site allows longer passwords with random characters, then that is great. However, you might need to use some shorter versions for some sites.

Technique 9: Password Safe

Password Safe is like a virtual safe that you can store all of your passwords in. The nonprofit software is revered by many and has had more than 4 million downloads. It is completely free and aimed at removing the headache of creating and remembering secure passwords.

Password Safe allows you to save as many passwords as you like. You access all of them via one "master password." So you don't have to remember hundreds of secure passwords any more with Password Safe. Phew! What a relief. Because experts are adamant that we need a different password for every site, Password Safe seems to take a huge weight off our shoulders by helping us keep our passwords safe and secure.

Technique 10: The PAO Method

If you are not happy with keeping all of your passwords in one place like Password Safe for any reason, then perhaps the PAO Method is for you. The way this method works is by using a Person-Action-Object (PAO) story theme as a memorization technique with mnemonic methods to help you make a secure password that you might remember. This formula was created by a team of Carnegie Mellon University computer scientists who put this method forward as a solution to creating uncrackable and memorable passwords.

This is how to utilize the PAO Method to create safe, secure and memorable passwords. Bring to mind a memorable place (La Palma in the Canary Islands). Then pick an image of a famous person (the queen of England). Then the final part is imagining a random action and object to bring the story together (the queen jumping on a bouncy castle in La Palma).

  • Person: The Queen (TQ)
  • Action: Jumping (jmp1ng)
  • Object: Bouncy castle (@bc)
  • Location: La Palma (L@Plma)

Our new 17-character secure password could be: TQjmp1ng@bcL@Plma

This method is fun and quirky — thus more memorable. You can spend time making up wacky themes and creating passwords that you will remember because of the cognitive cues. The password will be completely random to others, however memorable to you. Perfect!

Technique 11: Guerrilla Mail

Next, I would like to look into a website that has a few tools that I think will be relevant to people who use a VPN or are interested in using one. Firstly, let's look at its secure, memorable password applications, and then I will get back to the possible VPN application for their solutions.

Guerrilla Mail offers what initially seems like a similar solution to Password Safe. Both offer a password management tool. However, Guerrilla Mail has a unique twist … it doesn't save your details on the cloud or use cookies. You use a master passphrase that nobody will ever know, so it is super important if you use their service to remember your master passphrase.

This is how it works. Using the Guerrilla Mail Password Manager, first decide on a master passphrase, then enter it in combination with the name of a website that you want to visit. A secure password is then generated for you to use on that website. The secure password is not stored in Guerrilla Mail's database; it is generated when you input the URL and the master passphrase. The beauty of this system is that it allows you to use one password (the master passphrase) to generate all other passwords. This means you don't need to remember hundreds of passwords.

The only possible downside would be if someone got to know your master passphrase and websites you used it for. In this instance, they would have access to all of your passwords. This is a very unlikely sequence of events that would probably only happen if you didn't use a VPN or you kept a printed or physical copy of your master passphrase and the Guerrilla Mail account.
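How a stateless manager of this kind can work, as an added illustration that is not Guerrilla Mail's own code or algorithm: the per-site password is derived from the master passphrase and the site name with PBKDF2, so nothing needs to be stored, and the same inputs always reproduce the same password. The alphabet, the iteration count and the version counter are assumptions of this example.

```python
import hashlib
import string

# 64-character alphabet so that `byte & 63` selects a character without modulo bias.
# The alphabet and the PBKDF2 parameters below are assumptions of this example.
ALPHABET = string.ascii_letters + string.digits + "!@"
ITERATIONS = 200_000  # work factor that slows offline guessing of the master passphrase


def normalize_site(site: str) -> str:
    """Canonicalize the site name so that 'https://www.Example.com/login'
    and 'example.com' derive the same password."""
    s = site.strip().lower()
    for prefix in ("https://", "http://", "www."):
        if s.startswith(prefix):
            s = s[len(prefix):]
    return s.split("/", 1)[0]


def derive_site_password(master: str, site: str, length: int = 20, version: int = 1) -> str:
    """Derive a per-site password from the master passphrase and the site name.
    Nothing is stored anywhere: the same inputs always reproduce the same output,
    which is also why anyone holding the passphrase can reproduce every password.
    Bumping `version` yields a fresh password for the same site without a new passphrase."""
    salt = f"site-password:{normalize_site(site)}:{version}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=length)
    return "".join(ALPHABET[b & 63] for b in key)


if __name__ == "__main__":
    master = "Colin the caterpillar - cola gums yum"  # constructed demo passphrase
    for site in ("https://www.example.com/login", "example.com", "example.org"):
        print(f"{site:30} -> {derive_site_password(master, site)}")
    print(f"{'example.com (version 2)':30} -> {derive_site_password(master, 'example.com', version=2)}")
```

The version counter is what lets you change one site's password (Technique 5) without changing the master passphrase, something a purely deterministic scheme otherwise cannot do.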

Guerrilla Mail also offers an anonymous email address that has many benefits. First it deletes spam mail. Also the temporary email address could be used in conjunction with a secure VPN like Trust.zone. If you used a secure VPN with a temporary email and Bitcoin to pay for the service, then you would be in the position of complete Internet anonymity.

Technique 12: LastPass

LastPass is a very popular password management solution that offers both a paid and a free service. LastPass works as a browser extension that you can access easily with one click. Like Guerrilla Mail, you need to first create a memorable password, so using the PAO Method or the Schneier Scheme, or another method of your choosing, create a memorable secure password.

LastPass has a member's area that they call "The Vault" which houses access to all of your favorite sites. LastPass also has a section called "Secure Notes" that is designed to keep sensitive digital records like insurance and health accounts. You can also audit your passwords to ensure that they are kept secure, share passwords with family members, and add in all of your credit card details into their platform so that you can pay with one click.

Personally, I would be a bit hesitant to give a website all of my data. However, LastPass ensures that they use the strongest AES-256-bit encryption with PBKDF2 SHA-256 and salted hashes. Additionally, all data is encrypted at the device level, so LastPass doesn't have access to your data. Furthermore, they deploy two-factor authentication, which requires you to perform a second step, such as having a code sent to your phone, before you get access to your account.

Technique 13: 010 Memorizer

010 Memorizer is a piece of free software that you can download to help you create a secure and memorable password in a fun way. The system can also be used to memorize other numbers like social security numbers, IP addresses, and phone numbers. The idea behind 010 Memorizer is that it is way easier to remember vivid images than it is to remember numbers.

Let's face it: no matter how we look at it, even when using a password manager you are going to have to create at least one memorable and secure password. So why not let 010 Memorizer help? You can use the software to find words that can be used to memorize numbers.

Technique 14: How Secure Is My Password

How Secure Is My Password is a free and really simple tool that will tell you if the password that you have created is strong. The site is really easy to use. You simply go over to their URL and input your password in the big text box.

The site will then estimate just how long it would take a hacker to guess your password. I decided to check out "TQjmp1ng@bcL@Plma" — the password I created above with the PAO Method — to test how good that method actually is. The result was pretty exciting. They reported back to me instantly that it would take a computer about 93 trillion years to crack this password. Nice!

Two-Factor Authentication

To be sure that your accounts are kept safe, it is a great idea to make sure that you turn on two-factor authentication. You know the authentication that sends a code to your phone — that sort of thing! It is not always available, but when it is, then take advantage of this great security feature. It provides added security levels because even if hackers manage to obtain your password, they won't actually be able to get into your account.

In Conclusion

If you are in any way bothered about your data protection when you are online, then the methods above offer some great approaches to both generating and managing safe, memorable passwords. Companies often have to handle clients' passwords, which may be remembered in cookie settings if a VPN is not used, or which need to be securely stored.

When dealing with other people's data, we must be extra careful to keep data safe. However, even the regular Internet user now needs to pay attention to how they manage their passwords to optimize their security.

About the Author

Jack Foster has over 10 years of experience in the IT and cybersecurity sector. He is currently the chief content writer for U.K.-based VPNGeeks.