Creating a secure password

In light of the recent TalkTalk hack you should consider changing your online passwords, if you haven’t already. And if that’s the case then here’s a bit of advice to help you be more secure.

Illustration of a man with his laptop and a password input field. The man is trying to think of a new password.

The basic rules of thumb when choosing a password

  • Bigger is better – aim for a minimum length of 12 characters.
  • Use a mixture of uppercase and lowercase letters, numbers and symbols.
  • Don’t use people’s names, place names or dictionary words.
  • Don’t use dates, phone numbers or postcodes… even as part of your password.
  • If a site offers two-step/two-factor verification you should probably use it.
  • Don’t use the same password for every account.

Never, ever use a password like the ones below as featured in SplashData’s 2015 annual list of the top 25 passwords in use. If your password is in the list below you should change it now.

  1. 123456 (Unchanged)
  2. password (Unchanged)
  3. 12345 (Up 17)
  4. 12345678 (Down 1)
  5. qwerty (Down 1)
  6. 123456789 (Unchanged)
  7. 1234 (Up 9)
  8. baseball (New)
  9. dragon (New)
  10. football (New)
  11. 1234567 (Down 4)
  12. monkey (Up 5)
  13. letmein (Up 1)
  14. abc123 (Down 9)
  15. 111111 (Down 8)
  16. mustang (New)
  17. access (New)
  18. shadow (Unchanged)
  19. master (New)
  20. michael (New)
  21. superman (New)
  22. 696969 (New)
  23. 123123 (Down 12)
  24. batman (New)
  25. trustno1 (Down 1)

Password cracking methods

It’s not just someone sitting there manually trying different words to discover your password: hackers use computer programs to do the work for them. Computers can make many more guesses per second than a human can; in fact, a standard desktop PC could crack the password ‘letmein’ in under a minute. Here are a couple of examples of the types of attack used:

Dictionary attack

A dictionary attack attempts to crack your password by trying every word, and combinations of words, in a predefined list, such as a dictionary (in any or all languages), or perhaps every word in a dictionary plus the most commonly used passwords (see the SplashData list above). Dictionary attacks can also try every word in the list with numbers and symbols substituted for letters, so ‘p45Sw0rd’ is no safer than ‘password’.

Brute force attack

A brute force attack tries to guess your password by trying every possible combination of letters, numbers and symbols. However, brute force attacks can be much more advanced than simply trying every combination: they can also make assumptions about your password to cut down on the combinations, and therefore the time, required—for example, passwords are now usually required to contain at least letters and numbers, so the attack may not bother trying guesses made up of letters alone.

There are many more methods employed by hackers to get into your accounts; these two are by no means the end of the story, they are just the ones that best illustrate how simple passwords are easily cracked.

Creating a secure password

I use a method described by Bruce Schneier as a starting point for my passwords. It works like this:

  1. You take a memorable phrase that might be personal to you, let’s say, ‘Michon has big wooden doors and used to be a school room’.
  2. Take the first letter of each word: ‘mhbwdautbasr’.
  3. The first ‘a’ in the sequence was for ‘and’, so let’s change that to a ‘+’.
  4. The letter ‘t’ was for ‘to’, so let’s change that to a number ‘2’.
  5. Now let’s say the first letter after a number or a symbol should be an uppercase, so we now have, ‘mhbwd+U2Basr’, which is pretty random, but easy to remember. It’s 12 characters long and according to would take about 344 thousand years for a desktop PC to crack.

NB: I wouldn’t recommend putting a password you are really going to use into a password testing/scoring site.

You could then append or prepend this with a site-specific password created using the same method: ‘I like using Facebook’ becomes ‘1luF’. Maybe I decide that social media accounts always append, and use a symbol to join the two parts, say an ampersand. Now I have a unique password for Facebook like so: mhbwd+U2Basr&1luF.

By doing this I find I can make memorable, unique and secure passwords for all of my accounts.

Never give out your password. If someone phones you from a company whose services you use, they should never, ever ask you for your password—if they do, they are not legit.