The basic rules of thumb when choosing a password:
- Bigger is better – aim for a minimum length of 12 characters.
- Use a mixture of uppercase and lowercase letters, numbers and symbols.
- Don’t use people’s names, place names or dictionary words.
- Don’t use dates, phone numbers or postcodes… even as part of your password.
- If a site offers two-step/two-factor verification you should probably use it.
- Don’t use the same password for every account.
Never, ever use a password like the ones below as featured in SplashData’s 2023 annual list of the top passwords in use. If your password is in the list below you should change it now.
Password cracking methods
It’s not just someone sitting there manually trying different words to discover your password: hackers use computer programs to do the work for them. Computers can make many more guesses per second than a human can; in fact, a standard desktop PC could crack the password ‘letmein’ in under one minute. Here are a couple of examples of different types of cyber-attack:
Dictionary attack
Attempts to crack your password by trying every word, and combination of words, in a predefined list such as a dictionary (in any or all languages), or perhaps every word in a dictionary plus the most-used passwords (see the SplashData list above). Dictionary attacks can also try every word in the list with numbers and symbols substituted for letters, so ‘p45Sw0rd’ is no safer than ‘password’.
Brute force attack
Will try to guess your password by trying every possible combination of letters, numbers and symbols. However, brute force attacks can be much more advanced than simply trying every combination: they can also make assumptions about your password to cut down on the number of combinations, and so the time, required. For example, passwords are now usually required to contain at least letters and numbers, so the brute force attack doesn’t bother trying guesses made up of just letters.
There are many more methods employed by hackers to get into your accounts; these two are by no means the end of the story, they are just the ones that best illustrate how simple passwords are easily hacked.
Creating a secure password
I use a method described by Bruce Schneier as a starting point for my passwords. It works like this:
- You take a memorable phrase that might be personal to you, let’s say, ‘Michon has big wooden doors and used to be a school room’.
- Take the first letter of each word: ‘mhbwdautbasr’.
- The first ‘a’ in the sequence was for, ‘and’, so let’s change that to a ‘+’.
- The letter ‘t’ was for ‘to’, so let’s change that to a number ‘2’.
- Now let’s say the first letter after a number or a symbol should be uppercase, so we now have ‘mhbwd+U2Basr’, which is pretty random but easy to remember. It’s 12 characters long and, according to howsecureismypassword.net, would take about 344 thousand years for a desktop PC to crack.
NB: I wouldn’t recommend putting a password you are really going to use into a password testing/scoring site.
You could then append or prepend this with a site-specific password created using the same method. ‘I like using Facebook’ becomes ‘1luF’. Maybe I decide that social media accounts always append, and use a symbol to join the two parts, say an ampersand. Now I have a unique password for Facebook like so: mhbwd+U2Basr&1luF.
By doing this I find I can make memorable, unique and secure passwords for all my accounts.
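To show both points above in working code, here is an added example (not from the original post or from Schneier): it applies the post’s phrase-to-password rules to the ‘Michon’ sentence and appends a site tag, and it shows why a leet-style dictionary attack treats ‘p45Sw0rd’ as ‘password’. The wordlist and the leet table are constructed stand-ins, not the SplashData list.

```python
import re

# Constructed stand-in for a cracking wordlist: a few dictionary words plus
# entries of the kind found in SplashData-style "worst passwords" lists.
WORDLIST = {"password", "letmein", "qwerty", "welcome", "sunshine", "football"}

# Letter-for-symbol swaps a dictionary attack undoes (assumed table, not from the post).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(candidate: str) -> str:
    """Lower-case the password and undo common leet substitutions."""
    return candidate.lower().translate(LEET)

def is_wordlist_variant(candidate: str, wordlist=WORDLIST) -> bool:
    """True if the password is a wordlist entry, possibly with leet swaps applied."""
    return normalize(candidate) in wordlist

# Whole-word substitutions used in the post: 'and' -> '+', 'to' -> '2'.
WORD_SUBS = {"and": "+", "to": "2"}

def phrase_to_password(phrase: str, subs=WORD_SUBS) -> str:
    """Apply the post's rules: take the first letter of each word, replace whole
    words listed in `subs`, and upper-case the first letter after a digit or symbol."""
    out = []
    upper_next = False
    for word in re.findall(r"[A-Za-z]+", phrase):
        token = subs.get(word.lower(), word[0].lower())
        if upper_next and token.isalpha():
            token = token.upper()
        out.append(token)
        # a digit or a symbol triggers the upper-case rule for the next letter
        upper_next = token.isdigit() or not token.isalnum()
    return "".join(out)

def site_password(base: str, site_tag: str, joiner: str = "&") -> str:
    """Append a site-specific tag to the base password with a chosen joining symbol."""
    return f"{base}{joiner}{site_tag}"

if __name__ == "__main__":
    base = phrase_to_password("Michon has big wooden doors and used to be a school room")
    print(base)                             # mhbwd+U2Basr
    print(site_password(base, "1luF"))      # mhbwd+U2Basr&1luF
    print(is_wordlist_variant("p45Sw0rd"))  # True
    print(is_wordlist_variant(base))        # False
```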
Alternatively, you could use a password manager to generate and store your passwords, making things even easier. By using a password manager, you only have to remember one password, but make sure it’s a strong password because it holds all your secrets!
A word on email accounts
If there’s one account you should pay particular attention to, it’s your email account. Your email account is important: it will probably contain a lot of private information about you, your family and friends. And if a hacker gets into your email, they could use the “Forgot password” feature of other online accounts to gain access to them too. So make sure the password for your email account is secure.
And finally, never give out your password. If someone phones you from a company whose services you use, they should never, ever ask you for your password; if they do, they are not legit.