Be Creative. Beyond avoiding easy sequences like “123456” or classics like “password”, avoid using things that are trending in popular culture. SplashData, which collates passwords from data breaches in America and Western Europe to build its samples, reported that “123456 was, for the fifth year running, the most common password” in 2014. In 2015, one of the most frequently found passwords on US corporate networks was “Starwars!”, and the stars, characters and events of the Star Wars franchise were popular too. The bad guys know that and will be sure to have those things in their PW libraries. Think out of the box. If you know “Gone with the Wind” forwards and backwards, exploit your trivia knowledge; if you are an organic gardener, plant some healthy ones; if you enjoyed a class on French romance poems in college, it is time to use your studies in a way you never foresaw: Vivre sans aimer n’est pas proprement vivre (To live without loving is to not really live – Molière).
Change is overrated. Many organizations and some websites require frequent password changes. Some set even shorter lifespans for privileged accounts (like admins). But if your password is sufficiently long and complex, studies have found that requiring 30, 60 or 90 day changes doesn’t add value (or security). Changing your password for no good reason actually detracts from security because you are more likely to forget it and more likely to write it down to avoid doing so. And many users will find ways around the policy, like adding a new sequential number at the end, which complies with the password change policy but doesn’t achieve a higher level of security. Admins, I’m talking to you – don’t require frequent periodic changes; and users, I’m talking to you – change your password any time you think it might be compromised (by a shoulder surfer or your ex-boyfriend).
Don’t Re-Use. It is tempting to re-use passwords, especially when you have worked hard to create a complex one and have finally managed to memorize it, but resist the temptation. Some people sort web services into categories and create a shared PW for each tier of risk or type of service. Others append the company name or website initials to make “unique” passwords like “Apple#123”, “Google#123” and “USPS#123”, but that creates a pattern: a breach of any one account reveals a lot to the adversary about your other PWs. Don’t do it. Make each one unique – that way, if one site is breached and your credentials show up on the black web, they won’t give away the key to the other sites you use.
Enter it with care. And no, I don’t mean slow, deliberate key strokes (observers will love you if you do that). To avoid shoulder surfers, don’t enter your password where others can watch you type it. And don’t enter your password over unencrypted public WiFi networks (I’ll take a hack with my Triple, Venti, Half Sweet, Non-Fat, Caramel Macchiato). And, please, don’t mouth it or say it out loud as you enter it. These all seem like no-brainers, but you would be surprised how often unauthorized account access is gained by ignoring these simple safeguards.
Keep it real. You don’t have to make your password so cryptic that a supercomputer would take 10,000 years to crack it. You are not a financial institution (unless you really are one) or a highly classified network (unless you are one of those), so get real. Save your panic for when the sky is falling. For the majority of us, reasonably complex and lengthy PWs will suffice. Keeping it real will encourage you to create passwords that are hard to guess but easy (for you) to remember. The bad guys will move on to the next target if you don’t make yours an easy one.
Make your password long to make it strong. The longer the better. “A longer password is usually better than a more random password,” says Mark Burnett, author of Perfect Passwords, “as long as the password is at least 12-15 characters long.” The excuse of keeping it short for your smartphone keyboard is no longer defensible with the advent of password managers and biometric authentication on mobile devices.
Second Level Authentication is Your Friend. When offered, take the service up on adding a second level of authentication to access your account. Some services text a one-time passcode (OTP) to your designated phone. Others allow you to register trusted devices and/or networks and deny attempts from all others. Some may offer image selection from a gallery of 6 or 8. Using multi-factor authentication doesn’t have to mean retina scanners or cipher locks, but it always means greater security for you.
Use Capital Letters with Care. One of the recurring complaints from business users and website visitors is the requirement to use both upper and lower case characters. Most people put a capital letter at the start of their PW and call it done. This makes it simpler for the holder of the PW, but it also makes it simpler for the bad gal. Mix it up; put some near the middle and end.
Use Special Characters with Care. Another recurring complaint from business users and website visitors is the requirement to use special characters. Most people put a pound sign (#) or an exclamation point (!) at the end of their PW and call it done. This makes it simpler for the holder of the PW, but it also makes it simpler for the bad guy. Mix it up; put some near the beginning and middle. When a website doesn’t allow special characters, consider making your password a bit longer; consider sending feedback to the webmaster, or even declining to use the website and telling them why.
Zzzz . . . Lastly, develop a framework for your passwords. Human minds prefer patterns (that is why many people choose “12345678” or “abcdefgh” or “qwerty789”). A framework is a pattern on steroids; your mind will like it, but the bad gals won’t.
A framework is your personal user’s guide to creating passwords. The framework should be something that complements the way your mind works (to aid you in creating and remembering reasonably long and complex PWs) while not being obvious to co-workers or acquaintances.
You can create a PW framework that:
- capitalizes every word and
- inserts numbers or special characters after every word
For example, if you went to Paris for your honeymoon you might make your password “IReallyEnjoyedOurHoneymoonInParis”. That is very long by most standards and even includes lower and upper case letters. Now, if you add the month, day and year that you landed in Paris after the first three words, it becomes “I08Really25Enjoyed2012OurHoneymoonInParis”. Now you have two out of three complexities and will pass the criteria set by many businesses and websites, but you don’t have to stop there. Picking the special characters from left to right on your keyboard and inserting them after all subsequent words gives “I08Really25Enjoyed2012Our!Honeymoon@In#Paris$”, a very long (and complex) password.
You can create a PW framework that:
- capitalizes every vowel and
- makes every consonant lower case and
- inserts special characters after every vowel and
- places a number at a planned point in the PW
For example, if you don’t want a terribly long one, try “mY#dO$g2009spO%t” (this is based on “my dog spot”, where every vowel is capitalized, every consonant is lower case, a special character follows every vowel, and a year that is significant to you is inserted after the second word); that password is not nearly as long (or as fun) as your honeymoon in Paris, but it is complex, sufficiently long, and easy (for you) to remember.
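Both frameworks above, as an added example that is not from the original post: two small functions reproduce the post's own results (the honeymoon password and “mY#dO$g2009spO%t”), and a third reports which character classes a candidate contains, the check most sites apply alongside a minimum length. The function names, the keyboard-order special-character string and the treatment of the y in “my” as a vowel are assumptions made here.

```python
import string

KEYBOARD_SPECIALS = "!@#$%^&*()"  # shifted digit keys, left to right (assumed order)


def word_framework(phrase, date_parts, specials=KEYBOARD_SPECIALS):
    """Framework 1: capitalize every word; put the date parts after the first
    len(date_parts) words, then one special character after each remaining word."""
    out = []
    for i, word in enumerate(phrase.split()):
        out.append(word[0].upper() + word[1:])
        if i < len(date_parts):
            out.append(date_parts[i])
        else:
            out.append(specials[(i - len(date_parts)) % len(specials)])
    return "".join(out)


def vowel_framework(phrase, year, year_after_word, specials=KEYBOARD_SPECIALS):
    """Framework 2: capitalize every vowel and follow it with the next special
    character; lower-case every consonant; append the year after word number
    year_after_word (1-based). The post's example treats the y in "my" as a vowel."""
    vowels = set("aeiouy")
    out, used = [], 0
    for n, word in enumerate(phrase.split(), start=1):
        for ch in word:
            if ch.lower() in vowels:
                out.append(ch.upper() + specials[used % len(specials)])
                used += 1
            else:
                out.append(ch.lower())
        if n == year_after_word:
            out.append(str(year))
    return "".join(out)


def character_classes(password):
    """Report which complexity classes (lower, upper, digit, special) a password contains."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }


if __name__ == "__main__":
    pw1 = word_framework("I really enjoyed our honeymoon in Paris", ["08", "25", "2012"])
    pw2 = vowel_framework("my dog spot", 2009, 2, specials="#$%")  # the post starts at #
    for pw in (pw1, pw2):
        print(pw, len(pw), character_classes(pw))
```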
The framework you use should be something easy for you to recall but hard for others to guess (just like your password). I’ve covered two but you can probably come up with a better one (or at least one that fits you better).