There are three good methods to create a strong password. Before you think about creating one, remember to implement the other, much more important measures first (password manager, 2FA, phishing awareness, an up-to-date system).
(target audience: users who want to secure their accounts and need to create a password)
Remember that you don't need to worry about a good password before you have implemented the other measures. Ready?
How to remember all the passwords you will ever need?
As discussed earlier, most attacks require the criminal to somehow observe you entering the password. These attacks obviously fail if you never enter your password in the first place.
You have already set up either a password manager that does all the logins for you, or you use an identity managed by Microsoft, Google or Apple to authenticate to services (or to store your passwords). You can now set up your devices to work with a short device password (which works only on this one specific device) or with biometric authentication (fingerprint, face scan).
Why can the device password be much shorter and much simpler? Look at it from the attacker's side: the password for an online service has to survive brute-force attacks in which attackers try all common and known passwords, all dictionary words (including variations such as appending 1! or replacing a with @) and then every other possible combination, one after another. If the service's password database leaks, this guessing happens offline against the stolen hashes, at very high speed and with no limit on the number of attempts. That attack does not work against a device that wipes itself after 10 failed attempts, or that requires a restart after 3 failed attempts and imposes an ever-increasing wait between further attempts (Windows Hello does this). This only holds because the attempt counter is enforced by the device's security hardware (TPM or secure element) rather than by software the attacker could bypass. That is why your device password can be much shorter: with only 10 attempts before the phone wipes itself, the criminal cannot even get through the obvious candidates such as your birthday, your dog's birthday, 0000 to 9999, 1212 or 1234.
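To make the difference concrete, here is an added simulation (not code from the original article): the same guessing strategy, most likely 4-digit PINs first, is run against a leaked password hash, which can be checked without limit, and against an assumed device policy that slows down after 3 failures and wipes itself after 10. The list of common PINs, the 30-second base delay and the wipe threshold are constructed assumptions for illustration, not a specific vendor's policy.

```python
import hashlib
import itertools

# Constructed list of common PINs, in the order an attacker would try them first.
COMMON_PINS = ["1234", "0000", "1111", "1212", "7777", "2000", "4444", "2222",
               "6969", "9999", "3333", "5555", "6666", "1122", "1313"]


def pin_candidates():
    """Yield every 4-digit PIN, most likely guesses first."""
    seen = set()
    for pin in COMMON_PINS:
        seen.add(pin)
        yield pin
    for digits in itertools.product("0123456789", repeat=4):
        pin = "".join(digits)
        if pin not in seen:
            yield pin


class OfflineHash:
    """A leaked password hash: guesses can be checked without any limit."""

    def __init__(self, secret):
        self.digest = hashlib.sha256(secret.encode()).hexdigest()

    def check(self, guess):
        return hashlib.sha256(guess.encode()).hexdigest() == self.digest


class DeviceLock:
    """A device that slows down after `slow_after` failures and wipes itself after
    `wipe_after` failures (assumed policy; real products differ in the details)."""

    def __init__(self, secret, slow_after=3, wipe_after=10, base_delay=30):
        self.secret = secret
        self.slow_after = slow_after
        self.wipe_after = wipe_after
        self.base_delay = base_delay
        self.failures = 0
        self.wiped = False
        self.total_delay = 0  # seconds the attacker has had to wait so far

    def check(self, guess):
        if self.wiped:
            raise RuntimeError("device wiped, no further attempts possible")
        if guess == self.secret:
            return True
        self.failures += 1
        if self.failures >= self.slow_after:
            # the wait time doubles with every further failure
            self.total_delay += self.base_delay * 2 ** (self.failures - self.slow_after)
        if self.failures >= self.wipe_after:
            self.wiped = True
        return False


def guess_pin(target):
    """Try candidates in order against `target`. Returns (found, attempts_made)."""
    attempts = 0
    for guess in pin_candidates():
        try:
            hit = target.check(guess)
        except RuntimeError:
            break  # the device is gone, and so is the data
        attempts += 1
        if hit:
            return True, attempts
    return False, attempts


if __name__ == "__main__":
    print(guess_pin(OfflineHash("4821")))      # found after a few thousand guesses
    device = DeviceLock("4821")
    print(guess_pin(device), device.total_delay)  # (False, 10) after roughly two hours of waiting
```

Against the offline hash every 4-digit PIN falls within 10,000 guesses; against the device the attacker gets exactly 10 guesses, spread over about two hours, and then the data is gone. That is the whole reason a short device PIN is acceptable while a short online password is not.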
You can also set up login via fingerprint or face recognition. Although biometrics can be fooled, for most criminals it would be much easier to observe you entering the password, and they would have to get physical access to your device in the first place.
Now that you have an easy and secure way to access your devices and the passwords stored on them, you may still need to secure one online account with a password you actually remember.
How to create good passwords?
There might be one or two passwords which you still need to remember (for example the master password of your password manager or the password of your main online identity). The methods below produce a password that can be considered secure only if you also implement the other measures.
Remember that complexity rules (does your password include upper- and lowercase letters, numbers and special characters?) say little on their own about password strength (how hard it is for criminals to guess it), and length helps only if the extra characters are unpredictable. What counts is how many equally likely possibilities an attacker has to try. I discussed in another blog article why focusing on password complexity only helps the criminals guess your password.
What options do you have to create a secure password?
Write it on paper, but don't use it
You have implemented the setup above and will only ever need this password as a backup or to set up a new device. Just generate something long and random (your password manager can do that), write it on a piece of paper and store it properly: a bank safe-deposit box or a secure place in your house. Don't put it on a post-it next to your device or under the keyboard. Although a paper under the keyboard requires physical access before criminals can abuse it, why take the risk if you don't need the paper at hand in the first place?
xkcd option:
There is a famous xkcd comic (#936) explaining pretty accurately how to create a good password that is hard to guess. Take four random words and combine them, and the result is much harder for criminals to guess than a typical password of the usual length. This only works if the four words are really random: pick them with dice or a generator from a large word list, not from your head. The xkcd example is:
CorrectHorseBatteryStaple
This is secure enough for most applications, provided you generate your own combination (this particular one is famous, so it is among the first things attackers try) and have implemented the other measures.
This option becomes a little weaker if you select the words yourself (humans are predictable), especially if you mix in personal information. It becomes stronger if you add a different language or an uncommon misspelling. For example, change the English word Horse to the German word Pferd and misspell a word:
KorrectPferdBatteryStaple
It becomes stronger still if you don't write the words the usual way (all lowercase, or with an uppercase letter at the beginning). Instead, make a letter uppercase somewhere inside a word. For this 25-letter example there are 2 to the power of 25, about 33 million, ways to distribute upper- and lowercase letters, which is worth up to 25 extra bits, but only if you choose the positions at random rather than by habit (capitalising the first letter of each word is the habit, and the first pattern an attacker tries):
korRectpfErdBatteryStaple
You can also insert letters, numbers or special characters at random positions in between (yes, randomly is important). It is often assumed that digits and special characters add more than extra letters; in terms of pure guessing work that is not so, because a character picked at random from a larger set (52 letters) is worth at least as much as one from a smaller set (10 digits). The practical advantage of a digit or symbol inside a word is that it breaks the word, so the dictionary rules of cracking tools no longer recognise it. What really matters is that both the character and its position are random:
korRenctpfErdBXatteryStaple
korRe9ctpfErdB?atteryStaple
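The following generator is an added example (not code from the original article) that carries out the three steps above with a cryptographic random source instead of the author's head: random words, random casing, random insertions. It also computes the resulting entropy under the assumption that the attacker knows the method and only the random choices are secret. The 32-word list is a constructed toy list for illustration; a real generator needs a large published list (the EFF long list has 7776 words, about 12.9 bits per word).

```python
import math
import secrets

# Constructed demo word list: 32 words, so only 5 bits per word. Use a large published
# list for real passphrases.
WORDLIST = ["apple", "bridge", "candle", "dragon", "engine", "forest", "garden", "hammer",
            "island", "jacket", "kettle", "lantern", "marble", "needle", "orange", "pepper",
            "quartz", "ribbon", "saddle", "tunnel", "umbrella", "velvet", "walnut", "yellow",
            "zipper", "anchor", "button", "copper", "desert", "falcon", "ginger", "helmet"]
DIGITS = "0123456789"
SYMBOLS = "!?$%&*+-=@#"


def random_words(n=4, words=WORDLIST):
    """Pick n words uniformly at random with a CSPRNG (never from your head)."""
    return [secrets.choice(words) for _ in range(n)]


def random_case(text):
    """Set each letter to upper or lower case at random: 1 bit per letter."""
    return "".join(c.upper() if secrets.randbelow(2) else c.lower() for c in text)


def random_insert(text, alphabet):
    """Insert one random character from `alphabet` at a random position."""
    pos = secrets.randbelow(len(text) + 1)
    return text[:pos] + secrets.choice(alphabet) + text[pos:]


def entropy_bits(wordlist_size, n_words, letters, random_casing=False, inserts=()):
    """Entropy in bits, assuming the attacker knows the method and only the random
    choices are secret. `letters` is the total letter count of the chosen words,
    `inserts` lists the alphabet sizes of characters inserted one after another."""
    bits = n_words * math.log2(wordlist_size)
    if random_casing:
        bits += letters  # 2**letters possible case patterns
    length = letters
    for alphabet_size in inserts:
        bits += math.log2((length + 1) * alphabet_size)  # random position and character
        length += 1
    return bits


def make_passphrase(n_words=4, casing=True, inserts=(DIGITS, SYMBOLS)):
    """Words, then random casing, then one random digit and one random symbol."""
    text = "".join(w.capitalize() for w in random_words(n_words))
    if casing:
        text = random_case(text)
    for alphabet in inserts:
        text = random_insert(text, alphabet)
    return text


if __name__ == "__main__":
    print(make_passphrase())
    # The article's example: 25 letters from four words.
    print(entropy_bits(7776, 4, 25))                         # 51.7 bits from the words alone
    print(entropy_bits(7776, 4, 25, random_casing=True))     # 76.7 bits with random casing
    print(entropy_bits(7776, 4, 25, True, (10, 11)))         # plus a random digit and symbol
```

Two things the numbers show: with a 7776-word list, four words alone give about 52 bits, and random casing of 25 letters adds exactly the 25 bits the article counts (2 to the power of 25 patterns). With the toy list in the code, the words contribute only 20 bits, so a small list cannot be rescued by casing tricks; the size of the word list is the main lever.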
Passphrase option:
The passphrase option is similar to the xkcd option, but you remember a whole sentence and use it as the password. This makes the password longer (which is really good), but the words are related by grammar and meaning, so there are far fewer likely sentences than random word combinations of the same length (which is not that good). Make up your own sentence, preferably a silly one like:
"Peter always sings songs when others read dictionaries"
"Pizza and sweets served with old rough donuts"
You can improve the passphrase further by following the same advice as above: add some numbers, special characters and uppercase letters at random positions in between.
Why is the password-from-passphrase trick bad?
Some people recommend taking a passphrase and using only the first letter of each word (this sentence then becomes: "Sprttapajutflots"). Why is that a really bad idea? You start with a long (and probably good) passphrase and reduce it to a short password, which may look completely random, but you can get unlucky and end up with a word from some language. Take the sentence "Peter always sings songs when others read dictionaries" again. It is pretty unlikely that anyone would guess this passphrase, but if you take only the first letters you get:
password
So you have turned a really good passphrase into one of the worst passwords. Look at the other passphrase: "Pizza and sweets served with old rough donuts". Again, the first letters give the same password. That is another downside of the password-from-passphrase approach: two completely unrelated, reasonably good passphrases collapse into the same short password, which also shows that the acronym has far less entropy than the sentence it came from.
Granted, it is pretty unlikely that your password-from-passphrase turns out that bad, but would you have recognized the name of the city
the glacier
or the Polish or Finnish translation of the popular (and therefore bad) password "iloveyou":
kochamcie,
minaerakastansinua?
Or would you have used them as passwords, expecting them not to appear in dictionaries? They do, which makes them bad passwords.
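As an added example (not code from the original article), the two checks a practitioner would run on a candidate from the first-letter trick: does it collide with the acronym of another sentence, and does it match a known-bad word after the normalisation a cracking tool applies (case folding, accents stripped, spaces removed)? The mini-dictionary is constructed from the words mentioned above; a real check would use a full cracking wordlist and dictionaries in every language you know.

```python
import unicodedata

# Constructed mini-dictionary: a few of the worst passwords plus the phrases from the
# article. "minaerakastansinua" is the ae transliteration used above, "minarakastansinua"
# the accent-stripped form; a cracking list would carry both.
KNOWN_BAD = {"password", "iloveyou", "123456", "qwerty", "letmein",
             "kochamcie", "minaerakastansinua", "minarakastansinua"}


def first_letters(sentence):
    """The password-from-passphrase trick: the first letter of every word."""
    return "".join(word[0] for word in sentence.split())


def normalize(candidate):
    """What a wordlist lookup does: strip accents and spaces, fold case."""
    decomposed = unicodedata.normalize("NFKD", candidate)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(stripped.split()).casefold()


def is_known_bad(candidate, bad=KNOWN_BAD):
    """True if the candidate is a known-bad password after normalisation."""
    return normalize(candidate) in bad


def passphrases_collide(a, b):
    """True when two different sentences reduce to the same acronym password."""
    if normalize(a) == normalize(b):
        return False
    return normalize(first_letters(a)) == normalize(first_letters(b))


if __name__ == "__main__":
    s1 = "Peter always sings songs when others read dictionaries"
    s2 = "Pizza and sweets served with old rough donuts"
    print(first_letters(s1), is_known_bad(first_letters(s1)))  # Password True
    print(passphrases_collide(s1, s2))                           # True
    print(is_known_bad("kocham cię"), is_known_bad("Minä rakastan sinua"))  # True True
    print(is_known_bad("Sprttapajutflots"))                      # False, but still only 16 letters
```

Note that the accented originals "kocham cię" and "Minä rakastan sinua" are caught too: attackers normalise their lists the same way, so writing a dictionary word with its accents does not turn it into a good password.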
Final thoughts
It is much more important to set up a password manager and 2FA, pay attention to phishing, keep your system updated and choose a trustworthy provider than to invest too much into creating and remembering passwords.
Make your life easy with a password manager.
This advice is meant for the majority of users. If you are in a high-risk situation, you will want to implement stronger measures.