Many sites won’t let users create an account until they have created a suitably “strong” password – often measured by text flags on sites describing passwords as “weak” or “strong” as you type.
This sort of system tempts users to fall into traps such as adding numbers and symbols to the end of passwords – which makes them easy to remember, but also much easier to crack.
Thankfully, there are a few tricks to creating memorable passwords that will at least slow down cybercriminals – buying you time to reset your accounts if a list of encrypted passwords leak in a data breach.
Consider using phrases, not words
Using a single English word as a password is incredibly insecure – easy prey for the “dictionary attacks” cybercriminals use to “guess” passwords. Merely adding more words – changing, say, “dragon” to “dragonistired” – is a good first step.
“This works up to a point,” says ESET Senior Research Fellow David Harley. “Length is helpful. But the guessability of a passphrase can be overestimated. Dictionaries can include commonly used phrases as easily as single words, and a space character is just a character (and looking for the delimiter between words is actually a decryption technique). Using a passphrase in combination with other techniques such as interleaving, character substitutions, special characters and so on, does make a difference.”
Maths can be your friend
Sites which demand special characters – “!” – as part of passwords often lead to users adding a special character at the end of a password. This, again, makes the cybercriminals’ job easier. Harley says, “This also applies where the site requires you to change your password periodically but allows you to do so by appending a number. Password cracking 101.”
Using maths equations – where the characters mean something – can make for a memorable, secure password. Something like “1hundred+5=Threehundred” is long enough to be secure, has a nice mix of characters, and the wrong answer is silly enough to be memorable. Using these symbols in sentences works just as well.
Size does matter
Size does matter more than complexity, as long as you do not use just one long word. Long passwords, made of several elements, are more secure than short ones. A short sentence such as “happinessisgood” is very hard to guess – 1,677,259,342,285,730,000,000 possibilities, and that’s just a 15-character lowercase password (as discussed in a previous ESET paper). Adding a single number or special character makes the criminals’ job even harder.
Harley says, “If you augment it with other techniques, you can increase the time it takes to crack it.”
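To put numbers on the size-versus-complexity argument, here is an added example (not code from the article or from ESET) that estimates the guess space of the habits discussed above: a single wordlist entry, the same word with digits and a symbol appended, a run-together phrase counted as three wordlist entries, and the same 15 letters counted as a brute-force search. The wordlist size, guess rate and suffix shapes are assumptions chosen for illustration. The code also picks the cheaper of the two models for the phrase, which is the overestimation Harley warns about: an attacker with a phrase dictionary never has to search all 26^15 strings.

```python
"""Guess-space estimates for the password habits discussed above.

Added example, not from the original article. Every attacker-model constant
below (wordlist size, guess rate, suffix shapes) is an assumption chosen for
illustration, not a figure from the article or from ESET.
"""
import math

# --- constructed assumptions -------------------------------------------------
WORDLIST_SIZE = 100_000          # entries in an attacker's wordlist (assumed)
GUESSES_PER_SECOND = 1e10        # offline attack on a fast unsalted hash (assumed)
LOWERCASE = 26                   # a-z
SYMBOLS = 32                     # printable ASCII punctuation characters


def brute_force_space(length: int, alphabet_size: int) -> int:
    """Guesses needed to try every string of `length` over `alphabet_size` symbols."""
    return alphabet_size ** length


def word_plus_suffix_space(words: int = WORDLIST_SIZE, max_digits: int = 2,
                           symbols: int = SYMBOLS) -> int:
    """Model of the 'word with a number and a symbol stuck on the end' habit:
    one wordlist entry, zero to `max_digits` trailing digits, optionally one
    trailing symbol. This is the shape that cracking mangling rules target."""
    digit_suffixes = sum(10 ** d for d in range(max_digits + 1))   # '', 0-9, 00-99
    return words * digit_suffixes * (symbols + 1)                  # +1: no symbol


def passphrase_space(word_count: int, words: int = WORDLIST_SIZE) -> int:
    """Guesses if the attacker models the password as `word_count` wordlist
    entries run together (Harley's point: a phrase dictionary makes the
    presence or absence of spaces irrelevant)."""
    return words ** word_count


def effective_space(char_length: int, alphabet_size: int, word_count: int) -> int:
    """An attacker uses the cheapest model that fits, so the effective guess
    space of a passphrase is the smaller of the brute-force and word models."""
    return min(brute_force_space(char_length, alphabet_size),
               passphrase_space(word_count))


def bits(guesses: int) -> float:
    """Guess space expressed as bits (log2 of the number of candidates)."""
    return math.log2(guesses)


def crack_time_seconds(guesses: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the whole space at `rate` guesses per second."""
    return guesses / rate


def compare() -> dict:
    """Strategies from the article, each sized the way an attacker would model it."""
    return {
        "single word":                 WORDLIST_SIZE,
        "word + digits + symbol":      word_plus_suffix_space(),
        "happinessisgood as 3 words":  passphrase_space(3),
        "happinessisgood brute force": brute_force_space(15, LOWERCASE),
        "happinessisgood effective":   effective_space(15, LOWERCASE, 3),
        "4 words + appended digit":    passphrase_space(4) * 10,
    }


if __name__ == "__main__":
    for name, space in compare().items():
        print(f"{name:30s} {bits(space):6.1f} bits  "
              f"{crack_time_seconds(space):>12.3e} s worst case")
```

Running it shows that sticking digits and a symbol on a word buys under 30 bits, while three run-together words sit near 50 bits: far below the 26^15 brute-force figure quoted above, but still far beyond the appended-suffix habit. At the assumed 10^10 guesses per second the first falls in a fraction of a second and the second takes about a day, which is the "buying you time" the introduction talks about.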
Don’t use words in the cybercriminals’ dictionary
Typically, cybercriminals will use a “dictionary attack” – so the key to making their lives difficult is to avoid anything in the “dictionary”. This will usually include any English word – or indeed any single word in other languages.
Don’t use any part of your own name
The programs criminals use will also look for parts of your name or username being reused in your password. It’s one of the first things a password cracker (human or automated) looks for when it comes to trying to guess a password.
Don’t use your home town
Whether or not cybercriminals already “know” details about you – from your Facebook page, say – place names are easily guessed. If you live in Springfield, for instance, Springfield is definitely not a good password choice. The word lists used in dictionary attacks are likely to contain common place names.
Don’t use TV “likes” and “dislikes”
Dictionary attacks will usually include song titles, the names of books, cartoon characters and so on – no matter how unique you think your tastes are. Particularly not recommended are geeky references such as “Superman” or “Gandalf”, which regularly crop up in lists of the most over-used passwords of all time.
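The four “don’t use” rules above (dictionary words, your name or username, your home town, pop-culture names) are exactly what a registration form can enforce on the server before a weak password is ever stored. As an added example (not the article’s or ESET’s code), the following checker rejects a candidate that is a wordlist entry once digits and symbols are stripped or common letter-for-digit substitutions are reversed, or that contains the username, a part of the user’s name, the home town or the name of the service itself. The wordlist, the substitution table, the 12-character minimum and the sample account details are constructed for illustration; a real deployment would load a large breached-password and dictionary list in place of the small set shown.

```python
"""Server-side checks for the 'don't use' rules above.

Added example, not code from the article or from ESET. The wordlist, the
substitution table, the 12-character minimum and the account details are
constructed for illustration; a deployment would load a real breached-password
and dictionary list in place of WORDLIST.
"""
import re

# Constructed stand-in for an attacker's wordlist: common words, place names and
# the pop-culture names the article says recur in over-used password lists.
WORDLIST = {
    "dragon", "password", "happiness", "springfield", "superman", "gandalf",
    "letmein", "monkey", "football", "qwerty",
}

# Substitutions that cracking mangling rules undo ('Dr4g0n' -> 'dragon');
# the checker undoes them too before consulting the wordlist.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # assumed policy for this example


def letter_cores(password: str) -> set[str]:
    """The password reduced to letters only, both as typed and with leet
    substitutions reversed, so 'dragon123' and 'Dr4g0n!' both yield 'dragon'."""
    lowered = password.lower()
    plain = re.sub(r"[^a-z]", "", lowered)
    unleeted = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    return {plain, unleeted}


def context_tokens(*fields: str) -> set[str]:
    """Lower-case word parts (3+ letters) of the account details: username,
    full name, home town and the name of the service itself."""
    tokens = set()
    for field in fields:
        tokens.update(p for p in re.split(r"[^a-z]+", field.lower()) if len(p) >= 3)
    return tokens


def check_password(password: str, username: str, full_name: str,
                   home_town: str, service_name: str) -> list[str]:
    """Return the policy violations for a candidate; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    cores = letter_cores(password)
    hits = sorted(cores & WORDLIST)
    if hits:
        problems.append(f"is the dictionary word {hits[0]!r} with digits/symbols added")
    for token in sorted(context_tokens(username, full_name, home_town, service_name)):
        if any(token in core for core in cores):
            problems.append(f"contains personal or site detail {token!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample account; the candidates are the article's own examples.
    account = dict(username="jsmith", full_name="John Smith",
                   home_town="Springfield", service_name="ExampleBank")
    for candidate in ("Dr4g0n!", "Springfield2024!", "dragonistired",
                      "Roverloves 2 run", "On 4/17/60 I enteredthe world"):
        print(f"{candidate!r}: {check_password(candidate, **account) or 'accepted'}")
```

Note what the check deliberately does not do: it flags “dragon123” and “Dr4g0n!” because their letter core is a wordlist entry, but it accepts “dragonistired”, “Roverloves 2 run” and the birthday sentence, matching the article’s advice that several elements run together are a different proposition from a single word with decoration.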
Mixing things up
Mixing up numbers and sentences can make for secure passwords – even if you “break the rules” and use personal details. While we’ve tried to discourage the use of easily remembered (but easily guessed) words or character strings, like your dog’s name or your birthday, you can still use these safely if you are smart about it. “Roverloves 2 run” is a fine password. “On 4/17/60 I enteredthe world” is a very strong password that contains somebody’s birthday!
Use personal details – fake ones
“It’s even better to use false personal details, as long as you’re consistent about it,” says Harley. “There are those who advocate using false details on social media sites, where possible and appropriate (and legal) and it’s a related issue: where the risk is from someone who has enough information about you to target you specifically, it’s likely that he’s using social media to gather it. However, if you use the same false data for social media and for password mnemonics, then it doesn’t matter to the crim that it’s false: it’s still all too useful to him.”