The new app everyone’s been talking about is released. You download it, fill in the sign-up form and you’re almost set! Then you’re asked to set a password for your new account. What do you do?
Coming up with something completely random, then remembering it, can be very difficult. Yet many applications rely on this system in order to keep users and their data safe from the rest of the world. Let’s have a look at some strategies for giving your online accounts their best chance of remaining secure.
What makes a password secure?
In order to make a password more secure, you need to make it impossible for someone to guess, difficult for a computer to crack and only used once (so if it does get into the wrong hands, all your other accounts are safe). Two popular strategies I see quite often are to either use a combination of random words to compose a passphrase, or to use an easy to remember phrase and boil it down into a seemingly random string of letters, numbers, and characters.
Both of these methods aim to increase the password’s entropy, which, without getting too technical, is a popular way to measure how unpredictable a password is. It is worked out from how many possible combinations there could be, given the password’s length and the characters available. For example, an ATM PIN is usually 4 digits long and only contains the digits 0 – 9, so there are 10,000 possible combinations a PIN could be (or about 13.3 bits of entropy). Although a PIN can be quite difficult for a person to guess (assuming it is a truly random number), a computer would crack it in less than 10 seconds, assuming it could check 1,000 combinations a second.
So, what about passwords? How can you give them as much entropy as possible, and at the same time, keep them safe in your head?
Techniques for coming up with a strong, memorable password:
1) Combine four or more random and unrelated words
There’s a famous (in the techie world!) comic (http://xkcd.com/936/) which is often cited when people talk about this method. Rather than taking a single word and replacing letters with similar-looking numbers and characters (! for l, or 3 for e, etc.), you take several words in sequence and make that your password.
For example, think of four completely unrelated words: ‘purple’, ‘fish’, ‘helicopter’, ‘okay’. If you put these words in a sequence – with or without spaces – this will make a pretty strong password, which is almost impossible to guess and very difficult for a computer to crack. It’s also incredibly easy to remember; just visualise a purple fish walking up to a helicopter and saying “Okay”. And voilà, you have remembered a strong password:
This is a pretty good method, although Bruce Schneier, a renowned security technologist, says that hackers are already on to this [https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html], so it may be better to move on to a method he recommends:
2) Turn a phrase into a random set of characters
Take a phrase – something personal to you, that you’ll remember – and then take the first letter of each word and put them in sequence. For example, let’s take the phrase “William Wordsworth said I wandered lonely as a cloud”. This would then become “wwsiwlaac”. Next, let’s pad it out a bit. Since clouds are up in the sky, we can put a ^ at the end, as it points up. Also, let’s put the letter for the word ‘lonely’ on its own with a space either side – as it’s lonely. Finally, let’s keep the WW at the beginning as capitals, as they’re initials. Now we have:
WWsiw l aac^
Using this technique, we’ve created a seemingly random set of characters, which should have some meaning to you and stick in your memory. In order to remember them, you simply remember the phrase, and go through the story you used to come up with the password. You’ll be surprised how well it works.
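The entropy arithmetic from the PIN example above, generalised to any secret built by picking a fixed number of items from an alphabet (digits for a PIN, whole words for method 1), plus the character-class estimate a typical strength meter would give method 2’s result. This is an added example, not code from the original post; the 7,776-entry word list size is an assumption (the size of a common Diceware-style list).

```python
import math

def combinations(alphabet_size: int, length: int) -> int:
    """Equally likely secrets when each of `length` positions is an
    independent, uniform pick from `alphabet_size` choices."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits is log2 of the number of possible combinations."""
    return math.log2(combinations(alphabet_size, length))

def worst_case_crack_seconds(alphabet_size: int, length: int, guesses_per_second: int) -> float:
    """Time to try every combination at a fixed guessing rate; an attacker
    needs about half this on average."""
    return combinations(alphabet_size, length) / guesses_per_second

def pin_strength(digits: int = 4, guesses_per_second: int = 1_000) -> dict:
    # The post's ATM PIN: each of 4 positions is one of the digits 0-9.
    return {"bits": round(entropy_bits(10, digits), 1),
            "worst_case_seconds": worst_case_crack_seconds(10, digits, guesses_per_second)}

def passphrase_strength(words: int = 4, wordlist_size: int = 7776,
                        guesses_per_second: int = 1_000) -> dict:
    # Method 1: the "alphabet" is the whole word list, so strength comes from
    # the list size and word count, not from the letters inside each word.
    # 7776 entries is an assumed list size (a common Diceware-style list).
    seconds = worst_case_crack_seconds(wordlist_size, words, guesses_per_second)
    return {"bits": round(entropy_bits(wordlist_size, words), 1),
            "worst_case_years": round(seconds / (365.25 * 24 * 3600))}

def naive_charset_bits(password: str) -> float:
    """What a typical strength meter reports: every character treated as a
    uniform pick from the character classes present. For a string derived
    from a memorable phrase (method 2) this overstates the real entropy,
    because the phrase, not the alphabet, is what has to be guessed."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33  # space + ASCII punctuation
    return entropy_bits(size, len(password))

if __name__ == "__main__":
    print("4-digit PIN:", pin_strength())
    print("4 random words:", passphrase_strength())
    print("'WWsiw l aac^' by character classes:", round(naive_charset_bits("WWsiw l aac^"), 1))
```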
Obviously, don’t use either of these two passwords mentioned above, as we’ve just written about them – come up with your own, and be creative about the way you replace some of the letters with other characters. Here are some other ideas:
- Replace the word “money” with a £ or $ instead
- If your phrase has something to do with food, add a capital ‘B’ at the end, as the character looks a bit like it has a belly
- If it’s something happy, put a round bracket ‘)’ somewhere, as the smile part of a smiley emoticon
Again, these are just to give you ideas of how to come up with ways of replacing characters in your password. The point is we’re trying to create a story and give some meaning to the combination of characters which will help you remember them later.
3) Use a password card
If this still seems like a lot of work, another approach is to use a password card, such as the one at http://www.passwordcard.org/en. This isn’t going to be quite as secure as not having your password written down at all, but it’s still better than using a weak password.
A PasswordCard is a credit card-sized card you keep in your wallet, which lets you pick very secure passwords for all your websites, without having to remember them! You just keep them with you, and even if your wallet does get stolen, the thief will still not know your actual passwords.
When you visit the website, a new, unique card is generated (so no two people have the same card). Then, all you do is print the card out and remember the starting point and direction of your password; you can then trace along and use the sequence of characters as a password. It’s not going to be as good as not having your password in printed form, but it’s far, far better than having a weak password.
To find out more, and download a free password card, visit http://www.passwordcard.org/en
Some other password tips:
Use a password manager
Even using the above methods, it can be difficult to remember a large number of passwords – after all, you really need each and every password you use online to be different. This is where a password manager comes in handy.
A password manager is an application that is installed on your Mac/PC and smartphone, and stores all of your passwords securely in an encrypted file, which can only be unlocked with a master password. This way, even if your device is lost or stolen, your passwords are still safe (as long as you have a strong master password!). A few popular password managers are 1Password (https://1password.com/), LastPass (https://lastpass.com), and KeePass (http://keepass.info/).
Enable two-factor authentication
Many online services, including Gmail, Facebook, Apple, and PayPal, offer two-factor authentication as an option. This is where you log in with your password as normal, then a unique code is sent to your smartphone by SMS or notification, which you have to enter to confirm you are the person the account belongs to. This way, even if your password gets into the wrong hands, someone trying to log in would also need to physically have your phone with them in order to complete the login. It’s worth enabling this on your email and any accounts containing sensitive information, just as an added layer of security.
Log in via services such as Google and Facebook
Many apps and websites offer the ability to sign up and log in via other accounts such as Facebook, Google, and LinkedIn. This speeds up the sign-up process, as some of your information, such as name, email address, and profile photo, can be pulled across. You don’t usually have to enter a password when you log in this way, as a unique token is exchanged between the app and (say) Facebook, which is then used to log you in. Once you’ve logged in to Facebook, you’ll then be able to log in to any other account which has been created via this method. This is a very secure way of logging in, and has the added benefit of you not having to create another password.
You do, however, need to watch what access you’re giving the app to your Facebook account. Some apps may simply ask for your basic Facebook profile information, such as name, profile photo, and email address, whereas others will ask for permission to post to Facebook as you. If this is what you want – great! But do keep an eye out, and make sure you’re only signing up to services that you trust and only giving them access to information they truly require.
So, just to recap:
- Don’t use weak passwords, such as short words, or any words or names which have some relevance to you
- Try to make your password as long and as complex as possible (using the above techniques to remember them)
- Only use each password once
- If you have to keep lots of passwords, consider using a password manager
- Enable two-factor authentication on accounts containing sensitive information, such as email
- To quickly sign up to an account in a secure way, use the ‘Log in with…’ Facebook, Google, LinkedIn, etc. buttons, but only do this with services you trust and make sure you only give them the minimum privileges to your account
Lucidica provides London-based IT support for businesses