The protection of data is key to the internet. Here at Freshleaf we have put a great deal of time into making our password protected areas as secure as possible using the most up-to-date and trusted techniques. However we can only do so much… in the end it’s all down to the quality of a user’s password that determines the security of their information.
I’ll try and avoid getting stuck into the really technical side of password security here. What I will do however is share some quick tips on how to improve your password security…
Over the years in a bid to get their users to make better passwords, many sites have forced you to create a password with at least one capital letter, special character and/or number. This is done in an attempt to make computers take a lot longer to guess your password. Having capital letters doubles the number of possible combinations of letters, and adding numbers and special characters increases the number of possibilities further. However not all passwords are not easy to remember, as humourously illustrated by this xkcd.com illustration:
Top Tip #1: don’t use “correcthorsebatterystaple” as your password.
Almost everyone who has read that comic now has that password stuck firmly in their heads.
xkcd shows that there’s also a lot of maths you can do to calculate the ‘entropy’ of your current password which I may cover in another post later on. There are also plenty of fun online tools that can tell you how many hours/days/months/years it may take a computer to figure your password out.
Top Tip #2: Try not use a password that you have typed into a password security calculator or any other password generation site.
Any of those sites could just be there to collect passwords, and all it takes is one of them and your password is compromised.
So how do we make a password that is both secure, and memorable?
As the comic suggests, a long password can be more secure than a short password with numbers and characters stuck in-between and also more memorable. One definite is that a longer password is a more secure password, and multiple word passwords are better than single word. So really we are now making passphrases instead of passwords.
Unfortunately from here on some of the suggestions I have are not always possible, as some websites force you to put numbers and special characters in. Some also limit the max length of your password to something small like 10.
Top Tip #3: Sites that specify the length of your password are less secure.
This is because if a hacker knows that passwords can only be between 6-8 characters for example, it instantly reduces the number of possibilities (entropy) their program will need to attempt.
With that in mind, providing you’re not forced to build your password in a specific way, heres are some examples of ways you can make a memorable password.
These are only examples, I am not suggesting you use any of the ideas below as your password security is your responsibility not mine. However they might give you some ideas.
A common one is to add numbers or dates, but this is getting a little too common
Add 10 dots to the end of all your passwords:
Put brackets around your password:
A common misconception is that a computer guessing passwords can guess part of a password. Unless there is a particuarly sophisticated method I am unaware of, this isn’t true. Each attempt at guessing a password is validated on the entire password. Websites don’t come back and tell you that part of your password is correct, or tell you that the last two characters are wrong like a slot machine. So even if your password was joebloggsapple and the guess was joebloggspear, the computer would have no idea that it was close to getting it correct.
So now you have a password that is hopefully easier to remember and yet secure. Or is it?
Regardless of how much entropy your password has and how many years it may take a computer to guess, your use of the password is just as important if not more so. A password that has 100 bits of entropy can be less secure than a password with 8 bits of entropy if poorly managed.
There are people on the web who make money from collecting username/email and password combinations and sell them on. All it takes is those details to be recorded somewhere once by someone untrustworthy and that’s it, you’re on a list. Once your details are on a list, someone can buy your password and hack your account.
There’s not always a lot you can do about this. Looking for certificated sites or secure connections to sites can help stop your password being intercepted in data transfer which is key to online banking for example. But even if the site you are signing up to has those, how can you really be sure? The answer is you can’t, not completely. You could be signing up to, as in the recent case with LinkedIn, a site that was used by millions that hadn’t secured their passwords enough and all those passwords were leaked on a list.
This is particuarly a common occurance on old sites that have been long forgotten about, like that image uploader that you used once and haven’t been back to since. If you used your usual password on that and the same on your Paypal, then you could be at risk.
If you assume that one day your password will be compromised, this will allow you to take steps to limit the damage.
Top Tip #4: Never use the same password for different sites.
But nobody wants to remember hundreds of different passwords. We all know this is a bad idea but how many of us actually use a separate password for each site?
Heres some tips on how you can use the same password, but make it different for each site: (again, these are just tom spark ideas, don’t necessarily use these)
Add the name of the site into your passwords
Now an argument against this is that a real person looking at your password could look at it and work out what you were doing here but a computer wouldn’t. Using a site’s name isn’t particularly clever, so heres another example:
Add the main colour of the site into your passwords
Example1 (last fm): joebloggslovesthecolourred
Example2 (facebook): joebloggslovesthecolourdarkblue
Example3 (twitter): joebloggslovesthecolourskyblue
If you were to tell someone the pattern you use, they would still need the common bit (e.g. joebloggslovesthecolour) of your password to know the full password.
There’s lots you can do so have fun and make your own pattern.
Top Tip #5: Ultimately, the best way to be secure is to use long passwords, but also be original or atleast be different
invent your own method, that way you are not remembering passwords, just a pattern.
I hope this has helped give some ideas on how to make creating passwords and remembering them on the internet less of a headache.