
4 Tips for Creating Secure Passwords

Posted on August 3rd, 2012 by

In a previous article, I outlined four types of passwords you shouldn’t create unless you want your account hacked. Given how valuable your passwords are, it’s important that they be secure, yet not too hard to remember. Not only do passwords protect your Facebook information, your personal blog and your e-mail account, but also many accounts linked to your credit card, such as your Amazon, eBay and PayPal accounts.

Here are four tips showing how you can create secure passwords:

Tip #1: Size Matters

With passwords, bigger is better. A 4-character password can be cracked using “brute force” techniques – where a computer simply tries every possible combination of characters – fairly quickly. A 6-character password will take much longer; 8 characters even longer. If you want to be really secure, go for 12 characters or longer.

Tip #2: Variety is the Spice of Life

There are four types of characters you can use in passwords:

  1. lower-case letters (a, b, c)
  2. upper-case letters (A, B, C)
  3. digits (1, 2, 3)
  4. “special characters,” which include punctuation (. ; !) and other characters (# * &)

There are 26 lower-case letters, 26 upper-case letters, 10 digits and, depending on the web site, as many as a couple of dozen special characters (some sites won’t let you use certain characters). If you create a password with 6 digits, there are a million possibilities. If you use, however, six lower-case letters, the number jumps to over 300 million. And if you use a combination of upper- and lower-case letters, you get 2 billion different combinations. Add in special characters and the number of possibilities is in the hundreds of billions.

Combine this with tip #1 and use a longer password, and see these numbers expand faster than the universe during the Big Bang. If you only use letters and digits, an 8-character password can have as many as 200 trillion possibilities. Move to 12-character passwords and the number is so big I don’t even know how to define it (it’s 10^23, plus a bit).
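To put Tips #1 and #2 into numbers, here is an added Python example (written for this page, not part of the original article) that computes the keyspace for a given alphabet size and length and the average time an exhaustive search would need at an assumed guess rate. The 32-character special set and the 1e9 guesses/second rate are assumptions chosen for illustration, not measured figures.

```python
import math

# Character-class sizes from Tip #2: 26 lower, 26 upper, 10 digits and
# (as an assumption for this example) 32 special characters.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn
    from an alphabet of `charset_size` symbols (what brute force must cover)."""
    return charset_size ** length


def average_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit the right password: on average an exhaustive
    search finds it after trying half of the keyspace."""
    return space / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit (assumes 365.25-day years)."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def strength_table(rate: float = 1e9):
    """Reproduce the article's scenarios at an assumed guess rate of `rate`
    guesses/second (1e9/s is an illustrative figure for an offline attack
    against a fast hash, not a measured value). Returns (label, space, seconds)."""
    scenarios = [
        ("6 digits", ["digit"], 6),
        ("6 lower-case letters", ["lower"], 6),
        ("6 mixed-case letters", ["lower", "upper"], 6),
        ("6 chars, all four classes", list(CLASS_SIZES), 6),
        ("8 letters and digits", ["lower", "upper", "digit"], 8),
        ("12 letters and digits", ["lower", "upper", "digit"], 12),
    ]
    rows = []
    for label, classes, length in scenarios:
        alphabet = sum(CLASS_SIZES[c] for c in classes)
        space = keyspace(alphabet, length)
        rows.append((label, space, average_crack_seconds(space, rate)))
    return rows


if __name__ == "__main__":
    for label, space, secs in strength_table():
        print(f"{label:28} {space:>28,}  ~{human_duration(secs)}")
```

The table makes the article's point visible: each extra character multiplies the keyspace by the alphabet size, so length beats class variety once the alphabet is already mixed. The time column only describes brute force against the whole space; a guessing attack that starts from words and phrases tied to the user does not have to search it.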

Tip #3: Create Unique Passwords

Here’s an easy way to create unique, memorable passwords that are impossible to crack. (Well, the NSA might be able to do it…) You should set a password like this for the user account on your Mac, because if anyone can get into your account, they can access a lot of your files and personal information.

To start with, you want something memorable. As an example, let’s say you’re a fan of the Game of Thrones TV series. You could create a password like this:

gameofthrones

That’s 13 characters, so it’s fairly long, but it’s all lower-case letters. Let’s throw in a couple of upper-case letters to make it more complex, but not in the expected locations, such as the “g” or “t”:

gAmeoftHroneS

That’s a bit better. But now, let’s spice it up with a couple of digits. These have to still be easy to remember, right? How about this:

gAm3oftHr0neS

And the addition of even one special character makes this much, much harder to crack:

gAm3oftHr0n&S

This isn’t too hard to remember, but it could be a bit easier. So let’s just use one capital letter, one digit, and one special character; that’s more than enough to make it unbreakable:

gAm3ofthron&s

You now have a password that is secure. According to the site HowSecureIsMyPassword.net, it would take about 423 million years for a desktop computer to crack this password.
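To see what the recipe above actually buys, here is an added Python example (mine, not the article's) that reproduces each step as a deterministic transformation of the base phrase and then counts every password the final recipe (one capital, one digit substitution, one special character) can produce from a known base. The substitution tables (e→3 and o→0 and e→& from the walkthrough, plus a few other common look-alikes) and the 94-character printable alphabet are assumptions of the example.

```python
import math

# Look-alike substitutions used in the walkthrough (e->3, o->0, e->&) plus a
# few other common ones; the exact tables are an assumption of this example.
DIGIT_SUBS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SPECIAL_SUBS = {"a": "@", "e": "&", "s": "$"}
ALPHABET = 26 + 26 + 10 + 32  # assumed printable alphabet for the naive estimate


def transform(base, upper=(), digits=(), specials=()):
    """Apply the article's recipe to `base`: capitalise the letters at
    `upper`, swap the letters at `digits` for look-alike digits and the
    letters at `specials` for look-alike symbols. Positions must be distinct."""
    chars = list(base)
    for i in upper:
        chars[i] = chars[i].upper()
    for i in digits:
        chars[i] = DIGIT_SUBS[base[i]]
    for i in specials:
        chars[i] = SPECIAL_SUBS[base[i]]
    return "".join(chars)


def recipe_variants(base):
    """Every password the final recipe can yield from `base`: exactly one
    capital, one digit substitution and one special-character substitution,
    at three different positions."""
    n = len(base)
    out = set()
    for u in range(n):
        for d in range(n):
            if d == u or base[d] not in DIGIT_SUBS:
                continue
            for s in range(n):
                if s in (u, d) or base[s] not in SPECIAL_SUBS:
                    continue
                out.add(transform(base, (u,), (d,), (s,)))
    return out


def naive_bits(password):
    """Entropy an attacker would face if the password were a uniformly random
    string of the same length over the full printable alphabet."""
    return len(password) * math.log2(ALPHABET)


def recipe_bits(base):
    """Entropy left once the attacker knows the base phrase and the recipe:
    only the choice among the recipe's variants remains."""
    return math.log2(len(recipe_variants(base)))


if __name__ == "__main__":
    base = "gameofthrones"
    # Reproduce the article's candidates step by step (positions are 0-based).
    steps = [
        transform(base, upper=(1, 7, 12)),                                  # gAmeoftHroneS
        transform(base, upper=(1, 7, 12), digits=(3, 9)),                   # gAm3oftHr0neS
        transform(base, upper=(1, 7, 12), digits=(3, 9), specials=(11,)),   # gAm3oftHr0n&S
        transform(base, upper=(1,), digits=(3,), specials=(11,)),           # gAm3ofthron&s
    ]
    for s in steps:
        print(s)
    print(f"variants from a known base: {len(recipe_variants(base))}")
    print(f"naive: {naive_bits(base):.1f} bits; with base known: {recipe_bits(base):.1f} bits")
```

The contrast is the useful part: treated as a random 13-character string, gAm3ofthron&s looks like roughly 85 bits, which is where the "423 million years" figure comes from; but an attacker who starts from the phrase and applies the same recipe has only a couple of hundred candidates (under 8 bits) to try. The recipe still helps against an attacker who does not know the base phrase, which is why the base should not be something publicly associated with you.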

Tip #4: Use Your Keychain to Store Passwords, or Use a Password Manager

While you have a really secure password, you still don’t want to use it on all your web sites. You can use Mac OS X’s keychain to store passwords – this is what “remembers” passwords when you enter them in Safari, along with the passwords you use for Mail and other programs. You can also use one of many programs that store passwords, but make sure that the master password you use for this software is as strong as the example above.

Do you have any other tips for creating secure passwords?

  • John Emry

    Could you review independent password managers? 

    • http://www.intego.com Intego

      We can look into it, John–thanks for the suggestion!

  • JeffQuackenbush

    I use eWallet on the desktop and phone app for storing and generating passwords. It has iOS and Android app versions. The phone app currently is much better, because it gives the option of generating passwords using various scrambling methods mentioned above. Having a bunch of unique, 20-character passwords is easy that way.
    It’s good to regularly back up your phone (encrypted backup, of course) then back up that backup. I also export from eWallet desktop to a text file in a FileGuard safe and in a 256-bit encrypted SITX file stored on a secure cloud storage service.

  • will parker

    I sometimes use the following formula to create passwords:
    take a name and date, for example John Smith 10/12/1970, and write it down like this:
    JohnSmith10121970, then use every other character and add a symbol at the beginning and end. This would give you the password
    &JhSih0290&
    Some people may find this a little complicated, but I find it easy to remember :-)

  • http://twitter.com/wesmason Wes Mason
  • http://www.facebook.com/daboulet Daniel Boulet

    Be a bit careful with trusting what sites like HowSecureIsMyPassword.net say about the security of your password. If someone knows that you are a Game of Thrones fan then gAm3ofthron&s is suddenly crackable in far less than 423 million years (the situation is made worse by the use of 3 to replace the letter ‘e’, a pretty common technique). That is not to say that gAm3ofthron&s is not a good password – it is probably easily good enough for practically anyone including Game of Thrones fans (of course, it is now a worse choice than it used to be now that this site has suggested it). My real point is that sites like HowSecureIsMyPassword.net cannot possibly know your street name, your favourite computer game, your native language, your first pet’s name or all sorts of other things which, if used as a basis for your password, make that password less secure than if you had started with something that is not associated with you.

    • LysaMyers

      Thank you Daniel, this is a good point!
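Daniel's caveat in the thread above can be turned into a check that a password policy or an audit script would run before accepting a password. The Python below is an added example, not part of the article or of any comment: it undoes the common look-alike substitutions (a symbol may stand for more than one letter, so every combination is tried) and tests whether the result is a phrase tied to the user. The REVERSE_SUBS table and the tiny KNOWN_PHRASES set are constructed assumptions standing in for a real list of the user's names, shows, pets and other public facts.

```python
from itertools import product

# Inverse of the common look-alike substitutions; a symbol can stand for
# more than one letter, so each entry is a string of candidate letters.
# The table is an assumption of this example.
REVERSE_SUBS = {"3": "e", "0": "o", "4": "a", "1": "il", "5": "s", "7": "t",
                "@": "a", "&": "e", "$": "s", "!": "i"}

# Constructed stand-in for the list a real check would use: names, shows,
# pets, teams and other facts associated with the account holder.
KNOWN_PHRASES = {"gameofthrones", "winteriscoming", "johnsmith", "fluffy"}


def normalize_candidates(password):
    """All plain-letter phrases that `password` could have been built from by
    capitalising letters and swapping in look-alike digits or symbols."""
    options = []
    for ch in password:
        if ch in REVERSE_SUBS:
            options.append(tuple(REVERSE_SUBS[ch]))
        else:
            options.append((ch.lower(),))
    return {"".join(combo) for combo in product(*options)}


def is_known_phrase(password, phrases=KNOWN_PHRASES):
    """True when some de-substituted form of `password` is a known phrase,
    i.e. a dictionary-plus-rules guess would reach it without brute force."""
    return any(c in phrases for c in normalize_candidates(password))


def assess(password, phrases=KNOWN_PHRASES):
    """Report which known phrases the password reduces to, for a policy
    message such as 'this password is based on a phrase linked to you'."""
    return {"password": password,
            "reduces_to": sorted(normalize_candidates(password) & phrases),
            "known": is_known_phrase(password, phrases)}


if __name__ == "__main__":
    # Constructed inputs: the article's example, a leet-ified slogan from the
    # same show, and a string with no phrase behind it.
    for pw in ["gAm3ofthron&s", "W1nter!sC0m1ng", "Xq7#pLw2vR9!"]:
        print(assess(pw))
```

Because the check normalises before comparing, capitalisation and digit or symbol swaps do not hide the base phrase, which is exactly why those tweaks add little against a guesser who knows the phrase. A production check would draw its phrase list from breach corpora and from profile data the service already holds, and would reject or warn rather than merely report.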
