
4 Tips for Creating Secure Passwords

Posted on August 3rd, 2012 by

In a previous article, I outlined four types of passwords you shouldn’t create unless you want your account hacked. Given how valuable your passwords are, it’s important that they be secure, yet not too hard to remember. Not only do passwords protect your Facebook information, your personal blog and your e-mail account, but also many accounts linked to your credit card, such as your Amazon, eBay and PayPal accounts.

Here are four tips showing how you can create secure passwords:

Tip #1: Size Matters

With passwords, bigger is better. A 4-character password can be cracked using "brute force" techniques - where a computer simply tries every possible combination of characters - fairly quickly. A 6-character password will take much longer; 8 characters even longer. If you want to be really secure, go for 12 characters or longer.

Tip #2: Variety is the Spice of Life

There are four types of characters you can use in passwords:

  1. lower-case letters (a, b, c)
  2. upper-case letters (A, B, C)
  3. digits (1, 2, 3)
  4. "special characters," which include punctuation (. ; !) and other characters (# * &)

There are 26 lower-case letters, 26 upper-case letters, 10 digits and, depending on the web site, as many as a couple of dozen special characters (some sites won't let you use certain characters). If you create a password with 6 digits, there are a million possibilities. If you use, however, six lower-case letters, the number jumps to over 300 million. And if you use a combination of upper- and lower-case letters, you get 2 billion different combinations. Add in special characters and the number of possibilities is in the hundreds of billions.

Combine this with tip #1 and use a longer password, and see these numbers expand faster than the universe during the Big Bang. If you only use letters and digits, an 8-character password can have as many as 200 trillion possibilities. Move to 12-character passwords and the number is so big I don't even know how to define it (it's 10^23, plus a bit).
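The keyspace arithmetic behind Tips #1 and #2, as an added example that is not part of the original article: it uses the article's character-class counts and reports the worst-case time to exhaust each keyspace. The special-character count and the guess rate are assumptions; real guessing rates depend entirely on the hashing scheme and hardware, so read the times as relative, not absolute.

```python
# Added example: keyspace sizes and worst-case exhaustion times for the
# character classes and lengths the article discusses.
LOWER, UPPER, DIGITS = 26, 26, 10
SPECIAL = 20                 # assumed: "a couple of dozen", varies by site
GUESSES_PER_SECOND = 10**9   # assumed round figure for a fast offline guesser

def keyspace(length: int, alphabet_size: int) -> int:
    """Distinct passwords of exactly `length` symbols from `alphabet_size` symbols."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need length >= 1 and alphabet_size >= 2")
    return alphabet_size ** length

def worst_case_seconds(length: int, alphabet_size: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds to try every password in the keyspace at `rate` guesses/second."""
    return keyspace(length, alphabet_size) / rate

def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 24 * 3600), ("days", 24 * 3600),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"

def strength_table(lengths=(6, 8, 12)):
    """Rows of (length, alphabet name, keyspace, worst-case time)."""
    alphabets = {
        "digits": DIGITS,
        "lower": LOWER,
        "lower+upper": LOWER + UPPER,
        "letters+digits": LOWER + UPPER + DIGITS,
        "all four classes": LOWER + UPPER + DIGITS + SPECIAL,
    }
    return [(n, name, keyspace(n, size), human_time(worst_case_seconds(n, size)))
            for n in lengths for name, size in alphabets.items()]

if __name__ == "__main__":
    for n, name, space, t in strength_table():
        print(f"{n:>2} chars, {name:<17} {space:>28,}  {t}")
```

The table reproduces the article's figures (a million for six digits, over 300 million for six lower-case letters, about 218 trillion for eight letters and digits) and shows how length dominates: each extra character multiplies the keyspace by the alphabet size.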

Tip #3: Create Unique Passwords

Here’s an easy way to create unique, memorable passwords that are impossible to crack. (Well, the NSA might be able to do it...) You should set a password like this for the user account on your Mac, because if anyone can get into your account, they can access a lot of your files and personal information.

To start with, you want something memorable. As an example, let's say you're a fan of the Game of Thrones TV series. You could create a password like this:

gameofthrones

That's 13 characters, so it's fairly long, but it's all lower-case letters. Let's throw in a couple of upper-case letters to make it more complex, but not in the expected locations, such as the "g" or "t":

gAmeoftHroneS

That's a bit better. But now, let's spice it up with a couple of digits. These have to still be easy to remember, right? How about this:

gAm3oftHr0neS

And the addition of even one special character makes this much, much harder to crack:

gAm3oftHr0n&S

This isn't too hard to remember, but it could be a bit easier. So let's just use one capital letter, one digit, and one special character; that's more than enough to make it unbreakable:

gAm3ofthron&s

You now have a password that is secure. According to the site HowSecureIsMyPassword.net, it would take about 423 million years for a desktop computer to crack this password.
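Tip #3 builds the password by dressing up a memorable phrase with case changes, digit swaps and a symbol. The following added example, not from the article or its commenters, measures how much of the brute-force keyspace that procedure actually uses once the base phrase is guessable, and shows a policy check that catches such dressed-up phrases. The substitution table is an assumption modelled on common swaps (the article's own examples use 3 for e and 0 for o), and the 82-symbol alphabet for the brute-force comparison is assumed.

```python
import math

# Assumed table of common letter-for-symbol swaps; extend it with whatever
# a password policy must catch (the article's examples use 3->e and 0->o).
SUBS = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5"}
REVERSE = {sym: letter for letter, syms in SUBS.items() for sym in syms}

def variant_count(phrase: str) -> int:
    """Passwords reachable from `phrase` when each letter may stay as-is,
    be upper-cased, or be replaced by one of its listed substitutes."""
    total = 1
    for ch in phrase:
        if ch.isalpha():
            total *= 2 + len(SUBS.get(ch.lower(), ""))
    return total

def bits(n: int) -> float:
    """Search-space size expressed in bits."""
    return math.log2(n)

def normalize(candidate: str) -> str:
    """Undo case changes and table substitutions to recover the base phrase."""
    return "".join(REVERSE.get(c, c.lower()) for c in candidate)

def is_mangling_of(candidate: str, phrase: str) -> bool:
    """Policy check: is `candidate` just a dressed-up form of a known phrase?"""
    return normalize(candidate) == phrase.lower()

def compare(phrase: str, alphabet_size: int = 82) -> dict:
    """Bits of search space when the base phrase is known vs. when every
    password of that length must be tried (82 = 26+26+10+20, assumed)."""
    variants = variant_count(phrase)
    return {
        "variants": variants,
        "variant_bits": round(bits(variants), 1),
        "brute_force_bits": round(bits(alphabet_size ** len(phrase)), 1),
    }

if __name__ == "__main__":
    print(compare("gameofthrones"))                       # ~17 bits vs ~83 bits
    print(is_mangling_of("gAm3oftHr0neS", "gameofthrones"))  # True
```

For "gameofthrones" the mangling procedure yields about 166,000 variants, roughly 17 bits, against the 83 or so bits a 13-character brute-force search would need; the check only recognises swaps listed in the table, so a symbol it does not know (the "&" in the article's final password) slips past until the table is extended.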

Tip #4: Use Your Keychain to Store Passwords, or Use a Password Manager

While you have a really secure password, you still don't want to use it on all your web sites. You can use Mac OS X's keychain to store passwords - this is what "remembers" passwords when you enter them in Safari, along with the passwords you use for Mail and other programs. You can also use one of many programs that store passwords, but make sure that the master password you use for this software is as strong as the example above.

Do you have any other tips for creating secure passwords?

  • John Emry

    Could you review independent password managers? 

    • http://www.intego.com Intego

      We can look into it, John–thanks for the suggestion!

  • JeffQuackenbush

    I use eWallet on the desktop and phone app for storing and generating passwords. It has iOS and Android app versions. The phone app currently is much better, because it gives the option of generating passwords using various scrambling methods mentioned above. Having a bunch of unique, 20-character passwords is easy that way.
    It’s good to regularly back up your phone (encrypted backup, of course) then back up that backup. I also export from eWallet desktop to a text file in a FileGuard safe and in a 256-bit encrypted SITX file stored on a secure cloud storage service.

  • will parker

    I sometimes use the following formula to create passwords
    take a name and date, for example John Smith 10/12/1970 and write it down like this
    JohnSmith10121970 then use every other character and add a symbol at the beginning and end, this would give you the password
    &JhSih0290&
    Some people may find this a little complicated but I find it easy to remember 🙂

  • http://twitter.com/wesmason Wes Mason
  • http://www.facebook.com/daboulet Daniel Boulet

    Be a bit careful with trusting what sites like HowSecureIsMyPassword.net say about the security of your password. If someone knows that you are a Game of Thrones fan then gAm3ofthron&s is suddenly crackable in far less than 423 million years (the situation is made worse by the use of 3 to replace the letter ‘e’, a pretty common technique). That is not to say that gAm3ofthron&s is not a good password – it is probably easily good enough for practically anyone including Game of Thrones fans (of course, it is now a worse choice than it used to be now that this site has suggested it). My real point is that sites like HowSecureIsMyPassword.net cannot possibly know your street name, your favourite computer game, your native language, your first pet’s name or all sorts of other things which if used as a basis for your password make that password less secure than if you had started with something that is not associated with you.

    • LysaMyers

      Thank you Daniel, this is a good point!

  • Kyle

    gAm3oftHr0n&S would be cracked using any halfway decent cracking program as it would be in a dictionary list of possibilities that a set of rules applied to it would allow it to be cracked in under a second. It’s pretty rare that anyone would bother to crack a password using brute force or try to do it manually.
    Suggesting that only the NSA could crack it is dangerous and very misleading.

    Patterns like 3 for E, @ for A, 0 for O, etc., are such well known patterns that a cracking program spends virtually no time trying them out.

    Adding numbers to the end is also so common that they may as well not be there.
    The password ‘password’ is much weaker than ‘password1’, but naturally it would be cracked instantly. Adding a lot of numbers at the end gives a false sense of security since computers can zip through all number combinations very quickly. So it would be longer, but still so easy to crack that you may as well be using your dog’s name.

    Just about anything you can come up with is a human generated “random looking” password. But in reality you tend to use the same characters and frequency of letters to numbers/symbols.
    Like “&JhSih0290&” which is just really 5 characters with numbers and a common pattern that would be looked for.

    Much, much longer is better. And not just repeating the same thing a couple of times like ‘wingo56wingo56’

    I know of two people that forgot their password and it was just their dog’s name. A person like that isn’t going to outsmart a hacker who’s seen millions of passwords and can create a filter that will get their brilliant original idea in seconds. A password manager would probably be best for most people. Suggesting that anything less is a secure method is dubious at best.

    The famous hacker Kevin Mitnick wrote in a book in 2002 that a pattern of CVCVCVCV where C is a consonant and V is a vowel is better than your pet’s name since it isn’t in a dictionary but easy to remember, like fifigigi. But a cracking program would have no trouble with this as it is in a book that has been read by millions. It was weak even by then standards anyway.

    And recently I saw a YouTube video that showed hundreds of passwords being cracked in seconds with some of them having over 15 characters in length.
    Human generated randomness just isn’t very good.
