4 Tips for Creating Secure Passwords
Posted by Kirk McElhearn
In a previous article, I outlined four types of passwords you shouldn’t create unless you want your account hacked. Given how valuable your passwords are, it’s important that they be secure, yet not too hard to remember. Not only do passwords protect your e-mail account, your social media accounts, and any web services you use, but also many accounts linked to your credit card, such as your Amazon, eBay and PayPal accounts.
Here are four tips showing how you can create secure passwords:
Tip #1: Size Matters
With passwords, bigger is better. With the power of today's computers, a 6-character password can be cracked easily using "brute force" techniques (where a computer simply tries every possible combination of characters) in mere seconds. An 8-character password may take hours if it's complex enough; 10 characters would take even longer. If you want to be really secure, go for 12 characters or longer. These times assume the attacker has stolen a site's database of hashed passwords and is guessing offline; how many guesses per second they can make depends on which hashing function the site used. A fast general-purpose hash such as MD5 allows billions of guesses per second on a GPU, whereas a purpose-built password hash such as bcrypt allows only tens of thousands. Since you can't control how a site stores your password, length is the defense you do control. But also make sure that your passwords aren't of the type that are commonly used, such as those listed on this Wikipedia page; attackers try those lists before any brute force, whatever the password's length.
Tip #2: Variety is the Spice of Life
There are four types of characters you can use in passwords:
- lower-case letters (a, b, c, etc.)
- upper-case letters (A, B, C, etc.)
- digits (1, 2, 3, etc.)
- “special characters,” which include punctuation (. ; ! etc.) and other characters (# * & etc.)
There are 26 lowercase letters, 26 uppercase letters, 10 digits and, depending on the web site, as many as a couple dozen special characters (printable ASCII has 32 punctuation symbols, but most sites won't let you use certain characters).
If you create a password with 8 random digits (that is, numerals only), there are 10^8 (100 million) possibilities: everything from 00000000 through 99999999. If you use, however, 8 random lower-case letters, the number jumps to 26^8 (over 208 billion, with a b). Add upper-case letters and digits, for 62 symbols, and an 8-character password drawn at random has 62^8 possibilities, over 218 trillion; with a couple dozen special characters on top, the count runs to several quadrillion.
Combine this with tip #1, using a longer password, and see these numbers expand faster than the universe during the Big Bang. Of course, these numbers assume the password really was generated at random. A password a person chose to fit a pattern lives in a far smaller space, and cracking tools try those patterns first. For example, a 10-character password like Password1! (a capitalized dictionary word, one digit, one symbol) would fall quickly to a dictionary attack with simple word-mangling rules. But a 10-character password like y8E&@.o3Tc, which is just as long and also uses upper, lower, numbers, and special characters, would be significantly more difficult to crack, because it doesn't incorporate words or predictable patterns.
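To make the arithmetic in tips #1 and #2 concrete, here is an added example (not code from the original article) that computes the keyspace and entropy for each character-class mix, converts the keyspace into cracking time at an assumed guess rate, and contrasts a genuinely random 10-character password with one that follows the "Capitalized word + digit + symbol" pattern of Password1!. The guess rate of 10 billion per second, the 32-symbol special-character count and the 100,000-word attacker word list are assumptions, not figures from the article.

```python
import math

# Character-class sizes used in the article. The special-character count is an
# assumption: printable ASCII has 32 punctuation symbols, but sites differ.
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32
ALL_CLASSES = LOWER + UPPER + DIGITS + SPECIAL   # 94 symbols

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from an
    alphabet of `alphabet_size` symbols: the guesses needed to be certain of
    hitting the password by brute force."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of its keyspace."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in `space` at the given guess
    rate. On average the attacker succeeds after half of it."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def pattern_keyspace(wordlist_size: int) -> int:
    """Guesses needed for the 'Capitalized word + one digit + one symbol'
    pattern that Password1! follows, using a rule-based dictionary attack
    instead of raw brute force. `wordlist_size` is an assumption about the
    attacker's word list."""
    return wordlist_size * DIGITS * SPECIAL


def compare(length: int, wordlist_size: int, guesses_per_second: float) -> dict:
    """Random password of `length` symbols from the full 94-symbol alphabet
    versus a same-length password that fits the pattern."""
    random_space = keyspace(ALL_CLASSES, length)
    patterned_space = pattern_keyspace(wordlist_size)
    return {
        "random_guesses": random_space,
        "random_bits": round(entropy_bits(ALL_CLASSES, length), 1),
        "random_years": years_to_exhaust(random_space, guesses_per_second),
        "pattern_guesses": patterned_space,
        "pattern_bits": round(math.log2(patterned_space), 1),
        "pattern_seconds": patterned_space / guesses_per_second,
    }


if __name__ == "__main__":
    # Assumed attacker speed: 10 billion guesses/s, the order of magnitude of a
    # GPU rig against a fast, unsalted hash. Slow hashes (bcrypt, scrypt,
    # Argon2) cut this by several orders of magnitude.
    RATE = 1e10
    print(f"8 digits:         {keyspace(DIGITS, 8):,} guesses")
    print(f"8 lower-case:     {keyspace(LOWER, 8):,} guesses")
    print(f"8 letters+digits: {keyspace(LOWER + UPPER + DIGITS, 8):,} guesses")
    print(f"8 all classes:    {keyspace(ALL_CLASSES, 8):,} guesses")
    for n in (6, 8, 10, 12, 16):
        print(f"{n:2d} random symbols: {entropy_bits(ALL_CLASSES, n):5.1f} bits, "
              f"{years_to_exhaust(keyspace(ALL_CLASSES, n), RATE):.3g} years to exhaust")
    c = compare(10, wordlist_size=100_000, guesses_per_second=RATE)
    print(f"Password1! pattern: {c['pattern_guesses']:,} guesses "
          f"({c['pattern_bits']} bits), {c['pattern_seconds']:.3g} s")
    print(f"random 10-symbol:   {c['random_guesses']:,} guesses "
          f"({c['random_bits']} bits), {c['random_years']:.3g} years")
```

The lesson the numbers drive home is that the pattern-following password is exhausted in a fraction of a second while the random one of the same length and character mix takes centuries at the same guess rate: the character classes only count if the characters were chosen at random.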
Tip #3: Create Unique Passwords
The best way to create unique passwords is to generate pseudorandom ones and store them in your password manager—but we’re getting ahead of ourselves; that’s tip #4.
Let's assume that you need to come up with a password you'll have to type often, so it needs to be memorable, but you also want it to be relatively strong. Here's an easy way to create unique, memorable passwords that are difficult to crack. You can use a password like this for the user account on your iPhone or your Mac, which is very important: if anyone can get into your phone or computer, they can access your e-mail, your files, and all your personal information.
To start with, try to come up with a short phrase or sentence that will be memorable to you, but preferably isn't a proverb, a song lyric, or a line from a book or film, since those are already in attackers' word lists. As an example, let's say you're a big fan of the Game of Thrones TV series, and you think it's the greatest of all time ("the GOAT," as the kids say). Your first thought might be to create a password like this — please don't use any of these examples:
That’s 12 characters, so it’s fairly long, but it’s all lower-case letters. Let’s throw in a couple of upper-case letters to make it more complex, but not in predictable locations (such as the first letter of the password or a word within it):
That’s a bit better. But now, let’s spice it up with a couple of digits. These have to still be easy to remember, right? How about this:
And the addition of even one special character makes this much harder to crack:
If something like that is too difficult to remember, you can simplify it a bit. To make it a bit more memorable, let’s just use one capital letter, one digit, and one special character, and add a 13th character on the end for good measure:
Again, don't use these specific password examples. But if you've gone through this exercise on your own, you now have a password that is relatively secure while also being memorable. According to the site How Secure Is My Password, the last example above would supposedly take about 2 million years for a single computer to crack. However, such estimators assume one ordinary computer; with relatively inexpensive technologies easily available to attackers today, such as cloud computing clusters and GPU rigs, that figure is a significant overestimate. GRC's Password Haystacks page estimates that it would take a "massive cracking array" up to 16,500 years to crack this password. Both figures also assume the attacker has to search the whole keyspace rather than guess the phrase the password was built from, which is why the phrase shouldn't be a famous quotation.
It's also complex enough that someone watching you type it (an attack called "shoulder surfing") would have a hard time memorizing it. So a password like this should certainly be good enough for logging into your computer or your phone.
It’s true that this password is difficult to type, but the next tip explains how to get around that.
Tip #4: Use Your Keychain to Store Passwords, or Use a Password Manager
Even if you have one really secure password memorized, you shouldn't reuse it for all your web sites and services. This is because of credential stuffing attacks: when one site's database gets breached, attackers take the leaked username and password pairs and try them automatically against other sites, so a strong password reused everywhere is only as safe as the weakest site that stores it. Since remembering several dozen complex passwords is implausible, you'll need a secure way to store all those unique passwords. That's where a password manager comes in.
If you primarily use Apple devices, you can use the Keychain in macOS and iOS to store passwords. The Keychain is what “remembers” passwords when you enter them in Safari, along with the passwords you use for Mail and other programs. You can also use one of many password managers available (choose one that’s reputable and well-known, but not LastPass). Just make sure that the master password you use for this software is as strong as the example above.
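The two jobs a password manager does for you in tips #3 and #4, generating a fresh random password per site and never reusing one, can be shown in a few lines. This is an added example, not code from the article or from any password manager: it draws passwords from the operating system's cryptographic random source via Python's `secrets` module (the `random` module is not suitable for this), rejects candidates that miss a character class, and reports any password shared by more than one site in a vault. The site names and the reused-password sample are constructed for the demonstration.

```python
import secrets
import string
from collections import defaultdict

# Full printable-ASCII alphabet: 26 + 26 + 10 + 32 = 94 symbols. Trim
# string.punctuation for a site that rejects certain characters.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_password(length: int = 16, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Return a password drawn uniformly from `alphabet` using the OS CSPRNG,
    rejecting candidates that miss any character class the alphabet contains.
    Rejection sampling keeps the accepted passwords uniformly distributed,
    which forcing a digit into a fixed position would not."""
    required = [set(cls) & set(alphabet) for cls in CLASSES]
    required = [r for r in required if r]          # classes the alphabet has
    if length < len(required):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in r for ch in candidate) for r in required):
            return candidate


def build_vault(sites, length: int = 16) -> dict:
    """One fresh random password per site, which is what a manager does."""
    return {site: generate_password(length) for site in sites}


def find_reused(vault: dict) -> dict:
    """Map each password used by more than one site to those sites. Reuse is
    what turns a breach at one site into logins at the others (credential
    stuffing)."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    sites = ["mail.example", "shop.example", "bank.example"]   # constructed
    vault = build_vault(sites)
    for site, pw in vault.items():
        print(f"{site:14s} {pw}")
    print("reused in generated vault:", find_reused(vault))
    # Constructed sample of the bad habit: one memorized password everywhere.
    bad_vault = {site: "same-password-everywhere" for site in sites}
    print("reused in bad vault:", find_reused(bad_vault))
```

A 16-character password from the 94-symbol alphabet carries about 105 bits of entropy, well beyond the reach of the cracking rates discussed above, and because nobody has to remember it, there is no reason to make a site password shorter. The one password that still has to live in your head is the manager's master password, which is where the memorable-phrase method from tip #3 belongs.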