Creating secure passwords can be a mind-numbing conversation at the best of times. I’m going to give you three levels of creating a secure password. If you’re not at specific risk (i.e. aren’t likely to be targeted) the basic method should provide good security. It will keep your password out of the hands of script kiddies and their ilk. The final method is for the most paranoid, living in places where privacy is under constant threat. The middle method might be good for, say, your online banking if you’re fortunate enough to have anything in there to worry about. DO NOT USE ANY PASSWORD OR METHOD DESCRIBED IN EXACTLY THE WAY IT IS DESCRIBED. Assume that every password here is NOT secure and is now on a list somewhere.
Passwords can also be stolen using “man in the middle” attacks. The plugins listed on the safe surfing page will help protect against such attacks but once again, if you are online you are at risk. Using these methods will make you more secure, not bulletproof.
The Basic Password
Everyone always says to use a different password for every web site. But, you say, I have a bajillion places I log in and can’t remember a bajillion different passwords. And who could? One way to have a different password for every site is to use the same method to create different passwords. Let me show you what I mean.
Let’s say we’re logging in to Twitter. I’m going to put the year, between hyphens, before the last letter.
Twitte-2015-r
The above password has both upper and lower case letters, numbers, and extended characters (those symbols above the numbers on most keyboards). Make sure to include all 4 in your method. Using the trick above, your Facebook password would be Faceboo-2015-k, Instagram would be Instagra-2015-m, etc. Remembering one method gives you a different password for every site, and lets you figure out passwords you forget.
That example was very simplistic and I suggest making it a little more complicated than that. Let’s go back to our example: Twitte-2015-r. Let’s substitute numbers for vowels (“i” will become “1” and “e” will become “3”) and split the date in half.
T-20w1tt315-r. That’s a good password and can easily be applied to other pages.
This is just an example of how to create a method; don’t use this method. Its security comes from creating something that is uniquely your method. Use pig Latin or German or smileys :). Make it yours.
If you ever need to change a password (some places demand passwords be changed at regular intervals) you can either take it as an opportunity to update your method, or you can introduce “drift”, where your changes move over one letter (Tw-201tt15-3r). That way, if you don’t remember that you changed that one password, there’s a way to “look” for it: just drift your changes until it works. When you do update your method, update your passwords. If you forget to change one you don’t use regularly, it’s usually easy to remember the last two or three methods you used, and it’s probably one of them.
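To make the basic method concrete, here is an added example (not code from the original post) that implements it literally: the plain version, the vowel-substituted version with the split year, and the “all four character classes” check from above. The vowel map for “o” is an assumption; the page only shows i→1 and e→3 in its example and lists A=4, E=3, I=1 in its closing note. Note that both functions are pure functions of the site name and the year, which is exactly why the author tells you to invent your own method rather than copy this one.

```python
# Added example: the page's basic site-name method, implemented literally.
# Assumed "looks like" vowel map; o->0 is an assumption, u is left unchanged.
VOWEL_MAP = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})


def basic_password(site: str, year: int) -> str:
    """Basic method: the year, between hyphens, before the last letter.

    "Twitter", 2015 -> "Twitte-2015-r"
    """
    if len(site) < 2:
        raise ValueError("site name must have at least two letters")
    return f"{site[:-1]}-{year}-{site[-1]}"


def enhanced_password(site: str, year: int) -> str:
    """Enhanced method from the post: substitute numbers for the vowels in
    the middle of the site name and split the year in half, one half right
    after the first hyphen and the other just before the second hyphen.

    "Twitter", 2015 -> "T-20w1tt315-r"
    """
    if len(site) < 2:
        raise ValueError("site name must have at least two letters")
    y = str(year)
    first_half, second_half = y[: len(y) // 2], y[len(y) // 2 :]
    middle = site[1:-1].translate(VOWEL_MAP)
    return f"{site[0]}-{first_half}{middle}{second_half}-{site[-1]}"


def has_all_four_classes(password: str) -> bool:
    """The post's rule: upper case, lower case, a number and an extended
    character (anything that is not a letter or a digit) must all appear."""
    return (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


if __name__ == "__main__":
    # Same method, different site name -> different password every time.
    for site in ("Twitter", "Facebook", "Instagram"):
        basic = basic_password(site, 2015)
        enhanced = enhanced_password(site, 2015)
        print(f"{site:10} {basic:18} {enhanced:18} "
              f"all four classes: {has_all_four_classes(enhanced)}")
```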
The Middle Password
This password is actually a pass phrase. Pick three or four words that don’t relate: “Random cupcakes restrain snakes”. Run it together and perform a vowel / number substitution. Throw in a smiley face. Capitalise some letters. We’ll capitalise every 3rd letter for this example:
R4nd0Mc9pC4k3s:)R4stR41nsN4k3s
Now there’s a password. Because of the oddness of the phrase, once you’ve thought or typed “random cupcakes restrain snakes” a couple of times it will be easy to remember. You’re thinking about it now, aren’t you...
The drawback to this method, of course, is that you have to remember a different phrase for every login, and so need to either write it down or use a password manager. But if you only use this method for two or three different passwords, they should be “sticky” enough that most people will remember them. Use this method for your password manager.
The Paranoid’s Password
Use a password manager, and a password generator. Use 64 characters and change it regularly. Use Linux for generating the password as it does not use the CPU when doing random generation. Intel CPUs are reported to be compromised and there’s no reason to believe others aren’t as well. The only secure way is to not use the CPU for random generation which, last I heard, Windows is still doing. If your primary machine is Windows, Linux can easily be run in VirtualBox for password generation.
A Note on Vowel / Number Substitutions
In the above examples I used a “looks like” substitution – A=4, E=3, I=1 etc. – but it’s certainly not the only one available. Sticking with 5 vowels, we could also substitute 1-5 for the vowels. Or 10-15 or 7-12. Or 1,3,5,7,9. While it may seem clunky in the beginning, with the repetition of creating passwords it should become easy quite quickly. Naturally it’s also not necessary to substitute every vowel...