A great deal of confusion surrounds the choice of strong passwords, and many suggestions for creating a good password are over-complex and do not provide much security. But there is a simple way to create strong passwords that you can remember - and that will make you less vulnerable to online attackers.
A good password should be easy for you to remember, but difficult for anyone else to guess. But we're often advised - or forced - to create unmemorable passwords using rules that confuse us and provide little protection against real threats. So to choose a good password, we must understand those threats.
Threats to your password
You can be persuaded to reveal your password - it's called 'phishing' and it's very common. It can also be stolen by 'malware' - a malicious program on your computer that records keystrokes as you type, or that copies the passwords saved by the browser's 'remember password' feature. In any of these cases it doesn't matter how complicated your password was.
Websites with login pages store their users' passwords in a database, and these databases often get stolen. If the passwords are stored in plain text, nothing you can do will protect yours. If they are stored as hashes (as they should be, ideally salted and computed with a deliberately slow hashing function), an attacker who has the file can guess candidate passwords offline and check each guess against the hash: obvious passwords are recovered in seconds, and longer, less predictable ones take far longer. Because this guessing happens on the attacker's own machines, they usually have all the time they need, so the length and unpredictability of your password is what counts.
An attacker might systematically try user names and passwords at the login page of some popular online service. This is called 'brute force' and it's preventable - the page should lock out, or at least slow down, further attempts after a small number of failures. But many don't, so this is a real threat. Here, using a strong password can help protect you.
If you log in to a website, the computer you are using will normally offer to remember the password and login details for you. This is not much of a security risk if you store the details on your own home computer, but make sure you do not store your password on a computer which you share with others, such as one in a library or internet café.
What makes a strong password?
Two of the most commonly used passwords are '123456' and 'password' - very bad choices, as they are among the first that any attacker, or any password-cracking tool, will try.
The ideal password is a fairly random sequence of characters, and extra length is usually more important than a wider range of symbols: every extra character multiplies the number of possibilities an attacker must try by the size of the alphabet, whereas adding a few symbols only enlarges that alphabet slightly. But creating your password in this way is not always the most 'human-friendly' approach, as you may find it tricky to remember.
Instead, one of the best techniques is to choose a memorable phrase with one word for each letter you want in the password (treat eight letters as a bare minimum; twelve or more is better) and use the first letter of each word to form an acronym that you use as your password. The chosen phrase should not be well known, and mixing capitals and lower case can add quite a lot of strength, but substituting numbers for letters or adding special symbols doesn't make much difference.
For example, the phrase 'the boy stood on the burning deck until it got too hot' could yield a password of 'tBsotbDuigth', which is quite strong. The phrase is memorable even if the password is not, and the rule - capitalise every noun - is simple to remember, but results in unpredictable patterns in the password that make an attacker's job more difficult. Note that this particular line is a well-known one, so in practice you should invent a private phrase of your own rather than borrowing a famous quotation.
There are many websites that will let you see how secure your password is, and often the site you are registering with will offer to test the strength of your proposed password before you register.
The Password Meter will allow you to test the strength of your chosen password and experiment with how it can be improved by adding upper and lower case letters as well as numbers and symbols. Password Calculator is another useful indicator of password strength. This intriguing site will show you how quickly your password could be found using a 'brute force' attack. By playing around with various characters and password lengths it's not hard to create a password that could take many thousands of years to crack! Two caveats: these meters only estimate resistance to exhaustive guessing, so they will rate a famous quotation or a dictionary word far higher than it deserves; and you should never type a password you actually use into someone else's website - test a similar password instead.
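The following script is an added illustration, not code from the original article or from either of the sites named above. It applies the acronym-with-capitalised-nouns rule to the article's example phrase, and then compares the size of the search space an attacker would face for different password lengths and alphabets, converting it to a rough brute-force time. The guess rate of ten billion per second is an assumption standing in for an offline attack on a stolen, fast-hashed password file; the set of words treated as nouns is hand-labelled for the example phrase.

```python
import math
import re

# Constructed example input: the article's own phrase, and a hand-labelled
# set of nouns for it (assumption: a real user applies the rule mentally).
PHRASE = "the boy stood on the burning deck until it got too hot"
NOUNS = {"boy", "deck"}

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed attacker guess rate for an offline attack on a fast hash.
ASSUMED_GUESSES_PER_SECOND = 1e10


def acronym_password(phrase, nouns):
    """First letter of each word; capitalised if the word is a noun."""
    letters = []
    for word in re.findall(r"[A-Za-z']+", phrase):
        first = word[0]
        letters.append(first.upper() if word.lower() in nouns else first.lower())
    return "".join(letters)


def search_space_bits(length, alphabet_size):
    """Bits of work for exhaustive guessing: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to try every password of this length and alphabet."""
    return (alphabet_size ** length) / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Return {label: (bits, years)} for a few length/alphabet choices.

    Alphabet sizes: 26 lowercase, 52 mixed-case letters, 95 printable ASCII.
    """
    cases = [
        ("8 chars, lowercase only", 8, 26),
        ("8 chars, full keyboard", 8, 95),
        ("12 chars, lowercase only", 12, 26),
        ("12 chars, mixed-case letters", 12, 52),
        ("16 chars, lowercase only", 16, 26),
    ]
    return {
        label: (round(search_space_bits(n, a), 1), years_to_exhaust(n, a, guesses_per_second))
        for label, n, a in cases
    }


if __name__ == "__main__":
    pw = acronym_password(PHRASE, NOUNS)
    print(f"phrase  : {PHRASE}")
    print(f"password: {pw} ({len(pw)} characters)")
    print()
    for label, (bits, years) in compare_policies().items():
        print(f"{label:30s} {bits:5.1f} bits  ~{years:12.1f} years")
```

Running it shows the point made above: twelve lowercase letters (about 56 bits) already outweigh eight characters drawn from the whole keyboard (about 53 bits), and adding a second case to those twelve letters adds roughly another twelve bits, while sixteen lowercase letters beat everything else in the table. The times are only meaningful against an attacker who has to guess blindly; if the phrase is a famous quotation, the attacker may try it directly and the arithmetic no longer applies.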
Don’t use the same password!
Finally, it's important to use different passwords for different activities - not necessarily for each site you use, but at least to segregate sensitive from non-sensitive services, because a password stolen from one site will be tried against others.
You might use the same password with different user names for commenting on multiple news sites or blogs, but you should have a different password for each bank and shopping account, and especially for the email account that can be used to reset the others.