How to create a strong password: 8 essential tips

22 October 2017 by Mark Williams

Here’s a riddle for you. There’s a key that opens many doors, but it puts your business at risk of a cyber attack more than anything else in the world. What is it?

If you said password, you answered correctly.

Most people don’t realise how exposed passwords are: they are the mechanism through which criminals gain access to your networks, systems, devices and data. Verizon’s 2017 Data Breach Investigations Report found that 81 percent of hacking-related breaches involved weak or stolen passwords.

What does this mean? It means people and organisations are using weak, guessable and easily stolen passwords. Case in point: an online employee portal run in Argentina by the controversial credit reporting company Equifax accepted ‘admin’ as both the username and the password, exposing the names, email addresses and National Identity Document numbers of hundreds of employees. And that was after the company had revealed a data breach that compromised the personal information of 143 million customers. Nice.

The need for strong, unique passwords can’t be overstated. So if you think your passwords aren’t up to scratch (they aren’t, trust us), it’s time to renew them. Here’s how to create a strong password.

Audit all your passwords and prioritise

The first thing you need to do is list all your passwords (ideally by hand, on a hack-resistant piece of paper that you can shred later) and identify any that have been used more than once.

On average, people use just six unique passwords to protect around 24 online accounts, and research by Keeper Security found that more than 80 percent of people over the age of 18 reuse the same password.

Let me be blunt: reusing passwords is dangerous. Using one password across several different websites and services is like giving hackers the key to the city: they’ll have access to everything. So you need to audit your passwords, identify any duplicates and set about creating new ones. You should also prioritise creating new passwords for what Microsoft researchers call ‘high-consequence sites' - think online banking and email.

Harden your heart and don’t be obvious

Now you’re ready to create strong passwords. The first tip is this: do not, I repeat, DO NOT use your birthday, your partner’s name, the date of your anniversary or your mother’s maiden name as a password. That kind of information is predictable, and it is easy to find online, especially if you use social media; attackers feed exactly these details into the word lists they guess from.

You should also avoid obvious and commonly used passwords like ‘password’, ‘1234’ and ‘admin’. I recommend taking a look at this list of 2016’s most common passwords and avoiding every single one of them: unbelievably, the 25 entries on that list account for over 50 percent of the ten million leaked passwords analysed to compile it.


Make it long

There is no minimum password length that everyone agrees on, but we think 12 characters is a good minimum for a strong password. Length is the single biggest factor in how hard a password is to crack: every extra character multiplies the number of candidates an attacker has to try, whereas adding one more symbol class to a short password adds far less. The longer your password is, the harder it is to crack.


Don’t use substitutions

Don’t think you’re fooling anyone with ‘p@55w0rd’ or ‘j0hn5m!th’. Swapping letters for look-alike digits and symbols is the oldest trick in the book, and cracking tools apply exactly those substitutions as rules to every word in their dictionaries.

As The Washington Post writes, ‘even if you pick a fairly uncommon word, like "Troubadour," and replace some of the letters with other symbols, this combination might only take a computer seconds, minutes or hours to guess.’ So don’t think you’re being clever by switching an S for a 5: a substituted word is still a dictionary word to a cracker, and the substitutions add almost nothing to the effort of guessing it.

 

...But do use a mixture of words and characters

Mixing in symbols, numbers and both upper- and lower-case letters enlarges the set of characters an attacker has to try for each position, which makes a password of a given length harder to crack. The caveat is that the mixture only helps if it is unpredictable: a capital first letter, a digit and an exclamation mark tacked on the end (‘Welcome1!’) is the first thing a cracking rule set tries, and adds almost nothing.

You should also consider using a random sequence of words as your password. As this xkcd comic by Randall Munroe correctly points out, four randomly chosen words like ‘correct horse battery staple’ (about 44 bits of entropy) would take about 550 years to guess at a rate of 1,000 guesses per second, compared to ‘Tr0ub4dor&3’ (about 28 bits), which would fall in three days at the same rate. Randomly chosen words are harder to guess, but easy for you to remember. Two caveats: the words must be chosen at random (by dice or a password manager), not picked because they go together; and 1,000 guesses per second is the rate of an online attack against a login page. An attacker who has stolen a database of password hashes can try billions of guesses per second offline against a fast hash, which is why length matters so much.
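The arithmetic behind that comparison, as an added example (this code is not from the article or from xkcd). The 1,000-guesses-per-second online rate is the comic’s; the offline rate of 10 billion guesses per second is an assumed figure for a GPU rig attacking a fast, unsalted hash, and the 28-bit estimate for ‘Tr0ub4dor&3’ is the comic’s, not derived here:

```python
import math

# Added example, not from the original article: the entropy and time-to-search
# figures quoted above, extended to an assumed offline cracking rate.

ONLINE_RATE = 1_000             # guesses/second, the comic's throttled online figure
OFFLINE_RATE = 10_000_000_000   # assumed: ~1e10 guesses/second against a fast unsalted hash

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols each chosen uniformly from `pool_size` choices."""
    return length * math.log2(pool_size)


def seconds_to_search(bits: float, rate: float) -> float:
    """Worst case: every candidate is tried (the comic's 550 years uses the full space)."""
    return 2 ** bits / rate


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


# Four words from a 2048-word list (2^11 choices each) = 44 bits, as in the comic.
PASSPHRASE_BITS = entropy_bits(2048, 4)
# The comic credits 'Tr0ub4dor&3' with ~28 bits: an uncommon base word plus a
# few bits each for capitalisation, substitutions, a digit and a symbol.
TROUBADOR_BITS = 28


def crack_table() -> dict:
    """Online years and offline seconds for the article's two example passwords."""
    rows = {}
    for name, bits in (("correct horse battery staple", PASSPHRASE_BITS),
                       ("Tr0ub4dor&3", TROUBADOR_BITS)):
        rows[name] = {
            "bits": bits,
            "online_years": years(seconds_to_search(bits, ONLINE_RATE)),
            "offline_seconds": seconds_to_search(bits, OFFLINE_RATE),
        }
    return rows


if __name__ == "__main__":
    for name, r in crack_table().items():
        print(f"{name!r}: {r['bits']:.0f} bits, "
              f"{r['online_years']:.0f} years online, "
              f"{r['offline_seconds']:.2f} s offline")
```

The output shows why the passphrase wins online (about 557 years versus three days) but also why neither example is comfortable against an offline attacker: at 10 billion guesses per second the 44-bit passphrase falls in about half an hour, so the real answer is more words, or a password manager generating something longer still.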

 

Use a phrase

Passwords need to be memorable, but randomised 60-bit strings of letters and numbers aren't exactly easy to remember. This is why most people end up creating weak passwords like ‘admin.’ It’s a conundrum that has plagued users for years.

The good news is there is a simple way to create a long, memorable password. All you have to do is invent a phrase that you can base your password on, like this:

  • Phrase: ‘I wouldn’t waste money on thirty-seven old donuts for my fireplace.’
  • Password: IWn’tWMo37ODfmfP

This is just an example; don’t be afraid to get creative and come up with the most memorable password possible. (Pro tip: if you still have trouble remembering your passwords, you should resist the temptation to use existing or weak passwords and instead consider using password manager software.)
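If you would rather have the computer pick the words than invent a phrase, the following added example (not the article’s or any password manager’s code) shows how to generate a passphrase with the operating system’s cryptographic random source and how many words a list of a given size needs to reach a target strength. WORDS is a constructed 16-word stand-in for a real list such as the EFF long word list, which has 7,776 entries:

```python
import math
import secrets

# Added example, not from the original article. WORDS is a constructed stand-in;
# a real generator would load a large published word list. The smaller the list,
# the more words a passphrase needs to reach the same number of bits.
WORDS = [
    "anchor", "bottle", "cactus", "dragon", "engine", "falcon", "garlic", "hammer",
    "island", "jacket", "kettle", "lantern", "magnet", "needle", "oyster", "pepper",
]


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of uniformly chosen words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words, target_bits: float = 44, sep: str = "-") -> str:
    """Draw words with the OS CSPRNG (secrets), never random.choice or a phrase you invent."""
    count = words_needed(len(words), target_bits)
    return sep.join(secrets.choice(words) for _ in range(count))


def is_from_list(passphrase: str, words, sep: str = "-") -> bool:
    """Sanity check: every component of the passphrase came from the word list."""
    return all(part in words for part in passphrase.split(sep))


if __name__ == "__main__":
    phrase = generate_passphrase(WORDS)
    print(phrase, f"({len(phrase.split('-'))} words from a {len(WORDS)}-word list, ~44 bits)")
    print("words needed from a 7,776-word list for 44 bits:", words_needed(7776, 44))
```

With only 16 words to choose from, 44 bits takes 11 words; the same strength takes four words from a 7,776-word list, which is why passphrase generators ship large lists. The point of `secrets` is that the choice is unpredictable; a phrase you make up yourself carries your own habits, which is exactly what guessing lists are built from.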

 

Play with your keyboard

Another way to create a strong password is to think of your keyboard as a canvas, rather than a way of simply inputting information.

For example, you could start at any key and ‘draw’ out a ‘W’ with your finger. In theory, you don’t even have to remember the password itself: all you need to know is the pattern you drew and the key you started on. Treat this as the weakest tip on this list, though. Simple keyboard walks such as ‘qwerty’ and ‘1qaz2wsx’ are among the most commonly cracked passwords, and cracking tools generate row, column and diagonal walks systematically, so a pattern needs to be long and irregular, and is better used as one component of a longer password than as the whole thing.
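The checks a login system (or a password audit) can run to catch the patterns warned about above, as an added example that is not from the article: it undoes the common substitutions from the ‘p@55w0rd’ section before a dictionary lookup, scans for keyboard walks, and enforces the 12-character minimum. The blocklist is a constructed stand-in; a real deployment would use a large list of passwords seen in breaches, and a real walk detector would cover diagonals too:

```python
import re

# Added example, not from the original article: a verifier-side check that
# rejects the patterns the article warns against. BLOCKLIST is a constructed
# stand-in for a large breached-password list.

MIN_LENGTH = 12

BLOCKLIST = {
    "password", "123456", "12345678", "1234", "admin", "qwerty",
    "letmein", "welcome", "football", "johnsmith",
}

# Common look-alike substitutions, undone before the dictionary lookup.
# ('1' is mapped to 'l' only; a fuller normaliser would try 'i' as well.)
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t", "+": "t"})

# Keyboard rows and columns, each scanned forwards and backwards.
QWERTY_WALKS = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm",
]


def normalize(password: str) -> str:
    """Lower-case, undo substitutions, drop non-letters: 'p@55w0rd!' -> 'password'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def has_keyboard_walk(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters trace a keyboard row or column."""
    p = password.lower()
    for walk in QWERTY_WALKS:
        for seq in (walk, walk[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in p:
                    return True
    return False


def check_password(password: str) -> list:
    """Return the reasons a password fails; an empty list means it passed these checks."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.lower() in BLOCKLIST or normalize(password) in BLOCKLIST:
        reasons.append("common password, or a substituted form of one")
    if has_keyboard_walk(password):
        reasons.append("keyboard pattern")
    return reasons


if __name__ == "__main__":
    for candidate in ["p@55w0rd", "j0hn5m!th", "qwerty123456",
                      "1qaz2wsx3edc", "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Running it rejects both substitution examples from the article as plain dictionary words, flags the twelve-character ‘1qaz2wsx3edc’ (long enough, but a column walk), and passes the four-word passphrase. An empty result means only that the password avoids these known-bad shapes, not that it is strong; strength still comes from length and randomness.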

 

Change your password every 90 days

A password that has been stolen without you noticing (phished, leaked from a breached site, or written down where someone saw it) stays useful to the attacker for as long as you keep using it; changing it limits that window. Be clear about what rotation does not do, though: it does not rescue a weak password. ‘Tr0ub4dor&3’ could be guessed in three days even at a modest rate, so changing it every 90 days changes nothing; the fix for a weak password is a stronger one.

If you have strong, unique passwords and you also change them every three months or so, you limit how long a stolen password remains usable. Be aware that current guidance (NIST Special Publication 800-63B, published in 2017) advises against forcing users to rotate passwords on a schedule, because people respond with predictable variations (‘Summer2017!’ becomes ‘Autumn2017!’), and recommends changing a password immediately whenever there is evidence it may have been compromised. Treat scheduled rotation as a hedge, not as a substitute for strength and uniqueness.

 

Don’t forget, passwords need to protect

The point of passwords is to protect your information and your business. If you don’t take their construction seriously, you’re actively putting yourself (and your customers, clients, employees and suppliers) at risk.

If you come up with unique, long passwords that you can remember, and change them whenever you have reason to think they have been exposed, you will have closed off the most common route into your systems. This may seem like a lot of work, but it’s worth it. After all, what’s more important to your business, convenience or security?

 

If in doubt, ask

We at Pensar can assist you with password policies and software to help you manage passwords effectively and securely. Our knowledge of solutions such as LastPass and Apple's Keychain can help you implement strong password management. Contact us to enquire.

 
