The horror of bad passwords

Sven Krumrey

Every time a year ends, we're treated to the "top 10" from various categories. What were the most popular baby names, which car models sold best, who had the most followers on Twitter? A snore fest. One piece of news, however, woke me up from my winter slumber: a collection of one billion stolen login records had been analyzed to find the most popular passwords. Would it be the same old story, or had people learned something? What I found looked like an open invitation to unwanted visitors.


The fastest solution is not always the best

Among ingenious choices such as "hello123" and "qwerty" (take a look at your keyboard), there was a multitude of common swear words, nicknames and football clubs. In home-security terms, that is like leaving your key on the door mat, training a couple of spotlights on it just in case and then advertising the whole arrangement in the local newspaper. Yet it's easy to come up with good passwords, even if you don't want to memorize cryptic strings.

Attackers aren't dumb: lists of the most common passwords have been circulating on the Internet for years, and various cracking tools will patiently try every entry, plus common variations of it, until a match is found. Experts estimate that a list of just the 1,000 most common passwords is enough to get into more than half of all user accounts, not exactly a comforting thought. Since many people use a single password for their email account, online shops like Amazon and social networks, one leaked password can unlock all of them (attackers automate this; it's called credential stuffing), which is why providers keep tightening their password policies (longer passwords, upper- and lower-case letters and so on). In practice, "1234" simply turns into "12345678", no security breakthrough there.
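To make the point concrete, here is an added example (my own code, not from the original post): a constructed top-10 wordlist, a handful of mangling rules of the kind real cracking tools such as hashcat and John the Ripper apply to every wordlist entry, and a constructed table of unsalted SHA-256 hashes standing in for a leaked user database. The wordlist, the rules, the users and their passwords are all made up for the demonstration.

```python
import hashlib

# Constructed stand-in for the public "most common passwords" lists
# (real lists run to millions of entries; ten are enough for the demo).
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "hello123",
    "letmein", "football", "dragon", "monkey", "iloveyou",
]

# A few mangling rules of the kind cracking tools apply to every entry:
# leet substitutions and popular suffixes.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("1", "123", "!", "2017")


def candidates(word):
    """Yield the word itself plus rule-based variations of it."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        yield base.translate(LEET)
        for suffix in SUFFIXES:
            yield base + suffix
            yield base.translate(LEET) + suffix


def sha256_hex(password):
    """Unsalted, fast hash, as found in many real password dumps."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hashes, wordlist):
    """Return (cracked, attempts); cracked maps hash -> recovered password."""
    targets = set(target_hashes)
    cracked = {}
    attempts = 0
    for word in wordlist:
        for cand in candidates(word):
            attempts += 1
            digest = sha256_hex(cand)
            if digest in targets and digest not in cracked:
                cracked[digest] = cand
    return cracked, attempts


def demo():
    """Constructed 'leaked' user table; returns {user: password or None}."""
    leaked = {
        "alice": sha256_hex("hello123"),      # verbatim wordlist entry
        "bob":   sha256_hex("P@$$w0rd"),      # 'password' + capitalize + leet
        "carol": sha256_hex("Football1"),     # 'football' + capitalize + suffix
        "dave":  sha256_hex("R?Wwg,wdnr!"),   # film-quote acronym, in no wordlist
    }
    cracked, attempts = crack(leaked.values(), COMMON_PASSWORDS)
    return {user: cracked.get(h) for user, h in leaked.items()}, attempts


if __name__ == "__main__":
    results, attempts = demo()
    for user, pw in results.items():
        print(f"{user:6} {pw or '<not cracked>'}")
    print(f"{attempts} candidates tried")
```

Three of the four accounts fall after 300 candidates; the substituted and suffixed variants are no obstacle because the rules regenerate them from the base word. The fourth password is the film-quote acronym from the mnemonic section of this post, which no wordlist contains. A slow, salted hash such as bcrypt would make each guess far more expensive, but it does nothing for a password that is among the first thousand guesses.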

Expert advice is unanimous here: at least 8 characters (longer is better), mixing upper- and lower-case letters, digits and special characters. A password should not contain anything guessable from its owner's life (names, birthdays, pets), nor should it appear in dictionaries or encyclopedias, since those are among the first sources an attacker's wordlist is built from. Keyboard patterns and runs of adjacent characters are just as insecure. But how do you remember long, impersonal passwords? There are a couple of tricks for that.

Highly individual mnemonic aid

Think of a phrase that is familiar to you and that you could look up if need be. For me, that is the last line of "Back to the Future": "Roads? Where we're going, we don't need roads!". Take only the first letter of each word plus the punctuation and you get "R?Wwg,wdnr!", a password that appears in no wordlist and that is too long and too mixed to brute-force blindly. You can also spice up "normal" passwords a little by replacing letters with special characters or digits: "Oli-Minnesota" becomes "Ol1-M1nn3$ota". One caveat: cracking tools apply exactly these substitutions as rules to every word in their lists, so "Ol1-M1nn3$ota" holds up because its base string is not a dictionary word, whereas a substituted dictionary word such as "p@$$w0rd" falls almost as fast as "password". It only takes a little practice to get used to this pattern.

Another nice approach is to drop all the spaces from a short (but personal) sentence. "MyphoneisaSamsung" is already quite decent, and if you substitute characters as described above you get "Myphon31$a$am$ung", a tough nut to crack for any attacker. You may also think of colleagues and friends: "Michael Meyers" and "Lisa Walters" may turn into "MiMeyLiWal" or whatever abbreviation you prefer. If all of that seems too complicated, take two familiar words and add a number. A friend of mine came up with "ChicagoJHancock69" this way: not uncrackable, since both words are in any dictionary, but still far better than "hello12345".
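The recipes from this and the previous paragraph (acronym with punctuation, character substitution, squashed sentence, name abbreviation) as an added example in Python, my own code rather than anything from the original post, together with a rough search-space estimate. The `brute_force_bits` figure is a deliberate simplification: it counts only the character classes actually present and measures resistance to blind brute force, not to dictionary or rule attacks.

```python
import math
import string

# The substitutions used in the examples: e->3, i->1, s->$
LEET = str.maketrans({"e": "3", "i": "1", "s": "$", "S": "$"})


def acronym(phrase):
    """First letter of each word plus any punctuation that ends the word."""
    out = []
    for token in phrase.split():
        stem = token.rstrip(string.punctuation)
        if not stem:                # token is pure punctuation, keep it whole
            out.append(token)
            continue
        out.append(token[0])
        out.append(token[len(stem):])   # trailing '?', ',' or '!'
    return "".join(out)


def leet(text):
    """Replace letters with look-alike digits/symbols."""
    return text.translate(LEET)


def squash(sentence):
    """Drop all whitespace from a short sentence."""
    return "".join(sentence.split())


def from_names(*full_names, first=2, last=3):
    """Abbreviate 'First Last' names, e.g. 'Michael Meyers' -> 'MiMey'."""
    out = []
    for name in full_names:
        parts = name.split()
        out.append(parts[0][:first] + parts[-1][:last])
    return "".join(out)


def brute_force_bits(password):
    """Bits of search space for a blind brute-force attack that knows
    the length and which character classes are used. Says nothing about
    wordlist attacks: a leeted dictionary word scores well here too."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for pw in (acronym("Roads? Where we're going, we don't need roads!"),
               leet("Oli-Minnesota"),
               leet(squash("My phone is a Samsung")),
               from_names("Michael Meyers", "Lisa Walters"),
               "hello123"):
        print(f"{pw:20} ~{brute_force_bits(pw):5.1f} bits")
```

The acronym scores about 70 bits against blind brute force versus about 41 for "hello123", but the more important difference is that only one of them is in every wordlist on the Internet.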

One key to rule them all

If you want to play it safe but don't trust your memory, you can always fall back on password management software. There are various applications with plenty of features, including free solutions like "KeePass". You only need to remember a single master password to access any number of stored passwords (or create a key file on a removable disk that you have to plug in to unlock the database). Since that master password now guards everything, it should be the strongest one you own and must never be reused anywhere else. Many of these applications can also generate and manage long random passwords for you, so every site gets a different one without you having to memorize a myriad of cryptic strings. At present I'm still relying on my memory, but I'll most likely switch to a password manager in the future, you know, the ravages of time.
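How a password manager's generator does its job, as an added example (my own code, not KeePass's): characters are drawn from a cryptographically secure source (`secrets`, never `random`, whose output is predictable), and a candidate is rejected until it contains every character class. The word list for the passphrase variant is a constructed stand-in for a real Diceware list.

```python
import secrets
import string

# 94 printable ASCII characters; 16 of them give roughly 105 bits of search space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real passphrase word list (Diceware lists have 7,776 words).
SAMPLE_WORDS = ["roads", "future", "samsung", "chicago", "hancock",
                "minnesota", "phone", "spotlight", "doormat", "newspaper"]


def has_all_classes(password):
    """True if lower, upper, digit and symbol are all present."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length=16, alphabet=ALPHABET):
    """Uniformly random password from a CSPRNG, resampled until it
    satisfies the usual four-class policy (rejection keeps it uniform
    over the accepted set)."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover all classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def generate_passphrase(words=SAMPLE_WORDS, count=5, sep="-"):
    """Diceware-style passphrase: `count` words chosen uniformly (with
    replacement) from `words`; easier to type and remember than symbols."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print(generate_password())
    print(generate_passphrase())
```

With a manager there is no need to choose between memorability and strength: the master password can be a long passphrase you remember, and everything behind it can be random.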

What I would like to know: Do you have any tips on how to create strong passwords? Do you use any particular method?
