Setting Strong Passwords


Introduction

Our article Password Hygiene 101 was an introduction to a couple of the main ways bad actors can get their hands on your password.  It also focused on our traditional password-setting habits, choices and routines; this article, however, focuses on how to set a strong password.  As this article builds upon the other, please read Password Hygiene 101 first if you haven’t done so yet. 

This article won’t discuss password managers as an option, as that is itself a separate linked article.  These three are a great series to digest at once before choosing your preferred strategy for passwords.  So, the scope of this article is best-practice password setting without the use of a password manager. 

One thing to bear in mind is that the goal isn’t, and cannot be, to create the perfect or unbreakable password.  The goal is to make a password that takes so much effort to crack that it isn’t worth the potential rewards on offer for the bad actor trying to crack it.  The goal is for bad actors to move on to the next potential victim, the low-hanging fruit as we say, and throw your account in the too-hard basket.  Don’t forget that even the strongest passwords can still be compromised if you fall prey to a phishing scam or download malicious keystroke-logging malware, for example. 

Dictionary attacks

We defined brute force attacks in Password Hygiene 101; a more sophisticated version of that exists in what’s called a Dictionary Attack.  Bad actors make assumptions about passwords – for example, they know passwords tend to be a logical sequence of words such as ‘Ilovechocolatecake’.  Therefore, they create and access lists made up of:

  • Words from the English dictionary (lists exist for all languages)
  • Common character replacement such as ‘@’ for ‘a’ or ‘1’ for ‘i’
  • Leaked lists of commonly used passwords
  • Popular quotes, song lyrics or sayings
  • Names including typical pet names, movie stars, film characters etc

These lists are made up of the combinations of words, in various sequences, with the most chance of success.  This narrows down the number of password possibilities from a traditional brute force attack quite substantially, making it much less time consuming to crack a typical password.

The important thing to think about here is the logical sequence part, a core assumption bad actors tend to include when preparing their dictionary attacks.  Therefore ‘Waxedchocolatepens’ is a better option than the aforementioned ‘Ilovechocolatecake’ even though they have the same number of characters.  Of course, both as they appear above are still susceptible, but the logical one will be picked off quicker than the random one.

That’s principle one: random & illogical sequences are necessary

Length & changing your thinking to passphrase creation

Length is obviously one core feature of a strong password – the longer the better, but traditionally longer also means harder to remember.  Combined with the first principle above, if it’s random, that makes it even harder to remember.  It’s worth changing your thinking to create passphrases rather than passwords.  A passphrase is a sentence, much longer than the chocolate examples above (go for at least 20 characters or 6 words), but those words must be unrelated to one another to satisfy the random and illogical criterion. 

There is no need for us to reinvent the wheel here; below are links to the famous XKCD comic, which illustrates the concept, and to the EFF dice method passphrase generator for you to play around with.

XKCD Illustration

EFF Dice-Generated Passphrases

That’s principle two: Length is most powerful when it satisfies principle one (random and illogical)
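To make principle two concrete, here is an added Python example (not from the original article or from the EFF) that generates a diceware-style passphrase with the standard library’s `secrets` module and works out the entropy of the strategies discussed above. The 12-word list is a constructed stand-in; the 7776 figure is the size of the EFF long list (one word per roll of five dice); the guess rate used for the time estimate is an assumed illustrative number, not a measurement.

```python
import math
import secrets

# Constructed stand-in for a diceware-style list. The real EFF long list has
# 7776 entries (6^5, one per roll of five dice); a few words suffice here.
SAMPLE_WORDS = ["pillow", "dog", "roof", "carrot", "waxed", "chocolate",
                "pen", "cake", "river", "lamp", "orbit", "mango"]
EFF_LONG_LIST_SIZE = 7776


def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words picked uniformly at random from a list of list_size."""
    return word_count * math.log2(list_size)


def random_chars_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters picked uniformly from an alphabet of alphabet_size."""
    return length * math.log2(alphabet_size)


def generate_passphrase(word_count: int, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick word_count words independently with a CSPRNG (secrets, never random)."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def meets_length_rule(phrase: str, min_chars: int = 20, min_words: int = 6) -> bool:
    """The article's rule of thumb: at least 20 characters or at least 6 words."""
    letters = len(phrase.replace(" ", ""))
    return letters >= min_chars or len(phrase.split()) >= min_words


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to guess: half the keyspace at the given guess rate."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    assumed_rate = 1e10  # assumed offline guess rate, purely illustrative
    for label, bits in [
        ("3 words from the 7776-word list", passphrase_bits(3, EFF_LONG_LIST_SIZE)),
        ("6 random diceware words", passphrase_bits(6, EFF_LONG_LIST_SIZE)),
        ("20 random lowercase letters", random_chars_bits(20, 26)),
    ]:
        years = expected_crack_seconds(bits, assumed_rate) / (365 * 24 * 3600)
        print(f"{label:34s} {bits:6.1f} bits  ~{years:.3g} years at {assumed_rate:.0e}/s")
    phrase = generate_passphrase(6)
    print("sample passphrase:", phrase, "| meets length rule:", meets_length_rule(phrase))
```

The numbers only hold if the words really are chosen at random from the list: six words drawn with `secrets.choice` from the 7776-word list give about 77.5 bits, whereas a sentence you composed yourself is guessed from a far smaller list of phrases, which is exactly why principle one comes before principle two.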

Characters, numbers & symbols

Whilst dictionary attacks have progressed to recognise the v@r1ation 0f w0rd5 using characters, numbers and symbols, that doesn’t make their inclusion redundant.  Recall that principle one is all about randomness, but traditional replacement, such as where we wrote ‘variation of words’ above, is predictable and would appear on dictionary attack lists as options.  Instead, use them at the start or end of your passphrase and, of course, be sure not to use numbers relating to you (birthday, part of your phone number, etc.).  Take your passphrase and simply add ‘55@#’ or something similar to the end. 

Principle three: Use characters, numbers and symbols but not to replace similar appearing letters within the words in your passphrase. 
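As an added example that is not part of the original article, the Python below estimates how much searching a dictionary attack of the kind described in the Dictionary attacks section has to do for a candidate password, and shows why principle three’s advice to append symbols beats swapping them into words. The common-password list and dictionary are constructed stand-ins, the 170,000-word dictionary size is an assumed figure, and the result is a rough model for reasoning about strategy, not a Passfault score.

```python
import math
import string

# Constructed mini-lists standing in for the attacker lists the article describes:
# a leaked common-password list (ordered most common first) and an English dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "iloveyou", "letmein",
                    "ilovechocolatecake"]
DICTIONARY = {"i", "love", "chocolate", "cake", "waxed", "pens", "pillow", "dog",
              "roof", "carrot", "pass", "word", "variation", "of", "words"}
DICTIONARY_SIZE = 170_000                          # assumed size of a full wordlist
AFFIX_CHARS = string.digits + string.punctuation   # 42 digits and symbols
# Character substitutions an attacker's rules simply undo before matching.
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                               "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(text: str) -> str:
    """Lower-case and undo the common leet substitutions, as a cracking rule set would."""
    return text.lower().translate(SUBSTITUTIONS)


def segment_words(text: str, dictionary=DICTIONARY):
    """Fewest dictionary words that concatenate exactly to text, or None if impossible."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in dictionary:
                candidate = best[start] + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(text)]


def split_affixes(password: str):
    """Separate leading/trailing digits and symbols (the principle-three suffix) from the words."""
    left_stripped = password.lstrip(AFFIX_CHARS)
    prefix = password[:len(password) - len(left_stripped)]
    body = left_stripped.rstrip(AFFIX_CHARS)
    suffix = left_stripped[len(body):]
    return prefix, body, suffix


def estimate_guesses(password: str):
    """Rough number of guesses a dictionary attack needs, plus a one-line explanation."""
    normalised = normalise(password)
    if normalised in COMMON_PASSWORDS:
        # Substitutions do not help: the rules map the password straight back to the list.
        return COMMON_PASSWORDS.index(normalised) + 1, "in leaked common-password list"
    prefix, body, suffix = split_affixes(password)
    affix_guesses = len(AFFIX_CHARS) ** (len(prefix) + len(suffix))
    words = segment_words(normalise(body)) if body else None
    if words is not None:
        # Sequences of dictionary words: the attacker searches word combinations,
        # not characters, so the space is DICTIONARY_SIZE ** word_count times the affix.
        return DICTIONARY_SIZE ** len(words) * affix_guesses, (
            f"{len(words)} dictionary words plus {len(prefix) + len(suffix)} affix characters")
    # No segmentation found: fall back to treating the body as random mixed-case letters.
    return 52 ** len(body) * affix_guesses, "no dictionary segmentation found"


def guesses_to_bits(guesses: int) -> float:
    return math.log2(guesses)


if __name__ == "__main__":
    for candidate in ["Ilovechocolatecake", "1l0vech0c0latecake",
                      "Waxedchocolatepens", "Pillowdogroofcarrot48$%"]:
        guesses, why = estimate_guesses(candidate)
        print(f"{candidate:26s} ~2^{guesses_to_bits(guesses):5.1f} guesses  ({why})")
```

Run as written, the leet-spelled ‘1l0vech0c0latecake’ scores exactly the same as ‘Ilovechocolatecake’ because the substitutions are undone before matching, while the random ‘48$%’ suffix on the article’s own example multiplies the search space by 42 to the power of four on top of the four-word search.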

Test your password

Ok, so you’ve followed through what’s been outlined and come up with a great password – it’s time to test it.  There are many tools online; the one we’re linking to below is called Passfault.  The calculations are performed on your computer, so nothing is being sent back to their servers; however, you may as well test your password strategy rather than your actual proposed password.

Passfault link

Using the principles in this article we’ve created ‘Pillowdogroofcarrot48$%’ which, when tested with Passfault, returned a result that it would take 119 centuries to crack!  We also cross checked it on other password checking tools online with similar results. 

Writing down passwords to remember them

So finally, you have an amazing password and surely know this isn’t the only one of such length you’ll need to create and remember.  As introduced, we are excluding password managers from this article (which are a solution to this), so the next realistic option is to write them down.

This is often strongly advised against, for good reason: people write passwords in their diary and leave it lying around the office, or save them in the notes app of their phone or, worst of all, in a draft email.  We aren’t immediately dismissive of the idea though, so if you must write it down, we recommend you:

  • Write down half of the password on a piece of paper and store it in your safe
  • Write down the other half and store it within an unappealing book in your bookshelf or other unpopular part of your house
  • Don’t record it on any electronic device with internet access capability (especially unencrypted devices)
  • If you must record it somewhere more easily accessible than two hidden places in your home, shorten it so it acts as a prompt.  So, if your password was ‘Pillowdogroofcarrot48$%’ write down ‘Pdrc48$%’.

The final piece of advice here is to bear in mind what we discussed in The less obvious ways bad actors can access your data regarding sharing credentials and passwords with your spouse (who we assume would have access to the safe and bookshelf).  If you suspect your relationship isn’t on a positive path, consider how the worst case scenario could impact your password strategy.

2FA

Two factor authentication has its own article with us (linked here) and was suggested in our Password Hygiene 101 article too – for good reason.  We cannot wrap up this article without reminding you that 2FA in particular is the best friend your passwords have to protect your accounts. 

Conclusion

The three guiding principles for creating strong passwords in this article aren’t and cannot be foolproof – bad actors and their tools grow more sophisticated each year.  However, they’ll put you ahead of the overwhelming majority of passwords currently being generated by people who don’t know any better or don’t care.  A password generated on these principles should go hand-in-hand with the other habits we discussed in Password Hygiene 101: not reusing passwords, changing them regularly, using 2FA, and not sharing passwords. 

Further reading

Visit and regularly come back to Troy Hunt’s Have I Been Pwned website to see if any of your passwords have been leaked.  Change any that appear here first as a matter of priority but don’t forget many breaches go undiscovered so regularly changing passwords will always be good password hygiene. 

This article is written in line with our Terms & Conditions and Disclaimer. As such all content is of a general nature only and is not intended as legal, financial, social or professional advice of any sort. Actions, decisions, investments or changes to device settings or personal behaviour as a result of this content is at the users own risk. Privacy Rightfully makes no guarantees of the accuracy, results or outcomes of the content and does not represent the content to be a full and complete solution to any issue discussed. Privacy Rightfully will not be held liable for any actions taken by a user/s as a result of this content. Please consider your own circumstances, conduct further research, assess all risks and engage professional advice where possible.
