There is a lot of misleading information about passwords, and many websites (including banks) have guidelines that actually lead people to create weak passwords. Here is how to create a strong password that you can remember.
Let’s start with a password that would be completely acceptable by Canadian bank standards, yet would be very easy to crack…
This password has a minimum of six characters with uppercase letters, lowercase letters, special symbols and numbers combined into a format that doesn’t match any english dictionary-based words. In short, this is exactly the sort of password that is often recommended, and it is exactly the sort of password that can be cracked in seconds. It violates every one of the seven simple rules I am going to lay out for you to follow. First off, it is too short…
1. Length is the single most important factor in making a difficult to break password.
Think of a password as a numeric combination lock. Each new character has an exponential effect on the number of possible combinations. Here is how that plays out in real life. A six character password that uses numbers, symbols, lowercase and uppercase letters, such as Ad@m+3, draws from a common set of 94 keyboard characters, giving it 689 billion possible combinations (94^6). An eight character password limited to only 26 lowercase letters, such as adamthree is much simpler, yet has over 5,429 billion possible combinations (26^9). Which one would you rather type? By simply adding three extra characters, the password with only lowercase letters has approximately 788% more potential combinations than one made up of a complex and difficult to type combination. How many characters are enough? Well, more is always better, but aim for at least 9, and preferably between 12–16 characters.
2. Un-predictability is the second most important factor in making a difficult to break password.
Let’s go back to the numeric combination lock analogy. If you already know the first five letters are “abcde”, what would you guess the sixth letter would be? If you knew my name was Adam, and you already knew the first two letters of my password were “Ad”, what do you think the next letter would be? If it was not an “a” what would be your second guess… an “@”? Avoid useless tricks such as inserting a “$” instead of an “S”, or an “!” instead of an “I”. If you can think of it, so can hackers. There is no point making your password more difficult to remember and type if it does not make it more secure. Let’s keep it reasonably simple, so we can handle a long password of between 12–16 characters. The following five rules will focus on how to make your password more unpredictable.
no better. I-h@ve-3-$!sterz
3. Don’t tell any “truths” in your password.
There are only a tiny amount of truths each of us could tell, but a nearly infinite amount of lies.
4. Don’t “make sense” in your password.
There are a small amount of things that make sense in this world, but an almost infinite amount of nonsense.
5. Avoid “predictable phrasings”.
There is a limited amount of correct syntax in language, but an almost infinite amount of grammatical errors.
6. Avoid “predictable spellings”.
There is a very limited amount of correct spellings and common misspellings, but there is an almost infinite amount of uncommon spelling errors.
very good. hams-38-sisters-i
7. Avoid anything “personally meaningful”.
You should assume that hackers have access to everything that has ever been publicly shared about you online. These dribs and drabs of information add up to reveal an unsettling amount of personal detail, and all those keywords and phrases are potential vulnerabilities for your password. It is critical that you avoid anything with personal meaning.
even better. hams-38-twisterk-i
This last password, hams-38-twisterk-i, is reasonably strong, and easy enough to be able to memorize and type (with some practice of course). Now to be clear, if this password was made up of random letters, numbers and punctuation it would certainly be stronger, even if it were a few characters shorter. However, if you can’t remember your password, that means it needs to be written down, which means it can be potentially seen by others. It is best to limit your master passwords to things you can type from memory. According to https://howsecureismypassword.net our starting password Ad@m+3 would be cracked by a standard desktop PC within 52 seconds. It estimates that our revised password hams-38-twisterk-i would be cracked within 846 billion years. That’s good enough for most of us.