If you’ve been following the news you have probably heard about several security breaches in big companies of late, maybe most notably the LinkedIn leak (6.5 million usernames and passwords) and more recently the Billabong leak (21 000 usernames and passwords). Shockingly enough, Billabong’s passwords were stored in plain text, while the LinkedIn passwords were merely hashed once with SHA-1.
This is a particularly bad situation for a great many people because most people use the same username and password for several different sites. You can only imagine the possible damage someone could do to you if they got your e-mail login and hijacked your account. They could then use the e-mail account to break into many of your other accounts using the “forgot password” function, or simply by reusing the stolen login pair. You risk having sensitive data stolen, money from your bank account transferred to some Russian account or maybe even items bought with your e-wallet money, pictures of your children uploaded to a cloud service collected into a questionable network, files and information deleted and maybe, as a final humiliation, the perpetrator “tweaks” your Facebook account with questionable interests and ideas until all your friends and family cut off all contact with you. Well, maybe not, but you get the idea.
Of course, without any tools to help, remembering 3 or more passwords becomes increasingly difficult, impractical and for most people impossible if the passwords are of any significant length. That’s why some smart people have invented password management systems like LastPass. You just need to remember one password and you can use it to store the other passwords you need.
Other than that I can give you some tips in choosing decent passwords that are not that hard to remember. It’s a bit of a myth that good passwords must be super-complex and totally random.
Strong passwords today need only meet the following criteria: entropy, length and common sense.
Entropy is the idea that the more sets of characters you use in the password, the more space the attacker has to search in order to crack your password. A password with just lowercase letters has a space of 26 characters, but if you also use uppercase letters you double the space the attacker has to search. If you also add a digit and a symbol, or even better, use multiple characters from multiple sets of characters, you’re in good shape. I’m really not a math genius, so read for example this section on Wiki if you don’t take my word for it 🙂
Password length basically multiplies the search space (each extra character multiplies it by the alphabet size), and of course the effect is greatly enhanced by strong entropy in the password.
If you’re interested in reading more about password security and as well want to check out a great online tool you can use to check the strength of your new or old passwords, Gibson Research Corporation has a great, short and concise, but adequately thorough informative article (and tool!) here.
Lastly, the common sense part of choosing a strong password is the good ol’ “don’t choose personal information” like your name, the name of your dog, your social security number, your birthday and so on. Also try to avoid dictionary words, but hold that thought, because I believe that in the right context you can use dictionary words to make your passwords more memorable while still providing an undoubtedly strong password that is as hard to crack as any.
So with this knowledge in hand we can go ahead and choose an easily memorable password while still retaining top-notch security! As stated on the GRC page linked to just above, in combination with the three criteria mentioned above, come up with your own personal twists to your passwords to make them longer (and stronger) and easily memorable as well.
It’s really a walk in the park to reach passwords more than 15 characters long while making them fairly easy to remember and significantly stronger than any of the nonsense AFiwh3251-style passwords. Combine words with symbols and digits to create your own twists that nobody else knows about. It doesn’t matter if the words are found in a dictionary; the attacker would still need to go through a vast space of potential combinations and his efforts would in all probability be pointless.
An example could be [[Mango_72_Tree]] (please don’t use this password, ever :P) which is 19 characters long, but reasonably easy to remember (if you’re used to 6-8 character passwords don’t worry, you’ll get the hang of it soon). The GRC search space tool says this password would take a hundred trillion centuries to crack at one hundred trillion guesses per second!
A computer can’t account for all possible padding styles or character combinations, so it basically has to either search the entire search space or check “the most probable” combinations, which of course a personal combination scheme would defeat anyway.
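To make the entropy and length arguments above concrete, here is an added example (not code from the original post or from GRC) that reproduces the search-space arithmetic the GRC tool performs: it infers which character classes a password uses, counts every string up to that length over the resulting alphabet, and converts that to centuries at the one hundred trillion guesses per second quoted above. The class sizes (26 + 26 + 10 + 33 symbols incl. space) are this example’s assumption, and the count is an exhaustive brute-force upper bound, which is the model the text describes.

```python
import math
import string

# Character classes a guesser must cover. Sizes (26/26/10/33) are the
# assumption used here; the symbol class is ASCII punctuation plus space.
CHARSETS = {
    "lower":  set(string.ascii_lowercase),
    "upper":  set(string.ascii_uppercase),
    "digit":  set(string.digits),
    "symbol": set(string.punctuation + " "),
}

GUESSES_PER_SECOND = 100e12          # "one hundred trillion guesses per second"
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Sum of the sizes of every character class the password touches."""
    return sum(len(chars) for chars in CHARSETS.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of strings of length 1..len(password) over the inferred alphabet.

    This is the exhaustive (brute-force) count: an upper bound on the work
    an attacker faces, since a smarter guesser tries likely strings first."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** k for k in range(1, n + 1))


def entropy_bits(password: str) -> float:
    """Search space expressed in bits, for easy comparison between passwords."""
    return math.log2(search_space(password))


def centuries_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Centuries needed to try the whole search space at `rate` guesses/second."""
    return search_space(password) / rate / SECONDS_PER_CENTURY


if __name__ == "__main__":
    # The two passwords the text contrasts: a short random-looking one
    # versus the longer padded passphrase.
    for pw in ("AFiwh3251", "[[Mango_72_Tree]]"):
        print(f"{pw:20} alphabet={alphabet_size(pw):3} "
              f"bits={entropy_bits(pw):6.1f} "
              f"centuries={centuries_to_exhaust(pw):.3g}")
```

Adding one symbol class to a short password roughly doubles the work, while every extra character multiplies it by the whole alphabet, which is why the padded passphrase lands so far beyond the short one.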
So there you have it: my take on creating a highly secure password routine without sacrificing too much usability.
I’d like to end the article by recommending that you not use the same password for at least your important services, like your e-mail, bank login, e-wallet solutions and other major services such as Google, Apple and so on. They do make mistakes, and if you use a unique password you’re much safer in the long run.
Sleep tight 🙂