We offer website design in Salisbury, and as part of this often have to create our clients’ user logins to our content management system and other 3rd party systems.
From a security point of view it’s best to have a long random string of upper and lower case letters, numbers and special characters (for example “H^3rFR55*&!;Hgg37a”), but of course this is difficult to remember, and is therefore often written down. From a user’s point of view it’s best to have something that’s easy to remember (for example a child’s name such as “annabel”).
So what’s the best compromise?
It is very common for people to improve on the easy password by adding some numbers (for example “annabel1992”), or by swapping the odd letter for a look-alike number (for example “annab3l”), but unfortunately these are almost as vulnerable as the original password: password-cracking tools apply exactly these transformations automatically, so a guess that takes the cracker a few extra tries is no real improvement.
To see how to improve a password, we must first understand (roughly) how passwords are guessed. There are usually three methods:
1. A dictionary-based attack. This is where every word in a word list is tried (including names, places, football teams etc.), from the first entry to the last. This can be done very quickly, because it is an automated process. Against a website’s login form, rate limiting usually holds an attacker to a few attempts per second, but the common case is that the attacker has obtained a copy of the site’s password database and is guessing offline against the stored hashes, where ordinary GPU hardware manages millions to billions of guesses per second if the site used a fast hash.
2. An ‘intelligent’ dictionary-based attack (usually called a rule-based or mangling attack). This is where a dictionary attack is improved upon by adding common dates before or after names (for example “annabel1950” – “annabel2014”), trying the odd replaced character, and even joining popular word combinations (for example “spotthedog” or “hairydog”). Tools such as hashcat and John the Ripper ship with these rules ready made. This takes a while longer, but is still relatively quick.
3. A brute-force attack, where every possible combination is tried, including letters, numbers and special characters, so starting at “a” and ending at “zzzzzzzzzzzzzzzz”, with perhaps “H^3rFR55*&!;Hgg37a” somewhere in between. Every extra character multiplies the number of combinations by the size of the character set, so as long as the password is long enough and drawn from letters, numbers and special characters, this type of attack takes an exceptionally long time, longer than a lifetime. How long exactly also depends on how the site stores passwords: a slow, salted hash such as bcrypt cuts the attacker’s guessing rate by orders of magnitude compared with an unsalted MD5 or SHA-1.
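The three methods above, as an added worked example (this is illustrative code written for this page, not a tool the author uses). It builds a constructed, tiny word list and a constructed “stolen” database of unsalted SHA-256 hashes for the passwords discussed in the text, then runs a plain dictionary pass, a rule-based pass (years, capitalisation, single leet swaps, word pairs) and a shortest-first brute-force pass against them, and finally works out how long a full brute-force search would take at an assumed 10 billion guesses per second. The word list, the hash function and the guessing rate are all assumptions chosen to keep the example self-contained.

```python
import hashlib
import itertools
import string

# Constructed, tiny stand-in for a real cracking dictionary (names, places, pets, ...).
WORDLIST = ["annabel", "oliver", "salisbury", "password", "spot", "hairy", "dog"]

# Look-alike swaps a rule-based attack tries one at a time ("annabel" -> "annab3l").
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

# The 94 printable ASCII characters (letters, digits, punctuation): the brute-force alphabet.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def sha256_hex(password):
    """Unsalted SHA-256, an assumed stand-in for however the breached site hashed passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "stolen" hash database holding the three passwords discussed in the text.
STOLEN_HASHES = {sha256_hex(p) for p in ("annabel", "annabel1992", "annab3l")}


def dictionary_candidates(words):
    """Method 1: every word-list entry, exactly as listed."""
    yield from words


def rule_candidates(words, years=range(1950, 2015)):
    """Method 2: word-list entries with the usual mangling rules applied."""
    for w in words:
        yield w
        yield w.capitalize()
        for y in years:                      # annabel1950 ... annabel2014, and year first
            yield f"{w}{y}"
            yield f"{y}{w}"
        for i, ch in enumerate(w):           # one look-alike digit swapped in at a time
            if ch in LEET:
                yield w[:i] + LEET[ch] + w[i + 1:]
    for a, b in itertools.permutations(words, 2):   # "hairydog", "spotthedog"
        yield a + b
        yield a + "the" + b


def brute_force_candidates(max_len, alphabet=ALPHABET):
    """Method 3: every string over the alphabet, shortest first."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            yield "".join(chars)


def crack(stolen_hashes, candidates, limit=10_000_000):
    """Hash each candidate and compare it with the stolen hashes (an offline attack).

    Returns ({hash: recovered_password}, number_of_guesses_made)."""
    remaining = set(stolen_hashes)
    recovered = {}
    guesses = 0
    for candidate in candidates:
        if not remaining or guesses >= limit:
            break
        guesses += 1
        digest = sha256_hex(candidate)
        if digest in remaining:
            recovered[digest] = candidate
            remaining.discard(digest)
    return recovered, guesses


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of strings of 1..length characters a brute-force attack must try."""
    return sum(alphabet_size ** n for n in range(1, length + 1))


def years_to_exhaust(length, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Worst-case time to try the whole keyspace at a given guessing rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / 31_557_600


if __name__ == "__main__":
    found, n = crack(STOLEN_HASHES, dictionary_candidates(WORDLIST))
    print("dictionary:  ", sorted(found.values()), "after", n, "guesses")
    found, n = crack(STOLEN_HASHES, rule_candidates(WORDLIST))
    print("rule-based:  ", sorted(found.values()), "after", n, "guesses")
    found, n = crack({sha256_hex("H^3")}, brute_force_candidates(3))
    print("brute force: ", sorted(found.values()), "after", n, "guesses")
    for length in (7, 10, 18):   # 18 = len("H^3rFR55*&!;Hgg37a")
        print(f"brute force, {length} chars at 10 billion/s: "
              f"{years_to_exhaust(length, 1e10):.3g} years")
```

The plain dictionary pass only recovers “annabel”; the rule-based pass recovers “annabel1992” and “annab3l” as well within its first couple of hundred guesses, which is the point made about those passwords above. Brute force finds the three-character “H^3” in a fraction of a second, but the full 18-character search at the assumed rate comes out at more than a million billion years.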
With this in mind, it is clear which passwords are most secure, so our suggestion for creating a secure password that is easy to remember is as follows:
Think of a phrase with at least 16 words in it, ideally one that means something to you.
“I get up at 7am every morning to look at the stars, and ask myself, is there life out there?”
You can then take the first letter from every word, and replace words/letters with suitable numbers and special characters (making sure that you will remember them).
This password is difficult to crack, and easy to remember. Its strength comes from the length and from the phrase being your own: do not use a well-known quotation, song lyric or the example above, as published phrases end up in cracking word lists.
Another alternative is to think of 4-5 random words that do not mean anything to you personally (no names or places, for example), and do not have a link (such as “hairy dog”), then concatenate them.
Although this uses words from a dictionary, it is still secure because the strength comes from the number of possible combinations: five words chosen at random from a list of a few thousand give many million billion combinations, far beyond what an intelligent dictionary attack, which joins two or three related words, will try. The important part is that the words are genuinely random (pick them from a list by dice or a random number generator, rather than choosing them yourself), since a person’s idea of “random words” is much more predictable than it feels.
Even better, replace one of the words with a few numbers and special characters that you can remember.
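Both suggestions, as an added worked example (written for this page, not the author’s own code). The first function applies the “first letter of every word” method to the example phrase above, keeping trailing punctuation and swapping chosen words for a symbol or digit; the rest picks random words with a cryptographic random number generator and puts rough numbers on how hard each kind of password is to guess. The word list is constructed for the example, the 7,776-word figure is the size of the standard Diceware list, and the 10 billion guesses per second is an assumed offline cracking rate against a fast hash.

```python
import math
import secrets
import string

# Constructed word list; a real one such as the Diceware list has 7,776 entries.
WORDLIST = ["anvil", "biscuit", "cobalt", "drizzle", "ember", "fjord", "garnet",
            "hatch", "ivory", "juniper", "kestrel", "lantern", "marble", "nectar",
            "orbit", "pebble", "quartz", "ripple", "saddle", "tundra", "umbra",
            "velvet", "walnut", "yonder", "zephyr"]

SECONDS_PER_YEAR = 31_557_600


def acronym_from_phrase(phrase, substitutions=None):
    """First letter of each word, with chosen words swapped for a digit or symbol.

    Trailing punctuation in the phrase (commas, question marks) is kept, which adds
    special characters for free. `substitutions` maps lower-case words to replacements."""
    subs = substitutions or {}
    out = []
    for token in phrase.split():
        core = token.strip(string.punctuation)
        if not core:
            continue
        trailing = token[len(token.rstrip(string.punctuation)):]
        out.append(subs.get(core.lower(), core[0]) + trailing)
    return "".join(out)


def random_words(count, wordlist=WORDLIST, separator=" "):
    """Words picked by a CSPRNG rather than by the user, so they carry no personal link."""
    return separator.join(secrets.choice(wordlist) for _ in range(count))


def passphrase_bits(word_count, wordlist_size):
    """Entropy of `word_count` uniformly random words drawn from a list of `wordlist_size`."""
    return word_count * math.log2(wordlist_size)


def mangled_word_bits(wordlist_size, years=65, leet_swaps=4):
    """Rough entropy of 'dictionary word plus a year or a letter swap' (annabel1992, annab3l):
    one word from the list times the handful of variants a rule-based attack tries."""
    variants = 1 + 1 + 2 * years + leet_swaps   # plain, capitalised, year after/before, swaps
    return math.log2(wordlist_size * variants)


def expected_crack_years(bits, guesses_per_second):
    """Average time to guess a secret of `bits` entropy (half the keyspace) at a given rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    phrase = ("I get up at 7am every morning to look at the stars, "
              "and ask myself, is there life out there?")
    print(acronym_from_phrase(phrase, {"at": "@", "and": "&", "to": "2"}))
    print(random_words(5))
    print(f"annabel1992-style, 100,000-word list: {mangled_word_bits(100_000):.1f} bits")
    for n in (4, 5):
        bits = passphrase_bits(n, 7776)
        print(f"{n} Diceware words: {bits:.1f} bits, "
              f"{expected_crack_years(bits, 1e10):.3g} years at 10 billion guesses/s")
```

The phrase comes out as “Igu@7em2l@ts,&am,itlot?”, 23 characters of mixed letters, digits and symbols. The numbers are worth a look: a name plus a year from a 100,000-word list is under 24 bits, which falls in a fraction of a second; four random Diceware words are about 52 bits, which an offline attacker at the assumed rate would expect to guess in a couple of days if the site used a fast hash; five words are about 65 bits, or several decades. So treat five random words as the floor rather than four, and the extra numbers and symbols suggested above as worthwhile, not optional.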
With these tips in mind, you can hopefully create a password that is easy for you to remember, but hard to crack.
Three last pieces of advice: don’t write your password down (a reputable password manager is a different matter from a note on the desk), don’t tell it to anyone, and use a different password for each login (especially financial logins), because when one site’s password database is stolen the recovered passwords are immediately tried against every other popular site.