How to make a strong password

Post by Neeshé Khan (2018 Cohort)


Making strong, memorable passwords is easier than you think if you ignore everything you’ve been told and start to think about the reasoning behind the combination.

Yesterday morning I heard an advert by the UK’s National Cyber Security Centre about setting better passwords. I went to the resources and ended up going down the rabbit hole to discover a range of resources on a variety of topics on ‘Get Safe Online’.

It’s a good starting point but very basic. If you already know not to use your dog’s name as a password, you won’t come out any better than when you went in. Personally, I’ve always found the slap-dash restrictions imposed by IT teams or platforms to make me ‘secure’ (must be 8 characters long, include a special character, etc.) a waste of effort. You can follow these rules and still be relatively vulnerable to attacks like the dictionary attack.

So, here are some things I’ve learnt from various readings, discussions and Dr Pound’s lectures at the University of Nottingham that will help you understand how to make strong passwords, rather than just being told what passwords should contain.

1. Ignore what you’ve heard: The most common password is, believe it or not, ‘Pa55w0rd’. It meets the base requirements of being 8 characters long and containing a capital and a numeral. But it would take literally no time to crack with a dictionary attack. If, however, you ignore these requirements and change the way the same word is written to ‘pAssw*rd9’ (the first letter is not a capital, the ‘0’ is turned into an asterisk, and a ‘9’ is added because it’s conveniently next to the asterisk key), this simple, memorable word becomes drastically more secure than what you started off with.

I’ve explained this in the points below, but the case I’m making here is that keeping the word ‘password’ as a password isn’t all that weak in itself; it’s the combination that’s weak. In the same way, you can keep words that are easy to recall by simply changing the combination of how those words are set out. Always try to use three words as your password.

2. Don’t replace letters with numbers: You’re not any more secure by replacing an ‘e’ with a ‘3’, an ‘O’ with a ‘0’ or an ‘a’ with a ‘4’. When hackers attack, this is one of the first parameters they set, as it gives them an easy break when they’re racing against time. Instead, add numbers randomly into the word: ‘baseball’ becomes ‘ba9eb8ll’, where the cracking time goes from something around the 10-minute mark to 3 months. Similarly, ‘p12345R6’ is much stronger than ‘Pa55w0rd’, although it’s the same word with ‘1, 2, 3, 4, 5, 6’ introduced and the ‘R’ made a capital rather than the ‘D’.

3. Capitals: Yes, they’re good, but try not to use them to separate or end words. This is because these are the patterns hackers set when they attack, i.e. words beginning or ending with a capital letter. See example 2 above, where we made the ‘R’ a capital instead of the ‘P’ or the ‘D’.

4. Special characters: If you’re using a character like ‘_’ or ‘*’, put it in the middle of the word rather than using it to separate words. Think of how a r*de word is censored: the character goes in the middle, not at the start or end, because the word wouldn’t be well censored if you could still read it. Again, this helps the password not get fished out at the start of an attack. Now imagine updating the password to ‘pA*sw0Rd’ on the principles above.
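To show why points 1 to 4 matter, here is a small password checker, added as an example and not part of the original post. It does what a cracking wordlist with mangling rules effectively does: it undoes the common letter-to-number and letter-to-symbol swaps, strips digits and symbols tacked on at the ends, and looks the result up in a dictionary. It then flags a capital used only at the start or end, and symbols used only at the edges. The wordlist and substitution table are constructed for the example and are deliberately tiny; a real checker would use a large wordlist.

```python
"""Added example (not from the original post): a checker for the patterns in
points 1-4. The wordlist and substitution table are constructed stand-ins."""
import string

# Substitutions that cracking rule sets commonly try (constructed table).
REVERSE_SUBS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Tiny stand-in for a cracking wordlist (constructed for the example).
WORDLIST = {"password", "baseball", "football", "letmein", "welcome", "dragon"}


def normalise(pw: str) -> str:
    """Undo the usual substitutions and lower-case the result, which is what
    a dictionary attack with mangling rules effectively does to each guess."""
    return pw.translate(REVERSE_SUBS).lower()


def strip_edges(pw: str) -> str:
    """Drop digits and symbols at the start and end; appending or prepending
    them is one of the cheapest rules an attacker tries."""
    return pw.strip(string.digits + string.punctuation)


def in_wordlist(pw: str) -> bool:
    """True if the password collapses to a dictionary word after undoing
    substitutions and edge characters (in either order)."""
    candidates = {
        normalise(pw),
        normalise(strip_edges(pw)),
        strip_edges(normalise(pw)),
    }
    return any(c in WORDLIST for c in candidates)


def capital_at_edges(pw: str) -> bool:
    """Point 3: the only capital letters sit at the very start or end."""
    caps = [i for i, c in enumerate(pw) if c.isupper()]
    if not caps:
        return False
    return all(i in (0, len(pw) - 1) for i in caps)


def specials_only_at_edges(pw: str) -> bool:
    """Point 4: symbols appear only at the very start or end of the password."""
    symbols = [i for i, c in enumerate(pw) if c in string.punctuation]
    if not symbols:
        return False
    return all(i in (0, len(pw) - 1) for i in symbols)


def assess(pw: str) -> list:
    """Return the list of weak patterns found; an empty list means none of
    the patterns from points 1-4 was detected (not a proof of strength)."""
    findings = []
    if in_wordlist(pw):
        findings.append("dictionary word after undoing common substitutions")
    if capital_at_edges(pw):
        findings.append("capital only at the start or end")
    if specials_only_at_edges(pw):
        findings.append("symbols only at the start or end")
    return findings


if __name__ == "__main__":
    # The post's own examples, weak and improved forms side by side.
    for candidate in ["Pa55w0rd", "pAssw*rd9", "baseball", "ba9eb8ll",
                      "p12345R6", "pA*sw0Rd", "Baseball!"]:
        print(f"{candidate:12} -> {assess(candidate) or 'no weak pattern found'}")
```

Run it and ‘Pa55w0rd’ is flagged twice (it is ‘password’ once the substitutions are undone, and its only capital is the first character), while ‘pAssw*rd9’, ‘ba9eb8ll’, ‘p12345R6’ and ‘pA*sw0Rd’ trigger none of the checks. An empty result only means none of these cheap patterns matched; it is not a measure of overall strength.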

5. Complexity: The complexity doesn’t have to be “letsthinkofacrazylongword” to keep us safe. You can use simple word combinations that are memorable without being vulnerable by using the tricks above. This also saves you the time it takes to reset your password because it was so hard that you forgot it yourself an hour or a day after setting it. I think we’ve all been there, right?

6. Prioritise passwords: “Don’t keep the same password for everything” is obvious. What’s new is that you can actually prioritise the passwords you choose. This can be relatively easy: simply decide how much information a platform holds about you and how valuable that information is to you. If there are pictures of you on a platform that could be used against you (Snapchat/Instagram), that goes higher up the priority list than an email account you don’t use very often. For low-priority platforms, use passwords that you wouldn’t mind resetting if you forgot them (which can take time). Equally, you won’t be at great risk if that information is stolen or acquired by someone who isn’t supposed to have it.

7. ‘Call a friend’ option: Just that in this case the friend is still you, but through a different screen that you own. This is known as two-factor authentication and is a great way to put in another loop to make sure others are kept out. Not every platform offers it, and it could potentially mean that you end up locking yourself out. For instance, if my online bank uses a text message with a code that I need to enter on the platform, I could have changed or lost my phone number and not updated it with the bank. This means I have to go into the branch to prove my identity and provide new details. Another case could be Hotmail using Gmail to verify that it’s actually me IRL, but I might have forgotten my Gmail password too because it wasn’t my primary email. This will be quite difficult to correct because I can’t show up at Google HQ to prove it’s still my account.

8. Install that update: Yes, update your application or software. New patches/updates sometimes happen because a weakness has been found in the software, like the recent WhatsApp and FaceTime bugs. Updates are rolled out to implement new software that gets rid of any backdoors that hackers can use to get in.

9. IRL: Yes, keep a note in the real world with your password(s). It’s like writing a diary so similar rules apply. Ideally, don’t give it the heading of ‘these are my passwords, keep out’, don’t stick them next to the device and don’t indicate which platform those passwords are for. It could be as simple as what appears to be a shopping list under your spice jars.

Resetting passwords is annoying but you’re better off doing it now than later.

—originally posted at https://neeshekhan.wordpress.com/