by – Jack Foster
Whether you are an individual or a business handling hundreds of pieces of sensitive data. There is a mounting requirement to be able to create and safely memorize 100’s of passwords.
Over the years, there have been many password tricks that have been invented, such as using a formula or mashing up memorable words. However, hackers are getting wise to our methods and they have invented a whole host of superfast tools to crack our (once secure) password codes. In 2017 the “Verizon Data Breach Report” stated that:
“81% of breaches are caused by weak or reused passwords”
Therefore the importance of never reusing passwords cannot be stressed enough. Reusing passwords creates a serious leak in your data security when online.
So how can you create a truly un-hackable password – that you can actually remember?
There are several problems with coming up with a secure password that you will actually remember.
Firstly, it is advised that you use a different password for each website.
I mean – what?
How on earth can we possibly remember 100 (odd) passwords?
Then there is the fact, that if you can remember the password, then someone can probably figure it out… Plus, saving 100s of passwords in an Excel spreadsheet or GoogleDrive is most certainly not secure.
One thing to remember is that if you use a “new secure secret formula” that has been shared online, the chances are – you are not the only one using that formula. Therefore the templates or formulas are only actually secure so long as nobody knows your method. The minute it is shared, the formula is no longer secure.
Sharing neat password formulas is interesting, and we will look into it a bit. However, there must be more reliable methods that we can use to keep our passwords secure and memorable. In this article, we will delve into the current options available.
Creating a Secure, Memorable Password
If we break it down there are three key to creating a secure password:
- STEP#1 | Creating the password
- STEP#2 | Securing the password
- STEP#3 | Remembering the password
Before we think about any of the above it is a good idea to gain some understanding of how hackers crack passwords. Then we might be able to reverse engineer this process to ensure that we create truly secure passwords.
How Do Hackers Crack Passwords?
Hackers use offline password-guessing attacks to guess your passwords. Their first aim is to turn the encrypted file into unencrypted passwords. These days hackers have access to military-strength password cracking software. If the hacker has a powerful machine, they can test millions of passwords per second until they guess the correct one.
I guess one of the problems that we are facing is that people have access to powerful kit, that can cleverly guess passwords, faster than ever before. In fact, there is currently a piece of software on the market that claims to do 8 million tries per second. Originally this type of tech was only available to government bodies, like the police, but now hackers have free access to be able to run this sort of hackathon for days or weeks on many machines.
Password Anatomy
Normally a password formula is made up of a root plus an appendage (suffix or prefix). The software to crack passwords has gotten very sophisticated. They check dictionary words in various languages and even check for common substitutions like “1” for an “I” or “3” for an “e”. Hackers will also use any personal info that they have on the person and input this into the software to generate possible passwords.
The old advice was to string a lot of words together in a random fashion, however, this advice is no longer applicable as hackers can access this sort of password in milliseconds. There is one method that is reported to work. That is a method devised in 2008 by Bruce Schneier, a security expert.
#1 | Avoiding easy to crack passwords
You’d be surprised at how many people use easy to crack passwords. Passwords like password or QWERTY are a hacker’s dream – they can gain access to your accounts within seconds with passwords like these.
Another common mistake is using personal information within passwords. For example, using your name, or family name within your password. I’ve lost count the amount of times I’ve seen people use their husband, wife, or children’s names and birthdays within their passwords. It doesn’t take a detective nowadays to find this information out within a matter of minutes.
You may have noticed when creating a password, the company, software, or website you’re using may make some suggestions for you. For example, including upper case and lower case letters, with a combination of numbers, punctuation, and at least eight characters long. The reason for these suggestions is because they make it much harder for hackers to crack non English passwords.
#2 | Cryptic familiarity
Creating a password that’s familiar to you is a good way to remember your password. However, as we know, this could be detrimental as it can be easy for hackers to crack. With over 66% of the population using social media, it’s not difficult for cybercriminals to find personal information about you.
If you can generate a password that’s difficult to crack but simple for you to remember, you’re onto a winner. Something like “My Son is 5 years old next month” can be scrambled into MSi5yOnM. That might look confusing, but it’s a phrase you’ll easily remember and would be almost impossible for a hacker to crack.
It’s quite common for people to use other methods to remember their password in a similar way. For example, a nursery rhyme or your favourite song. Again, it’s all about combining upper case and lower case letters. “Humpty Dumpty sat on a wall, Humpty Dumpty had a great fall” turns into HDsoaWHDhaGf – easy to remember, hard to bypass.
Taking the above examples one step further, we can replace characters with symbols, numbers, and punctuation. This may be a little more difficult to remember at first, but you’ll get used to the method quite quickly. You can make your own rules up on this one, e.g. replace the letter ‘i’ with a 1 and ‘a’ with a 4. Let’s take the phrase Christmas2018 and create a strong password of Chr1stm4s2018!
#3 | Memorable dates
If you read the introduction to this post, you may be wondering why I’m including memorable dates as a secure password. A sequence of numbers can often be easier to remember than sentences, but sometimes easier to crack if the numbers are too obvious.
Avoid using birthdays or obvious dates that a cyber criminal could easily access. Think about your personal information that’s publicly available; social media, blogs, etc. and avoid any dates that you may have mentioned or posted about on these accounts.
Instead, think a little more outside the box. Perhaps you could remember a date when you went on your first holiday, stayed in your first hotel, first went ice skating, etc. This kind of information is much harder to guess, but should still be easy for you to remember.
For this method, think of 3 memorable dates such as:
- 24/01/88
- 19/12/91
- 06/05/01
Replace the slashes (/) with a different character such as a ‘v’ and the spaces between dates with an underscore (_). You can add a special character to the end of the password to make it extra secure. You should end up with something like this: 24v01v88_19v12v91_06v05v01!
Although the password is long (and you may have to adapt it depending on the system you’re using), it’s probably the strongest password you’re going to get! As long as you can remember the dates and the characters you’ve used to replace, you’re onto a winner!
#4 | Keyboard patterns
This method can be adapted depending on which device you’re using. The idea behind this is to use keyboard patterns to generate and remember a password that is essentially meaningless and would be very difficult for a hacker to crack.
Taking the example in the picture above, we can use a pattern to create a memorable password: 1QAZ2wsx3EdX. you’ll notice that I’ve used a combination of upper and lower case letters within the pattern (upper case for the first line, lower case for the second, and a mix for the third). It’s a pattern within a pattern – pattern inception!
This method can be adapted to the device you’re using. For example, if you’re using a smartphone more regularly than a desktop PC, you can use different patterns that are available on your device’s keyboard.
Hackers could use software to run algorithms that could generate passwords using every combination of a keyboard. However, it would be difficult, and can be made even more troublesome for them if the pattern is more complex. Try avoiding simple horizontal lines and introduce diagonals.
#5 | Change your password
It may seem like a bit of a pain having to change your password regularly, but it will keep you secure. Many businesses will have built in software that requires you (as an employee) to change your password every 30 days or so. The reason for this is to ensure that account remains safe and secure.
Remembering the passwords that you already have can be tough, and adding more on top can seem daunting. However, if you use the methods that I’ve mentioned above, you can make sure that you remember your password! Changing it regularly then won’t seem like an impossible task.
Perhaps you could memorise several sentences from your favourite book. Or lyrics from your favourite song – these are often unforgettable and easy to recall from memory. Using cryptic familiarity, you can generate passwords using a book or a song, and change them on a regular basis without forgetting them.
#6 | Be vigilant about where you store your passwords
Never store your passwords in a place that can be easily accessed (or accessed at all). It’s tempting to write all your passwords down, or even save them under a contact in your phone. But, if you do this, you’re opening your accounts up to be hacked!
According to Sky High Networks, 143 files on Microsoft’s OneDrive contain the phrase ‘password’ within the file name. Shared storage or cloud storage can easily be hacked, so if you upload a spreadsheet or document to the cloud without encrypting it, your passwords can be cracked.
Storing passwords on your computer (without encryption) is one of the worst things you can do. Although there’s lots of software available to stop your computer from being accessed by hackers, it’s hard to be 100% secure. What if you take your laptop to a local cafe and connect to public WiFi? Or you connect to your friend’s network that isn’t secure?
Being vigilant about your password storage, if you’re going to store passwords, is essential. Think about looking into a password manager or ways to encrypt files to ensure that you’re not opening yourself up to be a victim of cyber crime.
#7 | Use a password manager
If you have so many passwords to remember and you don’t think you can manage them, it may be worth consider a password manager. You’ll simply need one very strong password to remember, and that should be the last time you’ll need to remember one!
There’s plenty of password managers available. Lots of them, such as Dashlane, come with apps for multiple devices and platforms, as well as web browsers. This means you can access passwords from all your devices in one easy to reach place.
You’ll most likely have access to a security dashboard where you can change existing passwords and use tools to help you remain secure. Although your password manager can manage your passwords, you’ll still need to ensure that the passwords you create are strong in the first place.
#8 | Schneier scheme
Bruce Scheier is an American cryptographer and computer security professional who has created a popular password system. To make sure that your password is secure, you must create a password that cannot be cracked by the above methods. Schneier’s method seems to be pretty robust and also memorable. Let’s take a look at how it works.
Firstly you start out by creating a memorable sentence and then create a password with it. An example could be something like “Colin the caterpillar – cola gums yum” could be turned into “Ctc-C0L@gmsym”. This is a 13 digit password that is not made up of any words that could be hacked. The best advice is to choose something personal to you.
If the site allows longer passwords with random characters then that is great. However, you might need to use some shorter versions for some sites.
#9 | Password Safe
While on the subject of Bruce Scheier, we must look at Password Safe and how it can help us create and secure our passwords. Password Safe is like a virtual safe that you can store all of your passwords in. The software is revered by many and has had more than 4 million downloads. It is completely free and aimed at removing the headache of creating and remembering secure passwords.
Password safe allows you to save as many passwords as you like. To access your passwords you do this via one “master password”. So you don’t have to remember 100s of secure passwords any more with Password Safe, phew! What a relief. Due to the fact that experts are adamant that we need a different password for every site, Password Safe seems to take a huge weight off our shoulders by helping us keep our passwords safe and secure.
#10 | The PAO Method
If you are not happy with keeping all of your passwords in one place like “Password Safe” for any reason, then perhaps The PAO Method is for you. The way this method works is by using a Person-Action-Object (PAO) story theme as a memorization technique with mnemonic methods to help you make a secure password that you might remember. This formula was created by a Carnegie Mellon University computer scientists who put this method forward as a solution to creating un-crackable, memorable passwords.
This is how to utilize the PAO method to create safe, secure and memorable passwords:
Bring to mind a memorable place (La Palma). Then pick an image of a famous person (The Queen). Then the final part is imagining a random action and object to bring the story together (The Queen jumping on a bouncy castle in La Palma).
PERSON:- The Queen (TQ)
ACTION: Jumping on a (jmp1ng)
OBJECT: Bouncy castle (@bc)
Location: La Palma (L@Plma)
Our new 17-Digit secure password could be: TQjmp1ng@bcL@Plma
This method is fun and quirky – thus more memorable. You can spend time making up whacky themes and creating passwords that you will remember because of the cognitive queues. The password will be completely random to others, however memorable to you. Perfect!
#11 | Guerrilla Mail
Next, I would like to look into a website that has a few tools that I think will be relevant to people who use (or are interested in using) a VPN. Firstly, let’s look at its secure, memorable password applications, and then I will get back to the possible VPN application for their solutions.
Guerrilla Mail offers (what initially seems like) a similar solution to Password safe, in that they offer a Password Management tool. However, their service has a unique twist… they don’t save your details on the cloud or use cookies. You use a Master Passphrase that nobody will ever know, so it is super important if you use their service, that you remember your Master Passphrase.
How it works – Firstly you decide on a Master Passphrase, then you input the website that you are visiting. A secure password is then generated for you to use on that website. The secure password is not stored on the Guerrilla Mail’s database, it is generated when you input the URL and the Master Passphrase. The beauty of this system is that it allows you to use one password (the Master Passphrase) to generate all other passwords. This means you don’t need to remember 100’s of passwords.
The only possible downside would be if someone got to know your Master Passphrase and knew that you used the website. In this instance, they would have access to all of your passwords. This is a very unlikely sequence of events that would probably only happen if you didn’t use a VPN or you kept a printed or physical copy of your Master Passphrase and the Guerrilla Mail account.
Guerilla Mail also offers an anonymous email address that has many benefits. Firstly it deletes spam mail and also the temporary email address could be used in conjunction with a secure VPN like Trust.zone. If you used a secure VPN with a temporary email and Bitcoin to pay for the service then you would be in the position of complete internet anonymity.
#12 | Last Pass
Last Pass is a very popular password management solution that offers both a paid and a free service. LastPass works as a browser extension that you can access easily with one click. Like Guerilla Mail, you need to firstly create a memorable password, so using The PAO Method or The Schneier Scheme – or another method of your choosing, create a memorable secure password.
LastPass has a members area that they call “The Vault” which houses access to all of your favorite sites. LastPass also has a section called “Secure Notes” that is designed to keep sensitive digital records like insurance and health accounts. You can also audit your passwords to ensure that they are kept secure, share passwords with family members and add in all of your credit card details into their platform so that you can pay with one click.
Personally, I would be a bit hesitant to give a website all of my data. However, LastPass ensures that they use the strongest AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes. Additionally, all data is encrypted at the device level so LastPass don’t have access to your data. Furthermore, they deploy – Two-factor authentication (also known as multifactor or 2FA) which requires you to perform a second step (eg. add a code from your phone) before you get access to your account.
#13 | 010 Memorizer
010 Memorizer is a piece of free software that you can download to help you create a secure and memorable password in a fun way. The system can also be used to memorize other numbers like social security numbers, IP Address’ and phone numbers etc. The idea behind 010 Memorizer is that it is way easier to remember vivid images than it is to remember numbers.
Let’s face it, no matter how we look at it, even when using a Password manager, you are going to have to (at the very least) create one memorable and secure password. So why not let 010 Memorizer help. You can use the software to find words that can be used to memorize numbers.
The example that they give on their site is:
If you are trying to remember that the number of bones in a hand is 27, convert the number 27 into the word INK. Now association INK with a hand: imagine breaking a pen and ink squirting all over your hands. Don’t think of a little ink – thing of a RIVER of ink pouring onto your hands and spilling onto the floor, eventually covering the whole room. Action words like ‘gushing’ or ‘exploding’ usually work well as they create a vivid image in your mind”
So there you have it, you can use the 010memorizer software to help you to create vivid passwords and also remember other strings of numbers that are hard to recall.
#14 | How Secure is My Password
How Secure is My Password – is a free and really simple tool that will tell you if the password that you have created is strong. The site is really easy to use, you simply go over to their URL and input your password in the big text box.
The site will then estimate just how long it would take a hacker to guess your password. I decided to check out “TQjmp1ng@bcL@Plma” – the password I created above with the PAO method to test how good that method actually is.
The result was pretty exciting, they reported back to me instantly that:
It would take a computer about 93 TRILLION YEARS to crack your password
Nice!
Just out of interest I wanted to test my “Schneier Scheme” password in comparison (to see which password generation method was the most secure):
This is my Schneier password: Ctc-C0L@gmsym
Here is my result:
Further securing your accounts
To sure that your accounts are kept safe it is a great idea to make sure that you turn on two-factor authentication. You know the authentication that sends a code to your phone – that sort of thing! It is not always available, but when it is, then take advantage of this great security feature. It provides added security levels because even if hackers manage to obtain your password, they won’t actually be able to get into your account.
In Conclusion
If you are in any way bothered about your data protection when you are online, then the methods above offer some great approaches to both generating and managing safe, memorable passwords. Companies often have to handle passwords for clients that get remembered in the cookie settings (if we don’t use a VPN) or that need to be securely stored.
When dealing with other people’s data we must be extra careful to keep data safe. However, even the regular internet user now needs to pay attention to how they manage their passwords to optimize their security.
[…] ที่มา: 1password, aripfan, igguru […]