How to Choose a Better Password

by Mikey Rox on 6 August 2012 5 comments

If you’re addicted to the Internet like I am, chances are your life is full of passwords.

Passwords for social networking accounts, bank accounts, frequent-flyer accounts, daily deal accounts — the list goes on and on.

With so many accounts, of course, comes the increased possibility of being hacked, and a successful hack can make you feel violated and even leave you broke.

So to help you avoid the embarrassment and hassle of a hack, here are a few tips on how to choose a better password. (See also: Wise Bread's Guide to Identity Theft Prevention)

What Not to Do When Choosing a Password

I’ll get to the best ways to fortify your accounts with a solid password in a minute, but first we need to cover those things that you should never do.

When creating a password, NEVER:

  • Use only a word. Any real word is off limits. If it's in a dictionary, it's in the attacker's wordlist, and cracking tools try every entry in that list (plus every password that has ever leaked) before they try anything else.
     
  • Use your user name or real name. That's just common sense. Also avoid the name of another person or pet in your life. Those names are easy to find on social media, so the attacker doesn't have to know you, and common first names and pet names sit in the wordlists anyway.
     
  • Put a digit in front of or behind a real word thinking that you've changed the game. That won't help you; cracking tools apply an "append or prepend digits" rule to every word on the list automatically, so password1, 1password and password2012 all fall in the first pass.
     
  • Spell any of the off-limits words in reverse to beat the system. You won't; reversal is another standard rule, so drowssap gets guessed right after password.

What to Do When Choosing a Password

You don't have to be a rocket scientist to pick a password that holds up. Here are some ways to create one that survives the automated guessing most attackers rely on: a wordlist run through mangling rules, and brute force only if that fails.

Use a combination of the following techniques to create a strong password:

  • Use at least eight characters, mixing numbers, upper- and lower-case letters, and punctuation marks. Treat eight as the floor, not the target: length does more for you than symbol variety, so aim for twelve or more on anything that matters. More characters is always better.
     
  • Shorten a favorite (but not famous) movie quote or song title to the first letter of each word. For example, the "Casablanca" quote "Here's lookin' at you, kid" becomes HLAYK. (Again, something less famous is better: well-known quotes are exactly what an attacker's list of phrases is built from.) You can then add numbers to the end, perhaps the year "Casablanca" was released, 1942, and lowercase some of the letters, such as the A, giving HLaYK1942. Replacing the A with the @ symbol gives HL@YK1942. Be aware that appending a year and swapping A for @ are both standard rules in cracking tools, so they add far less than the extra characters suggest; the obscurity of the phrase and its length are what carry this technique.
     
  • Throw a punctuation mark into the middle of a word. Example: Wise$Bread. On its own this is weak, because inserting a symbol into a dictionary word is another rule attackers run, so use it only as one layer on top of a long, uncommon base.
     
  • Use a word you like and can remember, then remove the vowels or replace them with numbers or punctuation marks. The same caveat applies: leetspeak substitutions (a to @, e to 3, o to 0) are built into every rule set, so this buys little unless the base is long and obscure.
     
  • Misspell a word in your password on purpose. A genuine misspelling that isn't a common typo is harder to enumerate than the substitutions above, provided the password is long enough to begin with.
     
  • Use your imagination to come up with a password that has no significance in the real world. Just make sure you can remember it. Better still, let a password manager generate a long random string, or string several unrelated words together into a passphrase; both are easier to make long than any single mangled word.
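To see why the tricks above count for less than they look, here is an added example (not code from the original article) of the rule-based wordlist expansion that cracking tools such as hashcat and John the Ripper run through their rule files. The six-word base list, the rule set and the 95-character alphabet the naive strength meter assumes are all constructed for illustration; a real attack pushes millions of words through thousands of rules.

```python
"""
Rule-based wordlist expansion, the technique cracking tools such as hashcat and
John the Ripper apply through their rule files. Added illustration for this
article, not the article's own code. The six-word base list and the rule set
are constructed assumptions: a toy slice of a real attack, which runs millions
of words through thousands of rules.
"""
import itertools
import math
import string

# Constructed base wordlist. A real one is built from dictionaries, leaked
# passwords, first names, pet names and brands; six entries keep this quick.
BASE_WORDS = ["wise", "bread", "password", "casablanca", "rover", "mikey"]

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}   # common substitutions
PUNCT = "!@#$%&*?"
# Digit strings attackers bolt on: years and short numbers (a real rule set
# appends far more, e.g. every 1-4 digit string).
DIGITS = ([str(y) for y in range(1900, 2031)]
          + [str(n) for n in range(100)]
          + [f"{n:02d}" for n in range(10)])
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "   # 95


def case_variants(word):
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """Every subset of the substitutable letters swapped: 2**k strings."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    out = set()
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for swap, i in zip(mask, positions):
            if swap:
                chars[i] = LEET[chars[i].lower()]
        out.add("".join(chars))
    return out


def mangle(words=BASE_WORDS):
    """Expand the wordlist with the toy rule set and return every candidate."""
    bases = set()
    for w in words:
        for cv in case_variants(w):
            bases |= leet_variants(cv)          # the empty mask keeps cv itself
    bases |= {b[::-1] for b in bases}           # reversal rule

    candidates = set(bases)
    for b in bases:
        for d in DIGITS:                        # digits in front or behind
            candidates.add(b + d)
            candidates.add(d + b)
        for i in range(1, len(b)):              # punctuation inside the word
            for p in PUNCT:
                candidates.add(b[:i] + p + b[i:])
    # Two words joined by punctuation (case variants only, to stay small).
    cased = [cv for w in words for cv in case_variants(w)]
    for left, p, right in itertools.product(cased, PUNCT, cased):
        candidates.add(left + p + right)
    return candidates


def nominal_bits(password, alphabet=PRINTABLE):
    """What a naive strength meter credits: log2(|alphabet| ** length)."""
    return len(password) * math.log2(len(alphabet))


def effective_bits(candidates):
    """What a rule-based attacker actually has to search: log2(#candidates)."""
    return math.log2(len(candidates))


def report(password, candidates):
    """(found?, bits a meter reports, bits the attacker really searches)."""
    return password in candidates, nominal_bits(password), effective_bits(candidates)


if __name__ == "__main__":
    cands = mangle()
    print(f"{len(cands)} candidates from {len(BASE_WORDS)} words")
    for pw in ["Wise$Bread", "Bread1942", "drowssaP", "p@$$w0rd", "HL@YK1942"]:
        found, nb, eb = report(pw, cands)
        print(f"{pw:10}  in set: {str(found):5}  meter: {nb:5.1f} bits  attacker: {eb:4.1f} bits")
```

Run it and Wise$Bread, Bread1942, drowssaP and p@$$w0rd all turn up in a candidate set of a few hundred thousand strings, so the attacker searches under 20 bits while a character-counting meter credits Wise$Bread with about 66. HL@YK1942 is absent only because no quote acrostic is in the six-word list; the year suffix and the @ substitution it relies on are the very rules shown here.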

Additional Tips for Keeping Your Password Safe

Once you have that password created, keep it safe by following these suggestions:

  • Never keep your passwords in a plain file on your computer; a document or spreadsheet named "passwords" is the first thing a thief or a piece of malware looks for. If you must record one, write it on a piece of paper and lock it in a safe. Better still, choose a password you'll remember, or keep it in a password manager's encrypted vault, which is not the same thing as a plain file.
     
  • Never give your password to anyone for any reason. No one needs to know your password; legitimate support staff can reset it without it. If someone asks for it, assume it's for nefarious purposes.
     
  • Never respond to an email requesting your password, even if the email claims to be from someone in authority, and never follow a link in such a message to "verify" your account: that is how phishing works. Legitimate services will NEVER ask for your password by e-mail. If you're worried an account has a problem, type the site's address yourself and log in there.
     
  • Try a password management tool such as LastPass, 1Password or KeePass. They generate a different long, random password for every site and fill it in for you, so a breach at one site can't be replayed against your other accounts, and they simplify your life by requiring you to remember only one strong master password. Guard that master password accordingly, and turn on two-factor authentication wherever a site offers it.
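Two things the tips above lean on, shown as an added example (not the article's code, and not any password manager's implementation): how the worst-case guessing time grows with length, and how a manager-style generator draws a long random password or passphrase from the operating system's CSPRNG. The guess rate of 1e10 per second is an assumption, the rough order of magnitude a single GPU reaches against a fast unsalted hash such as MD5 or NTLM; the 94-symbol alphabet and the sixteen-word list are constructed for the demonstration.

```python
"""
Length versus guess cost, plus a password-manager style generator. Added
example for this article; not the article's code and not any manager's
implementation. The guess rate is an assumption: 1e10 guesses/second is the
rough order of magnitude one GPU reaches against a fast unsalted hash; against
a slow hash (bcrypt, scrypt, Argon2) it is thousands of times lower.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
GUESSES_PER_SECOND = 1e10          # assumed attacker rate, see module docstring
SECONDS_PER_YEAR = 365.25 * 86400

# Constructed toy word list. A real diceware-style list has thousands of
# entries; each word contributes log2(list size) bits, so this one gives little.
WORDS = ["correct", "horse", "battery", "staple", "lantern", "pillow",
         "meadow", "cobalt", "velvet", "harbor", "thistle", "quartz",
         "saffron", "anchor", "basil", "copper"]


def search_space_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of a uniformly random password of this length: log2(N ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst case: trying all 2**bits candidates at `rate` guesses per second."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def random_password(length=20, alphabet=ALPHABET, require_all_classes=True):
    """
    Draw each character uniformly with the OS CSPRNG (secrets, never random).
    Sites that demand one character of each class are satisfied by rejection
    sampling: redraw the whole string until it qualifies, which keeps every
    accepted string equally likely, unlike "pick one of each, then shuffle".
    """
    if require_all_classes:
        if length < len(CLASSES):
            raise ValueError("too short to contain every character class")
        if not all(any(c in alphabet for c in cls) for cls in CLASSES):
            raise ValueError("alphabet cannot satisfy every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all_classes or all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def random_passphrase(n_words=6, words=WORDS, sep="-"):
    """Diceware-style: words chosen uniformly, with replacement."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words, list_size=len(WORDS)):
    return n_words * math.log2(list_size)


def cost_table(lengths=(8, 10, 12, 16, 20)):
    """{length: (bits, years to exhaust)} for random passwords over ALPHABET."""
    return {n: (search_space_bits(n), years_to_exhaust(search_space_bits(n)))
            for n in lengths}


if __name__ == "__main__":
    for n, (bits, years) in cost_table().items():
        print(f"{n:2d} random chars: {bits:5.1f} bits, exhaustive search {years:.3g} years")
    print(f"6 words from a {len(WORDS)}-word list: {passphrase_bits(6):.0f} bits "
          "(a list of thousands of words is needed for this to be strong)")
    print("generated:", random_password(), random_passphrase())
```

Under the assumed rate an 8-character random password is exhausted in days and a 12-character one in over a million years, which is why length matters more than which symbols you sprinkle in; and since these numbers assume the password is uniformly random, anything built from a word plus rules is far cheaper than the table says.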

How did you create your password? Does it adhere to these tips? Let me know in the comments below.

EDITOR'S NOTE: Some advice in this article has been updated.


Comments
Juggler314

Holy crap, some of this is plain bad advice. Did you even do a decent amount of research before writing this?

1) I can crack a completely random 6 character password in seconds on my computer. 8 characters might take a minute or two. 12 characters is around where it starts to get "harder" - 344 thousand years, but that's just one computer. 12 is good enough for "normal" users - but if you really have something to keep secure, people with unlimited resources could still crack that in a reasonable amount of time (with unlimited funds you can purchase computer time and run several million computers together, so that takes the crack time down to a few days, although it will cost you many thousands of dollars). Adding just one more character to 13 makes it pretty good for now, but computers do get faster.

2) Adding a punctuation mark inside a regular word is nearly as bad as just picking a word - advanced password checkers will run through the dictionary and for every word will do many thousands of permutations like this.

3) Same thing with replacing vowels with common substitutes - the programs will check all these things.

4) misspelling is marginally better, but only if the password is long enough to start with.

Here is a funny XKCD.com comic that explains this in pretty simple terms http://xkcd.com/936/

Here is a web page that will tell you how long it takes to crack a given password by a single desktop http://howsecureismypassword.net/ (note you probably should not test your actual password there, just feed it something similar).

How can you write an article like this and not even touch upon password managers (lastpass, 1password and keepass being the 3 prominent ones)? I use lastpass; my master password is 22 characters long - mostly random - and *every* password for anywhere else is 20 random characters (or as long/complex as the system will let me use).

If you really wanted to get technical you could touch upon two factor authentication too, a growing number of sites allow that.

I get that the point of writing articles on a site like wisebread.com is a game of monetization, but how about we not give out information that actually makes it *easier* to hack someone's password?

Lastly here's a good article about what happens when you become lax about passwords - even ones you consider secure (up until I switched to lastpass I was guilty of this myself even though I clearly knew better, using the same randomly generated 9 character password I got as a freshman in college back in 1993, granted that's *still* more secure than most people's passwords even today, it isn't enough if you care about losing your data). http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard

Meg Favreau

Thanks for your comment, Juggler. After additional research, we have updated some parts of the article.

Thad P

Excellent advice from start to finish.

As I understand your point, it is better to improve a bad password to a strong password than it is to use nothing. Most people can implement what you suggest, which is why you wrote it.

Guillaume Martin

This site is also good for building strong passwords. It actually tells you where the weaknesses are.
http://www.passwordmeter.com/

Bryan

I use different passwords for social networking sites, for my business sites, and for my financial accounts.

The ones I use for social networking sites are less complicated than the ones I use for business and for my bank accounts. Still, that doesn't mean that because they're less complicated they're easy to guess. ;)