We all know we should use secure passwords, but how do you balance the need for highly secure passwords with the ability to recall them easily when needed? Depending on which study you read, the average person has 27 online accounts and between 70-80 passwords to remember. As a result, many people choose the path of least resistance (I’m working on a future post about this) and either use simple, easy to remember (and easy to guess) passwords, or use the same password everywhere.

Creating and managing strong passwords may seem like a daunting task, but it doesn’t need to be, and I’m going to show you how.

Brief history of Passwords

Before we look at how to create strong passwords, for fun, let’s look at a brief history of their use. The use of passwords is often traced back to the 1960s, when Fernando Corbató, working at the Massachusetts Institute of Technology (MIT), created a way for researchers to share a common mainframe but keep their individual files private. The concept of a password was developed so that users could only access their own files during their allotted four hours a week (if my children are reading this – see, even they had time restrictions on their technology use).

However, the notion of passwords can be traced back even further. The literary history of the password dates back to the 18th-century classic tale of Ali Baba and the forty thieves, where “Open, Sesame” was used as a password to gain access to a magical sealed cave. Not surprisingly, “open sesame” often appears in lists of the most commonly used passwords! Don’t use it!

In 16th-century Renaissance Italy, cardinals are believed to have used ciphers to protect their correspondence. There is also historical evidence of the Roman military using passwords as a way to distinguish friend from foe.

Finally, many of you may be familiar with Shibboleth, a system which lets you use a single set of credentials to log into multiple systems that are linked together as a federation (universities and colleges use one of these, called Eduroam). Interestingly, the name is derived from the Shibboleth Incident, which took place in the 11th century. The 12th chapter of the biblical Book of Judges records a battle between the tribes of Gilead and Ephraim. Gileadite soldiers used the word “shibboleth” as a password and as a way to detect their enemies, knowing that the Ephraimites were not able to pronounce “sh” in their dialect. Knowing the password was literally life or death!

Clearly, passwords have been around for a long time. They may not have much of a future, but that is a topic for another post.


Strategies for creating secure passwords

The original advice when creating passwords was to choose one that someone couldn’t guess. However, very soon long lists of the most popular passwords were shared online, leaving these passwords vulnerable to dictionary attacks (I’m working on a future post about this). To mitigate this risk the advice was updated so that passwords should now be at least eight characters in length, made up of letters, at least one number and a symbol such as (@#$%{}/\'”~,;:.<>+-=_^?&*!|). While this advice can help produce more secure passwords, the resulting passwords are very hard to remember. So how can you create a secure password that you can remember? Well, here are a few strategies you can try:

Method 1: Mnemonics (acronyms or phrases that are easy to remember)

Convert a sentence into a password

Bruce Schneier, a security expert, recommends turning a sentence into a password. The sentence should be personal and memorable to you, but not to anyone else, e.g. not the lyrics of a popular song. Take the words from the sentence and apply some personal, memorable tricks to turn that sentence into a long, secure password. For example,

Wow…doestfsd = Wow, does that flower smell delightful.

Ltime@go-ihtow@lkh4>5m! = Long time ago i had to walk home for more than 5 miles

This strategy should produce a seemingly random long password, but one which is difficult to crack, and importantly easy for you to remember.

Pass Phrases

An alternative to creating strings of characters as a password is to use a pass phrase. Popularised by the xkcd comic, the logic behind this strategy is that a password made up of random characters, such as Cj0ue4&3pex, is hard for humans to remember but easy for password cracking software, whereas a passphrase such as Treewrongmonkeygrapefruit is easier for humans to remember but difficult for a computer to guess.

The key to this method is the length (number of words) and the randomness. It essentially uses the concept of Diceware to select words (six are now recommended) at random from a special list called a Diceware Word List.

It is best to avoid choosing the random words ourselves, as we risk selecting words that are either linked because of cognitive bias in our brains or that we may have posted publicly (e.g. on social media). Both can result in weak passwords, since they create a surface area of predictability an attacker can leverage, or could leave the password susceptible to a dictionary attack.

The general advice when creating pass phrases is to use:

  • a minimum of 6 base words (the more the better)
  • a decent size word list. Diceware’s recommendation of 6^5 (7776) should be used
  • randomly selected words (Do not pick them yourself)
  • include spaces in your passwords if you want
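As an added example (not code from the original post, and not the Diceware project’s own tooling), the following Python shows the two things that make this method work: choosing words with a cryptographically secure random source instead of by hand, and measuring the result in bits of entropy so that a six-word passphrase from a 7776-word list can be compared with a random character password of the kind mentioned earlier. The word list here is a constructed stand-in for the real 7776-word list, and the 72-symbol character set used for the comparison is an assumption.

```python
import math
import secrets

# Constructed mini word list; it stands in for the 7776-word Diceware list.
# A real list maps every five-dice roll ("11111" .. "66666") to one word.
SAMPLE_WORDS = ["tree", "wrong", "monkey", "grapefruit", "kermit", "haggis",
                "bunker", "pink", "cloud", "saddle", "marble", "quill"]

DICEWARE_LIST_SIZE = 6 ** 5            # 7776 words, as the article recommends
CHARACTER_SET_SIZE = 26 + 26 + 10 + 10  # assumed: letters, digits, ten symbols


def roll_dice(n=5):
    """Roll n fair dice using the OS CSPRNG (secrets), never random.random()."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def diceware_index(rolls):
    """Map a five-dice roll (values 1..6) to a 0-based index into a 7776-word list."""
    index = 0
    for die in rolls:
        if not 1 <= die <= 6:
            raise ValueError("each die must show 1..6")
        index = index * 6 + (die - 1)
    return index


def passphrase(words=SAMPLE_WORDS, count=6, separator=" "):
    """Pick `count` words uniformly at random; the generator, not the person, chooses."""
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(alphabet_size, length):
    """Entropy of `length` independent uniform picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest number of random words from `list_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("dice:", roll_dice(), "->", passphrase())
    # Six words from a 7776-word list versus an 11-character random password.
    print("6 words  :", round(entropy_bits(DICEWARE_LIST_SIZE, 6), 1), "bits")
    print("11 chars :", round(entropy_bits(CHARACTER_SET_SIZE, 11), 1), "bits")
    print("words for 128 bits:", words_needed(128))
```

The entropy figure is the point to take away: six words chosen at random from the full list give roughly 77 bits, more than an eleven-character random string from a 72-symbol set, and the number only holds if the words really are selected at random rather than by a person.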

PAO (Person-Action-Object)

Researchers at Carnegie Mellon University put forward the PAO method to create and store your unbreakable passwords. The theory behind the method is that our brains have cognitive advantages for memorisation when using visual cues and memorable stories.

To use the method you combine a person using an interesting object to do something (the stranger the better). For example, Kermit the frog eating haggis. To extend this further and make an even more secure random pass phrase, the researchers suggest you picture a setting in which the person-action-object story is occurring. Let’s say that the setting is a secret pink bunker. You now end up with a sentence like “Kermit the frog eating haggis at a pink underground bunker.” The point of this mnemonic technique is that you end up with six words, Kermit, eating, haggis, pink, underground, bunker, that according to Kaspersky will take 10000+ centuries for an average home computer to brute-force. It can be made even harder to crack by replacing some letters with numbers, punctuation or special characters.

There are lots of other examples, such as phonetic muscle memory, but the three strategies above offer good protection and, importantly, produce passwords that are easy to remember.

Method 2: Password Card

A completely different approach to remembering your passwords is to use a Password Card. These are credit card sized cards which you print, keep in your wallet, and use to create secure passwords without having to remember them.

Password Card

The card has a unique grid of random letters and digits, each row with a different colour and each column a different symbol. Rather than remembering a strong password for each site you use, you simply remember a combination of a symbol and colour (e.g. ! green), and then read the letters and digits off the card (e.g. Q5F5pZGMP). You can mix things up by choosing any length and direction. For example, when using ! green you could read left for five characters and then down for four (e.g. Qr8jwkCF9). Just remember the pattern you use, and I suggest using the same pattern for all passwords.

I know I will probably get some kickback for advocating the use of Password Cards, with the two main objections being:

  • We’ve always been advised not to write down our passwords.
  • What if my wallet gets stolen?

However, while I agree in general that writing down passwords is probably not the best idea, the logic here is that a chain is only as strong as its weakest link. It’s far safer to pick secure passwords and write them down (obviously stored securely), than it is to remember simple and easy to guess passwords. Bruce Schneier would certainly agree, as he recommends writing some passwords down. I am not quite at that place, but in this case I see no problem as you are not actually writing any passwords down, only a grid for creating the passwords. Sure, your wallet could get stolen, but the thief will not actually know your passwords, only the grid of random digits from which you created it. There are simply too many possible passwords on the card for them to bother trying to figure out the password of an average user. As with any password method, just be careful and watch out for shoulder surfers.

Method 3: Use a Password manager

The final option is using a password manager, such as LastPass, to create and store long secure passwords. The password manager is secured with a master password which you remember, and it can then be used to store every other online password you need. Most password managers come with an easy to use web interface, and many also include plugins for various web browsers and apps for many smartphones. More on password managers later.


Survey Results

While researching the content for this article, I surveyed my mailing list about their password security habits. Here’s what I found.

  • Over 60% of people either remember or write down their password. It was good that nearly 40% of people use a password manager, however, I suspect at present I have a disproportionate number of highly technical users in my mailing list. I suspect a more reflective figure would be closer to what was found here.
  • 96% of people reuse their passwords, or part of, on multiple sites. The largest percentage of people (33%) use a mixture of text (upper and lowercase), numbers and special characters. I suspect this reflects enforcement by password policies, which is good.
  • 81% of people use a password between 8-15 characters (again probably because they are forced to). However, I suspect it may be common that an old password has something appended to the end of it to make it up to 8 characters, e.g. ‘billydog’ + ‘1234’.
  • Over 50% of people just add something to the end of an old password when forced to change it. It was good that only 5% choose something easy to remember like a family name.

Takeaways:

  • Password recycling is the most common problem, and poses the biggest risk. The vast majority of people admit to doing it.
  • A large percentage of people still try to remember their passwords; however, the average person can only remember 4 or 5 secure and complex passwords (unless using some of the strategies above).
  • It is very common to simply add something to the end of an old password, meaning part of the password is still reused.

Recommendations

Disclaimer: The advice I am about to share is specifically targeted to subscribers of my mailing list, although it is probably applicable more broadly. I regularly poll my mailing list and respond to their questions regarding their digital habits. If you would like to receive the right advice for you, join the mailing list. This advice also contributes towards the Protect strategy of my Digital Balance Philosophy which proposes we should:

refine our digital interactions so they continue to support the goals and activities we want to pursue but minimise our exposure to risk and unhealthy relationships with technology - Christopher D. McDermott


General Tips:

  • Every password should be complex, and importantly unique (not reused on another site) and preferably randomly generated.
  • To achieve this, everyone should be using a password manager (see below) to store a secure unique password for every site you use online. Your aim is not to know any of your passwords for online accounts.
  • However, you may still need to remember a few secure passwords, for example the master password for your password manager (used to open the application) therefore I recommend using one of the strategies I listed above. For example, you could use a Password Card to create a secure password to get into your password manager, and then use the password manager to store every other password for you.
  • When changing passwords do not use a public computer or wifi. Instead, use a clean computer on your home wifi network.
  • The last tip is a little controversial. You do not need to change all your passwords on a regular basis. Forcing people to do so can actually do more harm than good, because people resort to the habits I mentioned in the introduction. If you are using the above tips your passwords should be safe and secure, therefore only change them if you suspect an account has been compromised.

Regular risk/skill level (most people) – use an online password manager

  • It will generate secure passwords for you
  • It stores them securely, so that even you, and even the company, do not know them
  • It will synchronise your passwords across devices (PC \ Mobile \ Tablet)
  • It has a browser extension, so it can populate username and password fields when you visit the genuine website for each password

I recommend Bitwarden. It is open source and has an active community.

Increased risk/Advanced skill level – use an offline password manager

  • It will also generate secure passwords for you
  • It will store your passwords securely, so that even you do not know them
  • You will need to install it manually on each of your devices (no syncing), but it means none of your data is stored or synced online
  • It has a browser extension, so it can populate username and password fields when you visit the genuine website for each password
  • Ultimately, this option is going to be less convenient (especially if you are not on your main computer) but more secure

I recommend KeePassXC. Again, it is open source and has an active community.


Using secure passwords contributes to the ‘Protect’ strategy of my Digital Balance philosophy, which encourages us to:

refine our digital interactions so they continue to support the goals and activities we want to pursue but minimise our exposure to risk and unhealthy relationships with technology

To learn more about the philosophy, and how you can apply the three strategies Compartmentalise, Protect, and Refine to achieve the right balance in your digital interactions, download a copy of my free ebook.
