Password Creation Rules and Common Sense Tips
Passwords are essential in the computing world: from using a password to sign in to your operating system to passwords for accounts on the Internet. The following guide looks at the most important rules when it comes to the creation of passwords. If you follow all of them, you make sure that your passwords are secure. While there is still the chance that someone will be able to decrypt them or steal them, the impact that this has will be less than for the average user who may use the same password on all services.
Password Creation Rules
1. Passwords need to be strong
There is no definition of what strong means in regard to passwords. The general consensus is that passwords need to be of appropriate length and complexity. I prefer to use passwords of 16, 20 or even more characters if the service allows it. Longer passwords are harder to memorize, but that is only a problem if you are not using a password manager that does that for you. So, if you are using a password manager, you only need to remember the master password for it and nothing else. And that master password should be very secure (mine is 40+ characters). Strong also refers to the characters used in the password. It is best to combine
- Upper and lower case letters
- Special characters
to increase the strength of the password.
2. Passwords need to be unique
This is an important rule, even though it is not the most important rule. The basic idea behind making passwords unique is that if someone gets hold of one of your passwords, they can’t use it for other services that you are a member of. A single strong password that has a low probability of being stolen makes it less likely that this ever happens, even if it is the only password used by a user. That’s in theory only though, as there are means of stealing passwords without having to decrypt them first: social engineering, keyloggers or software that records network traffic. It is also important to note that unique also means that you can’t use the username or a slight derivation of it as your password.
3. Passwords can’t be in the dictionary
There are two major types of attacks against an encrypted password to decrypt it: brute-force attacks that try every possible character combination imaginable, and dictionary-based attacks that use a dictionary file. The latter is a lot faster as it only has to go through all the words in a dictionary, and maybe in addition some combinations or additions (two dictionary words combined, or adding 1 to the end of each word). Such a dictionary includes popular terms, like favorite sports teams, pet or human names, sequences on the keyboard (qwerty, asdfyxcv) or artist names, and all personal information about yourself or your family including the name of the street, your school, the license plate of your car or your favorite family vacation.
4. Password Managers do all the work for you
While it may be an impossible task for most users to create and memorize strong unique passwords for every service they use, it is not really something that most users need to worry about, as password managers can do all the heavy lifting for them. Password managers such as KeePass or LastPass help you generate and remember secure unique passwords. Even the built-in password manager of the browser can be of use. While not all come with password generation options, they do save all passwords that you create on the Internet so that you do not have to remember them all individually.
Along with the creation of secure passwords come guidelines that help you make sure that no one else gets hold of your passwords.
- Be cautious about public computer systems. Since you do not have full control over the system, you do not really know what is running in the background. It is best not to type your passwords on these systems at all. If you do use them, make sure you log out of all services that you have signed in to during the session. I’d also recommend clearing the cache, cookies and browsing history.
- Do not send your password to anyone, not your friends, family or someone claiming to be a support member of a service you use.
- If a server gets hacked, or you have the feeling that your account got compromised, change the password immediately, even if it is a false alarm or if there is only a slim chance that someone can actually decrypt your hopefully secure password.
- Make sure your password manager is properly protected. If you use your browser’s password manager, make sure you protect it with a Master Password. If your browser (Chrome) does not have that option, do not make use of the password manager in the browser, but use another tool for it.
- Change all insecure or weak passwords if you still have any.
- Make sure the password for your email account — the one associated with accounts you use on the Internet — is also secure. Someone who manages to get into your email account can use the “password recovery” option of Internet services to create a new password for accounts to gain access to them.