Skip to main content

Six tips to bombproof your password

secure passwords headerMajor password breaches are so common they’re becoming like storms and traffic jams: One day you hear about tens of thousands of Twitter users compromised or several million at LinkedIn, the next it might be upwards of 50 million at Evernote or LivingSocial.

But despite their fallibility, passwords won’t be replaced any time soon. Two-factor authentication technologies using our mobile devices and even biometrics can help keep us secure, but so far none are foolproof, and precious few are even convenient.

How can we make our passwords more hack-resistant and manage all the passwords we need?

Entropy is your new best friend

Most attackers don’t break passwords by going to Gmail or Facebook and making guesses; that’s slow, and most services block access after a few failed attempts. However, if attackers steal account data through a security hole, they can make thousands, millions, or even billions of guesses per second offline using their own computers. If that sounds outlandish, consider that Stricture Consulting Group last year showed off a small computer cluster made from off-the-shelf components that could test as many as 350 billion passwords per second. Some password-cracking operations harness hundreds (or thousands) of computers via botnets or legitimate cloud-computing platforms, while others just use everyday PCs. They’re fast too.

The quality of a password doesn’t matter if a service stores your password as plain text and an attacker steals it. (Don’t laugh: it happens.) If passwords are encrypted, however, size and randomness are two factors that determine a password’s strength or entropy — basically, a measure of the possible combinations a password can have.

“The higher the entropy, the longer it will take, on average, for a brute-force attack to succeed,” noted Joe Kissel, author of the ebook Take Control of Your Passwords. So, all things being equal, you want a high-entropy password.”

The benefit of a password’s size is obvious: More characters means more possible combinations. The benefit of randomness is less subtle. A password like YesThisIsMyGreatNewRandomPassphrase wins points for size — 36 characters! — but loses points for randomness, since it’s just upper- and lower-case letters. (It’s also less random because it’s in English: Attackers try to take advantage of common letter patterns.)

Something like *5FRRcr62{d~OkP!{AKaxzevQZb6L{~S1F~b would be more secure — it’s both big and highly random. Unfortunately, it’s almost impossible for most people to remember…but it’s easy for a computer to remember.

Ways to make strong, memorable passwords

There’s no magic formula for making passwords both very strong and easy to remember. However, here are some ideas:

Size matters — In statistical terms, memorable passwords aren’t very random, but you can make them stronger with sheer size. These days, I consider 14 to 15 characters a minimum for a random password. For a password based on words or phrases, a realistic minimum might be 20 characters. When in doubt, go big.

Use combined terms — Grouping a three to five unrelated words together can be a great basis for a long password. Something like TurquoiseGullGrapeDiner creates a sizable password (23 characters) but only requires you remember four things.

Use groups of symbols and numbers — The example above won’t work if a system requires numbers or symbols. However, if you accent it with a small group of special characters, like (3*^, it can be used almost anywhere as TurquoiseGullGrape(3*^Diner. Here’s the trick: Come up with two or three sequences of symbols and numbers like that, then re-use them to both add entropy to your longer passwords and meet password requirements. Just consider symbols carefully: diacriticals and symbols (like €, ™ þ «) might be easy on a computer keyboard, but on phones even shifting between upper and lower case can be annoying.

Avoid 1337 speak — Don’t use common symbol substitutions like @ for a, 3 for E, 5 for S, [) for D, etc. Those are some of the first things password crackers attempt — and remember they can attempt millions (or billions) of combinations per second.

Improve entropy with random passwords — Several services like Random.org and WhatsMyIP.org will generate random passwords of any length, with options to avoid similar-looking characters (like 1 and I). These are hard to remember, but if you use a password management system (see below) you might not care.

Never reuse passwords — It’s tempting to make a single strong password and use it everywhere. Don’t do it. When attackers steal passwords, they often get information like names, email addresses, billing details, and even security questions or password hints along with them. If attackers crack your password on one service they can quickly try the same password with your name or email address on other services. If you never reuse passwords, damage from a cracked password is already contained.

Managing passwords

Making a strong password for every service means most of us will be swimming in passwords—and we’ll never remember them all.

… An ounce of prevention — say, 16 random characters — can be worth a pound of cure.

Password management programs like 1Password, RoboForm, Clipperz, and LastPass are possible solutions. Each have their pros and cons, but the basic idea is similar: They remember your passwords and try to automatically log you into sites and services once you enter a master password or PIN code. Some have features like random password generators and support for USB keys. Users only need to remember a single master password for day-to-day stuff, and the programs are just as proficient at storing long, incomprehensible passwords (like Qz!~WEpmm[z|5!6UYa#xPJ#e) as brain-dead passwords you should never use (like “password”).

The password managers above (and others) are available for most desktop and mobile operating systems, and can synchronize passwords between phones, tablets, and computers (1Password relies on Dropbox, for instance). That’s tremendously handy if you create a website password on your PC, then need it later on your iPad.

“If you’re going to use a password manager, it makes sense to pick something that will sync securely across all your devices,” noted Kissel. “Usually syncing involves the cloud, although some sync directly over Wi-Fi. As long as the data is encrypted, which it always is, cloud-based syncing isn’t riskier, but it is more convenient because your devices don’t have to be on the same network.”

Trusting password managers can have drawbacks. For instance, LastPass stores everything in the cloud, which is great until you don’t have Internet access or the service goes down. Similarly, a software incompatibility could make your passwords inaccessible — maybe on just one device, but maybe everywhere.

The upshot is that you will almost certainly need to memorize a handful of passwords. The most likely candidates are:

  • Your computers and devices
  • Your password manager
  • Critical online services (like email, Google account, Apple ID)
  • Online banking
  • Sync services (like Dropbox)
  • Social media

Not all of these apply to everyone. Most people will only need to memorize four or five passwords. Almost everything else can be trusted to a password manager.

Finally, consider recording your most important passwords on paper in a safe place. That’s not a notepad next to your keyboard, but perhaps a safety deposit box or an obscure location in your home (like, inside a CD of Aerosmith’s Greatest Hits). The list isn’t so much for you, but for anyone you might need to access your devices or accounts in an emergency.

Better safe than sorry

These steps may seem like overkill. Why would an attacker care about your Pinterest account or Facebook page or email? Unless someone wants to besmirch your online reputation, they probably don’t. However, even our seemingly innocuous accounts can be stepping stones to PayPal, Amazon, iTunes, credit cards, bank accounts, and identity theft — and those are precisely what serious attackers want. With so much of our day-to-day lives now online and password breaches becoming so commonplace, an ounce of prevention — say, 16 random characters — can be worth a pound of cure.

Editors' Recommendations

Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
Hackers are using this incredibly sneaky trick to hide malware
A hacker typing on an Apple MacBook laptop, which shows code on its screen.

One of the most important things you can do to protect your online security is install one of the best password managers, but a recent cyberattack proves that you have to be careful even when doing that. Thanks to some sneaky malware hidden in Google Ads, you could end up with viruses riddling your PC.

The issue affects popular password manager KeePass -- or rather, it attempts to impersonate KeePass by using misleading Google Ads. First spotted by Malwarebytes, the nefarious link appears at the top of search results, meaning you’ll likely see it before the legitimate websites that follow beneath it.

Read more
Is your PC acting up? Here’s how to fix it
A PC gaming desktop setup with two monitors and a gaming chair.

Whether you have one of the best desktop computers or a 10-year-old PC, things can go wrong sometimes. Freezes, crashes, overheating, or even the dreaded Blue Screen of Death (BSOD) -- there are plenty of issues that sometimes plague PC users, and when it happens to you, you might feel at a loss as to what to do.

Good news -- not every malfunction requires taking the PC to a professional repair service (although some of them definitely do). If you're unhappy with the way your PC performs, start by checking out our comprehensive guide to troubleshooting a PC, because it might turn out to be the only thing you need to get it all fixed. On the other hand, if your computer won't turn on at all, we have a separate guide for you.
PC issues? Start here

Read more
How smart light bulbs could steal your password
GE Cync smart lights review

If it's connected to the internet, it can get hacked -- yes, even some of the best smart bulbs. While smart bulbs make it easy to adjust the lighting and ambiance in your room, they connect to Wi-Fi, which makes them susceptible to attacks. Researchers from the Universita di Catania and the University of London discovered a particular vulnerability in the TP-Link Tapo L530E smart bulb and the accompanying TP-Link Tapo app. It seems that hackers could gain access to your passwords just through the smart bulb.

These days, smart devices are more and more prominent in households across the globe. The TP-Link Tapo L530E is a popular smart bulb, which is what drove the researchers to analyze it and attempt to find flaws within its security. Unfortunately, they found at least four vulnerabilities, all stemming from the fact that the bulb's security measures might be insufficient.

Read more