How to choose a STRONG Password

**geoff01** · #1 03-06-2007, 11:49 AM

The first part of this was written by someone who actually had his password hacked, and has since written this in order to benefit others.

Easy to Remember = Easy to Hack
Traditionally, we've all wanted to use passwords that we can easily remember, because we're afraid of forgetting them and being locked out. Unfortunately, in this day and age of cyber-thieves, we can't afford that convenience. A password is easy to remember if it follows a pattern or if it's made of real words and phrases. Both of these attributes make them very easy to crack by a computer. Pattern matching is one of the things that computers do best, and a Dictionary Search uses lists of known words to speed up the cracking process, so real words leave you open to hacking. Like it or not, you need to use a random password.

Re-using Passwords is Suicidal
These days you need passwords for just about everything you do online, and one can quickly feel overwhelmed by all those crazy character strings. There's a strong temptation to use a single password at multiple sites, just to keep things simple. Remember, simple for you means simple for a hacker. If just one password is compromised, every account that uses that password is compromised. That's an opening the size of the Holland Tunnel, and a hacker WILL go through it. Again, it's not convenient, but you must use a unique password for every single account you create.

Short, but Not So Sweet
Another error many folks make is to use short passwords. Again, this is more convenient for humans, but again it's more convenient for hackers as well. In my case, I used a password that was only 6 characters long. With just lower case letters, that allows about 309 million possible passwords. Seems like a lot, but it only took 'a few hours' for the hacker to guess it. If I'd used 8 characters instead, there would have been 209 billion possible passwords.. See what a difference just adding 2 characters makes?!!

Character Symbols - The More, The Merrier
Merrier for you, not the hackers... My password used only lower case letters. That means there were only 26 characters available. That played into the hacker's hands by cutting down on the number of possible variations. If I'd used a mixture of upper case and lower case letters, the character set doubles in size, and instead of 309 million variations, there would have been 19.8 billion variations, even with a password only 6 characters long. Clearly there's a benefit to using a larger character set. Add in all ten available numerals (0 throuh 9) and you add even more strength to your password.

To create a strong password that is easy for you to remember but hard for someone else to determine, try one of these techniques:

Merge two or more words, and combine the words with numbers and symbols. For example: Walk[My]Dog, Po#34tato, Champions=1995.
Abbreviate a phrase you'll remember. It could include numbers and symbols, or words that you can substitute with numbers or symbols. For example: I ride my bike 5 miles each Saturday could become the password Irmb5meS.
Use punctuation and numbers to combine the initials of people or objects from a familiar group, such as your favorite athletes, friends, movies, books, or historical figures. For example: Gandhi, Abraham Lincoln, and Joan of Arc could become the password 1G,2AL,JA.
Drop all vowels from a favorite saying, and then add numbers or symbols. For example: Walk three dogs could become the password Wlk3Dgs.
To be strong, a password must:

Contain at least seven, but no more than 16, characters.
Combine three of the four different types of characters:
Uppercase letters (for example: A, B, C).
Lowercase letters (for example: a, b, c).
Numerals (for example: 1, 2, 3).
Symbols (` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /).
Not be a common word or name, or a close variation.
Some service providers require that a strong password also:

Not be the same as any of your four previous passwords.
Not be a minor variation of your old password. For example, if your old password was Champions=1995, a new password of Champions=1996 would not be acceptable.
Important

Don't use one of the above examples as your password.
Don't write down your password.
Never give out your password in an instant message conversation or share it with anyone else. You should never be prompted for your password in an e-mail.
If you have more than one e-mail account, for instance, one for work and one for personal use, you should use a different password for each account.

Amadeus · #2 03-06-2007, 01:27 PM

my 2 cents
if you have problem with you imagination you can always download password-creator software. Such programs will help you to create really strong passwords. Also They can keep created passwords securely.

goldenfish · #3 03-06-2007, 06:04 PM

great post geoff01 , reading it has made me consider changing my password , even though it`s 20+ characters long , quite impossible to guess

pluggy · #4 03-06-2007, 08:59 PM

Most accounts are compromised with help on the inside (a keylogger for example) it matters not how complex your password is if you have one of these lurking............

protex01 · #5 03-06-2007, 10:46 PM

i'm using the same strategie in my passwords.
but i see that a software for password creation it will limit your imagination and make your mind sleeping...

goldenfish · #6 03-06-2007, 11:16 PM

Quote:

Originally Posted by pluggy

Most accounts are compromised with help on the inside (a keylogger for example) it matters not how complex your password is if you have one of these lurking............

true , keyloggers can be a pain , had one some time ago .. I was lucky the one that sent it to me was probably a newbie .. cause the keylogger software was a trial one , and jumped on my desktop on start-up to upgrade by purchasing the keylogger`s licence

Aston · #7 03-07-2007, 07:19 PM

You can use some password keeping program like AI Roboform. It helps to manage different identities and autopaste passwords. No keylogger will catch it. Yet better put a decent antivirus, antispyware and firewall.

n197 · #8 03-08-2007, 11:51 AM

as pluggy said even if you have the strongest password in the universe it won't help if your pc is infected

HPC · #9 03-09-2007, 03:32 PM

to avoid being catching by keylogger u can type ur pass over some digits then use backspace buttom to clear it.eg ur pass: qwer123 u can type qwer1234 then clear the 4 digit

pluggy · #10 03-09-2007, 07:06 PM

Just to blur the picture more, the latest stuff to hack e-gold bypasses all password security measures altogether by just emptying your account whilst you are logged in. Makes the hackers life a lot simpler......