September 9, 2021
The Best Way to Create (and Remember) a Strong Password
Posted by Rhiannon
Passwords are the gatekeepers of our data on the internet. They protect (or should protect) every online profile you make, along with the information in it. But do you really know how passwords work? For most people, all they know, and all they feel they need to know, is that they type a username and password into a couple of text boxes and, like a key being turned in a lock, a website opens up for them. However, understanding the mechanics of online passwords can help users create a strong password for superior online safety. Let’s take a behind-the-scenes look at the science of passwords.
- How do passwords work?
- When and why were they invented?
- What are the pros and cons of passwords?
- Tips for creating a strong password
- What other security options are there?
- Other ways to protect yourself online
How Do Passwords Work?
As a website user, you only see the surface of how passwords function. Typically, when you sign up for a website, the site will ask you for some information about yourself. Things like your name, desired username, possibly a date of birth and address, and also your password. You fill out the information, click “sign up,” and then you can use your username and password to sign in every time after that because the website stores that information for later use.
However, the process behind the scenes is more complex than that. The easiest way for a website to remember your password would be to store it verbatim on a server, but that is hardly a safe method: if a cybercriminal breaches that server, every stored password and the other account details are exposed. Because of this, reputable websites pass your password through a one-way process called “hashing.”
What is Hashing?
Essentially, hashing takes your password, scrambles it, and produces a fixed-length string of letters and numbers that looks random. One of the most common hash functions is called “md5().” It turns any input into a string of 32 hexadecimal characters. You can see how it works below:
md5(password) = 5f4dcc3b5aa765d61d8327deb882cf99
With the md5 function, whatever is placed between the parentheses is the input that becomes the scrambled output.
The most important feature of hashing is that a specific input will always produce the same output, as long as the same hash function is used. This is how it protects passwords:
- A user creates an account on a website.
- The password is run through a hash function and stored in the website’s database.
- When the user signs in again, the password they type is run through the same hash function.
- The website scans the database for the exact hash match, from the previously saved password information.
- When the match is found, the user is granted access.
It’s nearly impossible for a hacker to reverse a hash function in order to gain access to a user’s password. In fact, it’s easier for them to guess the user’s original password, even if it takes millions of attempts, showing just how important it is to create strong, memorable passwords.
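The five steps above, worked through in Python as an added example (this is not code from the article). It reproduces the md5 illustration to show that hashing is deterministic, and then goes one step beyond the text: it stores each password with a random salt and a deliberately slow PBKDF2 hash, which is what a site should actually do, since bare md5 is fast and lets two users with the same password be spotted. The in-memory database, the usernames and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# The article's md5 illustration: the same input always yields the same 32-hex-char digest.
# md5 is shown only to mirror the text; it is fast and unsalted, so it is unsuitable for storing passwords.
def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed in-memory "database" for the example: username -> (salt, derived hash).
_db: dict[str, tuple[bytes, bytes]] = {}
ITERATIONS = 200_000  # assumed work factor; raise it for production hardware

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is salted and deliberately slow, unlike a bare md5.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(username: str, password: str) -> None:
    # Steps 1 and 2: hash the password at sign-up and store only the salt and the hash.
    salt = os.urandom(16)  # a fresh random salt per account
    _db[username] = (salt, _derive(password, salt))

def verify(username: str, password: str) -> bool:
    # Steps 3 to 5: re-hash what the user typed with the stored salt and compare.
    record = _db.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(stored, _derive(password, salt))

if __name__ == "__main__":
    print(md5_hex("password"))  # 5f4dcc3b5aa765d61d8327deb882cf99
    register("alice", "TESBwri1980.Tc$7.50pp.")
    print(verify("alice", "TESBwri1980.Tc$7.50pp."))  # True
    print(verify("alice", "password"))  # False
```

Because every account gets its own salt, two users who pick the same password still end up with different stored hashes, which a plain md5 table would not give you.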
When and Why Were Passwords Invented?
The concept of passwords is certainly not a new one. Sentries all the way back in ancient Rome used them to challenge both friends and foes entering outposts. Since then, their use has become ubiquitous in spy movies and tree forts around the world.
However, digital computer passwords were first developed earlier than you might expect; before the days of the internet, even. In 1961, MIT developed the Compatible Time-Sharing System, a computerized operating system that gave researchers scheduled computer access. In order to protect each researcher’s files, a computer scientist named Fernando Corbató suggested the use of passwords.
However, the simplicity of the earliest password systems made them easier to hack, so a decade later, cryptographer Robert Morris Sr. devised the method of hashing explained above.
Since then, different protocols have been added to password creation – such as the rules that dictate which characters must be used in a password – due to the pervasive threat of hacking that has been around since the advent of the internet.
What Are the Pros and Cons of Passwords?
Because passwords protect almost every single online account we have, many people believe they’re also the best security method out there. Well, yes and no. Although passwords offer some unique benefits over other methods, they also have a few downsides.
- Pro: Passwords are easy to create and use. Even granddad can use them!
- Con: Hackers have become adept at guessing simple passwords, especially common ones. Check out this list of the most common passwords. If yours is on it, consider changing it now!
- Pro: They’re customizable. A password you come up with will be easier to remember than one made for you.
- Con: In order to set an easy-to-remember password, many users make them too easy for hackers to guess.
Another major drawback of password security has emerged with the multitudes of accounts we all use every day. In order to remember how to sign in to every website we have accounts for, many users recycle the same password. Unfortunately, a hacker only needs to guess or steal this password for one account in order to access them all.
How to Make a Strong Password You Can Remember
Passwords protect everything online. Your email, social media, bank accounts, and more. It makes sense that you want your first line of defence to be as strong as possible. Unfortunately, making a strong password you can remember isn’t always an easy task, especially because you should use a unique password for every account.
Thankfully, there are a few great ways to create strong, memorable passwords (gym workouts and protein shakes not required).
- Use a password manager
- Make it at least 12 characters
- Use numbers, symbols, and capital and lower-case letters
- Don’t use real words
- Avoid obvious substitutions
- Create a memorable mnemonic
Use a Password Manager
When you use the internet frequently, it’s common to have five, ten, twenty, or maybe even more different accounts that require passwords. With so many, it’s tempting to use the same password for each. It’s the convenient choice because it means you only need to remember one password instead of dozens. But, it’s also less safe. If one account becomes compromised, you run the risk of having every other account breached as well. Instead, use different passwords but also use a password manager to keep track of them for you (we recommend KeePass). This allows you to protect your safety AND keep track of your passwords.
Make It at Least 12 Characters
Most websites set their own minimum character limit for passwords. Some keep it at eight, others go as low as four. However, the shorter your password, the less secure it is. A great rule of thumb to follow is to use a password that is at least 12 characters long. The longer you go, the more secure it is.
Use Numbers, Symbols, and Capital and Lower-Case Letters
The more unpredictable your password, the stronger it is. You can help make it more random by using a mix of numbers, symbols, and letters. Many websites have already adopted these guidelines by requiring a mix of character types.
Don’t Use Real Words
While real words are easier to remember than an indecipherable scramble of letters and numbers, they’re also easier to crack. If you can find the word in a dictionary, don’t use it.
Avoid Obvious Substitutions
Many people believe that replacing letters with similar-looking numbers (for example, using 3 for E) is a great way to make a strong password. After all, it adds a different character type to the mix and also avoids the issue of using real words. However, the trick is so common that it no longer strengthens a password.
Create a Memorable Mnemonic
So, if you can’t use real words and you can’t substitute those real words with numbers, how do you create a strong but MEMORABLE password? It may seem like you’re only left with the option of smashing your head against the keyboard and using that as your password. But you can still create a strong, mostly random password by creating a mnemonic, or memory trick.
First, think of a sentence that you’ll remember (bonus if it includes numbers somewhere). For example, “The Empire Strikes Back was released in 1980. Tickets cost $7.50 per person.” You can then use the first letter of each word, the punctuation, and the numbers to create your password. In this case, it would become “TESBwri1980.Tc$7.50pp.” Not only is the password longer than 12 characters, it also includes both capital and lower-case letters, numbers, and symbols AND it’s easier to remember than a completely random password because it means something to you.
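The mnemonic rule just described, implemented as an added example (not code from the article): take the first letter of each word and keep any digits and punctuation in the order they appear, then check the result against the earlier guidelines (at least 12 characters; upper- and lower-case letters, digits and symbols). The 12-character threshold is taken from the article; the function names are this example's own.

```python
import string

SYMBOLS = set(string.punctuation)

def mnemonic_password(sentence: str) -> str:
    """Apply the article's rule: first letter of each word, keeping digits and punctuation."""
    out = []
    for token in sentence.split():
        if token[0].isalpha():
            out.append(token[0])  # first letter of a word, case preserved
        # digits and punctuation inside the token are kept in order ("1980." stays "1980.")
        out.extend(ch for ch in token if ch.isdigit() or ch in SYMBOLS)
    return "".join(out)

def strength_report(password: str, min_length: int = 12) -> dict:
    """Check the article's guidelines one by one; min_length defaults to the article's 12."""
    return {
        "long_enough": len(password) >= min_length,
        "has_upper": any(c.isupper() for c in password),
        "has_lower": any(c.islower() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "has_symbol": any(c in SYMBOLS for c in password),
    }

def meets_guidelines(password: str) -> bool:
    return all(strength_report(password).values())

if __name__ == "__main__":
    sentence = "The Empire Strikes Back was released in 1980. Tickets cost $7.50 per person."
    pw = mnemonic_password(sentence)
    print(pw)  # TESBwri1980.Tc$7.50pp.
    print(strength_report(pw))
    print(meets_guidelines("password"))  # False
```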
What Other Security Options Are There?
Although passwords are the easiest method for websites to secure user accounts, many cybersecurity experts began sounding the alarm on their overall efficacy more than a decade ago. They’ve been around long enough for users to develop bad password habits and for hackers to have developed effective protocols for stealing passwords.
While we have yet to develop perfect alternatives to passwords, many companies have started adding multiple layers of account security to their websites, so that passwords are used in conjunction with other security measures. These measures include:
- Multi-Factor Authentication. With this method of security, users still use their regular passwords to access their accounts. However, they must also input a one-time code sent to an email address, phone number, or authenticator app in order to pass through security. The rationale behind this is that, because the one-time codes expire, a hacker can’t use an old one to access accounts.
- Biometrics. Security provided in this way relies on detecting a user’s fingerprint or face in order to grant access to an account (usually biometrics grant access to devices rather than websites). While biometrics have come the closest to replacing traditional passwords, they still make too many mistakes to dominate the security sphere just yet.
- USB Keys. Some companies are working on developing USB keys: physical devices that you insert into your computer, which interact with the websites you visit to unlock your accounts for you.
Other Ways to Protect Yourself Online
In addition to creating strong passwords for your accounts, you can take other steps to protect yourself online. These steps include:
- Learning how to recognize the signs of phishing. Phishing is one of the most effective methods hackers use to steal passwords. This method relies on fooling a user into thinking they’re interacting with an email from a legitimate source, like a banking institution, for example. When they let their guard down, a user may accidentally give away personal information without thinking twice about it. Phishing has become incredibly sophisticated, but there are still ways to identify and avoid phishing attempts.
- Using a virtual private network. VPNs add anonymity and encryption to your browsing session, reducing your exposure to snoops online.
- Deleting old accounts. Many modern websites continuously update their security protocols to help keep you safe. However, older websites that have fallen into disuse may have fallen behind the curve. Unfortunately, just because they’ve fallen out of popularity does not mean they aren’t vulnerable to hackers. In fact, they’re even riper targets because they’re easy ones. If you have an account with any site like this, especially one secured with a password you still use, consider deleting it.
Password protection isn’t something to take lightly. Having a strong password can mean the difference between safety online, and a serious breach of your privacy. Use our tips, in conjunction with other security measures like multi-factor authentication, for the most well-rounded account protection.