Tips for creating strong passwords: use phrases, substitute letters with symbols, don't reuse passwords, use a password generator and manager, and enable two-factor authentication.
Above is a video of my recent appearance on Despierta America on Univision explaining the process. (In Spanish)Good passwords are not easy to remember. Could they be? That is the question. Through the years, I feel like I’ve seen every trick in the book for creating a strong password and the principles are always the same. Create a password that’s unique, not a dictionary word, that’s hard to crack and easy to remember. Easier said than done. Let me explain.A dictionary or a brute force attack is basically a robot that’s trying dictionary words and possible combinations to try to guess passwords. These lists can have millions of words and combinations and they can go through them faster than you can say – “Ouch, my accounts were hacked.” If your password contains a word that’s in the dictionary, any dictionary, in any language, it has a higher chance of getting guessed by the bad guys. What can you do?
Here is a simple trick. Try to remember a phrase or saying that you can recall without a hitch. It can be something your family says, it can be a phrase from a favorite passage from the Bible, you get the point. After that, we take it, deconstruct it and spice it up to make it harder to guess. Here is an example and yes, I must say it. Don’t use this one.Birds of a feather flock together. Let’s take the first 3 letters of each word and build a stronger password. It would look something like this.birofafeaflotog – I doubt you’ll find that in any dictionary but in the days of Game of Thrones, you never know. This combination is better than a word found in the dictionary but we can make some easy substitutions that will make it even stronger like changing easily remembered letters for numbers of symbols. Check this out.b!rof@feaf1ot0g – OK, I admit it, I went a little overboard but you get the point. I don’t like to necessarily use upper case in the first letter since I feel it’s kind of what everyone does.
Since you are not supposed to reuse these passwords, you can do a simple trick to remember what they are for, for example if it’s for your bank you can add a ba at the end or a couple of digits from your account, if it’s for your credit card, you can add cr or visa. You get the point.The reality is that the strongest passwords are completely random and have no correlation whatsoever to you and look something like dz{pTn{JzB5Pa?LP. Now, how the heck do you remember that? The answer is simple. You don’t.
First of all, to generate these passwords, I recommend using a random password generator that will come up with an unintelligible combination every time. To remember them, you need a password manager that will automatically fill them in for you when you are visiting the websites in question. Here are some I recommend:
These tools allow you to have one strong super password that you remember while all the other unintelligible, strong super passwords are encrypted and stored for you but here is the truth. No matter how strong your password is, it can eventually be hacked. An old tenet from my old pals in the information security community is that no matter how intricate, any security system can be breached given enough time and resources. In the past, those resources were dependent on scarce computational power but today, a hacking group can have millions of computers at their disposal they can use to crunch the numbers. What can you do?
The simple answer is two-factor authentication. This is based on something you know like the password or something you can access like a text message being sent to your phone or an app that displays a code. The drawback with two factor is that it needs to be turned on in every place you visit and it’s not available everywhere. Many of the sophisticated tools that were needed to access corporate secured sites are now available to anyone and a great example of this is the Google Authenticator App. What does it do?This app is installed on your phone and it will give you 6 digits that are synchronized cryptographically with your account. In simpler words, if you don’t enter the right numbers at the said minute, the authentication won’t work, even if you have the password. I know, this can be annoying but you know what’s more annoying? Getting your emails stolen and paraded on national TV, can you hear me now John Podesta?
Passwords are a pain, they are insecure, you can make them a little better but you have to manage them in a responsible way and wherever you can, use strong passwords combined with two-factor authentication. This won’t protect you when your data is stolen at the source, ahem, ahem... Yahoo but it wont’ allow the bad guys to get to your stuff as easily. At the end, it’s a number’s game and if you are a hard number to crack, they’ll move on to the next target, unless you are a big shot. In that case, be afraid, be very afraid.