It's a perpetual dilemma. We all instinctively know that passwords comprised of simple numerical patterns or familiar words like our name tend to be the easiest ones to remember. The drawback is it makes them easy to hack, too. But make them too complicated and you'll have a hard time committing the password to memory.
Proposed solutions to this problem aren't hard to find. Do a little research on Google and you'll find a wealth of ideas on how to create a secure password that's can also be easily recalled, the so-called holy grail of internet security. However, I've recently came across a post on the blog Tecca entitled "5 ways to make an easy-to-remember, ultra-secure password" that, in my opinion, provides one of the best approaches on the topic.
- Related: Dramatic video: hacker vs. computer
While the author Taylor Hatmaker echoes much of the well-worn advice that's already out there, she advocates a special method that, oddly enough, allows for simple words and even character patterns -- but only within certain parameters.
Before we get into that let's review some of the basic best practices for creating secure passwords by going over what you shouldn't do.
- Avoid using parts of your name or email address since criminals can easily figure this out
- Don't include personal information like your birth date, names of family members or street addresses.
- Consecutive numbers are a bad idea. You can basically nix "123456" or any other pervasively common combinations.
- Steer clear of familiar sequences, phrases and slang terms.
What users are left with is the conventional thinking is that the best approach is to use a jumbled-up mixture of numbers, symbols and upper and lower case letters. Hence, a good password would look something like this: T^n3k28$P!eV*AfJ9
Sounds like life on the internet is getting pretty complicated, right? So then you're probably wondering how it can be possible that using patterns, even simple ones, can bolster the strength of your password. The technique Hatmaker recommends involves a technique called "password padding," which suggests incorporating more symbols along with making passwords longer as a way of fortifying them against an attack.
The strategy, proposed by renowned security expert Steve Gibson, is based on the rationale that incorporating those two factors gives users the best chance at thwarting malicious programs that rapidly runs several password combinations to uncover the right one, otherwise known as brute force simulators. For instance, there are more than 1500 symbols a hacking program needs to run through to correctly lock down one character of your password while each character added to a pass-code makes it several times more difficult to crack, Hatmaker writes.
Here's an example from Gibson's website in which he explains the counter-intuitive logic behind it:
The main concept can be understood by answering this question:
Which of the following two passwords is stronger,
more secure, and more difficult to crack?
You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!
But wouldn't something like “D0g” be in a dictionary, even with the 'o' being a zero?
Sure, it might be. But that doesn't matter, because the attacker is totally blind to the way your passwords look. The old expression “Close only counts in horseshoes and hand grenades” applies here. The only thing an attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn't know how long the password is, nor anything about what it might look like. So after exhausting all of the standard password cracking lists, databases and dictionaries, the attacker has no option other than to either give up and move on to someone else, or start guessing every possible password.
Don't believe it? You can test out Gibson's tactic using the password strength tester by going to his website.
Learn more about internet security on SmartPlanet:
- Infographic: How Stuxnet supervirus works
- Virus attacks military drones, exposes vulnerabilities
- Four easy-to-remember passwords that will protect you for life
- New software may end internet censorship once and for all
- How to avoid the “500 worst passwords of all time”
- Anonymous hacktivists add Stuxnet code to their arsenal