Password security is a necessity today with the advent of the internet, from online shopping to the widespread use of social media. People are spreading their identifying data far and wide, often using the same password for multiple websites. This makes it easy for someone who wants access to one of your accounts to gain entry to not just one, but all of them.

It’s more common than you think. One such story is Mat Honan, and though his epic hacking occurred through Apple and Amazon flaws, not password security, it highlights the need to be more protective of personal data than ever, avoiding common mistakes.

Common mistakes

In his article about password security, John Pozadzides states that around twenty percent of people use the following passwords:

  • Your partner, child, or pet’s name, possibly followed by a 0 or 1
  • The last 4 digits of your social security number. (US equivalent of National Insurance Number)
  • Easy numerical sequences like 123, 1234, 123456, or 654321, etc.
  • “password”
  • Sports teams – the name of your city’s or college’s football team, etc.
  • Date of birth – yours, your partner’s or your child’s.
  • “god”
  • “letmein”
  • “money”
  • “love”

How many people have some of this data readily available on their Facebook page or other social sites? If hackers can’t get in using the above passwords, there are free password crackers available from websites like insecure.org, enabling them to run a ‘brute-force attack’ against your password. Ouch!

Creating a password system

How is it possible to create an excellent, tough-as-nails password (like “NbSh9la41?”) for every website you use and still remember them all? Develop your own personal system, a way of creating long strings of text which varies for every website, but is easy to remember. Sound impossible? Don’t worry, I can help. Here are my top tips:

1. Make it mnemonic (recommended):

This is where you come up with a sentence which helps you memorize a string of letters. For example, UK music students use “Every Good Boy Deserves Fudge” to remember the order of notes on the treble clef. (E, G, B, D, F).

2. Add a variation per website (important): 

Try using a method of choosing 2-4 letters of the website you’re creating the password for in your password, such as “sco” for Tesco. Try adding them to the end of the password or mixing them in as the 2nd, 4th, or 6th letter. Just make sure you are consistent. Sometimes a website’s address is different from the brand itself, so always use the same thing – either the brand itself as in Tesco, or certain letters in the web address.

Also Important for Security: When you enter an email address, try to vary it per website, if you own a domain. For example, if signing up with Boots website, I’d use boots@mtstudios.net. Not everyone can do this, and sometimes customer service people get confused (“What, you mean your email is boots@…”), but overall, it acts as another layer of security, with the added benefit of knowing which companies sell your email to spam-a-lot lists. If you get tons of spam sent to boots@mtstudios.net, you know they sold it – and then you can block that one web address, rather than forever having spam coming to your main email.

3. Give it a code (optional):

For extra security, you could even develop a code for these letters, such as consonants become a 1 and vowels a 0 (so SCO would become 110), or use the telephone keypad numbers to replace the letters (so SCO would become 726). Don’t worry, after you use it a while it gets easier, and we always have our phones on us for reference.

4. Use special symbols (optional):

Pozadzides says to “pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time [for the password cracking software] for an 8 character password from 2.4 days to 2.1 centuries.” Of course, it can be frustrating when some online companies don’t allow you to use characters like + or !

Putting it all together

Okay, using the steps above, we’re going to build a great password:

  1. Mnemonic – Take a memorable phrase or sentence that’s meaningful to you, like ‘I grew up in East Texas’. For my example, I’ll use ‘The quick brown fox jumps over the lazy dog’, which becomes “tqbfjotld”.
  2. Add your variation – I’ll take the first 3 letters of the website I’m on and add them to the end of “tqbfjotld”.
  3. Give them a code – I’ll use the telephone keypad method. For example: for Amazon’s website, AMA becomes 262, thus “tqbfjotld262”, and for Tesco, TES becomes 837, hence “tqbfjotld837”.
  4. Special Symbols – Finally, I’ll add special characters. I’ll make the first two letters capital and put a ^ before my numbers.
  5. Finished! – Now my final password system looks like this: “TQbfjotld^262” for Amazon and “TQbfjotld^837” for Tesco. That’s a pretty darn secure password system, don’t you think?
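To show the system above as a repeatable procedure, here is a small added example (my own code, not from the original post) that implements the five steps: mnemonic initials, per-site letters, keypad or vowel/consonant encoding, capitals plus a ^ symbol. The function names (mnemonic_initials, keypad_encode, build_password, meets_policy) and the minimum-policy check are my own assumptions; the keypad layout is the standard phone keypad the post refers to.

```python
import string

# Standard telephone keypad: letters -> digit (assumed, as used in the post's examples).
_KEYPAD = {
    "abc": "2", "def": "3", "ghi": "4", "jkl": "5",
    "mno": "6", "pqrs": "7", "tuv": "8", "wxyz": "9",
}
LETTER_TO_DIGIT = {ch: digit for letters, digit in _KEYPAD.items() for ch in letters}


def mnemonic_initials(phrase: str) -> str:
    """Step 1: first letter of each word, lowercased ('The quick brown fox ...' -> 'tqbfjotld')."""
    return "".join(word[0] for word in phrase.split() if word[0].isalpha()).lower()


def site_letters(site: str, n: int = 3) -> str:
    """Step 2: a fixed number of letters from the brand name (always the brand, never the URL)."""
    return site.lower()[:n]


def keypad_encode(letters: str) -> str:
    """Step 3, keypad variant: 'sco' -> '726', 'ama' -> '262'."""
    return "".join(LETTER_TO_DIGIT[ch] for ch in letters.lower())


def vowel_encode(letters: str) -> str:
    """Step 3, vowel/consonant variant: consonants become 1, vowels 0 ('sco' -> '110')."""
    return "".join("0" if ch in "aeiou" else "1" for ch in letters.lower())


def build_password(phrase: str, site: str, code: str = "keypad") -> str:
    """Steps 1-5: capitalise the first two mnemonic letters, add ^, then the encoded site letters."""
    base = mnemonic_initials(phrase)
    base = base[:2].upper() + base[2:]
    letters = site_letters(site)
    digits = keypad_encode(letters) if code == "keypad" else vowel_encode(letters)
    return f"{base}^{digits}"


def meets_policy(password: str, min_len: int = 8) -> bool:
    """Assumed minimum policy: length, and at least one upper, lower, digit and symbol."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
    return len(password) >= min_len and all(any(ch in cls for ch in password) for cls in classes)


if __name__ == "__main__":
    phrase = "The quick brown fox jumps over the lazy dog"
    for site in ("Amazon", "Tesco"):
        pw = build_password(phrase, site)
        print(site, pw, "policy ok" if meets_policy(pw) else "policy FAIL")
```

Running it reproduces the post’s two results, “TQbfjotld^262” for Amazon and “TQbfjotld^837” for Tesco, and confirms both pass a typical upper/lower/digit/symbol policy. Because the only thing you memorise is the phrase and the rule, the same function can regenerate every site’s password without storing any of them.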

Try to make sure it’s at least eight characters (as recommended by Microsoft), though 10 – 12 is probably ideal. Since you’re only memorizing the system, it becomes so much easier to remember (getting easier the more you use it and get used to it), and the password becomes pretty impenetrable! Don’t worry if the sequence looks confusing; you chant it like a mantra as you type, i.e. The Quick Brown Fox…

Just to be contrary, you don’t technically need a gobbledegook password. Somehow, over the course of password evolution, we’ve taken complexity as more important than length. Really, “aaaaaaaaaaaaaaaaaaaa” is more secure than “TQbfjotld^837” against exhaustive search, as there are more characters, therefore it will take longer, on average, for a brute force attack to try every combination (the caveat being that real cracking tools try obvious patterns such as one repeated character before they try everything, so the advantage only holds for exhaustive search). The problem is that there is no standardization amongst websites to require a minimum length, and some even put a maximum on it, which doesn’t help with memorization. Plus, it’s easy to see the unusual keyboard drumming over someone’s shoulder, so it’s nowhere near secure enough in public places.
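The two claims above, Pozadzides’ “2.4 days to 2.1 centuries” comparison for an 8-character password and the length-versus-complexity point about “aaaaaaaaaaaaaaaaaaaa”, both come down to keyspace arithmetic. This added example (my own code, not from the post or from Pozadzides’ article) computes the exhaustive keyspace a brute-force cracker faces, the worst-case time at an assumed guess rate, and the much smaller space a pattern-aware cracker searches for a single repeated character. The function names and the 1e9 guesses-per-second figure are assumptions; the character-class sizes use Python’s string module (26 + 26 + 10 + 32 = 94 printable characters, ignoring space).

```python
import string

# Character classes a brute-forcer chooses between (sizes from the string module).
CLASSES = [
    set(string.ascii_lowercase),   # 26
    set(string.ascii_uppercase),   # 26
    set(string.digits),            # 10
    set(string.punctuation),       # 32
]


def charset_size(password: str) -> int:
    """Size of the union of classes the password actually uses: the space a cracker must search."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def exhaustive_keyspace(password: str) -> int:
    """Number of candidates of the same length drawn from the same classes."""
    return charset_size(password) ** len(password)


def brute_force_seconds(keyspace: int, guesses_per_second: float = 1e9) -> float:
    """Worst case (every candidate tried); the average case is half of this."""
    return keyspace / guesses_per_second


def pattern_aware_keyspace(password: str) -> int:
    """What a cracker that tries 'one character repeated' first has to search: one
    character choice times each candidate length up to the password's length.
    Falls back to exhaustive search for anything that is not a single repeated character."""
    if len(set(password)) == 1:
        return charset_size(password) * len(password)
    return exhaustive_keyspace(password)


def speedup_from_mixing(length: int = 8) -> float:
    """How much larger the full-charset space is than lowercase-only, at a given length."""
    return 94 ** length / 26 ** length


if __name__ == "__main__":
    years = 60 * 60 * 24 * 365
    for pw in ("password", "TQbfjotld^837", "aaaaaaaaaaaaaaaaaaaa"):
        ks = exhaustive_keyspace(pw)
        print(f"{pw:22} charset={charset_size(pw):3} exhaustive={ks:.2e} "
              f"({brute_force_seconds(ks) / years:.2e} years) pattern-aware={pattern_aware_keyspace(pw):.2e}")
    print(f"8-char full charset vs lowercase-only: {speedup_from_mixing():.0f}x more candidates")
```

The output shows both sides of the argument: twenty lowercase “a”s have a larger exhaustive keyspace than the 13-character mixed password, yet a pattern-aware cracker reduces them to a few hundred candidates, whereas the mixed password still has to be searched in full. The 8-character ratio (roughly 30,000x) is the same order of magnitude as the “2.4 days to 2.1 centuries” figure quoted from Pozadzides.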

Other Issues:

Before I finish, I wanted to point out some last advice for personal security:

Some websites make you enter “security” questions in case you forget your password. People can get past these just as easily, especially if your answers are favourites like the above 10 commonly-used passwords, such as ‘sports team’. If you must put in an answer, use random information like the surname of your favourite author, regardless of the question. Never enter a straightforward answer, or someone could easily guess or research it.

Also, don’t put your birth date / address / telephone on social sites like Facebook. Every time you allow apps to access your Facebook profile, they can see all your information. Who knows who is on the other end of these apps, accessing your data? Also, check the privacy settings from time to time. I noticed that there was a new option ticked that allowed my friends’ apps to see my information.

If you need more convincing, just watch an episode or two of The Real Hustle and see what people can do with your data. Keep it secret, and you’ll keep it safe.

I hope this guide has helped you develop your own password system that rocks – and maybe help you be a little bit more secure in the long run. Good luck!