Every so often a high-profile hack or security breach captures the tech community’s attention and, for a while, everyone becomes more diligent about protecting their identities and data. We have short memories, however, and eventually we fall back into our old habits of weak, but easy-to-remember passwords.
Thankfully, we have the tools to stop the cycle; all we need now is the will. Creating and managing secure passwords has never been easier, and the risks of failing to do so have never been higher. It was recently discovered that FileVault 2, Apple’s whole volume encryption technology, can be cracked in just a few hours if it is protected by a weak password.
With a strong password, the kind we’ll show you how to create below, it would take 34 years to break into FileVault. So let’s go over some tips on creating and managing strong, secure passwords.
Before we start digging into password generators and other tricks, let’s briefly go over the basic minimum requirements that every password should have:
- Uppercase characters
- Lowercase characters
The order in which they appear is not important, but every password should contain at least one of each type of character listed above. When facing a human or a computer that is attempting to break your password, the addition of each type of character significantly increases the difficulty of guessing correctly.
Security researcher Steve Gibson popularized the “haystack” concept for password creation and cracking. If you think of the total possible length of your password as a “haystack,” and the specific characters, capitalization, and order of your password as the “needle,” then your goal in creating your password is to make the haystack as large, and your needle as difficult to find, as practicable.
For example, a password of “123456,” which Mr. Gibson claimed is the most common password created by users, would mathematically take 18.5 minutes to break at 1000 guesses per second. No competent hacker would wait 18.5 minutes to try that combination of numbers, however.
Instead of a mathematical approach of starting with 000001 and counting upwards, hackers will put common passwords, like “123456,” or “password” at the top of their list and try those first. Therefore, the haystack in this scenario may be relatively large, but the needle isn’t hidden at all; it’s just resting right on top of the hay for all to see.
The goal, therefore, is to avoid using common words or number sequences, regardless of how long they are. Or, if you want to use common words to help you remember, modify those words so that they are less likely to reside in a hacker’s list of common passwords, as we’ll explain next.
Padding a password is the act of adding repeating characters to the beginning, end, or both sides of a memorable password. Mr. Gibson’s example is illustrative: which of the two passwords below is more difficult to crack?
Despite our preconceptions about the strength of completely random passwords, from a mathematical perspective the first password, at 24 characters in length, is harder to crack than the second password, which only contains 23 characters. You’ll notice that the first password, even though it’s easier to read than the second, still has all of our “minimum requirements:” uppercase, lowercase, numbers, and symbols.
This concept can be modified to add “padding” to both sides of a common word. As we discussed in our Tips to Avoid Being Hacked article several weeks ago, consider adding different repeating characters to the beginning and end of an easy-to-remember password, such as “aaaaaTMO!!!!!” The “TMO” is easy to remember and we surrounded it with five “a” and “!” characters.
Padding not only increases the size of your “haystack,” it also helps hide “the needle” deeper inside. Aside from extremely common passwords, a hacker or computer has no way of knowing if a subsequent character repeats. It therefore has to run through every possibility, with the result that each additional character significantly increases the time it takes to break the password.
The passwords listed here are for examples only, of course. If everyone simply used a dictionary word and added five period characters to the end of it, hackers would quickly figure that out and adjust their strategy accordingly. Therefore, make sure to use the techniques we’ve discussed to create your own unique combinations that hold specific meaning to only you.
Another example of creating uniquely specific passwords: use your significant other’s first name, with upper and lower case characters, followed by a date that’s special to you, and a random character that repeats the same number of times as the numerical value of the month you met. If your wife was named Holly, you were married on March 15, and you met in June, your password could look like: H0lly0315$$$$$$
A password like the one above is easy to remember, but just as strong as something like AnD3d$!l35zqWv%
Now that you’ve figured out how to create memorable but strong passwords, it’s important to remember that you shouldn’t use the same password everywhere. Hackers can obtain your password without having to break it, by hacking your bank or online shopping service, for example. If your password is the same across all of your online accounts, your identity, financial information, and data may all be at risk.
Thankfully, keeping track of multiple passwords is easy. OS X has offered its Keychain application for many years. Built directly into OS X, Keychain allows you to store and recall site or application specific passwords through the use of a single “master” password. Your Keychain can be accessed by going to
Third party software, such as the excellent 1Password (Mac App Store, US$49.99), expands on the OS X Keychain functionality and allows you to store site and application passwords, software license keys, online and physical membership information, and secure notes all in an encrypted archive that can be synced to and accessed on all of your Macs, iDevices, and even Windows-based computers.
If you don’t want to create memorable passwords but instead want the absolute strongest password, both Keychain and 1Password can generate completely random passwords of enormous length, up to 31 characters for Keychain and 50 characters for 1Password. If you go this route, make sure to keep backups of your password archive and/or print a list of your passwords and store them in a secure location, such as a safe or safety deposit box. If your digital database of passwords was ever lost or became corrupted, you’ll have no way to recall those long, random passwords.
Absolute security can never be guaranteed, but taking the time to set up password management software and change your online passwords to ones that are both secure and memorable will significantly enhance your protection in this digital age.
In the end, the key is making your haystack as large as possible and burying the needle where no human or computer could find it without years, or even centuries, of looking.