InfoSec 101: How To Create a Secure Password

Andrew Orr At LiquidVPN

Welcome to InfoSec 101, a series of articles aimed at helping you enhance your online privacy, boost your security and more. In this article, we’ll show you how to create a secure password.

Passwords From Scratch

The only secure password is one you remember. Most of the time people can just use a password manager, which we’ll cover below, but there are times when you’re forced to rely on memory. The news is filled with tales of companies being hacked left and right, and even the government isn’t safe. We all know by now that creating a secure password is essential, but how does one go about doing it?

Tips to remember:
  • Longer passwords are more secure. It is recommended that you use a password with 12 characters or longer.
  • Avoid names, places and dictionary words.
  • Mix and match by using different variations of capitalization, spelling, numbers, and punctuation.

In the past, it was easy to create secure passwords just by using character substitution, like using the $ symbol instead of S, or @ instead of A. So the word password would look like this: p@$$w0rd. But according to cryptography expert Bruce Schneier, crackers – or malicious hackers – have more sophisticated methods now, and the old way of creating passwords can be easily guessed with brute force attacks.
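As an added illustration (not code from the article or from LiquidVPN), here is a small policy check that applies the three tips above and also undoes common character substitutions before comparing against a wordlist, so that p@$$w0rd is recognised as the dictionary word it really is. The wordlist and the substitution table are constructed for the example; a real check would load a full dictionary.

```python
"""Password-policy check applying the article's three tips: minimum length,
no dictionary words (even with substitutions), and a mix of character classes.
Added example; the DICTIONARY below is a constructed sample, not a real list."""
import string

MIN_LENGTH = 12  # the article's recommendation

# Constructed sample dictionary standing in for a real wordlist (assumption).
DICTIONARY = {"password", "sally", "cat", "hat", "dragon", "welcome", "letmein"}

# Common substitutions, mapped back to the letters they stand in for.
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                        "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})


def normalize(password: str) -> str:
    """Reduce a password to its underlying word: lower-case it, drop leading
    and trailing digits/punctuation, then undo substitutions. Both 'p@$$w0rd'
    and 'Password123!' reduce to 'password'."""
    base = password.lower().strip(string.digits + string.punctuation)
    return base.translate(UNLEET)


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and punctuation classes appear."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in DICTIONARY:
        problems.append("is a dictionary word (substitutions undone)")
    if character_classes(password) < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("p@$$w0rd", "Password123!", "Q1c>rD.&f0)jU[mp]_AZ+0.g"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The substituted word fails on two counts (too short, and still a dictionary word once the substitutions are undone), while the longer sentence-derived string later in the article passes. A multi-word passphrase, which the article also recommends, draws its strength from length rather than character mix, so a deployment of this check would relax the third rule for phrases of several words.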

Ways To Create Secure Passwords

It’s easy to create a secure password just by mashing your fingers on the keyboard and creating a string of random characters, but it will be next to impossible to actually remember the password. Bruce Schneier recommends taking a sentence that’s easy to remember and using special characters. Here are some examples:

the cat in the hat = tHc@1nTh@t

Sally sells seashells = $@lyLs_e@.h3l

quick red fox jumps over lazy brown dog = Q1c>rD.&f0)jU[mp]_AZ+0.g

Although this method still uses character substitution which we mentioned is less secure, the advantage is that it uses a string of multiple words with some letters left out, instead of one word with simple substitutions.

The Passphrase Method

This method is probably the most simple, and all you have to do is pick a bunch of random words and string them together into what’s called a passphrase. You don’t have to use any character substitution, but you shouldn’t use words that make sense together. Here is an example:

tequila cotton shrubbery mango eggplant comma firetruck

This method seems counterintuitive at first, because of the caution against using dictionary words, but the website How Secure Is My Password? says that this phrase will take 7 tresvigintillion years to crack! That’s a 10 followed by 72 zeros, which is far longer than the age of the universe at 14 billion years.
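Why a phrase of ordinary words beats a single substituted word comes down to the size of the space an attacker must search. The following added example (not from the article or any cracking tool) estimates that space in bits for the three styles discussed so far; the wordlist size, the attacker's dictionary and rule counts, and the guess rate are all assumptions chosen for illustration.

```python
"""Estimate brute-force search space for the article's password styles.
Added example. Every size and rate below is an assumption for illustration:
7776 words (a Diceware-sized list), 95 printable ASCII characters, a cracking
dictionary of 100,000 words with 1,000 mangling rules, and 1e10 guesses/s."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits for `length` independent uniform picks from `alphabet_size`
    symbols (characters for a random string, words for a passphrase)."""
    return length * math.log2(alphabet_size)


def mangled_word_bits(dictionary_size: int, rule_count: int) -> float:
    """A dictionary word with substitutions is not random: the attacker tries
    every word under every mangling rule, so the space is their product."""
    return math.log2(dictionary_size * rule_count)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at the given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def passphrase_word_count(phrase: str) -> int:
    return len(phrase.split())


def compare() -> dict[str, float]:
    """Entropy estimate, in bits, for each style (assumed sizes, see above)."""
    phrase = "tequila cotton shrubbery mango eggplant comma firetruck"
    return {
        "p@$$w0rd (dictionary word + substitutions)": mangled_word_bits(100_000, 1_000),
        "12 random printable characters": entropy_bits(95, 12),
        "7-word random passphrase": entropy_bits(7776, passphrase_word_count(phrase)),
    }


if __name__ == "__main__":
    assumed_rate = 1e10  # guesses per second; a constructed figure
    for style, bits in compare().items():
        years = years_to_exhaust(bits, assumed_rate)
        print(f"{style:45s} {bits:6.1f} bits  ~{years:.3g} years at {assumed_rate:.0e}/s")
```

The mangled word comes out around 27 bits, which an attacker at the assumed rate exhausts in well under a second, whereas the seven random words sit above 90 bits. The estimate only holds if the words are genuinely random choices from the list; a phrase that reads as a sentence is far more predictable than the arithmetic suggests, which is why the article advises against words that make sense together.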

The PAO Method

A tool created by computer scientists at Carnegie Mellon University called the Person-Action-Object (PAO) method is another way to create passphrases. It’s an approach that combines conventional memorization techniques and mnemonic devices. Here’s how it works:

Pick an image of some random, interesting place. Maybe the Taj Mahal? Next, pick out a photo of a person you’re familiar with. It can be a friend, family member or even a celebrity. For this example, we’ll use Ryan Gosling. Finally, imagine a random action along with a random object and create a sentence, like this:

Ryan Gosling flies to the Taj Mahal in an ice cream boat.

This method has several advantages. Since our brains love images, we remember visual cues better, and we tend to remember weird events and things that are out of the ordinary. Obviously, you can’t fly a boat, but that is why it’s so memorable – it’s out of place.

Once you’ve created several of these PAO scenarios, you’re ready to build passwords from them. For example, you could take the first two letters out of each word – rygofltothtama – and either create a password out of that or combine that phrase with the other story phrases.

Using a Password Manager

Even if you can remember how you created each password, all of the ones you create start to add up after a while, so it’s important to use a password manager. Many password managers even offer to create randomized secure passwords for you, so you don’t even have to use the above methods.

Web browsers like Chrome and Safari offer to save your passwords for you, so every time you visit a website where you have an account, your login information will be automatically filled in. Beware that allowing Chrome or any web browser to store your passwords is not considered safe and it should only be used as a last resort. If you’re an Apple user, you may have heard of iCloud Keychain. iCloud Keychain offers basic management of passwords, credit cards, and account names. The data is “securely” stored in iCloud and can be synced between your iOS and macOS devices. Additionally, by using the Safari browser on the desktop, it will even suggest secure passwords to use.

1Password

1Password is a great password manager available for iOS, macOS, Windows, and Android. Not only does it let you create and store secure passwords, but you can also store information like bank accounts, email addresses, databases, credit cards/ID cards, secure notes, passports and a whole lot more.

Another excellent service built into 1Password is called Watchtower. Watchtower is a service that identifies websites that were made vulnerable when Heartbleed was discovered in April 2014.

An advantage of 1Password is creating share vaults for families and teams at work so everyone can have access. It uses AES-256 encryption and works with Touch ID and Nexus Imprint. For more information visit www.1password.com.

1Password Families is $5/month with a free 30-day trial. 1Password itself is a one-time purchase of $65, but you can get a free trial on Windows and macOS.

Our Rating: 4/5

Dashlane

Dashlane is another great password manager with three tiers: Free, Premium, and Business. Like 1Password, it’s on all the main platforms, and is an excellent addition to anyone’s toolkit.

Free Tier

  • Password Manager
  • Autofill
  • Digital Wallet
  • AES-256 encryption
  • All platforms
  • Share up to 5 items

Premium Tier

In addition to all of the features in the free tier, Premium gives you:

  • Secure account backup to the cloud
  • Sync across all your devices
  • Unlimited secure sharing
  • Web access to your passwords
  • Priority customer support

Unfortunately, Dashlane Premium is a whopping $40/year so it might not be the best solution for all users, but it does support 2-factor authentication. For more information on Dashlane visit https://www.dashlane.com/

Our Rating: 4.5/5

LastPass

Like the others, LastPass offers Free, Premium and Business tiers. It also has browser extensions for Firefox, Chrome, Safari, Internet Explorer and Opera. Once you create a password with a website, LastPass will automatically fill in the information via the extension.

LastPass can also remind you to change old passwords and even automatically change them for you. Unlike 1Password, LastPass supports two-factor authentication to add an extra layer of security (we’ll talk about 2FA in a future post).

LastPass is free for the desktop but to use the mobile app you need the premium version, which is $12/year. You can buy a recurring subscription up to 10 years in advance. For more information on LastPass visit https://lastpass.com/

Our Rating: 3.5/5