You Shall Not Pass! - Building a Better Password from Scratch

Category: Data Security
Type: Blog
Author: Gaines Hayes

Anytime you sign up for a new subscription or account online, it usually follows the same routine. Think of a username (ideally not your real name) and a password.

A few simple guidelines for making a strong password include using:

- Numbers
- Uppercase letters
- Lowercase letters
- Special characters (!@#$%)

It sounds simple enough, right? However, you also want to avoid making your passwords easy to guess, so don't use:

- A password shorter than 8 characters
- The same password across multiple websites/accounts
- Sequential letters (abc, xyz, etc)
- Sequential numbers (1234, 0123, 54321, etc)
- Anything that could easily be figured out from a quick Google search (previous school name, birthday, home address, possible email address, hometown, mother's maiden name)
- Any password already on this list: The Worst Passwords of 2018.

That's a lot of different rules to keep track of when all you want to do is set up a new account for a website...
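The rules above are exactly the kind of thing a sign-up form can enforce for you. The checker below is an added example, not code from the original post: it turns each guideline into a test and reports every one a candidate password breaks. The run length treated as "sequential" (3) and the small common-password list are assumptions made for this example; a real deployment would check against a full breached-password list like the one linked above.

```python
import re

# Assumption for this example: a run of 3 or more characters that step by
# exactly 1 (abc, xyz, 1234, 0123, 54321) counts as "sequential".
SEQUENCE_RUN = 3
# Constructed stand-in for a "worst passwords" list; not the list the post links.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "iloveyou", "sunshine"}


def has_sequential_run(s: str, run: int = SEQUENCE_RUN) -> bool:
    """True if any window of `run` letters or digits ascends or descends by 1."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        # Only pure letter runs or pure digit runs count (not "9:a" or "z1").
        if not (window.isalpha() or window.isdigit()):
            continue
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, personal_info=(), used_before=()) -> list:
    """Return the guideline violations for pw; an empty list means it passes.

    personal_info: strings a search could turn up (school, hometown, name...).
    used_before:   passwords already used on other accounts.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    if has_sequential_run(pw.lower()):
        problems.append("contains sequential letters or numbers")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if pw in used_before:
        problems.append("reused from another account")
    lowered = pw.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    return problems
```

Feeding the post's own "SyhtgIboarr!2014-TO@EMIn" through `check_password` returns no violations, while "abc12345" trips the uppercase, special-character and sequential-letter rules at once.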

Some websites try to make this process less time-consuming by automatically generating suggested passwords for you to use. At first glance these passwords hit all the key components of an ideal password as shown above. They seem perfect - maybe a little too perfect...

So what can go wrong when a website automatically gives you what looks like an unhackable password?

According to Stack Exchange:

"An average user has no way to vet whether the password generator does indeed ensure that the password never leaves (the intended) site. The average user has no way to verify that the website is not keeping a copy of your password."

Here's what that means. If you can see a password on a website that is being suggested for you, then there's a chance that hackers could figure out the exact password shown to you. A website could keep a record of the password that was recommended for a certain visitor or user (aka you). Then all a hacker has to do is type in the password generated for you by the website verbatim to see if you followed the exact password recommendation. Next thing you know - Boom! Your account is hacked.

There is some good news though.

Most well-run websites will email you a randomly generated password to set up your account. Ideally, this password expires within a fixed time limit (like 24 hours, but sometimes much shorter than that) if you do not activate the account, forcing you to request another temporary password. In order to finish setting up your account, you have to create a permanent password of your own design. You want to make sure that one is completely different from the one that was created for you online.

There are a lot of different ways you can handle generating passwords on your own without creating an online trail that hackers can exploit. Here are just a few ideas:

  1. Choose a music album, favorite song lyric, or your favorite music artist. Scramble the words of the album title. Add the year the album was released or when that artist was born/died. Finally, add a random symbol or two to season. For example, " 'Since you had to go, I've been on a roller coaster ride!' from the song Roller Coaster Ride by Eric Church's 2014 album The Outsiders released by EMI Nashville" becomes "SyhtgIboarr!2014-TO@EMIn". There are a lot of ways to slice and dice that many possible password characters into something more manageable when you have so much information to work with. Just pick the sections you want to use and go with it.

  2. Imagine you're in a restaurant ordering some food or a drink. "Hi, can I get the Shrimp Fried Rice plate for $8.99?" becomes "hcigtSFRpf$8*99?". "Hey bartender! Can I get a bucket of 6 Coronas for my friends?" becomes "Hb!cIgabo6C4mf?".

  3. Use a book, newspaper, magazine, or online article. Pick the first letter of the password from the first word of the first line/sentence. Repeat using the second word of the second line or second sentence, and so on... You can pick numbers by looking at the current time on the clock. Then just add at least a symbol or two.

  4. Turn on Microsoft Word and let your cat walk across the computer's keyboard... Okay, I'll admit this one is a stretch. I'm sure it happens to people anyway, so why not enlist your cat to help secure your computer? Even monks from the medieval ages had trouble keeping cats off their handwritten manuscripts.

These are all just ideas. You can incorporate all or part of these ideas in whatever order you want. You can even use these to come up with your own password generation ideas that are completely different from anything I just described above (which is the ultimate goal). Just make sure you don't share your password generation trick with anyone else.

April 16, 2019