photo credit: Lock It via photopin (license)

A guide to using proper passwords

Passwords: we all use them. Every site that requires a login, the computer at work, our e-mail accounts, and so on: they all require passwords. I am often amazed by how careless some people are when it comes to choosing a proper password. How often do you hear of a celebrity whose account has been hacked because their password was their daughter’s birthday, something you can easily look up on the Internet? Or how many people use passwords like ‘password’, ‘qwerty’, ‘abc123’ and the like?
Well, like all of you, I also use passwords, and as a web developer I have many accounts that require logins. So let me give you some pointers on how to use safe and proper passwords.

Never use the same password twice!

This one is pretty obvious, but not to everyone. A lot of people use the same password for all their services. Sure, it’s easy to remember, but once one account has been hacked, the attacker can easily get into every other service where you’ve used that password. But now I hear you whine: “I can’t possibly remember all kinds of different passwords for the different sites I visit!?!” Well, to give you a short answer: yes you can:

Create different passwords that are easy to remember

It’s very easy to make a strong password that is easy to remember. You just have to think of it in three parts:

  1. A part that is easy for you to remember; this could be the password you may have been using all along. It would be wise to include an uppercase letter and a number in this part too, since some sites require passwords to meet these conditions. For this example, let’s pretend this part is ‘Foobar1337’.
  2. Next up, let’s use a non-alphanumeric character, but I wouldn’t recommend a high-ASCII character. I once included an upside-down question mark (¿) in my password, but this became tricky when logging in on another OS or a mobile device. For our example, let’s say we use a hash character: ‘#’.
  3. Last but not least, and this is where the magic happens, let’s create a part that is unique to the domain you’re on. I’ll give you some examples:

Include part of the domain name in the password

For example, say you’re on twitter.com. You could:

  • Take the name of the website ‘twitter’.
  • Take the first two characters of the domain name: ‘tw’
  • Or the last three: ‘ter’
  • Or the first and the last character: ‘tr’
  • Hey! Let’s just include the top-level domain with that: ‘tw.com’, ‘ter.com’, ‘tr.com’.
  • …or even reverse it: ‘moc.wt’ or ‘tw.moc’.
  • Throw in some uppercase here and there: ‘TW’ or ‘TR.COM’.

As you might have noticed, the above rules could already have created a bunch of passwords:

  • Foobar1337#twitter
  • Foobar1337#tw
  • Foobar1337#ter
  • Foobar1337#tr
  • Foobar1337#tw.com
  • Foobar1337#ter.com
  • Foobar1337#tr.com
  • Foobar1337#moc.wt
  • Foobar1337#tw.moc
  • Foobar1337#TW
  • Foobar1337#TR.COM

The possibilities are endless, and the only things you need to remember are the static part of your password and the ‘algorithm’ for the last part. This makes it very easy to create a unique password for each site you visit without having to remember 1,001 different passwords, because actually you still only have to remember one.
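The scheme above as working code, added here and not code from the post. It reproduces the three-part formula for a domain such as twitter.com and, going one step beyond the text, adds a keyed alternative (an assumption of this example: HMAC-SHA256 over the domain, base32-encoded) that addresses the backtracing concern raised in the comments below, at the cost of needing a tool to compute it.

```python
import base64
import hashlib
import hmac

# Added example, not code from the post. It implements the three-part scheme
# described above, then a keyed alternative (this example's assumption, not
# the author's advice) in which the whole password is derived with
# HMAC-SHA256 from a secret and the domain, so one leaked password reveals
# neither the static part nor the rule used for the tail.

STATIC = "Foobar1337"  # part 1: the memorable static part
SEP = "#"              # part 2: a plain ASCII symbol


def domain_tails(domain: str) -> dict:
    """Return every site-specific tail listed in the post for one domain."""
    name, tld = domain.lower().rsplit(".", 1)
    tails = {
        "name": name,                      # twitter
        "first2": name[:2],                # tw
        "last3": name[-3:],                # ter
        "first_last": name[0] + name[-1],  # tr
    }
    # the same three short forms with the top-level domain appended
    for key in ("first2", "last3", "first_last"):
        tails[key + "_tld"] = tails[key] + "." + tld   # tw.com, ter.com, tr.com
    tails["first2_tld_rev"] = tails["first2_tld"][::-1]              # moc.wt
    tails["first2_rev_tld"] = tails["first2"] + "." + tld[::-1]      # tw.moc
    tails["first2_upper"] = tails["first2"].upper()                  # TW
    tails["first_last_tld_upper"] = tails["first_last_tld"].upper()  # TR.COM
    return tails


def formula_password(domain: str, rule: str = "first2_tld") -> str:
    """The post's scheme: static part + separator + domain-derived tail."""
    return STATIC + SEP + domain_tails(domain)[rule]


def meets_policy(password: str) -> bool:
    """The site requirement mentioned in part 1: an uppercase letter and a digit."""
    return any(c.isupper() for c in password) and any(c.isdigit() for c in password)


def keyed_password(secret: str, domain: str, length: int = 16) -> str:
    """Keyed alternative: every character depends on both the secret and the domain."""
    mac = hmac.new(secret.encode(), domain.lower().encode(), hashlib.sha256).digest()
    return base64.b32encode(mac).decode()[:length]
```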
Oh, and for the first part I’d like to point you to this comic:

Difficult passwords

Credits: XKCD

Indeed, long but simple passwords are harder to brute-force and easier to remember. Another interesting read is the password haystack calculator from Gibson Research Corporation. It states that a password like ‘fG#8_R2@Qwz’ (10 random characters) is far easier to brute-force than a password like ‘…………………………1’ (30 dots followed by a one). Which one do you think is easier to remember?
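A worked version of that haystack comparison, added here and not taken from the post or from GRC: it computes the search space an exhaustive attack must cover for the two passwords in the text. The character-class sizes (printable ASCII) and the guessing rate of 10^12 per second are assumptions of this example.

```python
# Added example, not from the post or from GRC. It reproduces the kind of
# search-space comparison the haystack calculator makes: an exhaustive search
# must try every string up to the password's length over the smallest
# character set that contains it. Class sizes assume printable ASCII.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def alphabet_size(password: str) -> int:
    """Smallest printable-ASCII alphabet an exhaustive search must cover."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Number of candidates of length 1..len(password) over that alphabet."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e12) -> float:
    """Worst-case time to try the whole space at an assumed guessing rate."""
    return search_space(password) / guesses_per_second


# The two passwords from the text; the 30-dot one is constructed with ASCII dots.
RANDOM_SHORT = "fG#8_R2@Qwz"
DOTS_LONG = "." * 30 + "1"

if __name__ == "__main__":
    for pw in (RANDOM_SHORT, DOTS_LONG):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"{search_space(pw):.3e} candidates, "
              f"{seconds_to_exhaust(pw) / 3.15e7:.3e} years at 1e12 guesses/s")
```

The short random string needs all four classes (95 symbols) but only 11 positions, while the dots-plus-digit string needs only two classes (43 symbols) yet 31 positions, and length wins by many orders of magnitude.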


3 thoughts on “A guide to using proper passwords”

  1. Simon says:

    So when somebody hacks 1 account he can see your ‘formula’ and has access to all your services as well. It doesn’t matter whether you use ‘the same password’ or ‘the same trick’ does it?

    I’d say: use a tool like 1password and generate random passwords

    Off topic: that absolute positioned green block is pretty annoying on a mobile device! 😉

    1. Giel Berkers says:

      Of course, when your account is hacked (and the password is not hashed and salted, but that’s another topic), and they can backtrace your ‘formula’, then indeed, that’s a weak spot, but still not as weak as using the same password everywhere.

      I agree with you on services like 1password, but when you work on multiple devices and locations (and you might not have the proper credentials to install such software on those devices), you might want to consider this formula instead of a random generated password.

      Off topic: thanks for the advice. Still haven’t had the time to dive into making my site responsive, but it’s on my (rather long) todo-list 😉

      1. zimmenSimon says:

        That is the beauty of 1Password. It syncs with dropbox and has a web interface when you need it (via the dropbox website). There is a mobile app as well.

        In the end it’s all just letters that can be brute forced 🙂
