Passwords have two main purposes: (1) to make it easy for an authorised person to log on to the system and (2) to make it hard for an unauthorised person to gain access to your account. If the password isn’t written down or stored in a password manager, a good password needs to be easy to remember (to meet the first purpose) and hard to guess (to meet the second purpose). A lot of passwords are good for one of these purposes but not the other and it is important to keep this in mind when choosing a password.
If you use a password manager program or write passwords down, most of this article will not be relevant to you because you have avoided the need for the password to be memorable. In these situations, a long, unpredictable sequence of letters and numbers can be an excellent choice. It is important, however, to keep your password manager or password book secure and not to write this important information on a whiteboard or on a post-it note attached to your screen.
Recent research by the National Cyber Security Centre (NCSC) analysed a set of leaked passwords and found that “password” and “123456” were amongst the most popular choices. These passwords are easy to remember but they are also easy to guess, which makes them bad passwords for any system which needs to be protected from unauthorised access.
In the present climate, it is more important than ever to avoid using the same password across different systems. This is because of a common tactic called ‘credential stuffing’: an attacker takes login details that were extracted from one compromised website and tries the same username and password on other websites.
Many systems require passwords to include a mixture of capitals, lower case letters and numbers. Although these rules are intended to force you to choose a password that’s hard to guess, they have the side-effect of making passwords harder to remember. In an effort to choose a memorable password, some people have resorted to using a simple, obvious word and then modifying it to meet the rule. They may capitalise the first letter, add “1” after a word or replace a letter with a similar looking digit. If the attacker knows the system they are trying to get into, they will know that it requires all passwords to contain a capital letter and a digit. Consequently, their first guesses might include “Password1” or “Pa55w0rd”, so these are bad passwords to use. As a result of this problem, many security organisations, including the NCSC, now recommend that password systems shouldn’t insist on numbers or capital letters.
There are some clever tricks for creating passwords which are fairly easy to remember yet hard to guess. One method is to choose three or four words at random, which leads to passwords like “correct horse battery staple”. Another method is to choose a favourite line from a song and to use the first letter of each word. For example, the password “typpapyho” doesn’t seem memorable until you know it is derived from the line, “Take your protein pills and put your helmet on” from David Bowie’s Space Oddity.
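The two points above can be shown in code: the paragraph on password rules explains why “Password1” and “Pa55w0rd” are predictable, and this paragraph gives two ways to build a memorable passphrase. The following is an added example, not code from the article or from the NCSC: a set-time checker that undoes the common mangling tricks before consulting a deny list, plus the two passphrase methods. The deny list, the look-alike table, the variant cap and the 8-character minimum are constructed assumptions for illustration.

```python
"""Set-time password check that reverses common 'mangling' (capitalising,
appending digits or punctuation, swapping in look-alike symbols) before
comparing with a deny list, plus the two memorable-passphrase methods."""
import itertools
import secrets

# Assumed look-alike table: each symbol maps to the letters it commonly stands for.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
# Constructed sample deny list; a real one holds millions of leaked passwords.
DENY_LIST = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
MIN_LENGTH = 8       # assumed minimum; length matters more than character classes
MAX_VARIANTS = 256   # cap on substitution expansion so symbol-heavy input cannot blow up


def candidate_bases(password: str) -> set:
    """Plain words the password could have been built from by mangling."""
    lowered = password.lower()
    stripped = lowered.rstrip("0123456789!@#$%^&*.")
    bases = {lowered, stripped}
    options = [[ch] + list(LEET[ch]) if ch in LEET else [ch] for ch in stripped]
    total = 1
    for opt in options:
        total *= len(opt)
    if total <= MAX_VARIANTS:  # expand every combination of reversed substitutions
        bases.update("".join(combo) for combo in itertools.product(*options))
    return {b for b in bases if b}


def check_password(password: str):
    """Return (accepted, reason) for a proposed password."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if candidate_bases(password) & DENY_LIST:
        return False, "matches a common leaked password once mangling is undone"
    return True, "ok"


def random_words_passphrase(wordlist, count=4) -> str:
    """'correct horse battery staple' method: words drawn with the OS CSPRNG."""
    return " ".join(secrets.choice(wordlist) for _ in range(count))


def initials_passphrase(line: str) -> str:
    """Song-line method: first letter of each word, lower-cased."""
    return "".join(word[0].lower() for word in line.split())


if __name__ == "__main__":
    for pw in ["Password1", "Pa55w0rd", "P@ssw0rd!", "123456", "correcthorsebatterystaple"]:
        print(pw, check_password(pw))
    print(initials_passphrase("Take your protein pills and put your helmet on"))
```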
Whichever method you choose, remember that you have two aims: a good password should be easy to remember but also hard to guess.