Your passwords for web-sites - making them memorable but safe and secure
Summary of creating and using password securely
This section summarises Password planning, creation and use, with an emphasis on keeping
your passwords separated into levels so that a criminal who obtains a password
for a trivial site cannot use it to escalate their access to the sites
that really matter.
The basic threats that good passwords must resist (brute force, dictionary
attacks and any variant of information-based guessing) are described,
followed by the threats to their security when they are used
in a variety of scenarios where the risks are escalated.
The rest of this page is devoted to illustrating the methods by which
you can create secure passwords for web sites as opposed to
passwords stored on devices where the hacker may gain physical access.
What cannot be given here are rules, instructions or algorithms
that define a method of creating a strong password, as the act of
publishing them to the web would in itself destroy any security in their use.
What can you do to make a password more secure
The complexity surrounding the topic of passwords is something that no
"normal" user should need to know, although I have tried to articulate
those issues in many web pages over many years - my conclusion is that I
should write a short article (below) which tells readers WHAT they
should DO and NOT WHY! I am also LIMITING my advice here to passwords for
web sites rather than PCs, mobile 'phones, laptops, routers
and other devices which could become physically accessible to thieves - see
Passwords for insecure devices if that is also a matter that concerns you.
Consider which threats, and in particular which sources of them, cause you the greatest
exposure - a physical thief, a youth with a 'hacking' laptop, a co-worker or an acquaintance;
through to bored kids at college, hackers in Russia / China / Africa...
They all have different 'attack vectors' - physically stealing a laptop,
taking over your PC or router (locally to begin with!) or simply scraping data,
including user names and passwords, off a discarded computer hard drive.
The points below are listed only for ease of reference:
- The most important aspect of managing passwords is to treat them in categories
according to their value or risk/consequences to you - the lowest level can be
throwaway in almost all respects; what matters is that every level is distinct from all
others and cannot act as a 'set of ladders' for a thief to ascend.
If you use the same or similar passwords for banking as you do for small retail
stores on the web then you have given the thief an escalator when you
thought you were playing "Snakes and Ladders".
- For simplicity, let's refer to them as levels as used in a computer game -
Level 1 should be so basic and simple that anyone can play; Level 3, however,
has to be a part of the game where no-one can follow you, no matter how
well they know you - personally, historically, by observation/monitoring -
and no matter where they attack from or with what weapons.
What might differentiate level 3 from a level 5 password is that
the former might be an "amateur" web site whereas the latter might be for
more trustworthy web sites due to more competence and/or integrity
of the owner, management, designers or operators.
See Password planning, creation and use for more detail, including how to avoid
hackers being able to escalate from one of your low risk
sites to one or more of your higher-risk sites.
- Really good passwords need to withstand the variety of attacks that already exist
(Brute force inc. rainbow tables, Dictionaries, Data harvesting etc.)
and ideally try to anticipate those that are not yet economic for the thief.
However, passwords MUST be EASY ENOUGH! to remember in your head.
- Writing OR just STORING the whole of a password down in one place IS NOT A
GOOD IDEA for protecting resources which are high risk/consequences.
For example - I would not use a single electronic or software safe to store
the whole of a password for any financial (or other important) web site
just as I would not store that in my wallet or mobile 'phone.
That is why our conclusion is that the best building block is based on the first
character of words in sentences as that is a very easy and natural way to replay
a password, even if being asked for specific characters of it.
The extra challenge is that the simplicity of this approach means that it is
necessary to choose sentences:
- that are memorable - if you can't think of one that no-one else
would have said or heard then choose a phrase that is either rude or conjures
up a specific image in your mind
- where there is more than one unrelated word
- for example "blue pigs can't fly".
If you need to make a record as a reminder then record the parts separately and ideally
on separate media / in separate locations - paper in your fire-safe at home combined with
an obfuscated text on your mobile would be OK for a low-medium risk password.
Add a third location (and maybe a third medium) for high risk passwords.
- which very, very few people would know - obviously NOT lyrics, quotations etc.
Think laterally - a sentence could be WHAT you WANTED to SAY to your BOSS
at the Christmas party LAST YEAR!
Don't even THINK of using what you want to say to them THIS YEAR because it will
have gone through your mind dozens of times before then and 'accidents do happen'
- ideally each sentence would not exist anywhere on the Internet!
However, when checking this (using "Google with quotes") you must not research
more than one sentence at the same PC and certainly not in the same week as your
search query strings are logged and it is just conceivable that a hacker could
target this data as a source for a new dictionary!
For rigour I searched for PART of the phrase ("blue pigs") above and got
197,000 hits, one of which was: (Blue) Pigs might fly! - Pinkbike
Forum at www.pinkbike.com/forum/listcomments/?threadid=134426.
However, I have left the example to show the importance of this paragraph!
- To add some complexity, uniqueness AND length (IF! needed!) to the
above you also need a SIMPLE set of rules - ONE FOR EACH LEVEL and VERY
DISTINCT - which insert odd characters into the password and IDEALLY make
it broadly unique to the web site you are visiting.
To add COMPLEXITY, sometimes referred to
(even by me!) as variety:
- Choose at least one (but not the 1st) character to change to upper
case if one (not 1st) is not already so. Then choose a position for at
least one "special" character (not a-z, A-Z or 0-9) that is commonly
available on all the devices you are likely to use (inc. Internet
cafe abroad!) and where you have a fallback if the character is not
allowed by the web site when you create the password... For instance - if
you chose the '=' sign as a complex/special character then your fallback
might be to use 'EQU' on web sites that don't allow an equals sign.
To add UNIQUENESS for any particular web site:
- Choose a way of selecting, morphing and then positioning 2-4 characters
from the web site that you are logging in to, so that it is likely
to result in a relatively unique set and position of characters.
Adding LENGTH is easy but again must be
distinct at your (3 or 4?) different LEVELS of password:
- If what you have created above already exceeds 7 characters for
a "level 1" web site or exceeds 10 characters for a very
important (level 5) site then you don't need to add any more.
As long as you have followed the rules up to here then it is OK to extend the
length with a memorable word, acronym or reference number at this point,
because any hacker will be unable to use dictionary and other simple methods
- adding length to an already complex and unique password stops the so-called
"brute-force" technique of trying every combination of every possible
character in every possible position of a password!
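The following Python is an added illustration, not the author's own rules (which the page deliberately does not publish): it applies the building-block structure above to the page's example sentence and the page's '=' / 'EQU' fallback, then compares the brute-force search space of the result with a plain dictionary-style password. The upper-case position, the insertion point and the site-token rule are constructed choices made here purely for illustration; a reader would pick their own and keep them private.

```python
import string

SPECIAL = "="       # the page's example of a 'special' character
FALLBACK = "EQU"    # the page's example fallback where '=' is rejected


def first_letters(sentence: str) -> str:
    """Page's core building block: the first character of each word."""
    return "".join(word[0] for word in sentence.split())


def site_token(hostname: str) -> str:
    """Constructed uniqueness rule (assumption, not the page's): take the
    registered label ('example' from 'www.example.com'), keep its first
    three letters and reverse them."""
    labels = hostname.lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return label[:3][::-1]


def build_password(sentence: str, hostname: str, special_allowed: bool = True) -> str:
    """Assemble: first letters, one non-initial upper-case letter, one special
    (or its fallback) and the site token, none of them at the front or end."""
    base = first_letters(sentence)
    if len(base) < 3:
        raise ValueError("use a sentence of at least three words")
    # Constructed choice: upper-case the third character (page: never the 1st).
    base = base[:2] + base[2].upper() + base[3:]
    special = SPECIAL if special_allowed else FALLBACK
    # Insert after the 2nd character so neither addition is first or last.
    return base[:2] + special + site_token(hostname) + base[2:]


def charset_size(password: str) -> int:
    """Alphabet a brute-force attacker must assume, judged by which
    character classes actually appear in the password."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def brute_force_space(password: str) -> int:
    """Candidates an exhaustive search over that alphabet and length must
    cover; every extra character multiplies this by the alphabet size."""
    return charset_size(password) ** len(password)


if __name__ == "__main__":
    pw = build_password("blue pigs can't fly", "www.example.com")
    print(pw, brute_force_space(pw))                  # bp=axeCf and 84**8
    print(build_password("blue pigs can't fly", "www.example.com", False))
    print("bluepigs", brute_force_space("bluepigs"))  # 26**8 for comparison
```

Note that the site token keeps the result distinct per site while the sentence stays the same, which is the page's point about not letting one site's password act as a ladder to another.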
General tips when creating passwords in addition to the above
As a general rule it is better to use passwords which are unusual
compared to the vast majority, so, for example - where possible,
while retaining memorability etc.:
- Choose uncommon letters and numbers - 1, 2, a, e, i, o, r, s are all common
- When adding special characters - avoid the front (1st) and end (last)
- When adding numbers - avoid the end and bear in mind that some web sites
do not accept them (or specials?) at the front
- When using or making characters upper-case - avoid the front
But as stated above,
for the latest best practice on this topic visit:
Passwords - best practices (which is this page if you are viewing it on-line).
This page © Business before Technology 2008-2020 - see the respective sites of the owners for their copyright as well as terms and conditions
Links and other information last validated on 22nd May 2009.
Please use the Contact us page to suggest any additions or revisions.