How to Create Strong Passwords and Remember Them
Passwords are like door keys. We rarely think about them until we lose them, or worry someone else could have them.
Considering how heavily we rely on passwords to access the apps, accounts and devices we need to even get off the ground in the morning, it’s surprising how little thought we put into them.
And this isn’t only true of the general population. “Even people who’d consider themselves security conscious in the physical world can leave their digital twins exposed online,” explains Professor Daniel Dresner, Professor of Cyber Security at the University of Manchester.
“Using passwords is a flawed system. And as cyber criminals adopt technologies such as machine learning, passwords are likely to become obsolete."
“But until something better comes along, it’s a good idea to level up your password game.”
Why are We so Bad at Creating Secure Passwords?
News articles about password mistakes and cyber security attacks are a dime a dozen. We’re saturated with warnings that if we don’t change our passwords, someone will clear out our bank accounts and sell everything we own on the dark web.
“Much of this is sensationalism with a side order of fear, uncertainty and doubt,” Dresner adds.
“However, as too many things we want to access online rely on passwords, it's still a very good idea to be careful out there.”
Despite daily stories of data breaches and the accompanying finger-wagging, more than two thirds of people use the same password across multiple accounts.
So, with a stream of security and password-related advice coming at us, why aren’t we listening?
“It’s often about memory,” Dresner continues. “Anyone is capable of creating a strong password on the spot. But remembering it when we need it is a different story.”
“So many websites demand mental algorithms from us. They make remembering the combination of letters, numbers and special characters so far from what we might be comfortable with.”
“This causes us to downgrade our attempts to create a secure password. So instead, we end up creating one that’s guessable.”
“And if we can guess it, you can be sure the criminals’ software will be able to as well.”
My Passwords are Probably Fine, Right?
Another trap many of us fall into is assuming hackers won’t target us individually. Around one third of people don’t feel that they’re in danger of being hacked.
Surely a hacker wouldn’t concern themselves with one account when they could go after big businesses and hold them to ransom instead? Right? Wrong!
What do Cybercriminals do with Stolen Passwords?
Cyber criminals can do significant damage once they’ve accessed your account. Some of their motivations include, but aren’t limited to, the following.
To Steal your Money
A cyber criminal could guess the password to one of your accounts which holds payment information. From there, they can perform an account takeover. This involves changing your password, locking you out and using your payment details for their own ends. This is also a key part of identity theft.
To Steal your Identity
To many people, identity theft sounds like a far-fetched concept that only happens in movies. On the contrary, it’s surprisingly common and up there with credit card fraud as one of the top motivations behind cyber crime. Duplicating someone’s identity can be done with minimal data. Email addresses, bank accounts or credit cards may be opened with basic details such as a name, address and date of birth. Criminals can then use this to access money or benefits in your name. This could damage your credit score and your chances of gaining approval for mortgages or other forms of credit.
To Target your Friends or Employers
Spear phishing, or carefully targeted attacks, see cyber criminals break into your accounts and gather details on the people you know or the company you work for. They can then use this to pose as you and solicit more information from their targets. One click on a malicious link or a seemingly innocent comment could give a criminal all they need to compromise a friend, a loved-one or an entire business.
What Can you do to Mitigate Risk?
How to Create Strong Passwords and Remember Them
- Don’t complicate it - We all know the advice to create passwords with combinations of special characters, upper and lower case letters and numbers, etc. Thankfully, this is no longer considered best practice. Instead, the National Cyber Security Centre recommends using the ‘three random words’ method. A password comprising random words unrelated to you or your life is likely harder to crack and easier to remember. Whether a website’s password complexity requirements will allow you to do this is another story, explains Professor Dresner. “Don’t blame the customers and employees. Blame the people who expect us to use systems that are not only unintuitive but actively deny us the opportunity to follow the science of good passwords.”
- Adopt a password creation convention - Echoing the three random words method, adopting a convention could help you create secure and memorable passwords. Examples include the Bruce Schneier method, or the person-action-object (PAO) memory method.
- Consider using a password manager - Uptake of password managers was initially slow, but they are becoming increasingly popular as they prove their worth. They work by storing multiple usernames and passwords in one place and pre-populating the fields on a login screen. They can also generate and store random passwords for you. Examples include Keeper Security, Dashlane, 1Password and Nord Pass.
- Two-factor and multifactor authentication - While many people see extra steps to login as inconvenient, data shows that it can significantly boost security. According to Microsoft, your account is more than 99.9% less likely to be compromised if you use multi-factor authentication. Many websites give you the option of switching this on or off when you register. You also don’t have to use it every time you log in. Typically it kicks in again after periods of inactivity or when logging in using a new device.
Great Password Resources
Taking the above on board will definitely improve your password security. But twinning this with ongoing awareness is even better.
Here are some great tools for keeping password security front-of-mind in the long-term.
- Find out if your data has been breached and in which major incidents at Have I been Pwned?
- Hold yourself accountable for password security by taking the Password Pledge and spreading the word by sharing.
- For IT professionals and system owners, the National Cyber Security Centre offers this excellent guide to creating password strategies.
Perfect Your Backup Plan
If this post has got you wondering how you can better protect your most valuable data, from documents and music libraries to photographs and PDFs, download a free trial of Macrium Reflect for home users here and business users here.
About Professor Daniel Dresner
Daniel is the first Professor of Cyber Security at the University of Manchester, which he joined after 22 years with The National Computing Centre. He takes a diverse community-based approach to cyber security and runs exercises to help people learn how to cope with the risk of online harms.
He is a founder of the IASME Consortium, where he applied his work in standards development to champion cyber security for SMEs.
He is a vocal advocate of the local cyber ecosystem and furthers the opportunities cyber security offers innovation and growth as part of the Greater Manchester Cyber Foundry and the DiSH – Digital Security Hub in Manchester City Centre.
Daniel has regularly lectured about risk and cyber defence to cohorts from India and the Western Balkans at the Defence Academy of the United Kingdom for the Chevening Programme. Daniel also revived The Ratio Club thought leadership group for cybernetics – which included Alan Turing – as part of his research work promoting the balance between people and technology.
He contributes to books and conferences and appears on the BBC explaining cyber security to the wider community. He is a Fellow and Founder member of the Chartered Institute of Information Security. Daniel was voted one of the top 20 cyber security influencers worldwide 2018-2021 and Best Educator at the Security Serious Awards 2022.