Password Managers and vaults have become a necessity these days. Our sprawling online presence means that we all have dozens and dozens of passwords to access online services, whether it’s bank accounts, social media or shopping carts. Each of these passwords should be unique AND strong enough that they cannot be cracked. Password Managers like Keeper, LastPass, and Dashlane take care of this really well. They help generate strong passwords and securely store them for you. Their secure “vaults” allow you to access the passwords when needed, making your online activity a whole lot more convenient and secure. BUT, in order to secure the password manager vault itself, it is crucial that you make a super strong “Master Password”. PLUS it should be suitably memorable that you can enter it to access your password vault.
So, how do you come up with a strong yet memorable master password? Keep reading. It’s not as difficult as you think.
You Know The Drill
If you’ve ever been prompted to enter a new password on any site, you are probably familiar with the old warnings to make it unique and unbreakable:
- Use uppercase and lowercase letters
- Use numbers
- Use symbols
- Use at least 8 characters
- Don’t use words from a dictionary
- Don’t use the same password twice
- Don’t use personal information
OK, that’s a long list. So how about PssWrd1!? That’s a pretty good password, right? It covers all the criteria above, doesn’t it? Yes, it does. And I think I could remember that, couldn’t you? Well, let’s put it to the test.
We will use four free online tools to analyze the password:
- Gibson Research Corporation (GRC)’s Password Analyzer
- Kaspersky’s Password Checker
- Security.org’s Password Strength Tool
- The Passwordometer
So according to GRC, the password PssWrd1! would take 2.13 thousand centuries to crack in an online attack at several hundred guesses per second or, in an offline fast attack scenario, 18.6 hours or, with a supercomputer array, 1.18 seconds. Seeing as most attacks would be online guessing attacks, that’s not a bad result. Or is it?
The GRC model assumes random combinations of characters. The problem with real passwords is that they often contain familiar or frequently used characters or words, so cyber-criminals can target those first. And my password contains a variation of one such commonly used string of characters: “Password”. This was 2021’s second most popular password. The Passwordometer also looks at combinations but doesn’t look for sequences of familiar characters and words, and it gave a strength rating of 68%.
That’s why Security.org’s tool gives a breaking time of 8 hours on a computer and Kaspersky’s checker tool told me “A password change is long overdue! Bad News: [Your password contains] Frequently used words.” In fact, recent research from Hive Systems has shown that an 8-character complex password can be cracked in just 39 minutes when the latest graphics card processors are used. They also found that a 7-character complex password could be cracked in just 31 seconds!
OK, so maybe we need to improve our passwords. How do we do that? How do we make a strong master password? Here are some tips.
Tip 1: Think Passphrase Rather Than Password
Experts recommend using a mixture of letters, numbers, and symbols in each password. This makes it harder for hackers to crack the password because there are more possible combinations. But long passwords are also more difficult to crack, so we should try to increase the length of our password too. One way to create a long password that is also memorable is to use a phrase as opposed to one word.
In the world of cryptocurrency, you will come across seed phrases. Seed phrases are a string of 12 words and these 12 words are the keys to your cryptocurrency. Lose these and you’ve lost your cryptocurrency. That’s why you need to secure your seed phrase from loss or theft! But the 12-word (sometimes longer) seed phrase ensures that your wallet is secure and almost unbreakable, as well as being memorable – they are a string of real words after all.
Ok then, so let’s make a phrase that I can remember: my house is green. Let’s stick it together:
myhouseisgreen
OK, I can remember that! But this doesn’t contain any symbols, numbers or upper case characters like we are told are necessary. So how strong can it be? It does, however, contain 14 characters, which is the average number a password should have to start getting “strong”. Let’s see what the tools tell us.
Security.org replies with: It would take a computer about 51 years to crack your password. OK, we are moving in the right direction. The missing symbols, numbers and upper case letters don’t matter: because we increased the number of characters, we increased the strength.
So, let’s see if we can improve on it…
Tip 2: Mix It Up With Upper & Lower Case Letters
OK, so now we are going to take the password and switch some of the letters to upper case. We will still be able to remember the passphrase because every word in the phrase will start with an upper case letter:
MyHouseIsGreen
Now, let’s see what security.org kicks back. Wow. We’ve gone from 51 years to 800,000 years! And GRC reports that a supercomputer array would take 343 years and an online attack would take 3.43 hundred billion centuries!
Hive showed that an 18-character password made up of just numbers could be cracked using the latest graphics cards in three weeks. However, one with the same number of characters that uses lowercase letters too would take 2 million years to crack. That’s the importance of mixing those characters!
Tip 3: Add Some Padding
OK, so we have a pretty strong password. But this next tip will take it further, because we still have a string of dictionary words. We can add some filler or “padding” to the passphrase to reduce the risk of an attacker guessing familiar dictionary words strung together. Padding is random characters or symbols placed between the words of the passphrase.
So, let’s try putting the characters && between each word in the passphrase:
My&&House&&Is&&Green
Let’s check out the performance of this passphrase. Jeepers! Check it out! According to Security.org it would take a computer 2 septillion years to crack. How many zeros is that? And GRC claims it would take a supercomputer 9.01 million trillion centuries to guess!
Ok, I think we might have gone far enough. But hey, while we’re here, let’s see if we can improve it a little more. We can take it to another level by following one more tip.
Tip 4: Switch Out Characters with Symbols
The final tip to create a super strong but memorable master password is to switch out some of the characters. In my example here, we are going to switch out the letter i’s with an exclamation mark (after all, exclamation marks do look a bit like upside-down i’s) and the s’s with 5’s. Again, they look a bit similar, and that’s something I can still remember.
So, our super strong memorable passphrase now becomes:
My&&Hou5e&&!5&&Green
As Kaspersky says: “Nice Password! Your password will be brute-forced with an average home computer in approximately…10000+ centuries.” GRC puts it more precisely at 11.52 thousand trillion centuries! And Passwordometer gives it a 100% strength rating.
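The tool comparison above (a pure search-space model rating PssWrd1! highly while Kaspersky flags a frequently used word) and the four-step recipe from Tips 1 to 4 can both be reproduced in a few lines. The following is an added example written for this article, not code from the post or from any of the tools it names. It assumes guess rates for the three GRC-style scenarios (1,000 per second online, 100 billion per second offline, 100 trillion per second for a cracking array), uses GRC’s “haystack” convention of counting every string up to the password’s length, and uses a small constructed list of common passwords with a vowel-stripping comparison as a stand-in for a real frequently-used-word check.

```python
import string

# Assumed guess rates for the three scenarios the post quotes from GRC's tool;
# they are illustrative constants here, not measurements.
GUESSES_PER_SECOND = {
    "online attack": 1_000,
    "offline fast attack": 100_000_000_000,
    "massive cracking array": 100_000_000_000_000,
}
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed sample of frequently used passwords; a real checker would use
# a large breach-derived list instead.
COMMON_WORDS = ["password", "qwerty", "letmein", "welcome", "football", "iloveyou"]


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must assume, from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33
    return size


def search_space(pw: str) -> int:
    """All strings of length 1..len(pw) over that alphabet (the 'haystack')."""
    n = charset_size(pw)
    return sum(n ** i for i in range(1, len(pw) + 1))


def crack_years(pw: str) -> dict:
    """Years to exhaust the haystack in each scenario (worst case for the attacker)."""
    space = search_space(pw)
    return {name: space / rate / SECONDS_PER_YEAR
            for name, rate in GUESSES_PER_SECOND.items()}


def skeleton(text: str) -> str:
    """Lower-case letters with vowels removed, so 'PssWrd1!' matches 'password'."""
    return "".join(c for c in text.lower() if c.isalpha() and c not in "aeiou")


def contains_common_word(pw: str) -> bool:
    """Crude 'frequently used word' test: does any common word's skeleton appear?"""
    sk = skeleton(pw)
    return any(skeleton(w) in sk for w in COMMON_WORDS)


def build_passphrase(words, padding="&&", swaps=None) -> dict:
    """Apply the post's recipe step by step and return every intermediate form."""
    swaps = swaps or {}
    capitalised = [w.capitalize() for w in words]
    padded = padding.join(capitalised)
    return {
        "joined": "".join(words),
        "capitalised": "".join(capitalised),
        "padded": padded,
        "substituted": "".join(swaps.get(c, c) for c in padded),
    }


def assess(pw: str) -> dict:
    """Length, alphabet size, common-word flag and crack-time estimate for one candidate."""
    return {
        "length": len(pw),
        "charset": charset_size(pw),
        "common_word": contains_common_word(pw),
        "array_years": crack_years(pw)["massive cracking array"],
    }


if __name__ == "__main__":
    print("PssWrd1! ->", assess("PssWrd1!"))
    stages = build_passphrase(["my", "house", "is", "green"],
                              padding="&&", swaps={"i": "!", "I": "!", "s": "5"})
    for name, candidate in stages.items():
        print(f"{name:12} {candidate:24} {assess(candidate)}")
```

Running it shows the two halves of the article’s argument side by side: the haystack estimate for PssWrd1! lands in the same region as the GRC figures quoted above (about 18.6 hours offline), yet `contains_common_word` flags it, while each stage of the recipe, from myhouseisgreen to My&&Hou5e&&!5&&Green, grows the alphabet and the length without tripping the common-word check.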
But recent research from Hive Systems shows just how fast technology is progressing. New processors mean passwords and passphrases can be attacked more efficiently, which makes passwords more susceptible. The table below, which was produced by Hive Systems, shows the impact of password length and character variety on their resistance to brute-force attacks from new-generation processors.
So, stop thinking password, and start thinking padded passphrase. It will help you construct a complex master password that is still easy to remember because of the system you use to create it. Here are some other examples that could work:
Tip 5: Meaningful & Favourite
Instead of an actual phrase, you could use the same idea of upper and lower case letters, padded out with other characters, and instead create a list of your favourite or meaningful “whatevers.” For example, my favourite colour, city, drink and the year of the moon landing, padded out with – on the outside and — on the inside:
red-London–Coke-1949
Or maybe a meaningful vacation:
My2017Swiss-SkiTrip=Amazing
Or four meaningful dates strung together, separated with an increasing number of / characters:
1955/1981//1998///2005
Or maybe you could take a year and write it out:
nineteen-eighty-nine=BEST-YEAR!
Ok, I think we’re done… but wait. There’s one final bonus tip.
Bonus Tip: Use Multi-Factor Authentication
So, you have a super strong memorable passphrase for your password manager. That’s excellent. However, there’s always the slight risk that your computer is infected by malware and a keylogger is installed, which could compromise your master password if the keylogger can log it. The master passphrase, although super strong, is fallible against a keylogger. Ideally you would have virus and malware protection on your computer that would detect any intrusion by a keylogger. But let’s say a keylogger is present. What then? The best protection against this is to use multi-factor authentication. Normally it comes in the form of 2FA (two-factor authentication).
Two-factor authentication is a way to make sure that only you can log into your account, by requiring two different types of information. One is something you know, like your master passphrase, and the other is something you have (or are granted access to), like a code that is texted to your phone.
The best password managers provide multi-factor authentication, so once you set it up you are required to enter a code that is sent to another device. Only that code, used together with your master passphrase, will grant you access. The code becomes unusable after a minute, so it cannot be re-used with your password; you would have to wait for another code to be issued. So, while a keylogger might still see your master passphrase, it cannot work around the 2FA. That’s why you need a password manager with MFA like Keeper, Dashlane, LastPass or Roboform.
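To make the “something you know plus something you have” rule concrete, here is an added example (not code from the post or from any password manager it names) of a toy vault lock. It assumes a time-based one-time code (TOTP, RFC 6238, 30-second steps) generated by an authenticator app as a stand-in for the texted code the post describes; the master passphrase is stored as a slow PBKDF2 hash, and any code that has been accepted once is remembered so that a captured passphrase plus a replayed code cannot open the vault.

```python
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at_time) // step, digits)


class Vault:
    """Toy vault lock: master passphrase (something you know) plus TOTP (something you have)."""

    STEP = 30          # seconds each code is valid for
    DRIFT_STEPS = 1    # also accept the previous step, to tolerate clock skew

    def __init__(self, master_passphrase: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self._derive(master_passphrase, self.salt)
        self.totp_secret = totp_secret
        self.used_counters = set()   # codes already accepted; never honoured twice

    @staticmethod
    def _derive(passphrase: str, salt: bytes) -> bytes:
        # Slow KDF so an offline attacker pays for every guess at the master passphrase.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

    def unlock(self, passphrase: str, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        pw_ok = hmac.compare_digest(self._derive(passphrase, self.salt), self.pw_hash)

        # Check the code regardless of the password result, so a wrong password
        # and a wrong code take the same path and reveal nothing about which failed.
        counter = int(now) // self.STEP
        matched = None
        for c in range(counter, counter - self.DRIFT_STEPS - 1, -1):
            expected = hotp(self.totp_secret, c)
            if c not in self.used_counters and hmac.compare_digest(expected, code):
                matched = c
        if not (pw_ok and matched is not None):
            return False
        self.used_counters.add(matched)   # a logged code is useless from now on
        return True


if __name__ == "__main__":
    secret = os.urandom(20)   # shared with the authenticator app at enrolment
    vault = Vault("My&&Hou5e&&!5&&Green", secret)
    code = totp(secret, time.time())
    print("first unlock :", vault.unlock("My&&Hou5e&&!5&&Green", code))   # True
    print("replayed code:", vault.unlock("My&&Hou5e&&!5&&Green", code))   # False
```

The `hotp` and `totp` functions reproduce the RFC 4226/6238 reference vectors (secret `12345678901234567890`, counter 1 gives 287082), which is a quick way to confirm an implementation before trusting it. The point the post makes is visible in `unlock`: a keylogger that captures the passphrase and the code still fails, because the code is bound to a 30-second window and is refused a second time.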
I personally use Keeper, and it has the most diverse MFA options of all password managers, and I’m pleased with its security and password management features. But check out which password manager is the best fit for you; there are some great services out there to help protect your digital life! And remember to create a super strong, memorable master passphrase!
The Final Score: You Need a Super Strong Memorable Passphrase
A password manager is invaluable these days to secure, store and manage all the sensitive information we need to conduct our lives online. Password managers require a master password to access the password vault. This represents a potential weak spot in the security of the password manager and is why creating a secure master password is crucial. These tips can help you create a secure yet memorable master password:
- Use a memorable phrase instead of a word. This makes it a whole lot easier to recall.
- Make it at least 14 characters long. The length of a password improves its strength exponentially.
- Switch some characters to upper case. For instance make the first letters in each word capitals.
- Pad your phrase with some symbols. For example, use \\ or <> between words.
- For extra strength, switch out some characters with similar looking characters (e.g. i with !)
- And use 2FA (two-factor authentication) with your password manager to reduce keylogger threats.
- Check out ideas using the free tools below (but I would suggest not using your actual final password)!