In a previous article, I outlined four types of passwords you shouldn’t create unless you want your account hacked. Given how valuable your passwords are, it’s important that they be secure, yet not too hard to remember. Not only do passwords protect your e-mail account, your social media accounts, and any web services you use, but also many accounts linked to your credit card, such as your Amazon, eBay and PayPal accounts.
Here are four tips showing how you can create secure passwords:
With passwords, bigger is better. With the power of todays computers, a 6-character password can be cracked easily using “brute force” techniques (where a computer simply tries every possible combination of characters) in mere seconds. An 8-character password may take hours if it’s complex enough; 10 characters would take even longer. If you want to be really secure, go for 12 characters or longer. But also make sure that your passwords aren’t of the type that are commonly used, such as those listed on this Wikipedia page.
There are four types of characters you can use in passwords:
There are 26 lowercase letters, 26 uppercase letters, 10 digits and, depending on the web site, as many as a couple dozen special characters (most sites won’t let you use certain characters).
If you create a password with 8 random digits (that is, numerals only), there are 108 (100 million) possibilities — everything from 00000000 through 99999999. If you use, however, 8 random lower-case letters, the number jumps to 268 (over 208 billion, with a b). With a combination of numbers, upper- and lower-case letters, and special characters, the number of possibilities for an 8-character, pseudorandomly generated password can be in the trillions.
Combine this with tip #1, using a longer password, and see these numbers expand faster than the universe during the Big Bang. Of course, these numbers assume truly pseudorandomly generated passwords. For example, if you were to choose an 10-character password like Password1!, it wouldn’t take long to brute-force crack the password. But a 10-character password like y8E&@.o3Tc — which is just as long and also uses upper, lower, numbers, and special characters — would be significantly more difficult to crack, because it doesn’t incorporate words or predictable patterns.
The best way to create unique passwords is to generate pseudorandom ones and store them in your password manager—but we’re getting ahead of ourselves; that’s tip #4.
Let’s assume that you need to come up with a password that you’re going to need to type often, so it needs to be memorable, but you also want it to be relatively strong. Here’s an easy way to create unique, memorable passwords that are difficult to crack. You can use a password like this for the user account on your iPhone or your Mac, which is very important: if anyone can get into your phone or computer, they can access your e-mail, your files, and all your personal information.
To start with, try to come up with a short phrase or sentence that will be memorable to you, but preferably isn’t an axiom or anything in any public record like a book. As an example, let’s say you’re a big fan of the Game of Thrones TV series, and you think it’s the greatest of all time (“the GOAT,” as the kids say). You shouldn’t use gameofthrones or a variation thereof as your password, which could quite plausibly be in password cracking dictionaries (databases of known or likely passwords). But your first thought might be to create a password similar to this — please don’t use any of these examples:
gotisthegoat
That’s 12 characters, so it’s fairly long, but it’s all lower-case letters. Let’s throw in a couple of upper-case letters to make it more complex, but not in predictable locations (such as the first letter of the password or a word within it):
gOtistHegoAt
That’s a bit better. But now, let’s spice it up with a couple of digits. These have to still be easy to remember, right? How about this:
g0tistH3goAt
And the addition of even one special character theoretically makes this much harder to crack:
g0tistH3g@At
If something like that is too difficult to remember, you can simplify it a bit. To make it a bit more memorable, let’s just use one capital letter, one digit, and one special character, and add a 13th character on the end for good measure:
g0tistHeg@atz
Again, don’t use these specific password examples. But if you’ve gone through this exercise on your own, you now have a password that is relatively secure while also being memorable. According to the site How Secure Is My Password, the last example above would supposedly take about 2 million years for a single computer to crack—but that seems questionable. After all, computer technology is getting faster, AI is being used to crack passwords, and quantum computing is on the horizon. Even setting aside future advancements, relatively inexpensive technologies are easily available to attackers today, such as cloud computing clusters. GRC’s Password Haystacks page estimates that it would take a “massive cracking array” up to 165 years to crack this password based on today’s tech—a far cry from the 2 million years the other site claimed.
A password like the last example above is also complex enough that an average person watching you type it (an attack called “shoulder surfing”) may have a hard time comprehending what you’re typing, let alone memorize it. So a password like this should be good enough for logging into your computer or your phone.
One downside is that this password is difficult to type, but the next tip explains how to get around that.
Even if you have one really secure password memorized, you shouldn’t reuse it for all your web sites and services. This is because of credential stuffing attacks; if one site’s database gets breached, hackers may try to reuse publicly exposed username and password combinations to log into other sites. Since remembering several dozen complex passwords is implausible, you’ll need a secure way to store all those unique passwords. That’s where a password manager comes in.
If you primarily use Apple devices, you can use the Passwords app in macOS and iOS to store passwords. The Passwords app (which leverages Apple’s Keychain technology) is what “remembers” passwords when you enter them in Safari, along with the passwords you use for Mail and other programs. You can also use one of many password managers available (choose one that’s reputable and well-known—but not LastPass). Just make sure that the master password you use for this software is as strong as the example above.
Some password managers give you the option to choose “easy to type” passwords, which is a nice bonus. So, for example, you could generate something like Egad-FIERY6-jesters — which is both longer and easier to type on an iPhone or other digital keyboard than the g0tistHeg@atz example from earlier, and it’s not terribly difficult to memorize if you need to.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: 
