As I write this in April, the tech news is full of Heartbleed, a bug in the OpenSSL software used by many websites that lets attackers read the memory of a web server and, with it, passwords and other data that should have stayed private. As the designer of the new website for the Community Centre, I’d like to reassure you that www.bfobrca.org has not been affected by this problem. We don’t collect user information or passwords, and the site is hosted on a server which does not use the affected software.
More broadly, what does Heartbleed mean to you? If you use any affected sites, which include social media sites such as Facebook, Pinterest, Instagram and Tumblr, entertainment sites like YouTube, Netflix and Flickr, or Gmail and Yahoo email, you should change your password as soon as the site has announced that it has fixed the bug (changing it before that point can leak the new password in exactly the same way). If you use the same password on other sites, such as your bank, you need to change those too. But don’t choose a password that’s too easily identifiable with you (your birthday, your child’s name) or something on the list of the most commonly used passwords, which include 123456, password, abc123, qwerty and, for some strange reason, monkey! Make the new password a good one, a strong one.
Experts recommend the use of a password manager such as LastPass. If you don’t feel comfortable using one of these (or if you do use one and need to create a master password), here are some hints for coming up with a strong password.
The key is to find a password that a hacker can’t guess, but you can remember. This sounds hard, but can be easier than you think. One of the best ways I’ve come across is the mnemonic technique: use the initial letters of a memorable sentence, then add some non-alphabetic characters. So, for example, I might think “If I won the lottery I would buy a house in St Tropez!” Using the first letter of each word gives “IIwtlIwbahiST”. That’s a great start, but to make it stronger still, substitute in some numbers and add the punctuation back in. To me a b looks a little like 6 and a lower-case i (the one from “in”, not the capital I’s) could be 1, giving “IIwtlIw6ah1ST!”
Now there is just one very important step you need to take: make the password unique for each website you use. If you’ve got a great memory, you can create a new password for each site. But if not, use the combination above as the core of your password and add a few letters from the website address. A new password for your Google email account (https://mail.google.com) would, for example, be “IIwtlIw6ah1ST!oog”. And there’s your unguessable but easily memorable password (don’t worry, those complicated-looking substitutions will soon become second nature).
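The recipe above, written out as a small general routine so you can see each step applied to any sentence and any site. This is an added example, not part of the original newsletter article; the substitution table (b to 6, i to 1), the rule for picking the site letters (the second to fourth letters of the main part of the domain, which is what turns google into oog) and the minimum length are assumptions chosen to reproduce the article’s worked example.

```python
import re
from urllib.parse import urlparse

# Constructed list: the article's own examples of commonly used passwords.
COMMON_PASSWORDS = {"123456", "password", "abc123", "qwerty", "monkey"}

# Assumption: the two look-alike substitutions used in the article.
# Keys are lower-case on purpose, so the capital I's are left alone.
SUBSTITUTIONS = {"b": "6", "i": "1"}


def initials(sentence):
    """First letter of every word, keeping each letter's case.

    'If I won the lottery I would buy a house in St Tropez!' -> 'IIwtlIwbahiST'
    """
    words = re.findall(r"[A-Za-z]+", sentence)
    return "".join(word[0] for word in words)


def trailing_punctuation(sentence):
    """The punctuation that ends the sentence ('!' in the example), or ''."""
    match = re.search(r"[^\w\s]+$", sentence)
    return match.group(0) if match else ""


def substitute(core, table=SUBSTITUTIONS):
    """Swap in look-alike digits: 'IIwtlIwbahiST' -> 'IIwtlIw6ah1ST'."""
    return "".join(table.get(ch, ch) for ch in core)


def site_suffix(url, start=1, length=3):
    """Assumed rule for 'a few letters from the website address':
    take the main label of the domain (google in mail.google.com)
    and return letters start..start+length of it -> 'oog'."""
    host = urlparse(url).hostname or url
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return label[start:start + length]


def mnemonic_password(sentence, url=None):
    """Core password from the sentence, plus the per-site suffix if a URL is given."""
    password = substitute(initials(sentence)) + trailing_punctuation(sentence)
    if url:
        password += site_suffix(url)
    return password


def is_weak(password, min_length=12):
    """Reject anything on the common list or shorter than min_length (assumed)."""
    return password.lower() in COMMON_PASSWORDS or len(password) < min_length


if __name__ == "__main__":
    sentence = "If I won the lottery I would buy a house in St Tropez!"
    print(mnemonic_password(sentence))                            # IIwtlIw6ah1ST!
    print(mnemonic_password(sentence, "https://mail.google.com"))  # IIwtlIw6ah1ST!oog
    print(is_weak("monkey"), is_weak(mnemonic_password(sentence)))  # True False
```

Note what the routine makes visible: every site’s password shares the same core and the same suffix rule, so if one site leaks your password, an attacker who reads it can guess the rest. That is the reason the article’s advice to prefer a password manager still stands.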
Bear in mind that this technique isn’t a replacement for a good password manager: every site’s password shares the same core, so if one site leaks your password the pattern is exposed and the others become guessable. But it’s definitely better than using 123456!
I originally wrote this article for the Summer 2014 edition of the BFOBRCA Community News.