When anything gets hacked, the security breach is usually down to human error rather than any kind of software glitch. And the root of that error is usually someone on the system using an embarrassingly weak password.
A weak password is one that’s easy for any third party to guess. And even after high-profile hacks such as Yahoo!, Talk Talk and Tesco Bank, the most common password in use in 2016 was still 123456.
The second most common password? 123456789.
Choosing a password like this is like leaving your car in the wrong part of town with the windows open and your key in the ignition. It’s an opportunity almost too good to be true for hackers and cyber-criminals. And with networks of several thousand zombie machines under their control, all scouring the net for weakly-guarded accounts, it’s simply a matter of time until they find yours.
Why do people choose such absurdly simple passwords?
When you’re asked to create a password two things happen inside your head. First, you try to think of something – anything – that might make a decent password. But in response to this your mind instantly evacuates itself of absolutely everything. You’re left looking around at things in the room for inspiration: Lamp. Chair. Desk. Screen. Keyboard. Qwerty.
The second thing that happens is that you evaluate those possible passwords for two qualities: Originality (whether anyone is likely to guess your password) and memorability (whether you are likely to remember it).
While you might use lamp or keyboard they’re not actually related to anything but what’s sitting before you at that very moment, so you’re probably going to forget which you chose by the time you next log in. To make matters worse, you’ve probably also been asked to include at least one number and use a mixture of upper- and lower-case letters.
Could you remember K3y8oard for the next time you log in? You doubt it. So to get out of this tailspin, you defer solving the problem altogether. You choose 123456789 or pa55word and tell yourself you’ll change it later.
But you don’t. And then you get hacked.
How to create a password that’s both secure and memorable.
In contrast to the stereotype, hackers don’t sit alone in the dark, whiling away the hours trying to uncover your password by tapping guesses into a login screen. They’re much smarter than that. Unsurprisingly, they have machines to do all the hard work – lots of them – which use lists of known passwords coupled with pattern-recognition software. You can assume that any known word that you can type is a vulnerable password. Words, combinations of words and any logical alphanumeric sequence that you can think of – q1w2e3r4t5y6 for example – are the first things they try.
So if you can’t use real words or patterns of characters, how can you create a password that you’ll be able to remember, but which could never be guessed by a marauding horde of zombie computers?
- Think of a person you used to know.
The more obscure and mundane they are, the better. For example, they could be a former neighbour, an old schoolmate or teacher. You don’t even have to know their full name, just who they were to you.
- Describe their relationship to you in a simple statement.
Try to include numbers by adding a significant year when you knew them, or your age at the time.
- Use the initials of your statement to create a string of characters.
Include capital letters where appropriate, but don’t complicate things by inserting them arbitrarily as you’ll forget where you put them.
If you went to Eton school and in your second year a boy called David ran the tuck shop, your statement might be:
David Cameron sold me a Curly Wurly at Eton when I was 12
From this your password would be:
For extra security, include some punctuation in your statement:
In 1987, when I was 12, I bought a Curly Wurly from David Cameron at Eton!
So your password would be:
Now all you need to do is to mentally connect the image of your old school chum / former prime minister to the login screen that you’re using the password for. How you do this is up to you, but a simple way to do it is to imagine them reading out the name of the website you’re logging into. From then on, every time you see that login screen, that person will leap into your head and trigger the statement. From there you have your password, completely unique and impossible to guess, yet easy for you to remember.
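The three steps above can be written down as a small script, which is a useful way to see what the initials method actually produces and why it sidesteps the dictionary and sequence lists mentioned earlier. The code below is an added example written for this page; it is not part of the original article. It assumes one concrete reading of the rules: every word contributes its first letter with the word's own capitalisation, numbers are kept whole, and punctuation is kept where it appears. The common-password list and keyboard rows are constructed for illustration, not a real breach dataset.

```python
import re

# Constructed, illustrative list of widely used passwords (not a real leak dataset).
COMMON_PASSWORDS = {"123456", "123456789", "12345678", "password", "pa55word", "qwerty"}

# Keyboard rows and ordered runs used to spot "logical sequences" such as q1w2e3r4t5y6.
SEQUENCE_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "abcdefghijklmnopqrstuvwxyz"]

# Leading punctuation, the word or number itself, trailing punctuation.
_TOKEN = re.compile(r"^([^A-Za-z0-9]*)([A-Za-z0-9]+)([^A-Za-z0-9]*)$")


def statement_to_password(statement: str) -> str:
    """Reduce a memorable statement to its initials (assumed reading of the article's rules):
    first letter of each word with its original case, numbers kept whole, punctuation kept."""
    parts = []
    for token in statement.split():
        match = _TOKEN.match(token)
        if match is None:          # token with no letters or digits, e.g. a lone dash
            parts.append(token)
            continue
        lead, word, trail = match.groups()
        core = word if word.isdigit() else word[0]   # keep years/ages, otherwise the initial
        parts.append(lead + core + trail)
    return "".join(parts)


def _is_run(s: str) -> bool:
    """True if s (3+ chars) walks forwards or backwards along one of SEQUENCE_ROWS."""
    return len(s) >= 3 and any(s in row or s in row[::-1] for row in SEQUENCE_ROWS)


def is_sequence(password: str) -> bool:
    """Detect plain runs (123456789, qwerty) and two interleaved runs (q1w2e3r4t5y6)."""
    lower = password.lower()
    if _is_run(lower):
        return True
    return len(lower) >= 6 and _is_run(lower[::2]) and _is_run(lower[1::2])


def check_password(password: str) -> list:
    """Return the reasons a candidate password is weak; an empty list means no finding."""
    findings = []
    if password.lower() in COMMON_PASSWORDS:
        findings.append("appears in common-password list")
    if is_sequence(password):
        findings.append("keyboard or numeric sequence")
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("fewer than three character classes")
    return findings


if __name__ == "__main__":
    for statement in (
        "David Cameron sold me a Curly Wurly at Eton when I was 12",
        "In 1987, when I was 12, I bought a Curly Wurly from David Cameron at Eton!",
    ):
        pw = statement_to_password(statement)
        print(f"{statement!r} -> {pw} {check_password(pw) or 'OK'}")
    for weak in ("123456789", "pa55word", "q1w2e3r4t5y6"):
        print(f"{weak} -> {check_password(weak)}")
```

Running it shows the two statements from the article collapsing to 14 and 23 characters that trip none of the checks, while 123456789, pa55word and q1w2e3r4t5y6 are each flagged as a known password, a sequence, or both. The check is deliberately simple; a real login system should compare against a full breached-password list rather than the short set used here.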