Creating Secure Passwords Tutorial


It seems like every day you have another website to log into and you need another unique and secure password. And you probably ran out of ideas for new passwords about 20 passwords ago. So here is one method to create easy-to-remember passwords which are also very strong.


This method is a substitution cypher, just like a decoder ring. Geeks have used it for years, but it is rarely shared with most people. I started using this method a lot more when I worked on DOD projects and had to regularly change my password to some long indecipherable thing. In fact, on some projects the computer generated the complicated passwords, so people had to write the password on sticky notes because it was just too complicated to remember (great security there).

Password Strength

You’ve heard over and over that your password should be at least 8 characters and have symbols, numbers, and both upper & lowercase letters. But why?

The answer is math.

When your password has only lowercase letters, the number of possible options for each character is 26. If your password were only 4 characters long and only lowercase, there would be 475,254 possible combinations (that figure counts every password of up to 4 characters, which is how GRC's calculator, used later in this tutorial, reports search space). For an online attack, you’re looking at about 8 minutes to crack it. That’s not very secure.

If you add uppercase letters, then the number of choices is 26+26 (26 lowercase, 26 uppercase). Still using a 4 character password, that is 7,454,980 possibilities. It now takes over 2 hours for an online attack. Pretty big difference, right?

Now if we add in numbers (10 possibilities) and symbols (33 possibilities), the number of possible options for each character is 26+26+10+33 = 95. Using the same 4 characters, there are now 82,317,120 possible passwords. An online attack searching all of that would take nearly a day.

If we double the length to 8 characters, the number of possibilities is now 6,704,780,954,517,120. That’s a lot, and searching all of it would take about two thousand centuries for an online attack. So imagine what a 12 character password gives you.

This is why it is recommended to have such a complex and hard to guess password.
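As an added illustration (not part of the original tutorial), the following Python reproduces the search-space figures above. It assumes, as GRC's calculator does, that the search space counts every password up to the given length and that an online attack manages one thousand guesses per second; both assumptions are marked in the code.

```python
# Added example: reproduces the tutorial's password search-space figures.
# Assumptions (GRC's conventions, not stated in the tutorial itself):
#   - search space = all passwords of length 1..max_length, not just max_length
#   - an online attack runs at 1,000 guesses per second

ALPHABETS = {
    "lowercase": 26,
    "upper + lower": 26 + 26,
    "upper + lower + digits + symbols": 26 + 26 + 10 + 33,  # = 95
}

ONLINE_GUESSES_PER_SECOND = 1_000          # GRC "online attack" scenario
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def search_space(alphabet_size, max_length):
    """Number of distinct passwords of length 1..max_length.

    This is why the tutorial quotes 475,254 for 4 lowercase letters rather
    than 26 ** 4 = 456,976: every shorter password is counted as well.
    """
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def seconds_to_search(space, guesses_per_second=ONLINE_GUESSES_PER_SECOND):
    """Worst-case time to try every password in the space."""
    return space / guesses_per_second


def describe(seconds):
    """Coarse human-readable duration, enough to compare scenarios."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < 365.25 * 86400:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_CENTURY:,.0f} centuries"


if __name__ == "__main__":
    # Prints the tutorial's four cases plus the 12-character ones it alludes to.
    for label, size in ALPHABETS.items():
        for length in (4, 8, 12):
            space = search_space(size, length)
            print(f"{label:34s} len<={length:2d}: {space:>32,d}  "
                  f"online: {describe(seconds_to_search(space))}")
```

Running it prints 475,254 / 7,454,980 / 82,317,120 for the three 4-character alphabets and 6,704,780,954,517,120 for 8 characters over all 95, with the online-attack times the tutorial quotes (about 8 minutes, about 2 hours, about 23 hours, and roughly 2,125 centuries).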

But having these elements in your password isn’t enough: password cracking tools start with common words and items associated with you, such as your birthday. So it’s important not to have dictionary words, the names of anyone in your family (including pets), or dates of anything significant in your passwords.

If your daughter is named Cindy and she was born on January 3rd, the password “Cindy0103!” would actually not be that hard for a computer to guess, since the hacker would start by feeding the computer everything the hacker knew about you.

Simple Password

Now that we’ve covered some password basics, let’s move on to creating some good passwords. First, you need to come up with a simple password that’s not too hard to remember. I happen to be a very visual person and remember things best when I remember a picture, so a lot of my passwords are words related to something I see. This could be something on the site, a picture in an email I have open, or something on my desk.

For this example I will use “giftcard” since I have one of those on my desk. In fact, I could even write down the password “giftcard”, because what I input into the computer is going to be a lot more complex.

Converting to Secure Password

Now that we have our password (for the purpose of this tutorial we will only use lowercase letters in the simple password), we need to create our substitution cypher. This is pretty easy to do; we just want to make sure that we put some strong elements on a few key letters. If you remember Wheel of Fortune, the common consonants in English are RSTLN. We will also put strong characters on the vowels, AEIOU.

[image: cypher_start]

This is what our cypher looks like so far. I’ve put a symbol on all of the vowels, which basically guarantees that at least one symbol will show up in the password we create. I’ve also put numbers on some of the common consonants. This means just about any password we come up with using an English word will have at least one symbol and at least one number.

At this point we have two options: we could continue building our cypher, or just stop where we are.

Keep our Current Cypher

If we keep our current cypher, we already have numbers and symbols. Applying it to our password “giftcard”, we get “g#f7c&4d”. This is already a pretty strong password. However, it doesn’t contain any uppercase characters. To remedy this we could come up with a simple rule such as “always capitalize the second non-replaced consonant”. This would give us:

[image: finished_password]

The password now meets all of the criteria for a strong password. And to create that password we have 10 substitutions and one rule to remember. It may take a little work to memorize, but it is doable to memorize that much.

Making a More Complex Cypher

Let’s say you want an even more complex cypher. That’s pretty easy: we mix upper and lowercase letters among the remaining 16 letters in our cypher, to get something like this:

[image: cypher_complete]

Now that we have assigned a substitution to each letter of the alphabet, we just need to apply the substitution to “giftcard”.

[image: password_stronger]

Storing Cyphers & Passwords

It is important to remember that if you write down your password and your cypher, you store them apart. One approach is to create a password-protected file on your computer where you store your cypher (here is a tutorial for creating password-protected Word files). Or, if you are good at memorizing things, you can memorize your cypher (this is what I have done) and then just keep plain text notes of your passwords. Without the cypher, all someone would really know is how many characters are in the password.

Taking a quick look over at GRC’s calculator for time to crack a password, both of our 8-character passwords come out at over two thousand centuries for an online attack. That’s doing pretty well.

Secondary Cypher

Unfortunately, not all online services allow you to use symbols in your passwords. For these services you need to have a second cypher with no symbols. This can be done by taking the original cypher and using either uppercase letters or numbers for the vowels.
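The whole procedure, as an added example rather than the tutorial's own code: the partial cypher with the capitalization rule (the "Keep our Current Cypher" section), a cypher extended to all 26 letters with mixed case (the "More Complex Cypher" section), and the symbol-free secondary cypher described just above. Only four substitutions (i→#, a→&, t→7, r→4) are taken from the tutorial's “g#f7c&4d” result; every other value, the alternating-case extension, and the `character_classes` check are constructed for this example and labelled as such in the code.

```python
import string

# Partial cypher in the tutorial's shape: a symbol on every vowel and a digit
# on each of the common consonants RSTLN.  Four values (i->#, a->&, t->7, r->4)
# are read off the tutorial's "giftcard" -> "g#f7c&4d" result; the other six
# are constructed placeholders for this example, not the tutorial's own.
PARTIAL_CYPHER = {
    "a": "&", "e": "@", "i": "#", "o": "%", "u": "!",  # vowels -> symbols
    "r": "4", "s": "5", "t": "7", "l": "1", "n": "9",  # RSTLN -> digits
}


def apply_cypher(word, cypher, capitalize_rule=True):
    """Run a simple (lowercase) password through the cypher.

    Letters with an entry are substituted; letters without one pass through.
    With capitalize_rule=True the tutorial's extra rule is applied as well:
    the second letter that was NOT replaced is written in uppercase.  For a
    cypher that covers all 26 letters the rule never fires, since nothing
    passes through unreplaced.
    """
    out = []
    passed_through = 0
    for ch in word.lower():
        if ch in cypher:
            out.append(cypher[ch])
            continue
        passed_through += 1
        out.append(ch.upper() if capitalize_rule and passed_through == 2 else ch)
    return "".join(out)


def secondary_cypher(primary):
    """Symbol-free variant for sites that reject symbols: every symbol value
    is replaced by the uppercase form of the letter it stood for (the
    tutorial's 'uppercase letters for the vowels' option)."""
    return {k: (k.upper() if v in string.punctuation else v)
            for k, v in primary.items()}


def complete_cypher(partial):
    """Extend a partial cypher to all 26 letters by alternating lowercase and
    uppercase over the letters it leaves untouched.  This is a constructed way
    of doing the tutorial's 'mix upper and lowercase' step, not its table."""
    full = dict(partial)
    upper_next = False
    for ch in string.ascii_lowercase:
        if ch not in full:
            full[ch] = ch.upper() if upper_next else ch
            upper_next = not upper_next
    return full


def character_classes(password):
    """Which of the four classes (lower, upper, digit, symbol) are present.
    A strong password in the tutorial's sense contains all four."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    for name, cy in [("partial", PARTIAL_CYPHER),
                     ("complete", complete_cypher(PARTIAL_CYPHER)),
                     ("secondary", secondary_cypher(PARTIAL_CYPHER))]:
        pw = apply_cypher("giftcard", cy)
        print(f"{name:9s} giftcard -> {pw}  classes={sorted(character_classes(pw))}")
```

With the rule read as "the second letter the cypher did not touch", the partial cypher turns “giftcard” into g#F7c&4d; the secondary cypher gives gIF7cA4d, which `character_classes` confirms has no symbol but still mixes lower, upper and digits.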

Variations

There are a number of variations on this technique using different approaches for the substitution cypher, but the principle remains the same. Use words that don’t have any particular association with you (such as “giftcard” in this example), and then modify them by substituting numbers, symbols and uppercase letters for some of the letters.

Feel free to create your own variations on the cypher, and have fun with it! I hope this tutorial helped!
