Our digital realities require a lot of passwords.

Your website(s) and host require passwords that should reflect a certain security level.
Every web service you use requires you to identify yourself with at least an email and password combination. As some of these web applications hold sensitive and confidential information about your business, your business structure or even some financial details, you are of course interested in them being secured. You want and need safe passwords to protect your business.

But how can you cope with the requirement of creating safe passwords when you have accounts with dozens or hundreds of services?
  • Do you write them all down on a sheet of paper? (- What if this piece of paper … ?)
  • Do you save them all in an application on your smartphone? (- Hopefully you are using a strong master passphrase to protect them?)
  • Or do you use something simple like ‘123456’ each time, just for the sake of using a password? (- You do know you shouldn’t do this, don’t you?)

So, the big question is, how do you create passwords that you can actually remember and that are solid and safe and don’t put your business at risk?

A Multi-Level Strategy For Creating Safe Passwords

I want to show you a few techniques for setting up a multi-level password strategy that is adjustable and expandable to your business requirements.
I distinguish between several security levels.

The first level is the high-security level and encompasses those devices and accounts that – if hacked – would cause the most damage. Included here are the main email accounts, the main payment accounts, the FTP access to websites and of course your computer.

The second level applies to all web services you are using that are not included in the first level. Many of these web services may be subject to integrations or part of an automated business process.

The third level would apply to all those websites that require a password to make use of the service, but don’t actually play an important role in the functioning of the business and do not require a particularly high security level.

Based on these three levels I have developed a password strategy.

For third level applications feel free to come up with something that you feel is appropriate to use as a password. Again, I don’t think passwords like ‘123456’ are a particularly good choice in any situation, but:

The second level of the security layer is the most interesting one.
I have learned this technique from the Anonymous collective, and I love it for its flexibility. It’s called an ‘endless password phrase’.

Here’s how it works:
At first, you create some long-tailed word that preferably cannot be found in a dictionary. It doesn’t need to make sense; the emphasis here is on a long word that cannot be figured out easily by trial and error. Something like “melonseedpicker”. Add some numbers to it, and a special character.
Example: “34melonseedpicker+”

In a second step you can use this long-tailed word on any website – with some adjustments and/or slight variations. For instance, when a certain website requires a password from you, you look at the site’s domain name, take its first and second letter and append them to your long-tailed word. Additionally, you can count the letters in the domain name and append that number to your long-tailed password as well.

Let’s say you are creating an account with Dropbox. Your password for Dropbox then would be “34melonseedpicker+dr7”. If you want to create a password for Twitter, your password would be “34melonseedpicker+tw7”.

With this method you can quickly and easily create passwords that are hard to guess.

Feel free to make some adjustments to the letter and number combinations. You could use the first and the third letter instead, or the first and the last letter. With the numbers, you can also be flexible. If you are good with mental arithmetic, you can come up with some simple mathematical series and create an additional layer of security here.

Even if your accounts were attacked by machines that can run a trillion attempts per second, it would take them several years to figure it out. – Until then, you will hopefully have changed the long-tailed keyword in your passphrase.

Finally, the first level of the security layer calls for a more sophisticated approach.

All apps and devices that are subsumed on the first level of my security strategy use a different password. I either use a different long-tailed keyword, or I create a very secure passphrase – a strategy I learned from an article in The Intercept; it’s called the Diceware technique.

The Diceware word list, which you can download here, contains 7,776 English words. Next to each word is a five-digit number, with each digit being between 1 and 6.

To create a secure passphrase, you’ll need a six-sided die, the Diceware word list and a pen and paper.

Roll the die several times, and write down the numbers you get. You’ll need a total of five rolls to come up with the first word in your passphrase. – Don’t just make up some numbers. It is very important that you roll the die, because by doing so you are generating entropy and extracting true randomness from nature.

If you roll the number three, then one, then two, then six, then two, and then look up in the Diceware word list 31262, you’ll see the word “glass”. That would be the first word in your passphrase.

You now repeat this step until you have come up with at least a six-word passphrase.

If you want a stronger passphrase you can use more words; but I wouldn’t use fewer than six words, because the strength of a Diceware passphrase depends on how many words it contains.

The above-mentioned article on The Intercept walks through the math behind passphrase guessing and points out that a five-word passphrase could be cracked in just under 6 months, whilst cracking a six-word passphrase would take 3,505 years on average.
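As an added example (not code from the article or from The Intercept), the short Python script below turns five-roll groups into word-list lookups and reproduces the figures quoted above, using the same trillion-guesses-per-second attacker assumed earlier in the text. The word list is a constructed stand-in: only the 31262 → “glass” entry comes from the article, the other entries are placeholders.

```python
import math

WORDLIST_SIZE = 6 ** 5            # 7,776 words, one per five-dice combination
GUESSES_PER_SECOND = 10 ** 12     # "a trillion attempts per second", as in the text
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed stand-in for the real Diceware list: only 31262 -> "glass" is
# quoted in the article; the other entries are placeholders for illustration.
SAMPLE_WORDLIST = {
    "31262": "glass",
    "11111": "placeholder-a",
    "66666": "placeholder-b",
}


def rolls_to_key(rolls):
    """Turn five die results (each 1..6) into the five-digit lookup key."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    return "".join(str(r) for r in rolls)


def passphrase_from_rolls(all_rolls, wordlist=SAMPLE_WORDLIST):
    """Group a flat sequence of die results into words, five rolls per word."""
    if len(all_rolls) % 5 != 0:
        raise ValueError("roll count must be a multiple of five")
    words = [wordlist[rolls_to_key(all_rolls[i:i + 5])]
             for i in range(0, len(all_rolls), 5)]
    return " ".join(words)


def entropy_bits(num_words):
    """Entropy of a passphrase drawn uniformly from the 7,776-word list."""
    return num_words * math.log2(WORDLIST_SIZE)


def average_crack_years(num_words, guesses_per_second=GUESSES_PER_SECOND):
    """Average time to find the phrase: half the keyspace at the given speed."""
    keyspace = WORDLIST_SIZE ** num_words
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(passphrase_from_rolls([3, 1, 2, 6, 2]))          # glass
    for n in (5, 6, 7):
        print(f"{n} words: {entropy_bits(n):.1f} bits, "
              f"~{average_crack_years(n):,.1f} years on average")
```

Each added word multiplies the keyspace by 7,776 (about 12.9 bits), which is why the six-word figure is roughly 7,776 times the five-word one.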
