The surprisingly easy to remember password that you can use for EVERYTHING (probably) is:
spadedGrutch24-[name of website]
Typical usage example:
For facebook: spadedGrutch24-face
For microsoft: spadedGrutch24-micr
For mybankname: spadedGrutch24-myba
Wait, what? That doesn't look easy to remember at all! Well, read on. This tricky-looking password is actually very simple to remember. You can also generate another one by refreshing this page if you like.
It is based on the randomly generated 6-letter word spaded, combined with a second capitalised word so that the base is nice and long. The current year and one punctuation character are added too. You will then add one or more letters, a partial word or a whole word yourself, see below.
To remember the full password, you only need to remember:
Make the part you add at least a few characters long; the examples above use the first four letters of the service name.
In order to be secure and convenient, there are a surprising number of rules we need to satisfy. Many security rules make passwords hard to remember or type, so we use a system to help.
If you have to write it down, someone might see it. Your head is the safest place.
Well, to be honest, if your password is long enough, these things aren't really adding anything to your security. But, since some systems will insist due to out-of-date security notions, we have no choice but to include them in our system. Otherwise, we might find places where we cannot use our password system. That's why we can just use the year number: it isn't adding to our security, it only exists to satisfy this requirement.
It would be quite secure to use a password like correcthorsebatterystaple, but some systems will not accept it anyway. The hashes of all dictionary words, and of the common passwords, have already been calculated, so converting those hashes back into the words is really easy. It isn't such an issue when you use words as part of a strong password, but on their own, or in combination with silly ideas like L33T speak or a simple number added, they are insecure. We can use a dictionary word in this password system because we will not be using it in an insecure way.
Because precomputed tables already cover every short password and every common one, and a fast unsalted hash lets an attacker brute-force every combination of up to about eight characters in hours to days. A long password with a random, non-dictionary base is out of reach of both if it is caught up in a leak. Hashes are explained below.
That is true, which is why you should add that small difference: the first few letters of the service name (four in the examples above) go into your password. The reason is that if the muppets who made the system don't protect your password properly, only one (or maybe some, in the case of multiple services with similar names) of your passwords can be cracked from the leaked hashes. Note what this does not protect against: if a site stores or reveals your password in plain text, or you are phished, the pattern itself is visible, and the other site-specific variants are easy to guess from it.
Well, in truth you should not have to. The periodic change only re-protects you in the unlikely event your password (or a weak password's hash) was somehow leaked. If you use a proper password, though, there is almost no chance of hackers learning it even if the hash was leaked.
Your password isn't always known only to you, it is possible that the owners of the system you are logging into know it as well. Do you trust them?
They should NOT know it, but you are not in control of how they make their system. What they should do is store your password using a one-way function, converting your password to a hash, which is called hashing. (This is not encryption: there is no key, and the operation is designed so that it cannot be reversed.)
The hash of the word 'password' for example is:
5f4dcc3b5aa765d61d8327deb882cf99 (using the md5 method) or
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 (using the SHA1 method)
Because no matter how many times I hash the word 'password' with a given hash function, I will always get this same answer, I can save only the hash in my database instead of the password.
When someone logs in, I hash the password they typed and compare the result with the hash in the database. If it matches, I know you typed the correct password, but I never needed to have your password recorded anywhere in my system.
I can increase security further by salting the passwords: a random value, different for every user, is stored next to the hash and mixed into the password before hashing. Two users with the same password then get different hashes, and a pre-calculated table of hashes (see below) becomes useless, because the attacker would need a separate table per salt. Using a deliberately slow hash function on top of the salt, rather than a single pass of MD5 or SHA-1, makes guessing slower still.
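The hash-and-compare login flow and the salting described above, as an added example that is not code from the original page. It first reproduces the unsalted MD5 and SHA-1 digests of 'password' quoted earlier, then shows the safer way to store a password: a random per-user salt and a slow, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library). The record format `pbkdf2_sha256$rounds$salt$hash` and the iteration count are this example's own assumptions, not anything the page prescribes.

```python
import hashlib
import hmac
import os


def fast_hash(password: str, algorithm: str) -> str:
    """Unsalted single-pass hash of the kind the text shows (md5, sha1).

    Deterministic: the same input always produces the same digest, which is
    exactly what makes pre-calculated tables possible.
    """
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


# Assumption: a deliberately high iteration count so every guess costs real time.
PBKDF2_ROUNDS = 600_000


def make_record(password: str) -> str:
    """Return what the server stores instead of the password.

    Hypothetical record format: pbkdf2_sha256$rounds$salt_hex$hash_hex.
    A fresh 16-byte random salt is drawn for every record, so two users with
    the same password end up with different records.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-hash the login attempt with the stored salt and rounds and compare.

    The stored record is enough to check a guess but never reveals the
    password itself. compare_digest avoids leaking timing information.
    """
    algorithm, rounds, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed demonstration values.
    print("md5  :", fast_hash("password", "md5"))
    print("sha1 :", fast_hash("password", "sha1"))
    record_a = make_record("correcthorsebatterystaple")
    record_b = make_record("correcthorsebatterystaple")
    print("same password, different records:", record_a != record_b)
    print("correct login :", verify("correcthorsebatterystaple", record_a))
    print("wrong login   :", verify("correcthorsebatterystapl", record_a))
```

Because the salt is stored in the record, verification needs nothing secret on the server side; what the attacker gains from a leaked record is only the ability to test guesses, each of which now costs hundreds of thousands of hash operations instead of one.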
Hackers keep a file of pre-calculated possible passwords and their hashes. If a database leaks your password's hash, and the hash is already in their dictionary, they can lookup your password. A small example might look like:
| Password | SHA1 hash |
|---|---|
Password123 | b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1 |
Pumpk1n45 | 0a95b944d894742f388628e5637d05d39282438e |
Bruiser1974 | d38b1971dc91cec93e5f230e4e3a8621c3a6d650 |
69Mustang | 9b7002e9c3e1734e5ed211d269613064e5c8cc7f |
If your password hash leaks and is in this list, a bad actor reveals your password with a single lookup in the pre-calculated dictionary. Real tables are far bigger than this sample: dictionary words and commonly used passwords are all precomputed, including with numbers or years at the front or the end, and with letters replaced by similar-looking symbols. Nobody stores every combination of up to 12 characters (that would be astronomically large), but nobody needs to: against a fast, unsalted hash such as MD5 or SHA-1, every combination of up to about eight characters can simply be brute-forced on GPUs in hours to days. If they have a particular account in mind, they check its hash against the dictionary first; if your password is short, or a dictionary word with the usual tweaks, it's broken right away, without any hard work.
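The lookup attack described above, as an added example that is not code from the original page. It builds a small pre-calculated table of unsalted SHA-1 hashes from a constructed five-word list, applying the kinds of tweaks the text lists (capitalisation, look-alike symbols, digits or years at the front or the end), then "cracks" a leaked hash with one dictionary lookup. It also shows why the salting mentioned earlier defeats the table, and why a password like this page's spadedGrutch24-face is not in it. The word list and the mangling rules are this example's own assumptions about what a cracker's dictionary contains.

```python
import hashlib
from typing import Dict, Iterator, Optional

# Constructed word list standing in for a real cracking dictionary.
BASE_WORDS = ["password", "pumpkin", "bruiser", "mustang", "sunshine"]

# Look-alike substitutions (assumed rule set; real tools have far more).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1, the kind of hash the table in the text is built from."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield the common variations of one base word.

    Covers plain/Capitalised/UPPER forms, the same with look-alike symbols,
    a few popular suffixes, two-digit numbers at either end, and years.
    """
    forms = {word, word.capitalize(), word.upper()}
    forms |= {form.translate(LEET) for form in list(forms)}
    for form in forms:
        yield form
        for suffix in ("1", "!", "123"):
            yield form + suffix
        for n in range(100):
            yield f"{form}{n:02d}"
            yield f"{n:02d}{form}"
        for year in range(1950, 2031):
            yield f"{form}{year}"


def build_table(words=BASE_WORDS) -> Dict[str, str]:
    """Precompute hash -> candidate once; the work is reused for every leak."""
    return {sha1_hex(candidate): candidate for word in words for candidate in mangle(word)}


def crack(leaked_hex: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup: no hashing needed at attack time."""
    return table.get(leaked_hex)


def salted_sha1(password: str, salt: bytes) -> str:
    """Same hash function, but with a per-user salt mixed in first."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    table = build_table()
    print(f"table holds {len(table)} precomputed hashes")
    # Constructed "leaked" hashes: these follow the patterns in the text.
    for leaked in (sha1_hex("Password123"), sha1_hex("Pumpk1n45"), sha1_hex("69Mustang")):
        print(leaked, "->", crack(leaked, table))
    # A long password built from a random, non-dictionary base is not in the table.
    print(sha1_hex("spadedGrutch24-face"), "->", crack(sha1_hex("spadedGrutch24-face"), table))
    # Even a weak password escapes the table once a salt is used (constructed salt).
    print(salted_sha1("Pumpk1n45", b"\x8b\x1e\x03\x7a"), "->",
          crack(salted_sha1("Pumpk1n45", b"\x8b\x1e\x03\x7a"), table))
```

The table is tiny here, but the structure is the point: all the hashing happens once, up front, and each leaked hash costs the attacker only a lookup. A salt forces the attacker to rebuild the table per user, and a long random base keeps the password out of any table at all.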