How to choose a very strong password – Password Management

Security is a big deal. Let’s talk about how to choose a very strong password, one that is hard to guess or crack, and how to manage your passwords.

TL;DR: I won’t waste your time with useless details. Here are the top tips for making sure every account you create, anywhere, is as secure as it can be:

  • never use the same password twice;
  • make longer passwords, minimum 12 characters;
  • avoid clichés and personal details;
  • never log in if you don’t trust your current internet connection;
  • never log in if the website or store does not have a valid HTTPS certificate;
  • incognito windows, private windows, and similar browser features are usually pointless for security;
  • always use two-factor authentication where it is offered;
  • if there is an option, opt for using a password (like the Windows logon).

If you stick to these religiously, you will in most cases be safe.

Please keep in mind that no matter how strong your password is, if the store or website you gave it to gets compromised, there is a chance your password is compromised with it. That’s why you should never reuse a password.

Also, don’t overlook passwords. It is so tempting to save 10 seconds and just enter the same password everywhere. And I’m not being paranoid… but what if? What if someone guesses it? Or worse? These days, everything is online. Private stuff, work stuff, money stuff, hobby stuff… everything. So do yourself a favor and take care of this before it’s too late.

How do I generate my passwords?

Some people use generators, or let their password manager generate passwords. That’s fine, and a randomly generated password stored in a manager is the strongest option for accounts you never have to type by hand.

I use common words that are familiar to me, that do not personally identify me, and that add up to at least 12 characters in total. I also have a pattern, memorized through repetition, for swapping letters for numbers or symbols.

Seed words can be what I have on my desk: glass, battery, and mouse.

On top of the seed words, I capitalize each word, replace the letter a with the character ^, and replace the letter y with 7. The first word gets an underscore (the _ character) after its third character. Always. And I separate the second and third words with a dash, -. After years of following this pattern I have a lot of strong passwords, and most of them (for the websites I log in to often) I know by heart.

So what would a password based on the above seed words look like? Like this: Gl^_ssB^tter7-Mouse

You’ll notice that the password ticks all the boxes of a strong password:

  1. You cannot identify me by it. Everybody owns some of those items.
  2. It has all character classes: numbers, uppercase letters, lowercase letters, and symbols.
  3. It has 19 characters. Long enough to be tough to brute force.
  4. It is not written down anywhere physically but stored in my secure password manager.
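Here is the pattern from this post written out as code, together with the checks from the list above. This is an added example, not code from the original post: the helper names are mine, the seed words are the post’s, and I assume (as in the worked example “B^tter7”) that only a lowercase y is swapped for 7, so a capital letter starting a word is left alone. The last function inverts the pattern, to illustrate a caveat: once the pattern is known, what is left to guess is three dictionary words.

```python
import re
import string

# Letter-for-symbol swaps from the post. The capital letter is applied first,
# so "a" and "A" both map to "^"; only lowercase "y" is swapped, matching the
# post's example "B^tter7" (assumption: a capital "Y" starting a word stays).
SUBSTITUTIONS = {"a": "^", "A": "^", "y": "7"}
REVERSE = {"^": "a", "7": "y"}


def transform_word(word: str) -> str:
    """Capitalize the seed word, then apply the letter-for-symbol swaps."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in word.capitalize())


def build_password(seed_words) -> str:
    """Apply the post's pattern to three seed words:
    - every word capitalized and substituted,
    - an underscore after the third character of the first word,
    - a dash between the second and third words.
    """
    if len(seed_words) != 3:
        raise ValueError("the pattern uses exactly three seed words")
    first, second, third = (transform_word(w) for w in seed_words)
    first = first[:3] + "_" + first[3:]
    return first + second + "-" + third


def check_strength(password: str, min_length: int = 12) -> dict:
    """The checklist from the post: all four character classes and a minimum length."""
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    return {
        "length": len(password),
        "long_enough": len(password) >= min_length,
        "all_classes": all(classes.values()),
        **classes,
    }


def recover_seed_words(password: str) -> tuple:
    """Invert the pattern (constructed for this example, to show a caveat).
    Anyone who learns the pattern, e.g. from one leaked password, gets the
    three dictionary words back, so an attacker with a word list guesses
    word triples instead of searching the full 19-character keyspace.
    """
    body = password.replace("_", "", 1)
    head, third = body.split("-", 1)
    # words one and two are only delimited by the capital that starts word two
    words = re.findall(r"[A-Z][^A-Z]*", head) + [third]
    return tuple("".join(REVERSE.get(ch, ch) for ch in w).lower() for w in words)


if __name__ == "__main__":
    pw = build_password(["glass", "battery", "mouse"])
    print(pw)                      # Gl^_ssB^tter7-Mouse
    print(check_strength(pw))
    print(recover_seed_words(pw))  # ('glass', 'battery', 'mouse')
```

Run it and the three seed words come out as Gl^_ssB^tter7-Mouse, exactly as in the post; run recover_seed_words on that password and the words come straight back, which is the point of the caveat.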

Now, I get that some websites have limits. Maybe you can only use 18 characters. Be creative! Choose other seed words if you like this technique. One caveat: the strength comes from the length and from the words not being guessable, not from the symbol swaps, which cracking tools apply as standard rules. And if one password built this way ever leaks in plain text, the pattern leaks with it, so keep the randomly generated passwords from your manager for anything you never need to type.

Why all the rules for choosing a strong password?

Well, to be secure of course! If you’ve stuck around this far, we’re going to go through the reasoning for each of the rules above.

Never use the same password twice

This one is easy. If you use the same password everywhere and one of the websites you log in to gets compromised, something like this can happen: whoever cracks the compromised website’s database and recovers your e-mail and password will try that combination on other websites (the technique is called credential stuffing). Say they found your e-mail and password in a compromised store’s database, and then they try the same pair on Gmail. You just got a stranger lurking around your e-mails. Not fun, right?

Make longer passwords, minimum 12 characters

Even with all the cheeky symbols and horrible-to-memorize characters, if a password is under 8 characters I have bad news.

Hardware nowadays is pretty powerful, and so are the cracking software and password dictionaries. That means your average 6-character password can be cracked in no time, especially if the site stored it with a fast hash.

A 16-character password can be close to impossible to brute force if it is built properly (not a single dictionary word or a predictable phrase), or at least take so much effort that it is not worth it for whoever is ill-intentioned.

Also, a long password reduces the chance that it can be guessed by an acquaintance or someone close to you.
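To put numbers on “cracked in no time” versus “not worth it”, here is the keyspace arithmetic behind the length rule, as an added example that is not part of the original post. The guess rate is a constructed assumption (roughly one GPU rig against a fast hash); the alphabet sizes are the standard ones for the character classes the post lists. The last function does the same calculation for the case where the attacker knows the password is dictionary words plus a fixed pattern.

```python
# Constructed assumption for the numbers below: a single GPU rig trying about
# 10 billion guesses per second against a fast hash (MD5, NTLM). Against a
# deliberately slow password hash such as bcrypt or Argon2 the rate is
# several orders of magnitude lower, and online guessing (rate-limited
# login forms) is slower still.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes for the character classes the post talks about.
CHARSETS = {
    "lowercase": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: every candidate is tried.
    On average a blind search hits the password after half of this."""
    return keyspace(charset_size, length) / rate


def years_to_exhaust(charset_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(charset_size, length, rate) / SECONDS_PER_YEAR


def seconds_to_exhaust_word_triples(wordlist_size: int, words: int = 3,
                                    rate: float = GUESSES_PER_SECOND) -> float:
    """Same calculation when the attacker knows the password is built from
    dictionary words plus a fixed transformation: the search space is the
    word list raised to the number of words, not the character keyspace."""
    return wordlist_size ** words / rate


def describe(seconds: float) -> str:
    """Human-readable duration for the table printed below."""
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    for length in (6, 8, 12, 16):
        for name, size in CHARSETS.items():
            print(f"{length:2d} chars, {name:20s}: "
                  f"{describe(seconds_to_exhaust(size, length))}")
    print("3 words from a 10,000-word list, pattern known:",
          describe(seconds_to_exhaust_word_triples(10_000)))
```

At that rate, 6 printable characters fall in about a minute, 8 in about a week, and 12 take over a million years; but three words from a 10,000-word list with a known pattern are back down to 100 seconds, which is why the words have to be unguessable and the pattern has to stay private.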

Avoid cliche and personal stuff

No, passw0rd is not a strong password. Neither is 123strongpassword. Stop doing that; you’re asking for trouble.

It is good practice for passwords to have no relation to our personal lives, because someone who wants to do harm usually uses what they know, or have just found out, about you. This falls under social engineering.

So your birthday, your dog’s name, your spouse’s name, your licence plate number, and other things that identify you are not great passwords, simply because they are among the first things someone will try as soon as they learn them.

Never log in if you don’t trust your current internet connection

Shady coffee shop? A random petrol station? No thanks, I’d rather use my phone’s 3G/4G connection. At least I have some control over it.

Also, wireless is kind of crap when it comes to security. Use wired connections as much as possible.

Or if you insist on using a wireless connection, use DoH (DNS over HTTPS) and a VPN for anything sensitive.

Never log in if the website or store does not have a valid HTTPS certificate

The lack of an HTTPS (TLS) connection tells you one of two things: it’s either a scam website or the owner does not care about your data and security. (Or maybe they forgot to renew the certificate and it’s temporary.)

I don’t recommend using websites that do not use an HTTPS connection. You can recognize it easily: check that the address bar shows https:// and a padlock to the left of it. Keep in mind that the padlock only tells you the connection to that site is encrypted; it says nothing about whether the site itself is trustworthy, and scam sites get valid certificates too.

Incognito windows, private windows, and other browser stuff are usually pointless

Know this: those kinds of browser windows just don’t keep history, cookies, and cache on that PC after you close them. That’s it. And even those traces can sometimes be recovered with specialized software.

Your ISP still sees all your traffic, the websites you connect to still see your IP address and location, and everything else stays the same. If you want privacy on the network, use a VPN that offers full encryption and no logging. Some pointers here about this subject.

Always try to use two-factor authentication or 2FA

It’s simply more secure, and hard to beat: an attacker now needs both your password and your phone (or security key), and that’s a much harder combination to get hold of. If you lose your phone you usually take immediate action; it’s not like you can go more than a couple of hours without noticing. If you get a choice of method, prefer an authenticator app or a hardware key over SMS codes, which can be intercepted or redirected with a SIM swap.
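To make “know your password and have your phone” concrete, here is the time-based one-time password algorithm (RFC 6238, built on HOTP from RFC 4226) that authenticator apps implement, as an added example that is not code from the original post. The shared secret is the one from the RFC test vectors; the verification window and the replay rule are my assumptions about how a well-behaved server checks the code.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    This is what the app on the phone computes every 30 seconds; the only
    inputs are the shared secret enrolled from the QR code and the clock."""
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, now: float, last_accepted: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check (assumed policy). Returns the counter that matched, or None.

    - `window` steps either side of the current one tolerate clock drift
      and the user typing the code just as it rolls over;
    - counters at or below `last_accepted` are refused, so a code read over
      someone's shoulder cannot be replayed inside the window;
    - hmac.compare_digest avoids leaking the match through timing.
    """
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))                      # 755224
    print("TOTP at T=59, 8 digits:", totp(TEST_SECRET, 59, digits=8))  # 94287082
    print("current 6-digit code:", totp(TEST_SECRET, time.time()))
```

The point for the reader: the code is derived from a secret that only the phone and the server hold, plus the time, so a leaked or phished password on its own is not enough; the server should also record the counter it accepted so the same code cannot be used twice.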

If there is a choice, always use a password

So if a password is optional, just use one. For example, at some point you may have been offered the option of logging in to Windows without a password. I’d rather have a password, just in case. I’ll waste those 3 seconds typing it. It is just another layer of security that isn’t ‘that’ inconvenient if we’re being honest.

Good password managers?

Sure. There are some great ones.

I especially like Bitwarden. It offers 2FA and strong encryption, and even the hosted version (the one you don’t run yourself) offers end-to-end encryption and other goodies.

But I went the self-hosted route, since I already have a home server / home lab. The advantages of self-hosting Bitwarden are more control over the data (it’s on my server, hosted locally), some of the premium features for free, and as much storage space as your server has. The flip side is that backups, updates, and the TLS certificate are now your job.

I’ve also heard good things about Keeper and Dashlane. Never tried them myself, to be honest.

That’s it with the strong passwords

This was a long blog post!

So that’s about it regarding strong passwords. I urge you to be very responsible nowadays with your passwords. Everything is digital and it would be a shame to lose access to an account or several just because you overlooked such a simple step in terms of security.

All in all, please keep in mind that if the software or website you are using does not care about security, you are not secure. But if you follow these rules, at least you will be much less vulnerable to potential issues.
