Many people’s first reaction to a password change is annoyance: You’ve been using a password for a while without any problems, you had it memorised, but now you’re told that you have to set a new password and memorise that.

But in a security-conscious world, and with lots of confidential data around an establishment such as Queen’s, you are responsible for keeping your account secure. A change of password is a good thing: it removes any chance that someone who has previously obtained your password can access your confidential work or details. It also keeps things fresh, and allows you to update your password to something more secure than your previous one.

So, how do you set a password that works for you, while covering all the requirements?

What makes a “good” password?

A good password is:

  • secure (i.e. difficult to hack)
  • difficult for someone to guess
  • memorable*

*Or alternatively, for an extra-secure password, use a random character generator and a password manager to “remember” it – see below.

Secure

The requirements of a secure password are set by the account provider (in this instance, Queen’s University). In most cases, providers require a password to contain the following:

  • At least 8 characters (these days, some account providers require more, such as minimum 12)
  • Lower-case letter(s)
  • Upper-case letter(s)
  • Numeric character(s)
  • Symbol(s) such as &,;@=^

Most account providers also require that the password is not the same as one previously used. Some have additional, more intricate requirements, such as eBay not allowing the word “eBay” to feature in its users’ passwords.

Difficult to guess

Avoid using:

  • Obvious names, such as your name, your address, the names of your family
  • Dictionary words or phrases that make sense, such as “red balloon”
  • Favourite hobbies, TV shows, etc.
  • Published phrases, such as from literary works or lyrics
  • Obvious strings of characters, such as:
    • 1234567…
    • ABCDEFG…
    • QWERTYU…
    • password

Remember, the hacker could be a person who knows something about you, such as your address, name or hobbies, or it could be a computer program trying millions of different combinations. For the latter, common phrases and extracts from published works that already exist on the internet are the easiest terms for it to try.
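As an added example (not part of the original post), here is a small Python check that applies the “Secure” requirements and the “Difficult to guess” warnings above: minimum length, character classes, reuse of a previous password, obvious character runs (1234567, ABCDEFG, QWERTYU) and a blocklist of words such as “password”. The run length of four, the keyboard rows and the blocklist contents are assumptions made for the example.

```python
MIN_LENGTH = 8  # the post's minimum; many providers now require 12

# Character runs the post flags as obvious; reversed forms are checked too.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumed QWERTY layout
SEQUENCES = (ALPHABET, DIGITS) + KEYBOARD_ROWS
RUN_LENGTH = 4  # assumption: any 4-character slice of a sequence is "obvious"

# Constructed blocklist for the example; a real deployment would load a
# full dictionary or breached-password list here.
BLOCKLIST = {"password", "qwerty", "letmein", "queens"}


def contains_sequence_run(pw: str) -> bool:
    """True if the password contains RUN_LENGTH consecutive characters
    taken from any known sequence, forwards or backwards."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - RUN_LENGTH + 1):
                if s[i:i + RUN_LENGTH] in low:
                    return True
    return False


def check_password(pw: str, previous=()) -> list:
    """Return the list of rules the candidate breaks; an empty list means
    the password passes every check. `previous` holds earlier passwords
    (a real system would compare against stored hashes instead)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if not any(not c.isalnum() for c in pw):
        problems.append("no symbol")
    if pw in previous:
        problems.append("same as a previously used password")
    if contains_sequence_run(pw):
        problems.append("contains an obvious character sequence")
    if any(word in pw.lower() for word in BLOCKLIST):
        problems.append("contains a blocked word")
    return problems
```

Running it on the post's own examples, the plain name list “BrendaBrianNiamhTerry” fails on digits and symbols, while the scrambled “Nda%1an^Amh&rry” passes every check.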

Easy to remember

Don’t write it down!

I’m sure we’ve all seen it. Written in the corner of the whiteboard; the note paper kept in the wallet… and the worst culprit of all: the Post-it note stuck to the laptop or computer screen.

(Image: a blank sticky note pinned to the wall.)

These are all a bad idea, for obvious reasons. Anyone who gets into the room when no one is there, or steals your wallet, or your laptop, can obtain a password – and that could get them into all sorts of confidential areas if it’s an account that gives you access to multiple systems.

Here’s a cautionary tale from the Hawaii emergency agency in 2018 (note that this is an external site and may contain advertising). A photo was posted online, which included a forgotten sticky note in the background. It contained a password that was easily readable by anyone in the world. Don’t make the same mistake!

So, how can a password be difficult to guess, but easy to remember? Here are a couple of tips to help you think of a password that works for you.

Try using partial words

Take your preferred words, and scramble them up a bit. Say you have a list of names of aunts and uncles that you would like to use as your password:

BrendaBrianNiamhTerry

As mentioned above, using complete words is not a good plan as they exist on the internet and they could be guessed by a computer hacking program. Additionally, using the names of people close to you isn’t ideal, as a person who discovers something about you could ultimately guess these.

So, how about just using the initials? Or, even better, the last three letters of each name?

ndaianamhrry

Just add a few capitals, numbers and symbols, and Terry’s your uncle:

Nda%1an^Amh&rry

Tell a story, or conjure up an image

Pick some completely random words, then make up a story, or conjure up an image to link these together, such as this extract taken from an XKCD comic strip (licence details):

(Image: cartoon depicting an imagined horse looking at a battery with a staple stuck in it. The horse says, "that's a battery staple." A voice out of frame says, "Correct!")

correct horse battery staple

Again, just take those words and make them password-worthy, by using only a few letters of each, adding numbers and symbols, etc.

corrhorsbattstap
c0rrH0rsb4ttst@p

Random character generators: the most secure password?

Finally, a different approach is to use an entirely randomised sequence of numbers and letters. You can create one of these using a free generator such as passwordsgenerator.net. The obvious drawback to this is that it can be very difficult to remember the password afterwards, and especially multiple different passwords for different services.

So the common solution is to save your passwords in a user account in your web browser, or to use a password manager such as LastPass. Just be aware that the one weakness to these services is that you must still remember one password to access the rest of your passwords. And it must be really secure, because otherwise if someone guesses it, they could have access to all of your saved user accounts.

The take-home point: whatever approach you choose, pick a password that is secure, memorable and difficult to guess, using the tips above.


Tony Furnell

E-Learning Officer in the School of Medicine, Dentistry and Biomedical Sciences at Queen's University Belfast. Passionate about digital literacy, making life easier for users of technology by designing better systems, and incorporating equality, diversity and inclusivity (EDI) (including accessibility) into teaching and daily work.
