Culture Tech

How do I make my passwords safe?

We hear it all the time — everyone reuses their passwords. It’s just an accepted fact at this point. The reason is simple: remembering a unique credential for every site you sign up with is just not practical for us mere humans. Couple that with the huge number of different websites and services the average person subscribes to (130 accounts for the average U.S. user, according to Dashlane — you’ve probably forgotten about most of them by now), and it’s a recipe for failure. It’s unfortunate, but passwords are still the most efficient way to manage user authentication. It doesn’t have to be so painful, though.

First off, please use something unique. SplashData, an internet security firm, publishes a yearly list of the worst (most common) passwords, and as a cyber professional I find what makes the list really disheartening. You can look through the list yourself here.

The top 10 winners of 2017 in all of their lazy, misguided glory:

1) 123456
2) password
3) 12345678
4) qwerty
5) 12345
6) 123456789
7) letmein
8) 1234567
9) football
10) iloveyou

I’ll keep this short: don’t use those.

The good news is that a lot of sites prevent you from using such simple passwords by enforcing password complexity and, annoyingly, asking you to change it every 30/60/90 days for business reasons. So how do you decide on your password? Is it “Winter_2018!”? “InsertSportsTeam”? Or something more generic? How many of you use more than just a password, or what we’ll call a passphrase?

The key to passwords is length. This is one of the general password requirements that I can agree with. The longer it is, the longer it will take to break when considering many of the methods attackers use to guess or brute force passwords. Passphrases, by design, are intended to be longer strings of characters that make sense to you, but no one would be reasonably able to guess. Something as simple as “IHateMyBrothersTruck_4187!” is going to be a lot stronger than most out there.

But you don’t want to use the same passphrase everywhere, right? So now we’re back to the initial problem.

What can you do?

Well, it depends on how complicated you want to get. You can get a password manager that will generate and remember your passwords for you. This is arguably the most secure way to go about password management, but those have their own limitations and learning curves. The more user-friendly option is to develop a pattern that you base your passwords off of.

Keep with the passphrase theory, but add something to make it unique to the site. For example, take Facebook: if your passphrase is Today!$notTomorrow, you could throw in an acronym that you can derive from each site. That way, your passwords stay just unique enough that one breached service doesn’t compromise everything.

Why does it matter?

Keep in mind that this idea is by no means exhaustive. There are many things you can do to be more secure online. From a bad guy’s perspective, here’s why password reuse matters: when there’s a breach, all of those emails and passwords are collected. Those email/password pairs are then run against every popular site to see which accounts can be compromised and further exploited. Going back to the Facebook example: if your password is Today!$notTomorrow, and I try that elsewhere with your email address, I’m likely going to get in. If I try Today!$notTomorrow_FB anywhere else, it’s likely not going to work anywhere aside from Facebook.

It’s a simple pattern, one that wouldn’t take a bad guy long to figure out. But here’s the thing — they don’t care. Time is money and if they have 1,000 passwords that DO work, they’re not going to come back to those that didn’t. Nothing in security is 100%; the trick is to make it hard enough for an attacker to get them to move on.
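To make the two points above concrete (the blocklist of worst passwords, and length as the main driver of brute-force cost), here is an added example of a minimal server-side password check; it is not code from the original post, and the minimum length and guess rate are assumed values chosen for illustration.

```python
# Added example (not from the original post): a minimal password policy that
# rejects the SplashData 2017 top-10 list quoted above, enforces a minimum
# length, and estimates worst-case brute-force time at an assumed guess rate.
import string

# The ten worst passwords of 2017 as listed in the post.
WORST_2017 = {"123456", "password", "12345678", "qwerty", "12345",
              "123456789", "letmein", "1234567", "football", "iloveyou"}

MIN_LENGTH = 14          # assumed policy value; the post argues for length first
GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate for a fast hash (constructed)


def alphabet_size(pw: str) -> int:
    """Size of the character set a brute-force search would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_years(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to exhaust alphabet_size(pw) ** len(pw) guesses."""
    space = alphabet_size(pw) ** len(pw)
    return space / rate / (365 * 24 * 3600)


def check_password(pw: str) -> tuple:
    """Policy: not on the blocklist (case-insensitive) and at least MIN_LENGTH long."""
    if pw.lower() in WORST_2017:
        return False, "on the common-password blocklist"
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    # The post's own examples, from worst to best.
    for candidate in ["123456", "Winter_2018!", "Today!$notTomorrow",
                      "IHateMyBrothersTruck_4187!"]:
        ok, why = check_password(candidate)
        years = brute_force_years(candidate)
        print(f"{candidate!r:30} {why:36} ~{years:.3g} years")
```

The years column only measures exhaustive search; a dictionary or pattern attack finds “Winter_2018!” far faster than its search space suggests, which is why the blocklist check comes first.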


I’m actually pretty good at passphrases that are utter gibberish to everyone but me. Great, right? Until some scumbag got enough of my bank info and was trying to steal my identity. They called my bank and changed my password, then started to clear out my account. Luckily, I use the bank app warnings, knew within minutes and was in a branch within 30 minutes of the changes. I beat the Fraud Department by 5 minutes in catching the incident; they returned my monies in a couple of days and provided letters to help with returned payment fees from…
