Time and time again we are presented with a registration form on some website which you (like me) wish to fill out as quickly as possible, and that haste can lead to small mistakes in choosing a password that is actually strong by today's standards.
Many times I choose an easy to remember password containing a series of letters and numbers, usually sequential, and of course I additionally add a special character or symbol, simply because I know that is what is expected of a "strong" password.
So I end up with something along the lines of:
tennis3022$ or Tennis1234$ or Tennis$111
And I'm totally satisfied!
My choice fulfills the password strength requirement on my form, so I click register and go on with my life.
Little did I know that each and every time I choose a password such as this - in 2019 - I am exposing that account to a very high risk from a brute-force attack.
Before we move on, let me state one thing you should not doubt: the plethora of tools and techniques for password cracking has been growing and improving over the years. What was pertinent for password creation ten years ago most definitely no longer applies today. This fact is not often mentioned, and minimum password requirements remain mostly unchanged in many places.
It no longer matters if you capitalise one character and place one symbol at the end of your 6-letter word... This is almost useless against a high-end brute-forcing attack. Instead we must extend our complexity by mixing things up a little.
Another factor is that leaked accounts linked to a unique email address may contain different (or perhaps similar) passwords, and these can be tied together with your actual email address, permitting a malicious user to attempt to log in (as you) using the combination of passwords which have previously been exposed and stored for your email address.
In essence I would simply like to warn and urge you to reconsider this fact the next time you are having to fill in that password field on any form.
The British National Cyber Security Centre (NCSC) recently released a gigantic list of the 100,000 most used passwords which were hacked and leaked to websites such as “Have I been pwned?”.
One big negative factor which was noticed: password reuse.
"Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band."
Of course the list contains some really easy to guess passwords but there are numerous with single special characters and capitals too - just the types of passwords I have been using until recently. These were passwords you would think are safe - I know I did.
Of course you are never safe from a hacker stealing user data directly from a website, and in that manner stealing your password - but what we wish to prevent is that which is under our control: Unauthorized access from brute-forcing attacks (learn about brute-force attacks HERE).
You can view the original giant list of leaked passwords HERE.
Granted, it may not affect all of us, as many have already adopted super complex password patterns into their lifestyle. But for the rest of us lagging behind, it's time to wake up.
So what can we do to combat this evolving danger and how do we as individuals remain safe?
Choose Your Passwords Wisely
Let me give you an easy idea to take away as a guide the next time you want to create a password - all it takes is a thought:
Choose a word (or combination of letters) with at least 8 characters.
Replace letters with numbers where possible (1337 5p34k?).
Replace letters with symbols where possible.
Add another pair of symbols to act as a separator.
Add the name of the website at the end, but spelt backwards (or reversed if made up from multiple words).
Okay time to give you an example of how you could formulate an easy to remember strong-as-heck password.
This is known as your very own secret formula!
(although the one I'm about to outline is technically my secret formula - I invite you anyway to use it as a guideline to create yours)
In each step I depict what is changed in BOLD.
1: Let me choose a word (at least 8 characters):
geostima
2: Replace some letters with numbers:
g30st1m4
3: Replace some letters with symbols:
g30$t1m4
4: Add separator symbols:
g30$t1m4[]
5: Add the website name reversed:
g30$t1m4[]0xpublish
Voila! There's one tough cookie to crack right there after just 5 simple steps!
Your password is now totally unique - every website will have its own password and - super duper complex!
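The five steps above written out as a deterministic function, as an added example that is not part of the original post. Which letters get swapped for digits and symbols is left to the reader in the post, so the substitution tables here are constructed for the demo; the site name is passed as its component words ("publish" and "0x") so that step 5 can reverse word order for multi-word names and spelling for single-word ones.

```python
# Added example (not the post's own code): the author's five-step formula
# as a function, so the worked example (geostima + Publish0x) can be checked.
# Assumptions: the substitution tables below are constructed for this demo;
# the post only says "replace some letters where possible".

LEET_DIGITS = {"e": "3", "o": "0", "i": "1", "a": "4"}   # step 2 (assumed table)
LEET_SYMBOLS = {"s": "$"}                                  # step 3 (assumed table)
SEPARATOR = "[]"                                           # step 4


def reverse_site_name(site_words):
    """Step 5: a single word is spelt backwards; a multi-word site name has
    its word order reversed (the post's 'publish' + '0x' -> '0xpublish')."""
    if len(site_words) == 1:
        return site_words[0][::-1]
    return "".join(reversed(site_words))


def derive_password(keyword, site_words):
    """Apply the five steps to an 8+ character keyword for one site.
    The result is fully determined by (keyword, site name, tables)."""
    if len(keyword) < 8:
        raise ValueError("step 1: the keyword needs at least 8 characters")
    step2 = "".join(LEET_DIGITS.get(c, c) for c in keyword)   # letters -> digits
    step3 = "".join(LEET_SYMBOLS.get(c, c) for c in step2)    # letters -> symbols
    step4 = step3 + SEPARATOR                                  # separator pair
    return step4 + reverse_site_name(site_words)               # reversed site name


def meets_typical_policy(pw, min_len=12):
    """Sanity check: minimum length plus a letter, a digit and a symbol present."""
    return (len(pw) >= min_len
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


if __name__ == "__main__":
    pw = derive_password("geostima", ["publish", "0x"])
    print(pw)                                               # g30$t1m4[]0xpublish
    # Same keyword, different site -> a different password per site.
    print(derive_password("geostima", ["github"]))          # g30$t1m4[]buhtig
    print(meets_typical_policy(pw))                         # True
```

Running it reproduces the post's result for Publish0x and shows that only the site-dependent suffix changes between sites, which is exactly the part you can read off the page.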
Some of you might not like my formula, or might think it's too difficult to remember or use, but that's irrelevant: you must create your own, just be creative!
You can easily create your own formula for passwords (which only you could and should know - never ever share your secret formula). This allows you to be very dynamic and can also help you remember your passwords (or at least work them out).
This method (at least when looking at my specific example) means the only thing you would actually need to know is your key-word and separator characters. The website name you can take from the page and the number/symbol switching you can do on the fly.
One of the most important things to remember is to NEVER share your passwords with anyone; and hopefully from now on: never share your password creation formula either.
I hope this article will help some of you in future. Stay safe!