How do I create a secure password? (infographic)

Summary: With cyber-crime rising rapidly, how can you take individual steps in preventing online data theft? The easiest way is to choose a strong password.

We're finally beginning to see the true repercussions of cyber crime, with every day highlighting yet another hacktivist attack or the theft of personal information online.

From the Zappos security breach to phishing scams, autorun software and the theft of Norton's anti-virus code, there seems to be a global trend of gaining personal information through digital networks rather than relying on more 'traditional' means.

Killer Infographics recently put together a security-based infographic for Lifehacker, which offers a number of tips for online users concerned about the rise in cyber-attacks. Focusing on strong password choices, it is an interesting take on how to show users the ways in which they can put online security into their own hands. Tips on creating a strong password include:

  • Keep your passwords varied, and do not re-use them for at least one year.
  • Avoid Querty-based patterns (for example, 12345).
  • Mix capital and lower-case letters.
  • Substitute letters and mix in numbers whenever possible.
  • Switch word orders.

Infographic source: Killer Infographics


  • Calm down with the font sizes/styles!

    It may have visual flair, but I found it challenging to read. The mix of font styles and sizes makes much of the content difficult to read, especially when sentences mix BIG BLUE LETTERS and ittybittywhitetext. If you're going to call out certain ideas, at least highlight/emphasize coherent phrases. (Lookin' at you, "Microsoft, how secure is my password, free", "Vowel", and "Before")

    The most interesting stuff was also the most legible - the sections "10 Worst Passwords of 2011" and "Password Statistics". They were also the only sections that DIDn't have the FUNKY MIX of CaSe, FONT, siZe, and STyLE.

    At least, those are my thoughts.
    • RE: How do I create a secure password? (infographic)

      @R_Connelie@... Some more tips:

      PASSWORDS MUST NOT BE GUESSABLE! I repeat, NOBODY must EVER be able to guess it! "I think it's safe" is NOT enough, you must KNOW that nobody can figure it out!

      Always use passwords longer than 12 characters! Random 8 character passwords can already be cracked by botnets of moderate size today at a fairly high rate, and even 12 character passwords will be in trouble soon. But for most not-so-sensitive things, 12 characters are safe enough. But I always go for 20 characters nowadays for new passwords. Password length is king!

      Go ahead and make sentences if you want. But NEVER EVER AT ALL use any existing phrase or saying. ANYTHING THAT EVER HAS BEEN SPOKEN OR WRITTEN is likely to be in *some* database somewhere or be found by a persistent attacker (somebody might try every phrase in your diaries), and is INSECURE.

      Make it as random as possible. Going for phrases? Screw up the grammar, intentionally. Use misspellings. Make them sound strange. Make it sound like Yoda. MIX LANGUAGES! Know several languages? Use it to your advantage! And better yet, use other languages too that are close to the ones you know and mix words from them in, because you'll remember those.

      Don't shorten them down. If you've got a good sentence, DO NOT SHORTEN IT! Do NOT turn something like "the moon is blue and crazy" into "tmibac", because that's "lossy compression" and thus *throws away* data that an attacker otherwise would have to get correct. With the shorter password, he only needs the first characters right, while he otherwise would need to get everything right. Because the attacker could also guess "the mouse is boxed and cool" and he'd get the same shortened password, which proves that it's a bad idea (he doesn't need to make a correct guess, only a good-enough guess).

      Bad passwords - and why:
      - l33tsp33k - short and easy to guess
      - password - the first an attacker will test
      - youcan'ttouchthis - well known phrase

      Good passwords:
      - this r4ndom Be, a MUCH ranDOm - Strange grammar, more than 5 words, letters are NOT consistently replaced with numbers, not a known phrase, upper and lower case mixed
      - cant cant cant be gueeeeesed cant be guessed - Is repetition really bad? Only if the attacker *knows* you're using repetition. Otherwise he won't know if the first three words are unique or identical, and so he must try all possibilities.
      - crackelyCkrackety KRACK thIS - now we're making up words.
      - This lsenord is very mycket sfert - mixing languages (Swedish and English) and even mixes up words ("skert" and "safe") (edit: Crap, ZDNet doesn't allow those extra Swedish characters...)
  • RE: How do I create a secure password? (infographic)

    A) thisisasentence
    B) MoNk3Y

    Even though (A) consists of dictionary words, (B) is still easier to hack through brute force trial-and-error due to the number of characters (15 vs 6). Don't over-complicate your passwords; otherwise, the only person you're making it difficult for is yourself.
    • Better than that even

      Assume in example (a) that the attacker knows you have a sentence made up of 4 words and that they use a dictionary of 60000 words to brute-force attack it. There are then approximately 60000^4 = 1.3x10^19 combinations to consider.
      In example (b) assume the attacker knows nothing, then there are approximately 90^6=5.3x10^11 combinations.
      The weak sentence is over 24 million times more secure than the second example. Even if the second example had 8 characters, the sentence would still be 3000 times more secure. Make it a 5 word sentence and it's stronger still than a 12 character 'complex' password.
  • RE: How do I create a secure password? (infographic)

    Or use lastpass (or keepass)?

    For the user that doesn't access critical information with it (or rely on one of them to access them) then you should be fine and don't have to worry about methods to create secure passwords or even remember them.
    • RE: How do I create a secure password? (infographic)

      @lewiscb Not true. Especially if you are connected to a corporate network. Or even to the Internet. Unless you really don't mind YOUR PC being used as a botnet to access other systems that you would be allowed to access yourself.
    • RE: How do I create a secure password? (infographic)

      @lewiscb This is only true if the user in question is not in any way connected to other users who access sensitive information. If they are connected via network, e-mail or social media they can unwittingly infect everyone they know.
  • My PC asked for a password of at least 8 characters ...

    ... so I chose SnowWhite&The7Dwarves ...
    ... but this is apparently not PC, so I changed it to ...
    ... SnowCaucasianComplexion&7Height-ChallengedIndividuals ;-)
    • RE: How do I create a secure password? (infographic)

      @johnfenjackson@... That's pretty cool. If you are a good typist though. I had a passphrase that was over 150 characters including punctuation. I could never remember it nor type it but, since it was one of those corporate mottos that was found everywhere in the company, it was easy to copy and paste into a decryption engine. (Not good for login though).
  • RE: How do I create a secure password? (infographic)

    Easy, just go on to and all your stuff will be secure for ever.
    • RE: How do I create a secure password? (infographic)

      @celticshaun So if you have chosen a weak password for your account, and use it for all your other online accounts, and then one of those sites is compromised, is going to protect you how?
  • RE: How do I create a secure password? (infographic)

    I think you meant "Avoid QWERTY-based patterns", instead of "Querty".
  • RE: How do I create a secure password? (infographic)

    I can create secure passwords all day long; the issue is that many web sites do not support all special characters, or limit you to xx characters, or have some other quirky limit.
  • One more important tip

    Don't use the same password everywhere!

    It's very common for a secure password to be stolen from an insecure site then reused to get into sites like banks. A good tip is to have 3 tiers of passwords:
    - Password for bulk sites.
    - Password for sites with personal information.
    - Password for sites with financial or medical information.
    • RE: How do I create a secure password? (infographic)

      @trophygeek: The easy way to accomplish this is with software like KeePassX. It's 100% free (as in free beer and as in freedom) and it uses the well known and well tested AES encryption algorithm. You only need to remember ONE password, KeePassX stores the rest encrypted.
      Your single "master password" is "transformed" using SHA256 into the encryption key that it uses for AES to protect your stored passwords.
      There are no known methods to crack SHA256 or AES, so if nobody can guess your master password, the stored passwords are safe (assuming your computer is secure, if you've got spyware then it can steal your passwords!).
      • RE: How do I create a secure password? (infographic)

        @Natanael_L That's why there are security systems that don't completely rely on typing something, as a keylogger can get those. It all depends on how secure YOU really need to be, assuming you can't be made into a botnet at a corporate level.
    • Works in theory, but...

      mileage may vary depending on how accurately people classify sites/systems, and the reality is, it's not that black and white in some people's minds.

      For example, someone may have multiple e-mail accounts through free services like Gmail, Live, etc. One of those may not be used much for personal correspondence, it may just be their "junk" account for daily deals, mailing lists, etc. On the surface, this may seem harmless and fall into one of the less critical categories. But, the second they order something from one of those services or use it as the password recovery address for a "sensitive" site, it needs to be bumped up to the most highly secured level, but how many people actually do? I'm guessing many don't and that opens the door for daisy chain type breaches. Hack the easy account and you can likely move up the chain until you get to some account where you hit pay dirt.

      Your approach can work, but it requires some thought and discipline to be successful.
  • RE: How do I create a secure password? (infographic)

    The only reason for upper and lower case, numbers and punctuation is if people are watching you enter it. Save yourself some grief if it's only going to be entered in private and use several unrelated words. It isn't going to be guessed in your lifetime. Making passwords that don't need writing down will greatly increase your security versus passwords requiring sticky notes.
  • What are the real odds?

    If a site locks one out after three guesses, how can any cracking software beat that without having access to the hash file?

    Why change a strong password every year? It does not reduce the probability of it being hacked one bit. But it does promote folks falling back to easier-to-remember passwords. This applies to the archaic mandatory change of passwords every couple of months still promulgated by IT departments. Even Microsoft says it is a bad idea.

    11122 is just as strong as 73972... the odds of it being hacked are exactly the same.

    I do support using different passwords on accounts, and all should be at least eight characters long; twelve is better (if the program allows long passwords).

    A ten character password of just lowercase letters is more than twice as strong as an eight character one with a mix of upper and lower case, and much easier to remember.

    The key to a good strong password is length and rememberability... unrelated words with a length over twelve characters will do most folks just fine.
    • Disagree on the 10 character vs 8 character

      Um - 26^10/52^12 < 1, so I don't know how you figure that a 10 character password of just lowercase letters is stronger than a mixed case 8 character password. Length trumps character mix, but just adding two characters of a limited set doesn't do you much good. I don't know how most people crack passwords, but I'd be surprised if they all had non-informative priors for each character.
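The search-space arithmetic argued back and forth in the comments above (4 dictionary words vs "MoNk3Y", and 10 lowercase letters vs 8 mixed-case letters) computed rather than asserted. This is an added example by the editor, not code from the article or any commenter; the 60,000-word dictionary, the ~90-symbol alphabet and an attacker who knows the scheme are the commenters' own assumptions, carried over unchanged.

```python
import math


def char_search_space(alphabet_size: int, length: int) -> int:
    """Candidates for a password of `length` symbols drawn uniformly from an
    alphabet of `alphabet_size` symbols (26 lowercase, 52 mixed case, or the
    ~90 printable symbols assumed in the thread)."""
    return alphabet_size ** length


def passphrase_search_space(dictionary_size: int, words: int) -> int:
    """Candidates for a passphrase of `words` words in the user's worst case:
    the attacker knows both the word count and the dictionary, so the letters
    inside each word add nothing (the commenter's 60000^4 model)."""
    return dictionary_size ** words


def entropy_bits(search_space: int) -> float:
    """Search space expressed in bits; each extra bit doubles the attacker's work."""
    return math.log2(search_space)


def strength_ratio(space_a: int, space_b: int) -> float:
    """How many times more candidates scheme A forces an attacker to try than scheme B."""
    return space_a / space_b


def thread_comparisons() -> dict:
    """The concrete comparisons made in the comments, using the commenters'
    assumed parameters (not measurements of real cracking rigs)."""
    sentence4 = passphrase_search_space(60000, 4)   # "thisisasentence" model
    sentence5 = passphrase_search_space(60000, 5)
    monk3y = char_search_space(90, 6)               # "MoNk3Y": 6 of ~90 symbols
    complex8 = char_search_space(90, 8)
    complex12 = char_search_space(90, 12)
    lower10 = char_search_space(26, 10)             # ten lowercase letters
    mixed8 = char_search_space(52, 8)               # eight mixed-case letters
    return {
        "4 words vs MoNk3Y": strength_ratio(sentence4, monk3y),
        "4 words vs 8 complex chars": strength_ratio(sentence4, complex8),
        "5 words vs 12 complex chars": strength_ratio(sentence5, complex12),
        "10 lowercase vs 8 mixed case": strength_ratio(lower10, mixed8),
        "bits: 4 words": entropy_bits(sentence4),
        "bits: MoNk3Y": entropy_bits(monk3y),
    }


if __name__ == "__main__":
    for label, value in thread_comparisons().items():
        print(f"{label}: {value:,.2f}")
```

The ratios only hold under the stated model; an attacker with a better prior (common phrases first, real password leaks) shrinks the passphrase figure, which is exactly the point the second commenter raises about non-informative priors.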