How to create and remember strong passwords

Marja threw me a challenge in her Spam from Xavier comments to write about creating strong passwords. The idea comes from our Lab Blog, where Sean posted about this a while ago.

I am one of those people who have a very short attention span for technical instructions, so let me try to explain this as briefly and clearly as possible. Just in case you are like me. 🙂 The idea is to use a system that allows you to do 2 things:

1. Remember your passwords by writing part of each one down. The only thing you need to remember is a part that is the same for all your passwords; a pin, if you will.

2. Create passwords that are good and strong, unique and can’t be guessed.

Here are the step-by-step instructions:

1. Think of a “pin” for your password. This is the part that is the same for all of your passwords. The pin should be 3 characters or longer; it could be something like “25!”. This part should be kept secret.

2. For each of the web sites that you need a password for, create a code that helps you remember which site or service the password is for. For example, aMa for Amazon and gMa for Gmail.

3. Continue the password with a random set of 4 or more characters, for example: 2299 or xy76. You should use different random characters for your different passwords.

4. Write down the site code and the random characters (steps 2 and 3, never the pin) on a note and keep it safe so you don’t forget them. In this example you would end up with a note in your wallet with this written down:

  • aMa2299
  • gMaxy76

5. When using the passwords, add your pin to them. Remember again that the pin should not be written down anywhere! You can decide the location of your pin too. With the example pin “25!” created in the first step, we would end up with 2 passwords that could be:

  • aMa229925! or 25!aMa2299
  • gMaxy7625! or 25!gMaxy76

Tadaa, you now have passwords that are unique and can’t be guessed! And of course you only need to remember a part of each one! By having unique passwords you can also make sure that even if someone finds out one of your passwords, the others are still safe.

As a final note, should you choose to use this system, you should come up with your own passwords and not use the ones used in this post or in our Lab’s post.
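The five steps above as a short Python script, added here as an example and not taken from the original post or the Lab’s post. It draws the random part from the operating system’s secure random generator; the function names, the letters-and-digits alphabet and the 94-character pin alphabet are assumptions.

```python
import math
import secrets
import string

# Assumed alphabet for the random part: letters and digits (the post's
# examples "2299" and "xy76" use digits and lowercase letters).
RANDOM_ALPHABET = string.ascii_letters + string.digits


def random_part(length=4):
    """Step 3: 4 or more characters drawn from a CSPRNG, not made up by hand."""
    if length < 4:
        raise ValueError("the post asks for 4 or more random characters")
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(length))


def make_note(site_codes, length=4):
    """Steps 2-4: one written-down entry per site, each with its own random part."""
    note, used = {}, set()
    for site, code in site_codes.items():
        part = random_part(length)
        while part in used:  # step 3: different random characters per password
            part = random_part(length)
        used.add(part)
        note[site] = code + part
    return note


def full_password(note_entry, pin, pin_first=False):
    """Step 5: add the memorized pin before or after the written part."""
    if len(pin) < 3:
        raise ValueError("the post asks for a pin of 3 characters or longer")
    return pin + note_entry if pin_first else note_entry + pin


def pin_bits(pin_length, alphabet_size=94):
    """Guessing work (in bits) left if the note is lost: only the pin is secret.
    94 = printable ASCII characters without the space (an assumption)."""
    return pin_length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Site codes taken from the post's examples; the random parts are new each run.
    for site, entry in make_note({"Amazon": "aMa", "Gmail": "gMa"}).items():
        print(site, "-> write down:", entry)
    print("3-character pin: %.1f bits, 6-character pin: %.1f bits"
          % (pin_bits(3), pin_bits(6)))
```

If the note is ever lost, the pin is the only secret left, so `pin_bits` shows how much each extra pin character adds.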

Hopefully I managed to make it sound relatively easy. If not, drop me a question below.

