Perfect Passwords author Mark Burnett collected nearly 6 million publicly available passwords and discovered that the overwhelming majority were simply “password, “123456” or “12345678.” Critics of this statistic could point out that outwardly available passwords aren’t likely to be as secure as private passwords, but the Oct 2013 Adobe theft of over 150 million private passwords revealed the same common usage. The reliance on such insecure passwords illustrates the general misunderstanding of password strength, which begs the question: What makes a good password?
It Should Be Memorable
Passwords are only useful if you can remember them; otherwise, they don’t just keep hackers out, but you, as well. Along with ease of entry, this factor attracts users to simple, less secure passwords. After all, a lengthy, randomly created password is difficult to remember or type.
Password managers, such as KeePass, LastPass, 1Password or browser-integrated managers, remove these concerns by compiling and automatically entering passwords for you. Using one of these solutions empowers you to create secure passwords without having to remember them, but if you prefer not to, then memorability remains a concern.
It Needs to Be Unique
Another common mistake is reusing passwords on multiple accounts with the similar mentality that remembering numerous unique passwords is unlikely. However, this approach renders your password vulnerable on any site that uses it, which increases the likelihood of it being discovered. For example, if you reused your bank password on a less-secure forum, a hacker wouldn’t need to circumvent the bank’s security system; he just needs to get through the forum’s meager security and try your login details on all the major banking websites. Therefore, always use unique passwords for each account, especially important ones.
Make It Difficult to Guess
Using common or acquirable information, such as birthdays, anniversaries, names and phone numbers makes it feasible for a hacker to guess your password. A plethora of personal information is available through search engines, social media and directories. Thieves regularly peruse these sources to locate specific targets. Similarly, using common dictionary words, passwords and acronyms opens the password to dictionary attacks that try combinations of words from a database to quicken brute-force type attacks. Therefore, your password should be a complex assortment of mixed capitalization, numbers and symbols that are impossible to guess.
Opt for Length
The longer your password, the less susceptible it is to brute-force attacks that try possible combinations. To illustrate the effectiveness of password length, a two-character password that uses any of the 94 characters on a keyboard would have 8,836 combinations, but a 12-character password would have 476 sextillion combinations, i.e., 476 followed by 21 zeroes. At one time, eight characters were deemed sufficient length, but those days are long passed. Now, at least 12 –or even better, 20– random characters should be used.
Passwords vs. Passphrases
In general, a password is a continuous string of characters that could include letters, numbers and symbols. Passphrases, on the other hand, tend to be a sequence of individual words.
A common recommendation is to use passphrases rather than passwords, because they are harder to crack, but that statement is misleading. Passphrases tend to be lengthier, which affords them greater security, but a randomly generated password of the same length would be significantly stronger.
As a comparison, a completely random 12-character password would take 251 centuries to crack using cracking speeds achieved by Distributed.net’s RC5-72 network-based project, but a 12-character, three-lowercase-word passphrase would take less than a second using a dictionary attack.
The main advantage of using a passphrase is the ease of remembering it, so if you dislike password managers and don’t like copying/pasting from your own [secure] collection of passwords, then passphrases are definitely the way to go; just make them at least six words long and consider throwing in some capitalization and punctuation.
Password Creation Systems
Many users attempt to create secure passwords by employing seemingly clever systems, such as L33k Speak, which replaces letters with visually similar numbers or adding an exclamation point between individual letters. However, these methods are widely known and add very little to a password’s overall strength, even if an account creation page’s strength bar says otherwise.
Just remember: If you can construct a logical password system, a hacker who devotes his time to cracking passwords has probably also considered it. The exception is if there is an unknown key, such as obfuscating a passage from your favorite book.
Even strong, unique passwords are vulnerable to poorly carried out security practices. Accessing accounts on public computers or failing to use an updated anti-virus program potentially expose you to keyloggers that intercept and transmit passwords as you type them. Failure to use a strong firewall could allow a hacker access your computer to retrieve password lists or other sensitive information. Writing your password in a notepad next to your computer makes it vulnerable to physical discovery and could very well be grabbed by a thief along with your computer. To make matters worse, your password is potentially accessible by security breaches on the account’s server, which is completely outside your control.