We all know that the more complicated a password is, the better. They should include a mixture of numbers, punctuation marks and symbols, and upper- and lower-case letters.
Or should they?
Recent research into password security has shown that much of conventional password wisdom is not only wrong, but possibly dangerous.1
Facebook, Twitter, Yahoo, and LinkedIn have all fallen prey to online attackers who have stolen entire databases full of passwords. The passwords are scrambled for security, but this offers little comfort when computer programs can make millions of guesses in just a few hours. Because most passwords are based on words in a dictionary combined with a number or symbol, it can take these sophisticated programs even less time to hack them.
The end result is that common password policies don’t prevent the theft of many users’ passwords, creating a complex, sophisticated, and lucrative shadow industry. Strangely enough, breached passwords can fetch big money on the black market.2
So, what does that mean to you? It means that every password you’ve created is a valuable and vulnerable commodity worth protecting.
To do so, you should go a step beyond choosing passwords that are hard for a human to guess. Your passwords also need to be difficult for a computer to figure out. Here are some tips.
Favor Length Over Complexity
Longer passwords are more difficult to crack. Around 20 characters is recommended.3 Consider stringing together the first couple letters of a favorite movie quote, song lyric, or poem. Random words and numbers strung together are even better. For extra-sensitive accounts, it may make sense to change your passwords on a regular basis. If you like the idea of optimal password protection but worry you won’t be able to handle multiple changing passwords, password managers can help you organize, store, and use multiple passwords safely.
No Plain English
Simple strings of numbers, along with passwords that can be found in the dictionary, are the easiest to crack. Google suggests that your password should contain one or more upper- and lower-case characters, numbers, symbols and special characters.4
Recognize Any of These?
Take a look at the most common passwords, according to Keeper Security.5 If your password is one of these, it might be time to make a change.
Mix It Up
Many people use the same password for multiple accounts because it’s easier to remember. But this could lead to serious consequences. You may not be too concerned about the personal information stored in your LinkedIn or Twitter accounts, but what would happen if hackers used your compromised password to access your email, brokerage, or bank accounts? If you have trouble remembering multiple passwords, you may want to keep a list on your computer, but don’t store it on your desktop or in your inbox. Give the file a misleading name and bury it in a folder where only you can find it.
There’s no such thing as an impregnable password. Still, putting personal information behind a basic password is like leaving your Porsche in a parking lot with your keys on the dash. By taking preventative measures to strengthen your password, you may be able to help safeguard your sensitive personal data and your privacy.
- The Washington Post, 2017
- Business Insider, November 13, 2017
- ConnectSafely.org, May 4, 2018
- Google.com, 2018
- Keeper Security, January 13, 2017