April 22, 2014
The 7 Keys to Strong Passwords
by Scott Aurnou
Twelve characters are the absolute minimum, but passwords can be both easy to remember and hard for an attacker to crack.
Creating a strong password may seem like a chore, but sometimes it can literally be the only thing standing between a cybercriminal and your personal and financial information or access to your company’s network and intellectual property. Here are some tips for creating a strong password (that you can actually remember):
1) The most important factor in creating a secure password is length. A longer sequence of characters (letters, numbers and possibly punctuation marks) means more possible combinations to help thwart an attacker. The absolute minimum should be 12 characters. If a password has eight characters, for example, modern password cracking software will break it in a matter of hours. A difference of four characters in a password may not seem like much, but there is a huge increase in the number of possible combinations it will yield (and hence attempts that the cracking software will have to make before it can break the password in question). Even if only letters and numbers are allowed, there are 14 million times as many combinations with a 12-character password vs. an eight-character one. If punctuation marks are included, the 12-character password is 81 million times as hard to break. Simply put, longer passwords are always better.
2) Use a nonsensical (or completely personal) passphrase. You can pick a password that is both easy for you to remember and hard for an attacker to figure out. If you really want to, you can mix in random characters like $, @, etc., though hackers are well aware that people try this trick. Truth be told, it’s really the length that makes a passphrase difficult to crack, so the special characters will essentially make the password more difficult to remember while not making it any harder to break.
When creating your phrase, make sure it really is unique to you (or genuinely random). Avoid famous literary quotes and song lyrics – hackers can check for those. A good nonsensical passphrase might be something like: CyanStapleWashingtonBanana44 (don’t use this exact one – or any other suggestion you see online. Hackers can find those, too). A personal phrase can be effective because it relates to something that’s memorable to you. Just make sure it isn’t a widely known event. Perhaps you can use that time you were surprised at the aquarium: “BlueLobstersAreReal!” It’s long enough that a machine won’t break it anytime soon; no one is going to guess it; and you will remember it.
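To make the arithmetic behind points 1 and 2 concrete, here is a small added example (not part of the original article) that reproduces the "14 million" and "81 million" figures from the size of the character set and the password length, and compares that with a passphrase built from dictionary words. It assumes 62 letters-and-digits and 95 printable ASCII characters (33 punctuation marks), and a 7,776-word dictionary for the passphrase case; none of those numbers are stated in the article.

```python
"""Keyspace arithmetic behind the article's "longer is better" claim.

Assumptions (not from the article): 26 + 26 + 10 = 62 alphanumerics,
plus 33 punctuation marks = 95 printable ASCII characters in total,
and a 7,776-word list for word-based passphrases.
"""
import math

ALNUM = 26 + 26 + 10          # letters and digits only
PRINTABLE = ALNUM + 33        # plus punctuation (95 printable ASCII)
WORDLIST = 7776               # assumed size of a passphrase word list


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def length_ratio(charset_size: int, longer: int, shorter: int) -> int:
    """How many times more combinations `longer` characters give than
    `shorter`: charset**longer / charset**shorter = charset**(longer-shorter)."""
    return charset_size ** (longer - shorter)


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def passphrase_entropy(words: int, dictionary_size: int = WORDLIST) -> float:
    """Bits of entropy for `words` words chosen at random from a dictionary;
    the attacker is assumed to know the word list, so only the choice counts."""
    return words * math.log2(dictionary_size)


def expected_guesses(charset_size: int, length: int) -> int:
    """An exhaustive search succeeds, on average, halfway through the keyspace."""
    return keyspace(charset_size, length) // 2


if __name__ == "__main__":
    for name, cs in (("letters+digits", ALNUM), ("with punctuation", PRINTABLE)):
        print(f"{name}: 12 vs 8 chars -> {length_ratio(cs, 12, 8):,}x combinations")
        for n in (8, 12, 16):
            print(f"  {n:2d} chars: {entropy_bits(cs, n):5.1f} bits, "
                  f"{expected_guesses(cs, n):.2e} expected guesses")
    for w in (3, 4, 5):
        print(f"{w} random words: {passphrase_entropy(w):5.1f} bits")
```

Running it shows why the article says length dominates: each extra character multiplies the search space by the alphabet size, while swapping a letter for a symbol adds well under one bit per character.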
3) Don’t use the same password for multiple sites. Reusing passwords is known as “daisy-chaining.” If one account gets compromised, it will instantly expose others with the same (or a similar) password to attacks.
4) Don’t have a file or email called “passwords” anywhere on your computer (or saved in an email). These are easy for a hacker to find.
5) Change passwords regularly – perhaps every few months. If a database storing a site’s passwords has been compromised (which is often not discovered right away), changing a given password makes it effectively useless to an attacker even if it’s stolen and eventually cracked.
6) Use “multi-factor authentication” whenever it’s available. Additional “authentication factors” are just ways to ensure you are who you say you are. This can mean something like a fingerprint scanner or a code sent to your phone via text message that is then entered in addition to your password. If an attacker only has your password, she still won’t be able to get access. If you’re curious to see what this looks like in practice, Google has a good explanatory video here.
7) Avoid using security questions, if you can. Frequently, these questions are used as a way around the dreaded “I forgot my password” problem. The questions may sound helpful, but they almost always focus on information that can be found elsewhere online (where you went to school, pet’s name, favorite color, etc.). Any hacker will know to look for this information and can use it to get into your account – and potentially lock you out. Unfortunately, some sites require you to use the questions. If possible, try to select questions that don’t have just a few or even a single answer that a hacker can find (your mother’s maiden name, for example).
Remember that there is no such thing as an impervious system, but that doesn’t mean you should make it easy for attackers. If you’re a difficult target, they may well move on to an easier one.