5 July 2018 | Robin Nicholl
England66 – that should do it! No? How about qxP5!@42… what – forgotten it already? The first example is plain dumb; the second, whilst obviously much more secure, falls down by nature of its complexity.
What’s really important in a secure password? Well, apart from being difficult to guess (which rules out your favourite football team and the tattooed wording emblazoned on your arm), it’s length. Estimates (and algorithms) vary, but a password such as qxP5!@42 might take a computer from a few hours to 12 days to crack, whereas online strength tests [1] suggest EasyAsCake$1967 (see below) could take up to 5 centuries!
Forget everything you thought you knew
One of the authors of the decades-old NIST (the US National Institute of Standards and Technology) password guidance has recently recanted his original recommendations: namely that passwords should contain capitals, special characters and numbers, and be regularly, forcibly updated. This latter recommendation has resulted in lazy (normal?) behaviour such as users simply incrementing their password each time the system requires a change – so,
And, even when seemingly random, these ‘standard’ 8–12-character passwords of the qx~p8L2# variety are actually surprisingly easy for a bot to crack: it might look like gibberish to you or me, but it’s a language that computers speak fluently.
The current recommendation [2] is to use longer, more human-readable (and therefore easier for the owner to remember) pass phrases. A good example might be to use a memorable phrase, but perhaps change a word: for example, EasyAsCake. Another method might be a short string of unrelated, random words, such as
As many sites will still require certain types of character to be present, such as a mixture of lowercase and capital letters, numbers and special characters, it’s good practice to include these in your phrase to avoid them being rejected: the above example (which already covers the first two points) might then become EasyAsCake$1967.
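As an added worked example (not code from the original post or from NIST), the Python below puts numbers on the ideas in this post using its own three passwords: the naive ‘length × alphabet’ search space that rewards adding character classes, a word-plus-digits model that shows why England66 stays weak whatever that naive model says, a site-style policy check that EasyAsCake fails and EasyAsCake$1967 passes, and a CSPRNG-based generator for the random-words method. The guess rate (1e10 per second), the attacker’s dictionary size (10,000), the 12-character policy minimum, the COMMON_WORDS set and the sample word list are all assumptions chosen for illustration; they are not figures from the post or from the online calculators it cites.

```python
import math
import re
import secrets
import string

# Character classes a typical site policy asks for (the post's "mixture of
# lowercase and capital letters, numbers and special characters").
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 characters
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

# Constructed sample of "obvious" words a guessing tool tries first (assumption).
COMMON_WORDS = {"england", "password", "liverpool", "arsenal", "dragon"}


def classes_present(pw):
    """Names of the character classes that occur in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def brute_force_bits(pw):
    """Search space in bits for an attacker who knows only the length and the
    character classes used: length * log2(alphabet size). This is the model
    behind 'add a symbol and a digit' advice; it overrates short gibberish."""
    alphabet = sum(len(CLASSES[name]) for name in classes_present(pw))
    return len(pw) * math.log2(alphabet)


def word_plus_digits_bits(pw, known_words=COMMON_WORDS, dictionary_size=10_000):
    """Search space if pw is a dictionary word followed by digits, the kind of
    pattern a guessing tool tries long before random strings. dictionary_size
    is an assumed size for the attacker's word list. None if pw does not fit."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pw)
    if not m or m.group(1).lower() not in known_words:
        return None
    return math.log2(dictionary_size) + len(m.group(2)) * math.log2(10)


def strength_bits(pw):
    """The weaker of the two models is the one that decides."""
    candidates = [brute_force_bits(pw)]
    dict_bits = word_plus_digits_bits(pw)
    if dict_bits is not None:
        candidates.append(dict_bits)
    return min(candidates)


def expected_crack_years(pw, guesses_per_second=1e10):
    """Expected years to find pw at an assumed guess rate; on average the
    attacker covers half the space. 1e10/s is an assumed stand-in for offline
    cracking of a fast hash, not a figure from the post's calculators."""
    guesses = 2 ** strength_bits(pw) / 2
    return guesses / guesses_per_second / (365.25 * 24 * 3600)


def meets_policy(pw, min_length=12, required=("lower", "upper", "digit", "symbol")):
    """Site-style rule: minimum length plus every required class present.
    Returns (ok, missing_classes) so the caller can say what to add."""
    missing = [name for name in required if name not in classes_present(pw)]
    return len(pw) >= min_length and not missing, missing


def random_words_phrase(wordlist, n=4, sep="-"):
    """The 'unrelated random words' method: n words drawn with a CSPRNG
    (secrets) and joined with sep. Strength is n * log2(len(wordlist)) bits
    even if the attacker holds the same word list, because the choice is random."""
    words = [secrets.choice(wordlist) for _ in range(n)]
    return sep.join(words), n * math.log2(len(wordlist))


if __name__ == "__main__":
    for pw in ("England66", "qxP5!@42", "EasyAsCake", "EasyAsCake$1967"):
        ok, missing = meets_policy(pw)
        print(f"{pw:16} charset={brute_force_bits(pw):5.1f} bits  "
              f"effective={strength_bits(pw):5.1f} bits  "
              f"~{expected_crack_years(pw):.1e} years  policy_ok={ok} missing={missing}")
    # Constructed short word list; a real one has thousands of entries (assumption).
    sample_words = ["cake", "river", "lantern", "pebble", "orbit", "velvet", "thistle", "anchor"]
    phrase, bits = random_words_phrase(sample_words)
    print(phrase, f"{bits:.1f} bits")
```

Run as a script it prints the table for the post's examples. The point it makes is the post's own: England66 scores about 54 bits under the charset model but under 20 bits once an attacker tries word-plus-digits, qxP5!@42 sits at about 52 bits for all its symbols, and EasyAsCake$1967 reaches about 98 bits simply by being longer.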
One size does not fit all
It’s tempting to choose a password and use it everywhere: for your online banking, email account, Netflix, your business website, etc. Don’t. If your single password should be compromised, you’ll have an awful job changing it everywhere it’s been used. Though it’s not really practical to have a different password for every site, it’s at least worth having several and mixing them up. Another method that many swear by is to use a password manager: there are many out there [3].
- Don’t use easy-to-guess passwords
- Long passwords (passphrases) are best
- Use something you’ll be able to remember
- Don’t use the same password everywhere