Password Security

5 July 2018 | Robin Nicholl

England66 – that should do it! No? How about qxP5!@42… what – forgotten it already? The first example is plain dumb; the second, whilst obviously much more secure, falls down precisely because of its complexity: nobody can remember it.

Size matters

What’s really important in a secure password? Well, apart from being difficult to guess (which rules out your favourite football team and the tattooed wording emblazoned on your arm), it’s length. Estimates (and algorithms) vary, but a password such as qxP5!@42 might take a computer from a few hours to 12 days to crack, whereas online strength tests [1] suggest EasyAsCake$1967 (see below) could take up to 5 centuries!

Forget everything you thought you knew

One of the authors of the decades-old NIST (the US National Institute of Standards and Technology) password guidance has recently recanted his original recommendations: namely that passwords should contain capitals, special characters and numbers, and be regularly, forcibly updated. This latter recommendation has resulted in lazy (normal?) behaviour such as users simply incrementing their password each time the system requires a change – so, L1verp00L@1 becomes L1verp00L@2, @3, etc.

And, even when seemingly random, these ‘standard’ 8–12 character passwords of the qx~p8L2# variety are actually surprisingly easy for a bot to crack: it might look like gibberish to you or me, but it’s a language that computers speak fluently.

Passphrases rule

The current recommendation [2] is to use longer, more human-readable (and therefore easier for the owner to remember) passphrases. A good example might be to use a memorable phrase, but perhaps change a word: for example, EasyAsCake. Another method might be a short string of unrelated, random words, such as LovingTentpoleGazump.

As many sites will still require certain types of character to be present, such as a mixture of lowercase and capital letters, numbers and special characters, it’s good practice to include these in your phrase to avoid them being rejected: the above example (which already covers the first two points) might then become: EasyAsCake$1967 and LovingTentpoleGazump@42.
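To put numbers on the length-versus-complexity argument above and on the random-word passphrases, here is a small added example (not code from the original post). It scores the post’s own passwords under a brute-force model, scores a random-word passphrase under the model an attacker would actually use (picking from a known word list), and generates a passphrase with a cryptographic random source. The guessing rate and the 7776-word list size are assumptions for illustration, so the figures differ from the online estimator the post cites.

```python
import math
import secrets
import string

# Character classes; a brute-force attacker must cover every class the password uses.
CHARSETS = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)


def bruteforce_bits(password: str) -> float:
    """Entropy under a brute-force model: each position may be any character
    from the union of the classes the password actually contains."""
    alphabet = sum(len(cs) for cs in CHARSETS if any(c in cs for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def wordlist_bits(words_in_list: int, words_used: int) -> float:
    """Entropy of a passphrase made of `words_used` uniformly random picks from
    a public list of `words_in_list` words (the attacker knows the list)."""
    return words_used * math.log2(words_in_list)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: on average half the space is searched."""
    return 2 ** (bits - 1) / guesses_per_second


def generate_passphrase(wordlist, n_words=3, suffix=""):
    """Pick n_words with a CSPRNG, capitalise each, and append an optional
    suffix so sites that insist on digits or symbols accept the result."""
    words = (secrets.choice(wordlist).capitalize() for _ in range(n_words))
    return "".join(words) + suffix


if __name__ == "__main__":
    RATE = 1e10  # assumed offline guessing rate, guesses per second
    for pw in ("qxP5!@42", "EasyAsCake$1967", "LovingTentpoleGazump@42"):
        bits = bruteforce_bits(pw)
        years = expected_crack_seconds(bits, RATE) / (86400 * 365)
        print(f"{pw:24} {bits:6.1f} bits  ~{years:.1e} years (brute force)")
    # Caveat: a random-word passphrase is only as strong as the list it came from.
    print(f"3 words from a 7776-word list: {wordlist_bits(7776, 3):.1f} bits")
    toy_list = ["loving", "tentpole", "gazump", "cake", "easy", "random"]  # constructed
    print("generated:", generate_passphrase(toy_list, 3, "@42"))
```

The brute-force score for LovingTentpoleGazump is far higher than its word-list score, which is the figure that matters once an attacker tries word combinations instead of characters; that is why the word list should be large and the words chosen at random rather than picked by hand.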

One size does not fit all

It’s tempting to choose a password and use it everywhere: for your online banking, email account, Netflix, your business website, etc. Don’t. If your single password should be compromised, you’ll have an awful job changing it everywhere it’s been used. Though it’s not really practical to have a different password for every site, it’s at least worth having several and mixing them up. Another method that many swear by is to use a password manager: there are many out there [3].

In summary

  • Don’t use easy-to-guess passwords
  • Long passwords (passphrases) are best
  • Use something you’ll be able to remember
  • Don’t use the same password everywhere

[1] https://password.kaspersky.com
[2] https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0
[3] https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers