A simple guide to strong passwords

In my last post about email security, I talked about why you should have strong passwords, especially for your email accounts, but I didn’t address how. Here are some rules of thumb to help you secure your digital world.

1. Use a password manager

There is a trove of password managers available. The most popular are 1Password, LastPass, and Dashlane. 1Password is my favorite: the company provides a robust product that integrates seamlessly with every OS (including Linux) and web browser. Whichever you choose, the manager's master password is the one password you still have to remember, so it is the one to make long and unique, and you should turn on a second factor for the manager's account if the product offers one.

2. Use a password generator

Humans are notoriously bad at being random. If you don't believe me, try this exercise. Most password managers include a generator capable of producing truly random passwords. That can be a string of random characters including digits and symbols (e.g. o7JXb[g7VnPF4kHX9Dh^), but a password doesn't have to be hard to remember to be random. A series of truly random words pulled from a dictionary file (e.g. uniaxial-sandman-format-strophe) can be as strong as a shorter but more complicated password, because what counts is the number of equally likely possibilities the attacker has to try: four words drawn from a 7,776-word diceware list give about 52 bits of entropy, roughly the same as eight random printable characters, and six words give about 78 bits. A password made of only one or two words is vulnerable to a dictionary attack, and three words from such a list (about 39 bits) are still within reach of an offline attacker against a fast hash, so use four or more. The words must be drawn by the generator, not chosen by you: truly random passwords eliminate the risk of an attacker guessing your password from your interests, where you live, or what you do, most of which is publicly available thanks to the internet and social networks.

3. Make it long

I recently signed up for a new account. The password had the following requirements:

  • between 5 and 8 characters
  • one capital letter
  • one lowercase letter
  • one special character

The company was simply adhering to the best practices in information security… 10 years ago.

A lot has changed in 10 years. For one, computers are much more powerful: what used to require a rack full of servers can now be done on your iPhone. Unfortunately, this includes cracking passwords. Against a fast, unsalted hash such as NTLM or MD5, a single modern GPU tests tens of billions of candidates per second, and a rig of several GPUs reaches trillions. At that rate every eight-character password built from the 95 printable ASCII characters (about 6.6 quadrillion combinations) can be brute forced, i.e. every combination of characters tried until the correct one is found, in roughly an hour. A deliberately slow password hash such as bcrypt, or online guessing throttled by the service, cuts the rate by many orders of magnitude, but you don't get to choose how a site stores your password or whether its database leaks.

Therefore, any eight-character password is merely a deterrent that can be easily overcome (unless paired with other security measures). For some companies, increasing password lengths is not just a matter of checking a box. Some legacy infrastructure and software stores passwords in database fields with length limits, and those limits are not easily changed, since raising them means rebuilding the database. A cap like that is also a warning sign: a properly hashed password occupies a fixed-size field regardless of how long the password is, so a limit driven by the storage schema suggests the password is stored in plaintext or some other reversible form. (A generous cap of 64 or 72 characters is a different matter and is legitimate; bcrypt, for example, only uses the first 72 bytes of its input.) When a company restricts the length of your password, use the full character set so the password is as random as possible within the limit, and demand that the company update its security.

Most websites, however, do accept long passwords. Use 16 characters as your minimum password length; ideally, go over 20. Sixteen random printable characters give roughly 105 bits of entropy, far beyond any brute-force attack. Don't worry though: if you're using a password manager, you won't have to remember it!
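The generator from rule 2 and the length arithmetic from rule 3, as an added example that is not part of the original post: it draws both kinds of password with Python's `secrets` module, computes the entropy of each scheme, and estimates the worst-case time to exhaust it at a few guessing rates. The rates, the 7,776-word diceware list size, and the tiny `SAMPLE_WORDS` list are assumptions made so the example runs offline; a real passphrase generator would load a full word list from a file.

```python
"""Random password generation and brute-force cost estimation.

Added example for this post (not the author's code); standard library only.
SAMPLE_WORDS is a small constructed list so the example runs offline; a real
passphrase generator should draw from a full list such as a 7,776-word
diceware list, which is what DICEWARE_SIZE assumes for the entropy figures.
"""
import math
import secrets
import string

# 94 printable ASCII characters (space excluded).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed sample; only here so the generator runs without a word file.
SAMPLE_WORDS = ["uniaxial", "sandman", "format", "strophe",
                "granite", "ember", "lattice", "quorum"]
DICEWARE_SIZE = 7776  # 6**5 entries in a standard diceware list

# Rough guessing rates, stated as assumptions for the estimates below.
RATE_FAST_HASH = 2e12   # multi-GPU rig against a fast unsalted hash (NTLM, MD5)
RATE_SLOW_HASH = 1e5    # the same rig against a deliberately slow hash (bcrypt)
RATE_ONLINE = 10        # online guessing throttled by the service

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_password(length=20, alphabet=PRINTABLE):
    """Uniformly random string; uses secrets, not random, so it is unpredictable."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, count=4, sep="-"):
    """Words drawn uniformly, with replacement, from the supplied list."""
    if count < 1 or not words:
        raise ValueError("need a non-empty word list and a positive count")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, positions):
    """Entropy of `positions` independent uniform draws from `choices` options."""
    return positions * math.log2(choices)


def seconds_to_exhaust(choices, positions, guesses_per_second):
    """Worst case: every candidate is tried. The average is half of this."""
    return choices ** positions / guesses_per_second


def human_time(seconds):
    """Coarse, human-readable duration."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.1f} days"
    return f"{years:.3g} years"


def compare(rate=RATE_FAST_HASH):
    """Entropy and worst-case crack time for the schemes discussed in the post."""
    schemes = [
        ("8 printable chars", len(PRINTABLE), 8),
        ("16 printable chars", len(PRINTABLE), 16),
        ("20 printable chars", len(PRINTABLE), 20),
        ("3 diceware words", DICEWARE_SIZE, 3),
        ("4 diceware words", DICEWARE_SIZE, 4),
        ("6 diceware words", DICEWARE_SIZE, 6),
    ]
    return [(label, round(entropy_bits(c, n), 1),
             human_time(seconds_to_exhaust(c, n, rate)))
            for label, c, n in schemes]


if __name__ == "__main__":
    print("example password:  ", random_password(20))
    print("example passphrase:", random_passphrase(SAMPLE_WORDS, 4))
    for name, rate in (("fast hash", RATE_FAST_HASH),
                       ("slow hash", RATE_SLOW_HASH),
                       ("online", RATE_ONLINE)):
        print(f"\nworst-case time at {rate:.0e} guesses/s ({name}):")
        for label, bits, t in compare(rate):
            print(f"  {label:<20} {bits:>6.1f} bits  {t}")
```

The table it prints makes the post's point concrete: eight printable characters fall in under an hour at the assumed fast-hash rate, while sixteen take longer than the age of the universe, and a four-word passphrase sits between the two. The number of possibilities, not the presence of a symbol, is what the attacker has to pay for.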

If you follow these three rules, you will be way ahead of the game. Maybe someday we will start seeing completely random passwords on the most common password lists.

