You’ve heard it for years: “password” is a terrible password to use. But, it hasn’t stopped millions of users from picking the simplest and easiest-to-guess passwords, like “123456” and “password.” If you use one of these passwords, go change it now to something else. Anything else. Then, come back to continue reading about how to create the “perfect” password.
[waits for readers to change their passwords and return to the post]
It’s important to note that while there are password best practices you should follow, which we’ll cover here, no password is 100% secure. But, by following these practices, you’ll slow down a hacker’s ability to crack your password and greatly reduce your risk of getting hacked. Hackers often take the path of least resistance, and if it’s going to take too long to crack your password, they’ll turn their attention to lower-hanging fruit. Two things a strong password can’t do for you: it won’t protect an account whose password you typed into a phishing page, and it won’t help if the site stored it poorly and then got breached. Turn on multi-factor authentication wherever it’s offered; it limits the damage in both cases.
So, if you can’t create the “perfect” password, let’s focus instead on creating a strong password.
Diversify Your Password Risk
Almost daily, we read about applications, services and companies that fall victim to data breaches. These breaches expose sensitive information like email addresses, passwords and other personally identifiable information that puts you and your organization at risk. You could have the strongest password possible, but if you use that same super-complex password across the entire internet, you’re putting all your password eggs in one basket.
For example, using the same password for both Facebook and online banking is a bad idea: if the password is compromised on Facebook, your online banking login is compromised with it. Hackers don’t even need to crack it first. Leaked email-and-password pairs are replayed against other sites automatically (credential stuffing), and once a password has been cracked it is added to the massive wordlists that every cracking tool tries first. A password that has appeared in any breach should be treated as public, no matter how complex it looks.
You might read an exceptional blog post on how to create a strong password (like this one, perhaps?) that shares some examples of strong passwords, or a friend might tell you their extra-clever strong password. Resist the urge to borrow their creativity and use the same password. Instead, focus on crafting unique passwords that only you know. If a password is known only to you, it’ll be very difficult for hackers to guess it. The six inches between your ears are tough to hack. The practical way to have a different password for every site is a password manager, which generates and remembers them so you only have to memorize one strong master passphrase.
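The wordlists described above are the same data the Have I Been Pwned “Pwned Passwords” service exposes, and the k-anonymity range query it uses lets you check a password without ever sending it anywhere. What follows is an added example, not code from the original post: it simulates both sides of that query offline, with a constructed four-entry breach corpus and made-up counts standing in for the real service (whose endpoint is https://api.pwnedpasswords.com/range/{prefix}). The client sends only the first five hex characters of the SHA-1 hash; the server returns every suffix under that prefix, and the match happens locally.

```python
import hashlib

# Constructed stand-in for a breached-password corpus. The real Pwned Passwords
# service holds hundreds of millions of entries; these four and their counts
# are made up for the demo.
BREACH_CORPUS = {
    "123456": 37_000_000,
    "password": 9_000_000,
    "qwerty": 4_000_000,
    "P@ssw0rd": 60_000,
}


def sha1_hex(password: str) -> str:
    """Pwned Passwords keys its data on the uppercase hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server side: bucket every hash under its first five hex characters."""
    index = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


def range_query(index: dict, prefix: str) -> list:
    """Server side: answer a range request. The server only ever sees the
    5-character prefix, never the password or even its full hash."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return index.get(prefix.upper(), [])


def breach_count(password: str, index: dict) -> int:
    """Client side: send the prefix, then match the remaining 35 characters
    locally. Returns how many times the password appeared in breaches, 0 if never."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_query(index, prefix):
        if candidate_suffix == suffix:
            return count
    return 0


if __name__ == "__main__":
    index = build_range_index(BREACH_CORPUS)
    for pw in ["password", "P@ssw0rd", "lantern-quartz-mosaic-fjord"]:
        n = breach_count(pw, index)
        print(f"{pw!r}: {'seen %d times, do not use' % n if n else 'not in corpus'}")
```

Anything that comes back with a non-zero count is already in the attackers’ dictionaries and should be replaced, however strong it looks. Note that “P@ssw0rd” is in the constructed corpus on purpose: leetspeak variants of common words are in the real one too.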
Make It Long
Your password should be at least 8 characters long, but longer is better, and length does more for you than any other single change. Every character you add multiplies the number of candidates an attacker must try by the size of the character set. With lowercase letters only, an eight-character password has 26^8 (about 2×10^11) possibilities, a nine-character one has 26 times that, and a twelve-character one has 26^12 (about 10^17). A rig that tests ten billion guesses per second against a fast, unsalted hash exhausts the eight-character space in under a minute but needs on the order of a hundred days for twelve characters. Two caveats: the real time depends entirely on how the site hashed your password (bcrypt or Argon2 is thousands of times slower per guess than MD5 or SHA-1), and a sequential string like “abcdefgh” is in every wordlist, so it is found on the first pass regardless of its length.
Replace Your Password with a Passphrase
So, we’ve determined that longer passwords are harder to crack, but that can also mean they’re harder to remember. Instead, think of your password as a series of words strung together in a phrase. Take three or four words that are completely unrelated and turn them into a phrase (“CorrectHorseBatteryStaple”). Two things make this work: the words must be picked at random (a lyric, a quotation or your kids’ names is a phrase an attacker can guess), and there must be enough of them. Four words chosen at random from a list of a few thousand is worth roughly a nine-character random alphanumeric string; six such words is beyond what any cracking rig can enumerate. As you’ll see below, the mixed-case and symbol tricks are optional dressing on top of that; they don’t replace it.
Use the Whole Keyboard
When you only use lowercase letters, there are 26 different characters that can appear in each position. Adding uppercase doubles that to 52. Adding the ten digits (0-9) brings it to 62, and the 33 printable symbols on a US keyboard (@, %, #, space and the rest) bring the full printable ASCII set to 95. The effect compounds with length: an eight-character password drawn from all 95 characters has about 30,000 times as many possibilities as an eight-character lowercase one. There’s a catch, though. Crackers don’t search the whole space; they start from words and apply rules, and “P@ssw0rD” is just “password” with two capitals and the two most common substitutions, so it falls almost as fast as “Password” does. Mixed characters only help when they aren’t a predictable transformation of a word. Also note that four extra lowercase characters (26^12) beat the whole keyboard at eight (95^8), so if you have to choose, choose length.
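To put numbers on the three sections above (length, passphrases and character set), here is an added example in Python, not code from the original post. It computes the search space, entropy in bits and worst-case exhaustion time for character-based passwords and for word-based passphrases, and generates a passphrase with a CSPRNG. The guess rate, the eight-word demo list and the 7776-word Diceware list size are assumptions stated in the code.

```python
import math
import secrets

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 26+26+10+33 = 95 printable ASCII
DICEWARE_LIST_SIZE = 7776                        # 6^5 words in a standard Diceware list

# Constructed eight-word list for generate_passphrase(); a real list has thousands.
DEMO_WORDS = ["lantern", "quartz", "mosaic", "fjord", "velvet", "tundra", "pickle", "orbit"]

# Assumption: ten billion guesses per second, a plausible GPU rate against a fast,
# unsalted hash. Against bcrypt or Argon2 the rate is thousands of times lower.
GUESSES_PER_SECOND = 1e10


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings an attacker must try in the worst case."""
    return alphabet_size ** length


def passphrase_space(list_size: int, words: int) -> int:
    """Same idea for a passphrase: each word is one 'character' from a big alphabet."""
    return list_size ** words


def entropy_bits(space: int) -> float:
    return math.log2(space)


def exhaust_seconds(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate at the given rate."""
    return space / rate


def generate_passphrase(words: int, wordlist=DEMO_WORDS, sep: str = "-") -> str:
    """Pick words with a CSPRNG, never with random.choice or by hand."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def describe(label: str, space: int) -> str:
    days = exhaust_seconds(space) / 86400
    return f"{label:<28} {entropy_bits(space):5.1f} bits  {days:12.3g} days"


if __name__ == "__main__":
    full = LOWER + UPPER + DIGITS + SYMBOLS
    for length in (7, 8, 9, 12):
        print(describe(f"lowercase x{length}", search_space(LOWER, length)))
    print(describe("full keyboard x8", search_space(full, 8)))
    for n in (4, 6):
        print(describe(f"{n} random Diceware words", passphrase_space(DICEWARE_LIST_SIZE, n)))
    print("example passphrase:", generate_passphrase(4))
```

The table it prints makes the trade-off concrete: twelve lowercase letters outrank eight characters from the full keyboard, and six random Diceware words outrank both by a wide margin. These are worst-case numbers for a truly random choice; a dictionary word or a pattern is found long before the space is exhausted.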
Don’t Rely on a Single Dictionary Word
The general rule is that if your whole password, or the part that carries its strength, is a single word that can be found in a dictionary, you need to start over. Cracking tools take a dictionary as the starting point and apply mangling rules to every entry: capitalize it, append digits, a year or punctuation, swap a for @, e for 3, l for !, and so on. After single words (“horse”) they combine words (“horsebattery”), and the substituted forms (“hors3ba!!ery”) come out of the same rules, so that passphrase is nowhere near as strong as a random 12-character string even though no dictionary contains it. What actually defeats a dictionary attack is the number of words and the fact that you chose them at random: each additional random word multiplies the attacker’s work by the size of the wordlist, which is far more than any substitution adds. If you do substitute, pick something that isn’t on the standard list, and treat it as a bonus rather than the foundation.
Keep Your Passwords Fresh
Some websites still force you to reset your password every 90-120 days. That used to be considered good practice, but current guidance (NIST SP 800-63B) recommends against forced periodic rotation, because it pushes people toward weak, predictable variations without doing much against an attacker who already has the password. What you should do is change a password promptly when there is a reason to: the site announces a breach, the password shows up in a breached-password check, you shared it with someone, or you typed it into a page you now suspect was a phishing site. When you do change it, create a completely fresh one, not the next entry in a series made by taking the old password and adding a “1” or a “2” at the end. Hackers know that users loathe memorizing something new, so incrementing the old password is the first rule they try.
Putting it all Together
So, what’s a good example of a strong password? I’m glad you asked. The shape we like is a passphrase of four or more unrelated words, picked at random rather than from a song or a saying, which you can then dress up with case, digits and symbols if you want: Corr3ctHors3Ba!!eryStapl3 has that shape. It’s easy to remember, and the bulk of its strength comes from the number and randomness of the words. The substitutions here are the standard ones every cracking rule set tries, so count on the words, not the symbols.
If mixed-character passwords are hard to remember, current guidance (NIST SP 800-63B) says a long passphrase needs no composition rules at all, and a number or punctuation at the beginning or end is acceptable. So, CorrectHorseBatteryStaple@2018 has the same shape, though note that a trailing year or “!” is the first thing an attacker’s rules append; it’s the words, not the suffix, that are doing the work.
IMPORTANT: DON’T use any of the passwords shared in this post! Just like any password that is compromised in a data breach, publicly posted passwords get added to the same password dictionaries, rendering them immediately compromised. Remember to be unique.
Now, go forth and update your passwords!