Password strength is a common discussion topic, and people still don’t understand the importance of it. If you Google “most common passwords” you will see that people still use passwords such as: password1234, p4ssw0rd or even 123456.
People then think they are safe, but is this sense of security real security? Not really.
What makes a safe password? Instantly you will think of the validation rules that most websites enforce. Yes, the websites that ask you to have 8 characters, one capital letter, one number and one special character.
But is that strong enough? Not really.
Let’s suppose that you can use 8 characters to form a password, and you can only choose normal characters from the keyboard (all visible characters present on your keyboard), so we limit it to the ASCII characters from 33 to 126, leaving us a total of 96 characters to choose from.
This means there are trillions of combinations, but take into account that computers can do millions of operations per second, so that is not a big number for a computer. Now consider a password that is 20 characters long but uses only the 26 letters of the alphabet: no numbers, no special characters and no capital letters. Surely a 20-letter password like that will not be very secure?
Well that was unexpected! There are a lot more combinations even with just lowercase letters.
By now you are probably starting to get it: a secure password involves a lot of characters, and the more the better.
To test this theory, we used an online password meter to see how our different passwords perform. Note that this is an estimate; you shouldn’t take the crack times literally, as computers are always improving.
Do these tests correspond with the theory explained earlier? Surprisingly, yes. The commonly used “password” and “p4ssw0rd” might be cracked instantly because they are dictionary words, with or without numbers substituted for vowels. You won’t be the first to change an “a” into a “4”!
What most websites consider a safe password, for example “g4$bHabU” (it has 8 characters in total with lower and upper case letters, numbers and special characters) is not secure enough as it can be cracked in about 9 months.
Now if you expect me to say all your passwords should be 20 random letters because it will take 5 billion years to crack, I am going to disappoint you. Yes, that is the most secure password of all the ones tested, but who is capable of remembering it? Not many people. However, if you use a relatively long password made of easy-to-remember words with a few random characters added, like “!tarantula.sand.banana.helicopter?”, you get a really safe password.
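To put numbers on the argument above, here is an added Python calculator (not from the original post) that computes the size of the password space, its entropy in bits and the worst-case time to exhaust it at an assumed rate of one billion guesses per second. The printable range ASCII 33 to 126 is computed directly from those bounds (it holds 94 symbols), and the third case goes beyond the post by treating a word-based passphrase the way an attacker who knows the scheme would search it: as four words drawn from a 7776-word list (the Diceware size).

```python
import math

# Assumed guess rate for the comparison; a constructed figure, not a measurement.
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabets discussed in the post: printable ASCII 33..126 and lowercase letters.
PRINTABLE = 126 - 33 + 1   # 94 symbols
LOWERCASE = 26
# Assumed word-list size for a scheme-aware attack on a word-based passphrase.
WORDLIST = 7776


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy for a password chosen uniformly from `space` candidates."""
    return math.log2(space)


def years_to_exhaust(space: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate / SECONDS_PER_YEAR


def compare(cases):
    """Map each (label, alphabet_size, length) to (keyspace, bits, years)."""
    result = {}
    for label, alphabet_size, length in cases:
        space = keyspace(alphabet_size, length)
        result[label] = (space, entropy_bits(space), years_to_exhaust(space))
    return result


CASES = [
    ("8 printable chars", PRINTABLE, 8),      # the typical website minimum
    ("20 lowercase letters", LOWERCASE, 20),  # the post's long, simple password
    ("4 words from a list", WORDLIST, 4),     # scheme-aware view of a passphrase
]

if __name__ == "__main__":
    for label, (space, bits, years) in compare(CASES).items():
        print(f"{label:22s} {space:.3e} candidates {bits:6.1f} bits {years:.3e} years")
```

Length wins even with a tiny alphabet: the 20-letter case has roughly 94 bits of entropy against about 52 bits for 8 printable characters.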
Multiple passwords
Now that we understand how to make a secure password, we need to understand that you cannot use one password for everything, because once someone has your password, no matter how secure it is, they will have access to all your accounts.
How to prevent this?
Really easy: make a base password and change part of it depending on the website you are using it for, like in this example:
- Facebook: “!tarantula.friends.banana.helicopter?”
- Twitter: “!tarantula.eagle.banana.helicopter?”
- Pinterest: “!tarantula.camera.banana.helicopter?”
- Gmail: “!tarantula.postman.banana.helicopter?”
As you can see, the passwords are still considered secure and they are easy to remember. Of course this comes at a price: once someone gets hold of one of these passwords, the shared pattern (combined with some social engineering) might give away the remaining ones. But that is part of the next chapter.
Password expiry
Every now and then we hear stories about hackers who manage to get access to the passwords of one website or another; this shows us that even if our passwords are secure, other factors might expose them to other people.
Against this problem there is only one solution: change your passwords frequently. Did you know that Hotmail has a feature that forces you to change your password every 72 days? This is a perfect feature because even if someone gets hold of your password, it will be worthless in less than 72 days.
Safe practices
I have shown you how to create a set of secure passwords that will be really difficult to crack, but it won’t help you if your first action is to save them in a clear-text file (Word, Excel) on your desktop, or to let your browser auto-fill them. If someone gets access to your computer through a virus you will be in big trouble: they know where every major browser keeps its stored passwords, and every clear-text file named “passwords” will be retrieved.
So how do you make it difficult for hackers to get all your passwords? If you have more passwords than you can remember, even with the previous tricks, there are a few options for you.
LastPass
LastPass is an online password vault: you can store all your passwords securely and access them from anywhere in the world. You only have to remember the master password, which of course has to be the most secure password you have.
KeePass
KeePass is similar software, except that your passwords are stored offline instead of online. This has advantages and disadvantages: if you lose the password file, you lose all your passwords; on the other hand, if the internet goes down, you still have all of them.
Paper
Depending on how sensitive the passwords are, you can write them down on paper. This means that regardless of how good the hacker might be, unless they come to your home, the passwords will be safe. If you choose this option, don’t frame the paper with your passwords; hide it a little.