“Password must contain at least one uppercase letter, symbol, and number!”
I’m sure we’ve all seen this phrase when signing up for a new account online. In the earlier days of the web, there wasn’t as much concern about web security, so simple passwords were quite common. But while plain passwords are easy to remember, they are incredibly insecure.
Let’s take a look at the first five entries in SplashData’s 25 worst passwords of 2013:
Enticing though they may be, those five passwords could be guessed in under a second. And that’s using just a desktop computer!
In our line of work, when handling client information online, we commonly run into passwords structured something like “arthur42”: just a name or a word followed by a number. You might think that the number makes it secure, but in reality it makes the password only marginally harder to crack. Rather than an instant guess, the estimated cracking time jumps to 11 minutes. Capitalizing the “A” raises that to a whopping 15 hours, but I think we can do even better.
When a website urges you to add a symbol and number to your password, you may find yourself wondering, “What good will that really do?”
Going back to our example above, let’s try adding another number and a single symbol. “Arthur423$” would take 58 years. That’s 1,411 times longer than the password above! While that’s definitely an improvement and you’re vastly better off using that than “arthur42,” we can still do better.
The reason these simple passwords are easy to crack is that the automated tools used to crack them draw on a huge dictionary of words. They automatically (and very quickly) try those words and variations on their spelling and capitalization, appending numbers and symbols to them, until they get a match. So while adding a single “$” or “3” doesn’t solve the problem on its own, you can see how using symbols and numbers can greatly boost the security of your password. Less than a second to 58 years is quite a jump!
So, what would we consider to be a good, strong password? I personally use a random password generator that just now gave me “M$j%[email protected]*O.” Using the same parameters used to gauge “arthur42,” it would take your average desktop PC 16 billion years to crack it. Since that’s 3 billion years longer than the age of the universe, I think we’ve found our secure password.
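To make the dictionary-versus-brute-force point concrete, here is an added example (it is not code from the original post, and it is not the tool whose figures are quoted above) that estimates how many guesses each strategy needs for a given password. The tiny wordlist, the assumed dictionary size of 100,000 entries, the assumed rate of one billion guesses per second, and the random sample password are all constructed assumptions, so the times it prints will not match the article’s numbers; the ordering of word-based versus random passwords is what it shows.

```python
import re
import string

# Constructed sample wordlist standing in for an attacker's dictionary; a real
# cracking dictionary is far larger, which ASSUMED_DICTIONARY_SIZE models.
SAMPLE_WORDLIST = {"arthur", "password", "letmein", "monkey", "dragon"}
ASSUMED_DICTIONARY_SIZE = 100_000   # assumption, not a figure from the article
ASSUMED_GUESSES_PER_SECOND = 1e9    # assumption: a fast hash on one desktop machine

# A word, then optional digits, then optional symbols: the "arthur42" shape.
WORD_SUFFIX = re.compile(r"^([A-Za-z]+)([0-9]*)([^A-Za-z0-9]*)$")


def charset_size(password):
    """Size of the alphabet a blind brute-force search has to cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # the 32 printable ASCII symbols
    return size


def brute_force_guesses(password):
    """Worst case for an attacker who knows nothing about the structure."""
    return charset_size(password) ** len(password)


def dictionary_guesses(password):
    """Guesses a word+suffix attack needs, or None if the password does not
    have that shape (i.e. the word part is not in the dictionary)."""
    m = WORD_SUFFIX.match(password)
    if not m or m.group(1).lower() not in SAMPLE_WORDLIST:
        return None
    word, digits, symbols = m.groups()
    case_variants = 1 if word.islower() else 2   # try lowercase, then Capitalised
    return (ASSUMED_DICTIONARY_SIZE * case_variants
            * 10 ** len(digits)
            * len(string.punctuation) ** len(symbols))


def expected_guesses(password):
    """A cracking tool effectively uses whichever strategy is cheaper."""
    brute = brute_force_guesses(password)
    dic = dictionary_guesses(password)
    return brute if dic is None else min(brute, dic)


def seconds_to_crack(password, rate=ASSUMED_GUESSES_PER_SECOND):
    # On average the right guess turns up halfway through the search space.
    return expected_guesses(password) / 2 / rate


def human_time(seconds):
    for unit, length in (("years", 365 * 86400), ("days", 86400),
                         ("hours", 3600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # The last password is a constructed random example, not the article's.
    for pw in ("arthur42", "Arthur42", "Arthur423$", "M$j%Xq7vK@aO"):
        print(f"{pw:14s} charset={charset_size(pw):3d} "
              f"guesses={expected_guesses(pw):.2e} "
              f"time~{human_time(seconds_to_crack(pw))}")
```

The estimator deliberately returns the cheaper of the two strategies: a word-plus-digits password is charged only for the dictionary walk, while the random password is charged for the full alphabet raised to its length, which is why length and randomness matter more than a single appended symbol.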
“M$j%[email protected]*O” may be secure, but it’s not very easy to remember. Some people come up with memory tricks to remember their passwords, but that’s not always possible. So what are our options? How can we be secure, but not have to rack our brains trying to remember dozens of super-complicated passwords?
Personally, I use a password manager. A password manager is a program that keeps track of your passwords for you in an encrypted database. It requires you to memorize only one super-strong master password to get access to all of your accounts. Now, this may seem like an “all your eggs in one basket” approach, but any good password manager will require multiple means of verification (commonly known as two-factor authentication). That way you — and only you — can have access to your passwords.
My preferred manager at the moment is KeePass, which allows you to store your passwords in a secure, encrypted database file. To unlock that encrypted file, you can utilize up to 3 methods of verification: encryption key file, password, and Windows account verification (which will limit access to the database to the user who created it). I utilize the encryption key file and a strong password. The downside to KeePass is that it requires a good bit of setup and a little extra know-how to use it effectively.
A more user-friendly option is LastPass, which exists as a website and browser plugin for managing passwords. The major advantage LastPass has over KeePass is that the browser plugin detects which site you’re attempting to log into and auto-populates the login form for you. The major disadvantage is that your encrypted passwords are stored on a third party’s server rather than locally on your own machine. But since LastPass also offers two-factor authentication via several mobile apps for an extra layer of security, it’s still a strong option — and much preferable to “arthur42.”
While prompts to create a stronger password may seem like an annoyance or inconvenience, the value of a strong password cannot be overstated. The easiest way for someone to gain unwanted access to your email, social media, or other online accounts is by guessing your password. The weaker the password, the easier this becomes. Tools like LastPass and KeePass can be very helpful for utilizing strong, complicated passwords without the hassle of having to memorize them.
Tagged: best practices, online security, password, security