Your password is too short. Now it needs to include a number. Don’t forget to add a special character.
Passwords are frustrating to most people on the Internet. Balancing between something strong enough to keep you from getting hacked and easy enough to remember is tough.
Why are strong passwords important, and how can you keep track of them? Let’s look at some best practices to keep your accounts safe.
Your Email Password Is More Important Than You Think
I’m always surprised how most folks treat access to their email. “So what if they get my email password? It’s just my email.” That’s a phrase I seem to run across every time I discuss password security.
The truth of it is, if someone looking to do damage to you gains access to your email, they own you. Every account you have sends the password reset to your email. So, if a bad guy gains access to your email, they have access to your bank, credit card, and any number of other accounts.
Since your email gets tied to so many other accounts, your email password should be among the strongest you have and should never be reused anywhere else.
Speaking of reusing passwords…
Use a Different Password for Every Account
Brute force is one of the more common methods bad actors use when trying to steal credentials. Brute force involves guessing passwords randomly as fast as the system will allow in hopes of guessing correctly.
Most well-built websites will see someone attempting to brute force guess a password and will make efforts to stop them; usually, this is as simple as not letting them try for a short time. But, if you have an account on just one poorly coded website, it might not prevent someone from eventually guessing your password using brute force.
Having one account compromised is bad enough. If you reuse your password, having one compromised account means all your accounts are compromised.
Don’t Use Confidential Information
You might think that using a combination of some pseudo-personal information makes your password easy for you to remember. And you would be right. But it also makes your password far easier to guess.
If you are on social media, your birthday, your phone number, and the names of your spouse, children, and pets are trivial to find. However, even if you are not on social media, this information is still relatively easy to find.
Some people even use their social security number as a password, but the truth is, your SSN isn’t nearly as confidential as you think it is. Your social security number has likely already been part of a data breach, but if not, someone guessing your SSN-based password gives them both your password and your social security number.
Avoid Common Passwords
Whenever there is a data breach that includes passwords, I’m always amazed by how many people use very common passwords.
You might think you’re clever setting your password to ‘qwerty,’ but that’s been one of the top 10 most common passwords since we began using passwords. The same goes if your password is ‘123456,’ ‘password,’ or ‘princess.’
So, if you find your password on a list of most common passwords, it’s time to change it. If you use one of the passwords and someone tries guessing your password, these will be the first ones they try, and it’ll take far less than a second for them to run through the whole list.
Avoid Using Single Words
If you look at the most commonly used passwords above, you’ll notice that many of them are straight out of the dictionary. With just under half a million words in the English language, you might be left with the impression that an obscure word would make a good password.
But computers are quite fast, and if you give them a list (for instance, the dictionary), they can click through all the words in it pretty quickly. When you start guessing thousands of guesses every second, cranking through the dictionary takes only minutes.
Much like the brute force attack, this is one of the more common ways someone will try to guess your password. It’s (not so creatively) called a Dictionary attack.
Length Is More Important Than Complexity
A longer password is usually more difficult to guess than a shorter one, even when the shorter one is more complex because the total number of combinations multiplies with every character you add.
If you have a super complex, 6-character password (complete with uppercase, lowercase, numbers, and symbols), someone intent on guessing your password can try every combination in well under a day.
However, a 16-character, lowercase-only password would take several thousand millennia to guess every possible combination.
But Complexity Still Matters
Even though that 16-character, lowercase-only password is incredibly hard to guess, adding extra complexity to the password makes it virtually impossible.
I say “virtually” because it is still possible that someone gets lucky and guesses your password on the first attempt. But to guess it within a few years would take some winning-the-lottery-multiple-times-in-a-row luck.
If we add uppercase letters, numbers, and symbols to the 16-character password, we go from several thousand millennia to several million millennia to guess every combination.
Make Your Passwords Truly Random
The best password is one you can’t remember yourself. A genuinely random, 16-character password that includes upper- and lowercase letters, numbers, and special characters is incredibly hard to guess.
Don’t trust yourself to randomly pick your password because we’re all human and will fall into bad habits like selecting predictable patterns. Instead, you’ll be better off using a generator like passwords-generator.org.
They also have a nice feature that will not use similar characters (“Is that a zero or a capital O?”) and ambiguous characters (“What that a curly brace or a square brace?”). This relieves the frustration of figuring out if that character is a “1” or a lowercase “L” and doesn’t make your password significantly easier to guess.
And, while I can almost hear you ask, “If I can’t remember my password, how will I ever remember my password?” The answer is that you should…
Use a Password Manager
So, now you have genuinely random passwords unique to every one of your accounts, and you can’t remember any of them. So, how are you ever going to know your password?
You can use a password manager. There are several outstanding password managers out there. LastPass and DashLane both have “free for personal use” accounts likely to be all you ever need. Another is 1Password, which doesn’t have a free tier but is still competitively priced compared to the other’s non-free versions.
Another option is the good, old-fashioned pen and paper. There’s nothing wrong with keeping all of your passwords in a notebook. (Address books work well, where you can put “Facebook” on the F page where you can easily find it later.) Just be sure to keep your password book in a safe place.
One method to stay away from is storing your passwords in a file on your computer. All it takes is a quick bit of malware, and every one of those once secure passwords are compromised.