Passwords are a necessary evil if you use a computer and the Internet for almost anything these days. A typical user has to remember 19 passwords on average, and a whopping 80% of us use the same password for multiple online accounts. Password-cracking technology has changed over the years and the definition of a “strong password” evolves over time. Some years ago, a strong password required about 8 characters, with mixed cases, at least one number and one special character, and could not contain words found in the dictionary – something like this: j6tLwFJ!.
Here’s the good news. Security experts are now saying that a very long password, even if it is made up of words found in the dictionary, is more secure than a short, complex password.
In an offline attack scenario (100 billion guesses per second) it will take only three days to crack j6tLwFJ! but 203 billion years to crack Pop!GoesTheWeasel. Which of these two passwords would you rather memorize? This is not to say we should use passwordpassword as a password. The calculation above is based on the time required to mathematically run through every permutation of the characters used. In practice, no attacker will start by breaking a password this way. Cracking programs will first try the most popular words used as passwords, such as password, iloveyou, monkey, football, baseball, dragon, abc123, 12345 (and the longer runs up to 123456789), qwerty, letmein, superman, batman, and common names such as Michael, Thomas, Jennifer, Jordan, and Charlie.
My favourite way to pick a password is to use the first character of each word in a sentence of about 14 words and add a special character or two:
MhgfpiMM90Y!49 = My holy grail fountain pen is MontBlanc Meisterstuck 90 Years 149
The time required to crack this password in an offline attack scenario is two billion years.
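To make the arithmetic behind these figures concrete, here is a small strength checker written for this article (it is an added example, not code from the original post or from any online checker). It assumes the 100 billion guesses per second offline rate quoted above, a 94-character printable alphabet (26 lowercase, 26 uppercase, 10 digits, 32 symbols), and a constructed wordlist of the popular passwords and names mentioned earlier. Because the alphabet assumptions differ from whichever tool produced the "three days" and "203 billion years" numbers, the absolute years it reports differ too, but the two points the article makes survive: brute-force time grows exponentially with length, and a long password built from a common word still fails because a wordlist attack finds it long before brute force would.

```python
import math
import string

# Assumed offline attack rate from the article: 100 billion guesses per second.
GUESSES_PER_SECOND = 100_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample of the "most popular" passwords and names that cracking
# tools try first. A real wordlist is millions of entries; this is illustrative.
COMMON_WORDS = {
    "password", "iloveyou", "monkey", "football", "baseball", "dragon",
    "abc123", "12345", "123456", "1234567", "12345678", "123456789",
    "qwerty", "letmein", "superman", "batman",
    "michael", "thomas", "jennifer", "jordan", "charlie",
}


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password draws from.
    Classes assumed here: lowercase 26, uppercase 26, digits 10, symbols 32."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Brute-force search space expressed in bits: length * log2(alphabet)."""
    return len(password) * math.log2(alphabet_size(password))


def brute_force_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to enumerate the whole keyspace alphabet**length at `rate` guesses/s.
    This is the worst case for the attacker; on average they finish in half the time."""
    keyspace = alphabet_size(password) ** len(password)
    return keyspace / rate / SECONDS_PER_YEAR


def dictionary_hit(password: str) -> bool:
    """True if the password is a common word, a common word repeated, or a common
    word padded with a few digits: the patterns a wordlist attack tries first."""
    p = password.lower()
    if p in COMMON_WORDS:
        return True
    for word in COMMON_WORDS:
        if p.startswith(word):
            rest = p[len(word):]
            # e.g. "passwordpassword", "monkey123"
            if rest == word or (rest.isdigit() and len(rest) <= 4):
                return True
    return False


def assess(password: str) -> dict:
    """Combine both views: a wordlist hit is weak regardless of brute-force time;
    otherwise anything that falls in under a year at the assumed rate is weak."""
    years = brute_force_years(password)
    if dictionary_hit(password):
        verdict = "weak"  # found by a wordlist long before brute force matters
    elif years < 1:
        verdict = "weak"
    else:
        verdict = "strong"
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(entropy_bits(password), 1),
        "years": years,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for pw in ["j6tLwFJ!", "Pop!GoesTheWeasel", "passwordpassword", "MhgfpiMM90Y!49"]:
        r = assess(pw)
        print(f"{pw:20} len={r['length']:2} alphabet={r['alphabet']:2} "
              f"bits={r['bits']:5} years={r['years']:.3g} -> {r['verdict']}")
```

With these assumptions the 8-character j6tLwFJ! falls in well under a day, the 17-character Pop!GoesTheWeasel needs on the order of 10^14 years, and passwordpassword is flagged weak by the wordlist check even though its raw brute-force figure looks respectable. The 14-character sentence-initials password from the article lands at roughly 1.3 billion years, in the same range as the two billion years quoted.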
If you are not sure whether your password is strong enough, there are online password strength checkers you can use. Here are a few examples:
So now you have a super secure password. You have a perfect sentence that you can remember well and you can fit in numbers and special characters nicely. It is tempting to reuse this on all your online accounts. You may argue that you only go to reputable websites of big companies. It should be safe, shouldn’t it? Remember the Heartbleed bug in 2014? This bug was in the OpenSSL cryptography library, which is used by two-thirds of the websites on the Internet. The compromised or vulnerable websites included Instagram, Facebook, Pinterest, Amazon Web Services, Tumblr, Google, Yahoo, Etsy, GoDaddy, Flickr, Netflix, SoundCloud, YouTube, and Dropbox. Still not convinced? Have a look at this interactive infographic.
Even if you have a very good memory, remembering 19 sentences (and which one is for which online account) is still quite challenging. This is where password managers come in handy. For a nominal annual fee, password managers keep track of all your passwords in encrypted format so you need to remember just one master password to unlock your password manager. Most of them allow you to sync across multiple devices so you will always have access. You can also use a password manager to generate strong, difficult-to-break passwords.
You might ask whether password managers are safe. After all, two well-known password managers, Dashlane and LastPass, were both affected by the Heartbleed bug. Password managers keep track of all your passwords and “safe notes” such as credit cards and bank accounts. You have a lot riding on the password manager’s integrity as a strong gatekeeper. There have been debates and studies detailing web flaws, authorization flaws, user interface flaws, and, last but not least, the bookmarklet flaw. There is a calculated risk in everything, and security is often a trade-off with convenience. Password managers automatically fill in your user name and password for you to save you the trouble of manually entering a random string of characters, and it turns out that this is not easy to do securely. That said, it is still better to use difficult-to-guess passwords and a password manager than to reuse an easy-to-guess password across multiple websites, and until wearable authentication technology matures, this is as painless as it gets.