- Unique: Don’t use the same password twice.
- Random: Use a password generator to create highly complex passwords which take advantage of the maximum length and character types allowed by the service.
- Password Manager: Securely store your passwords so that they are accessible from any device you use.
How Do Passwords Get Broken?
Before we get to what strong passwords look like, it is important to understand how they are breached in the first place. How do attackers figure out your password? There are generally two types of potential attackers, and each follows a different strategy.
- Attacker #1 knows you. It might be a family member such as a spouse or child, or it could be someone in your office. This kind of attacker is someone who will try to guess your password based on what they know about you. They might try your children’s names and birthdate combinations, pets’ names, your favorite vacation spot, etc. This kind of guessing based on known information is a form of social engineering attack. Though unpleasant to consider, we have to think about how to defend our data against people we are close to.
- Attacker #2 knows nothing about you. They are not going to attempt to play the game that attacker #1 did. Attacker #2 is going to use software to try millions of possible combinations to randomly stumble upon your password. This attacker is going to do the same thing to thousands or millions of other accounts, so they are looking to break the weakest of passwords. This attacker’s software will combine words from the dictionary, names, numbers, and other common bits of info that people tend to include in passwords to make them feel personal and easy to remember.
The kinds of passwords people typically use are designed to work for them and to be easy to remember. In order to be easy to remember, they use references which are personal and, unfortunately, weak against both forms of attack I have just covered.
Rules for Strong Passwords
The first rule is that every account in your life must have a unique password. Absolutely never use the same password twice because that is one of the easiest ways to fall victim to the domino effect where one breached account gives the attacker access to other accounts. (Take, for example, the case of John Podesta.)
A strong password strategy is a combination of a highly complex password and a way to remember or retrieve it. A weak, easy-to-remember password is easy for an attacker to break, and a complicated password you can’t remember won’t do you any good either. I will cover some tools for securing and storing passwords in the next section, but for now let’s talk about what makes a strong password.
The first thing to consider when crafting a password is that you want to take advantage of all of the options a given site, service, or form will allow. Common options include:
- upper and lowercase letters
The strongest possible password for a given service will use all of those options while being the maximum allowed length. Length can be hard to determine, and not all sites make their length requirements visible. Just keep in mind that each additional character multiplies the number of combinations an attacker must try, and so improves your odds. The shortest passwords are always the first to be broken by attacker #2’s software.
With that in mind, it is advisable to use a password generator because the best result is made up of random characters. If you want to protect against attacker #1’s tactic, then the best way is to take knowledge out of the equation. Random characters are also a very good defense against attacker #2 who is targeting references, words, and phrases commonly used by people.
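As an added illustration (not code from the original post), the generator below builds a password from every character class a service allows and shows how each extra character multiplies the search space. The character classes beyond upper and lowercase letters, and the guess rate used in the time estimate, are assumptions for the example.

```python
import math
import secrets
import string

# Character classes a service might allow. The page mentions upper and
# lowercase letters; digits and this symbol set are assumed for the example.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def generate_password(length, classes=ALL_CLASSES):
    """Return a random password of exactly `length` characters drawn from the
    given classes, with at least one character from each class so that the
    password uses every option the service allows."""
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES[c] for c in classes)
    # One guaranteed character per class, using the CSPRNG-backed secrets module.
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    # Fill the remaining positions from the full alphabet.
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Shuffle with the CSPRNG so the guaranteed characters land in random positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length, classes=ALL_CLASSES):
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Every additional character multiplies the search space by the alphabet size."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case years for attacker #2's software to try every combination at an
    assumed guess rate (the 1e10/s figure is a constructed illustration)."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)
```

Comparing `years_to_exhaust(entropy_bits(8, ("lower",)))` with `years_to_exhaust(entropy_bits(16))` makes the gap between a short lowercase password and a long mixed one concrete.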
The ideal way to think about passwords is the way you think about physical keys. You don’t really know anything about the specific shape of your key. You don’t know exactly what size each ridge is, or where each peak is located relative to the next. You just reach for your key ring and put the key into the lock. A collection of unique, strong passwords properly secured in a password manager achieves the same effect.
Use A Password Manager
Most people store passwords either in their own head or in a note-taking system with pen and paper. As I have mentioned, a password that is easy for you to remember is probably a weak one. A more complex password written down somewhere physically has other problems. It can potentially be viewed by people in your home, office, or wherever it is stored. And because it is something physical, it exists in that one place and doesn’t travel with you wherever you are. It also cannot be copied and pasted, which makes entry annoying. All of these hassles contribute to people choosing weak passwords. Weak passwords seem to make life easier than strong ones.
That is, until you become familiar with a password manager. A password manager is an app or service which securely stores account information in a vault-like system. All of your data is stored in that secured environment, and then it is up to you to choose a nice strong password to secure the door to that vault. That one password becomes the only password in your life. Every other account login becomes as simple as clicking a button, just like selecting the right key on your keychain.
There are many companies out there offering these services on an individual or corporate scale. Commonly they are cloud-based, so that you can access your passwords via your smartphone and through any computer you use. It is an elegant, modern solution to an old problem.
The primary criticism of this solution is that you are creating a single point of failure. If that vault is accessed illicitly, then the bad guys get everything. In theory, that’s true; however, these password managers understand the threat and offer you many methods of securing your vault that go beyond just a password. Password managers typically implement some form of 2-Factor Authentication.