But the better the password, the harder it is to remember. So what do many of us do? We settle for a simple word or sequence of numbers. Or, if we do create a clever password, we write it down near our computer. Maybe it's so "good," we use it on multiple accounts.
Personal data is regularly stolen from companies, and not just small companies with lax security. Attackers have successfully taken data from companies like Sony, Adobe, Facebook and LinkedIn – companies that manage account information for thousands or millions of people. The username (often an email address) and password pair is the lock you put on your personal information. Once an email address is found and made public, it's only a matter of guessing the password.
Your email address may already be known to hackers. You can explore the collections of known email addresses with sites like: HaveIBeenPwned.com
Sadly, you can’t control how a company treats the data you hand over. And, with each breach, the collection of stolen accounts creates a useful database against which to crack newly stolen names and passwords. Unfortunately, lists of stolen passwords can be bought and sold for years before they come to light. Imagine how much more vulnerable you are if you reuse that password.
Finally, the security landscape changes all the time. Great advice one year, when discovered by hackers, could become bad advice the next. Yearly improvements in technology help hackers as well - for example, quantum computers might make light work of cracking that trillion-year password - or not.
At the very least, prioritize your efforts. For websites or apps that access financial accounts or other sensitive data – you need strong passwords that you don’t use anywhere else. Fix that now!
Here's a fun list of the top 100 worst passwords from 2018
Why? Hackers search for these common passwords first, and that nets them a lot of fish.
Example: Labrador, underwear
Why? It's not hard or time-consuming to compare your password to an entire list of dictionary entries.
Example: for an eight-character password, here's how long it takes to find the password with an offline, fast attack (100 billion guesses per second):
lowercase only: abcdefgh = 2.17 seconds,
add uppercase: Abcdefgh = 9.08 minutes,
add a symbol: Abcdefg! = 7.66 hours,
add a number: Abcdef8! = 18.62 hours.
Why? When you increase the "search space depth" (the number of different characters the attacker has to consider at each position), you increase the time and effort required to guess the password. The search depth of Abcdef8! is 26 + 26 + 10 + 33 = 95. The search space length = 8. The count of all possible passwords with this alphabet size and up to this password's length (an exact-match attacker has to exhaust the shorter lengths too) = 6,704,780,954,517,120.
Strong password example: C4t--------------------- would take 95 times longer to crack than PrXyc.N(n4k77#L!eVdAfp9
Why? Both passwords use the full mix of uppercase, lowercase, numbers and special symbols, so the alphabet is the same 95 characters. The attacker succeeds only with an exact match, and the first password is simply one character longer than the second, which multiplies the time required:
C4t--------------------- = 9.38 hundred billion trillion centuries
PrXyc.N(n4k77#L!eVdAfp9 = 9.88 billion trillion centuries
So both passwords above are great, but you will remember the first: "Cat" with a 4 substituted for the "a", followed by 21 dashes.
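The search-space arithmetic behind the eight-character timings and the "one character longer" comparison above, as an added example (not code from the original page); it assumes the page's 95-character alphabet (26 + 26 + 10 + 33) and its 100-billion-guesses-per-second offline rate, and it reproduces the ~95x ratio rather than the century figures, which depend on the guess rate assumed:

```python
import string

# Constructed assumptions for this example: the page's four character classes
# (26 lower + 26 upper + 10 digits + 33 symbols = 95) and its "offline fast
# attack" rate of 100 billion guesses per second.
GUESSES_PER_SECOND = 100_000_000_000
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def alphabet_size(password: str) -> int:
    """Search-space depth: the sizes of every character class the password draws on."""
    used = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.ascii_uppercase:
            used.add("upper")
        elif ch in string.digits:
            used.add("digit")
        else:
            used.add("symbol")  # anything else counts as one of the 33 symbols
    return sum(CLASS_SIZES[c] for c in used)


def search_space(password: str) -> int:
    """All passwords over this alphabet of length 1 up to len(password).

    Exact-match guessing has to exhaust every shorter length as well,
    which is why the sum runs over all lengths, not just the final one.
    """
    depth = alphabet_size(password)
    return sum(depth ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole search space at the given guess rate."""
    return search_space(password) / rate


def crack_time_ratio(longer: str, shorter: str) -> float:
    """How many times more work the first password costs than the second."""
    return search_space(longer) / search_space(shorter)


if __name__ == "__main__":
    for pw in ("abcdefgh", "Abcdefgh", "Abcdefg!", "Abcdef8!"):
        print(f"{pw}: depth {alphabet_size(pw)}, {seconds_to_exhaust(pw):,.2f} s")
    print("C4t + 21 dashes vs 23-char random:",
          round(crack_time_ratio("C4t" + "-" * 21, "PrXyc.N(n4k77#L!eVdAfp9"), 2))
```

Converting the seconds to minutes and hours gives the 2.17 s, 9.08 min, 7.66 h and 18.62 h figures from the eight-character list.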
Use a full character depth (upper, lower, number, symbol) to create a word or sentence you'll remember - then make it long - pad it with symbols or some pattern unique to you.
The best method is to create strong passwords (as above), use them only once and remember them. If you’re unlikely to do this, a password management tool is next best.
For this option to be useful, you want the ability to sync across all of your devices. You still need to create, or let the tool generate, long complex passwords unique to each account. The advantage here is that you only have to remember the password to the password manager. So make that a good one.
How Big is Your Haystack: lets you experiment with different passwords and estimate the time it takes to guess them.
From Troy Hunt: Here's Why [Insert Thing Here] Is Not a Password Killer. Why passwords are probably here to stay.
A deep-dive discussion of Password Managers from Bruce Schneier on Security.
2020 Reviews of Password Managers:
From cnet.com: The Best Password Managers of 2020 and How to Use Them
From Digital Trends: Best Password Managers
Musings on Quantum computing: Scott's Supreme Quantum Supremacy FAQ!