But the better the password, the harder it is to remember. So what do many of us do? We settle for a simple word or sequence of numbers. Or, if we do create a clever password, we write it down near our computer. Maybe it's so "good," we use it on multiple accounts.
Why should we care?
Personal data is regularly stolen from companies, and not just small companies with lax security. Attackers have successfully obtained data from companies like Sony, Adobe, Facebook and LinkedIn – companies that manage account information for thousands or millions of people. The username (often an email address) and password pair is the lock you put on your personal information. Once an email address is known and public, it's only a matter of guessing the password.
Your email address may already be known to hackers. You can check whether it appears in collections of breached accounts at sites like HaveIBeenPwned.com.
Sadly, you can’t control how a company treats the data you hand over. And, with each breach, the collection of stolen accounts creates a useful database against which to crack newly stolen names and passwords. However, if you use a powerful password, your data isn’t very useful to a hacker.
The good news: There are a couple of reliable approaches.
Finally, the security landscape changes all the time. Great advice one year, when discovered by hackers, could become bad advice the next. Yearly improvements in technology help hackers as well - for example, quantum computers might make light work of cracking that trillion-year password - or not.
At the very least, prioritize your efforts. For websites or apps that access financial accounts or other sensitive data – you need strong passwords that you don’t use anywhere else. Fix that now!
1. Don't use passwords that attackers have already discovered or that are common: if any of your passwords are in the top 20 common passwords of 2019 list, change them now!
Here's a fun list of the top 100 worst passwords from 2018.
Why? Hackers search for these common passwords first, and that nets them a lot of fish.
2. Avoid words that can be found in a dictionary in your language.
Example: Labrador, underwear
Why? It's not hard or time-consuming to compare your password to an entire list of dictionary entries.
3. Mix uppercase, lowercase, numbers and symbols. Doing this increases the "search space depth."
Example: for an eight-character password, here's how long it takes to exhaust the search space with an offline, fast attack (100 billion guesses per second):
lowercase only: abcdefgh = 2.17 seconds,
add uppercase: Abcdefgh = 9.08 minutes,
add a symbol: Abcdefg! = 7.66 hours,
add a number: Abcdef8! = 18.62 hours.
Why? When you increase the "search space depth," you increase the time and effort required to guess the password. The search space depth of Abcdef8! is 26 + 26 + 10 + 33 = 95 (lowercase, uppercase, digits and symbols). The search space length is 8. The count of all possible passwords with this alphabet size and up to this password's length (95^1 + 95^2 + ... + 95^8) is 6,704,780,954,517,120.
4. Length is as critical as, or more critical than, complexity (a bizarre mix of letters and symbols that you'll never remember).
Example: D0g--------------------- would take 95 times longer to crack than PrXyc.N(n4k77#L!eVdAfp9.
Why? The first password is simply one character longer than the second, and the attacker succeeds only with an exact match. Both examples use uppercase, lowercase, numbers and symbols, but the first is one character longer, which multiplies the time required:
D0g--------------------- = 9.38 hundred billion trillion centuries
PrXyc.N(n4k77#L!eVdAfp9 = 9.88 billion trillion centuries
So, both passwords above are great, but you will remember the first: "Dog" with a zero for the "o", followed by 21 dashes.
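The search space arithmetic from items 3 and 4 above, worked through in code. This is an added example, not part of the original page; it assumes the page's 33-symbol class (printable ASCII punctuation plus space) and the 100 billion guesses per second "offline fast attack" rate, and it reproduces the eight-character timings and the 95x length ratio.

```python
import string

# Character classes for the "search space depth" model described above.
# The 33-symbol class (printable ASCII punctuation plus space) is an
# assumption taken from the page's own arithmetic: 26 + 26 + 10 + 33 = 95.
CLASSES = {
    "lowercase": (set(string.ascii_lowercase), 26),
    "uppercase": (set(string.ascii_uppercase), 26),
    "digits": (set(string.digits), 10),
    "symbols": (set(string.punctuation + " "), 33),
}

OFFLINE_FAST_ATTACK = 100_000_000_000  # guesses per second, as stated above


def search_space_depth(password: str) -> int:
    """Alphabet size: the sum of the sizes of every character class present."""
    return sum(size for chars, size in CLASSES.values()
               if any(c in chars for c in password))


def search_space_size(password: str) -> int:
    """Every password over this alphabet with length 1 up to len(password)."""
    depth = search_space_depth(password)
    return sum(depth ** i for i in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, rate: int = OFFLINE_FAST_ATTACK) -> float:
    """Worst case for the attacker: try the whole search space at `rate`."""
    return search_space_size(password) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits, two decimals."""
    units = (("centuries", 3_155_760_000), ("years", 31_557_600),
             ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, span in units:
        if seconds >= span:
            return f"{seconds / span:.2f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    # The page's own sample passwords, plus the two long ones from item 4.
    for pw in ("abcdefgh", "Abcdefgh", "Abcdefg!", "Abcdef8!",
               "PrXyc.N(n4k77#L!eVdAfp9", "D0g---------------------"):
        print(f"{pw:25} depth={search_space_depth(pw):3} length={len(pw):2} "
              f"space={search_space_size(pw):,} "
              f"time={human_time(seconds_to_exhaust(pw))}")
```

The time estimates assume the attacker exhausts the whole space at the stated rate, which is why padding a memorable word to a greater length beats a shorter random string in this model.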
Use the full character depth (upper, lower, number, symbol) to create a word or sentence you'll remember, then make it long: pad it with symbols or some pattern unique to you.
The best method is to create passwords (as above), use them only once and remember them. If you’re unlikely to do this, a password management tool is next best.
For this option to be useful, you want the ability to sync across all of your devices. You still need to create, or let the tool generate, long complex passwords unique to each account. The advantage here is that you only have to remember the password to the password manager. So make that a good one.
At our company we often use 1Password or KeePass, but the reviews listed at the end may help you vet a password manager that makes sense for your situation.
How Big is Your Haystack: lets you experiment with different passwords and estimate the time it takes to guess them.
From Troy Hunt: Here's Why [Insert Thing Here] Is Not a Password Killer. Why passwords are probably here to stay.
A deep-dive discussion of Password Managers from Bruce Schneier on Security.
2019 Reviews of Password Managers:
From cnet.com: The Best Password Managers of 2019
From Digital Trends: Best Password Managers
Musings on quantum computing: Scott's Supreme Quantum Supremacy FAQ!