Passwords are About to get Easier
If I do things right in this blog, by the time you're done reading, you'll have a better understanding of creating a great password and the process won't seem as daunting. We're all told we need strong passwords. But why? What is strong enough? And why must I change my passwords so often? After all, everyone seems to have a zillion passwords nowadays changing them is a PITA. While certain technologies are starting to appear to replace passwords, passwords themselves aren't going anywhere for a while.
Having a secure password means creating a strong password. Password strength is measured by entropy. This is a calculation of how unpredictable a password is. Different systems have criteria for what they consider a strong password. Some older systems only allow for 8 character password, which limits the strength the password can be. With such limitations in length, complexity was entered into our password creation. Complexity refers to adding special characters, lowercase and uppercase letters, and numbers. You can check out password strength calculators on the internet to see the difference in using various characters. Another way to make the entropy greater in a password is to make it longer....very long.
Creating a Great Password
Creating a great password isn't really that difficult. You do need to do it in the confines of the system you need the password for. Systems that require the complexity required above must contain certain types of characters. It doesn't need to be difficult to adhere to these rules and still create a password you can remember. Make substitutions of regular letters with symbols, such as replacing an "S" with a "$". You can do the same with numbers, replacing and "L" with "1" instead. Password complexity rules have been around for a while and even though some are shying away from them now in favor of passphrases, many systems still require complexity. For those systems that do not have a limit on the length of a password, go for the gold and make it a long one! Instead of a password, use a passphrase.
Let's take a look at the difference in length and complexity. We'll start off with a complex password that is 9 characters: I$LmdFvm!
Using a password strength checker we can see that the password wouldn't take very long for a hacker to crack
Now let's take a look at a passphrase: I still love my old dog Fido very much!
You can see it's a lot stronger and easy to remember. But what if we combine the two? Making a Passphrase complex...let's see.
We'll use: I still L0ve my old dog F!do very much!
You can see a HUGE difference. Keep in mind these are by no means set in stone and with technology evolving every day, I doubt that octodecillion year thing will really hold up, but that's a subject for a different blog. This demonstrates the differences length and complexity make in a password/passphrase. Try playing around yourself and see the difference here. Oh, and your password isn't sent over the internet when using this tool, but I still suggest replacing a word or two from what you're going to use. Passphrases are easier to remember and more secure than short, complex passwords.
Changing passwords every so often is something many systems demand that users do. It can be a pain, and most people find their way around it by putting a 1, 2, or 3 at the end of their current password. One person I know told me she has to change her password monthly, so what does she do? She simply adds a 1 after her current password in January, a 2 in February and so on. So, my question to you....do you think an attacker would be smart enough to try that? I do. Some people suggest this change requirement doesn't help with security and just aggravates users. Personally, I believe in changing passwords and do so myself on a regular basis. Where I can use passphrases, I will change a few words in the passphrase, and after a while, I change the passphrase completely. Instead of "I still love my old dog Fido very much!" I may use "I still love my old socks very much!". Do you think an attacker will jump from dog to sock? Still easy for me to remember. Why do I change passwords? I'd rather be safe than sorry. If a system or service I subscribe to has a breach, maybe, just maybe, I'll change my password before an attacker gets to my account info from the breach. Passwords should definitely be changed after a breach, even if one is only suspected.
How many passwords do you have? I don't even want to try to count how many I have. Managing your passwords may be just as important as the passwords themselves. After all, what good is a password if you don't know what goes where and how that information is stored. Many people use spreadsheets to store their passwords. I've also seen passwords stored in Note file on mobile phones. Do you see a problem with this? I do. Excel files are easy to get into and you wouldn't even know it had been done. What if you lose your mobile phone, do you really want someone accessing all of your banking websites?
Enter Password Managers. These programs and services help you manage all of your passwords and keep them secured by encrypting them. Instead of remembering too many passwords to count, you create one very good "master password" to access the others. Most of the services are priced very reasonably for the protection and convenience they give. They also have business versions so owners and managers of companies can distribute accounts and who has access to what information. These services will host your data making it available for you from any internet connected device. Just because these services can hold onto your data, it doesn't mean they can read it. Almost all of the services state right up front, they do not have access to your data saved and if you lose your "master password" you'll lose your data.
Creating a good password doesn't have to be stressful. Where possible, use a passphrase you can easily remember. One older systems with constraints, use some special characters in key places to adhere to requirements, yet still make them easy to remember. I hope this can help you in your daily password usage.