When you ask most people about what makes a great password, their response usually has something to do with the strength (e.g., the use of letters, numbers, special characters) of the password itself. However, in this article, we provide you with a deeper understanding of password practices that could better protect your online accounts and profiles. We discuss why the strength of your password actually doesn’t matter, how passwords are actually compromised, and what you can do to improve your password security.
Why the Strength of Your Password Doesn’t Matter
To many people, the focus of password security starts (and unfortunately stops) with the actual strength of the password itself.
This makes perfect sense given that the first part of the definition of a password is “a memorized secret”. So why shouldn’t the focus be on making said memorized secret hard to guess?
pass·word [/ˈpasˌwərd/]: a memorized secret used to confirm the identity of a user. -Wikipedia
However, in the age of supercomputers, guessing passwords has become extremely easy. This brings up an interesting predicament: we as humans will not feasibly be able to remember passwords strong enough to be unguessable.
We are almost at the point where remembering an extremely strong password is a futile effort. Therefore, we should start to plan for a time when remembering a password is a thing of the past. In the not too distant future, we may look back at password scenes in movies and laugh (similar to when we see someone answering a pager or landline telephone).
Just to drive the point home, a password that is 10 characters long (for example) and includes symbols and numbers has 71.3 quintillion (1.71 x 10^20) possible password combinations.
According to Kaspersky, this would take approximately 526 years for today’s average home computer to crack. This statistic may not impress you, given we will likely be dead before a present-day ‘average’ hacking enthusiast can crack a password of this strength.
However, today’s supercomputers can crack a password of this same strength within a few weeks, and with the rate of increase in processing power and decrease in the cost of computers, hackers could have access to this technology within our lifetime.
Regardless of whether guessing a password is possible, the online platforms and mobile apps we use should not even allow for the 71.3 quintillion guesses to happen in the first place. If the platforms and apps you are using “do security good” they should be employing good password security practices.
One example of a good practice an online platform could employ is limiting the number of times a user can enter a password. This type of limit could prevent a hacker from successfully performing a brute force attack, i.e., an attack where the attacker attempts repeated logins using combinations of letters, numbers and characters in the hope of guessing the correct password. Many online platforms do not use security practices like this because a user who is locked out of their account could become annoyed and stop using their services (hence a hit to revenue).
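As an added illustration of the limit described above (not code from the original article), the following Python sketch tracks consecutive failed logins per account and temporarily locks the account once a threshold is reached, so that even the correct password is refused until the lockout expires. The user store, salt, threshold and lockout length are constructed values for the example; a real system would persist this state and store per-user salts.

```python
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5            # failed attempts allowed before the account is locked
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked (constructed value)
_SALT = b"constructed-salt-for-example-only"


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps each guess expensive for an attacker who steals the store.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed credential store: username -> salted password hash.
USERS = {"alice": _hash_password("correct horse battery staple", _SALT)}


class LoginThrottle:
    """Per-account counter of consecutive failed logins with a temporary lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                 # injectable so tests can move time forward
        self._failures = defaultdict(int)   # username -> consecutive failed attempts
        self._locked_until = {}             # username -> clock value when lockout ends

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:          # lockout expired: clear the account's state
            del self._locked_until[username]
            self._failures[username] = 0
            return False
        return True

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. A locked account refuses even the right password."""
        if self.is_locked(username):
            return "locked"
        stored = USERS.get(username)
        # Hash even for unknown users so response time does not reveal whether the account exists.
        candidate = _hash_password(password, _SALT)
        if stored is not None and hmac.compare_digest(stored, candidate):
            self._failures[username] = 0    # success resets the counter
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= MAX_FAILURES:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
        return "denied"
```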
How Passwords Are Actually Compromised
Password complexity is just the tip of the iceberg when talking about what makes a great password. There are other ways attackers can steal even complex passwords.
In their 2018 data breach report, Verizon stated that “…in fact, passwords regardless of length or complexity are not sufficient on their own” as it relates to protecting a user’s account.
Here are a couple of scenarios that are more likely to happen than a hacker being able to guess your password:
Scenario 1: You wrote your password(s) down or stored it in a file on your computer because it was too hard to remember and then your computer got compromised with a virus which gave the hacker access to the password(s).
Scenario 2: One of the sites you use is breached exposing your password and because your password is too hard to remember you used the same one across multiple sites and now the hacker has access to all of your online profiles.
Scenario 3: You literally give a hacker your password because they sent a very convincing email directing you to give your password up (this is also known as phishing).
In all of the scenarios listed above, there was no need for the hacker to do any password guessing.
Also in all of these examples, regardless of whether the technology exists to achieve a quintillion guesses in under a lifetime, your extremely strong password was breached and could now be used to compromise your cyberself.
So What Makes a Great Password?
Unfortunately, passwords are not going away anytime soon. There simply isn’t an easier (i.e., cheaper) option right now to verify your identity. So, for now, when thinking about what makes a great password, consider these tips and tricks to protect the keys that protect your cyberself.
1. Reduce the number of login credentials you have
One of the easiest ways to reduce the burden of remembering passwords is to simply reduce the number of random login credentials you have to remember. One way to do this is by using ‘social logins’ from sites like Google and Facebook to log in to rarely-used web services or mobile apps.
Social logins can be a great way to simplify your login processes. However, this approach does come with its own risks, namely, privacy. The primary function of social logins is to provide better demographic data to services you associate them with.
So when you choose to access online services with say, a social login from a platform like Facebook, that service now knows everything about your Facebook cyberself. If you choose to use these social login services, you should be mindful of this.
2. Forget your passwords and let a password manager remember them for you
A password manager will take away the burden of remembering passwords in the first place. There are many password managers out there that are free of charge and very easy to use.
You may already use one (e.g., a password remembering feature) if it is incorporated into your cellphone or internet browser. Beyond removing your need to remember all those complex passwords, a good password manager can also help in creating stronger passwords and streamlining the process of changing passwords.
However, you must still take precautions when using these tools to ensure that the master password securing your password manager is strong and secure. For instance, if you are using a password manager on your cell phone or in an internet browser, make sure the device password is strong, so that compromise of the device does not expose all the passwords you are storing in your password manager.
3. Use multi-factor authentication where possible
Once you have limited the number of passwords that you have and have made them stronger, the next step should be to enable multi-factor authentication (MFA) wherever possible.
Availability of MFA varies depending on the web service or mobile app developer. This can range from simply registering a specific device (many sites already force you to do this) all the way to having a unique code sent to your mobile phone (e.g., via SMS/text message) every time you try to log into your account.
MFA provides you with additional assurance that even if a password is compromised, an attacker should not be able to access your online profiles.
The biggest issue people have with MFA is that it can be inconvenient to limit yourself to logging in from a specific device or waiting to receive a secondary code; so consider using this primarily on your most high-risk accounts.
We must point out that security-conscious developers should increasingly be using other MFA methods rather than relying on secondary codes via SMS. There have been many cases of ‘SIM swap’ attacks. This is where attackers compromise SMS as a second factor by making a quick call to the mobile phone carrier to get the victim’s phone number reassigned to a phone controlled by the attacker, allowing them to intercept SMS messages.
4. Sign up for alerting or monitoring services
Finally, to ensure that your passwords have not been breached you should consider enrolling in an identity monitoring service.
These services range from free services like Have I Been Pwned (which can notify you if any of your accounts were included in a data breach) all the way to more formal (and paid-for) identity theft monitoring solutions like the US-based service LifeLock (no affiliation of ours).
This can be a great way to identify whether your passwords have been compromised.
Passwords are not going anywhere for the foreseeable future. It is important to employ sound password security practices to protect your cyberself from evildoers that may target you directly or indirectly through any of your digital assets.
As stated in this article, we recommend you reduce the number of passwords you have through things like social logins, which makes it easier to manage stronger passwords in a tool like a password vault.
Further, we recommend using MFA on your high-risk accounts to make it harder for cyber criminals to compromise your online accounts.
Finally, we recommend signing up for a monitoring service to identify any potential compromises of your passwords so you can quickly change passwords and recover from a hack.