My grandma’s web presence is pretty small and her Gmail account is an archive of funny dog pictures. Having lived through pretty much all of history, she has a pretty high risk tolerance. My financial adviser, on the other hand, has access to some very sensitive information, and bank employees have a mandated low risk tolerance. For grandma’s account, Puppies123 is a totally adequate password. But I really hope my FA has a much stronger password than that.

What does this tell us? The answer to the question, “Is my password strong enough?” depends on 2 bits of context: 1) the sensitivity of the data to be protected, and 2) your risk tolerance.

Bad passwords

Before we discuss what makes a good password, let’s first cover this: What’s a bad password? If any of the following apply, chances are you’ve got a bad password: short, common, simple, easily memorable, or from a dictionary.

After a breach at Adobe, a list of nearly 150 million usernames, passwords and reminder hints wound up on the internet.  With a simple Google search, I was able to find the list in about 5 minutes, and it holds lots of tips for bad guys looking to break into accounts: For starters, nearly 2 million people used ‘123456’ as their password, with close to another half-million people using ‘12345678’. Typically, bad guys trying to hack an account will start with lists of well-known common passwords like this, and these bad guys get good results.

Good and great passwords: Size matters!

If the bad guys wanted to programmatically attack two accounts, one with the password “123456” and the other with “12345678,” the extra 2 characters in the second one make it several orders of magnitude harder to crack. Length and complexity are the critical factors of password strength, and length is the most important. 

Based on that you might think that ‘puppy kitty fish password’  is a pretty long and thus pretty strong password. The only catch is this: The bad guys are very clever.  If I start cycling through dictionary words instead of single characters, that password becomes much simpler to crack.

So let’s look at complexity. Usually that means mixing up letters and non-letter characters, but it’s not always that easy. If I showed you ‘pa$$word’, you’d easily be able to see that it’s ‘password’ with some letters swapped for dollar signs. Though people are good at spotting similarities, as far as a computer is concerned those are two different strings. They don’t match. But here again, the cleverness of the bad guys comes into play: Obviously some characters resemble some letters. So they add permutations to those lists of common passwords, based on visual similarities. They will for sure try both ‘password’ and ‘pa$$word’. Now their lists of common passwords are even more successful. Real complexity goes beyond the easy swaps.
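The same reasoning can be turned into a check a site or a user runs before accepting a password. The sketch below is an added example, not code from the original post: it undoes the easy look-alike swaps before comparing against a common-password list, and it scores a phrase made only of dictionary words by word count rather than character count. The word lists, the swap table and the 100,000-word attacker list size are constructed assumptions.

```python
import math
import re

# Constructed sample lists (assumptions); a real check would load a large
# breached-password list and a full dictionary.
COMMON_PASSWORDS = {"123456", "12345678", "password", "qwerty"}
DICTIONARY = {"puppy", "kitty", "fish", "password", "tool"}
ASSUMED_WORDLIST_SIZE = 100_000  # assumed size of an attacker's word list

# Look-alike swaps that cracking lists already account for.
LOOKALIKES = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l",
                            "3": "e", "!": "i", "5": "s", "7": "t"})

def normalize(pw):
    """Lower-case and undo visual swaps, so 'Pa$$w0rd' becomes 'password'."""
    return pw.lower().translate(LOOKALIKES)

def is_common(pw):
    """True if the password, as typed or with swaps undone, is on the list."""
    return pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS

def charset_size(pw):
    """Size of the printable-ASCII alphabet the password draws from."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
               (r"[^a-zA-Z0-9]", 33))
    return sum(n for pattern, n in classes if re.search(pattern, pw))

def estimate_bits(pw):
    """Rough guessing cost in bits, taking the cheapest strategy."""
    if not pw or is_common(pw):
        return 0.0
    bits = len(pw) * math.log2(charset_size(pw))  # character by character
    words = [normalize(w) for w in pw.split()]
    if all(w in DICTIONARY for w in words):
        # Word-by-word guessing: each word costs one pick from the word list.
        bits = min(bits, len(words) * math.log2(ASSUMED_WORDLIST_SIZE))
    return bits

if __name__ == "__main__":
    for candidate in ("123456", "pa$$word", "puppy kitty fish password",
                      "f%j_9)2#$@Fddsj78 erjkl879FD$#@"):
        print(f"{candidate!r}: ~{estimate_bits(candidate):.0f} bits")
```

Under these assumptions the four-word phrase scores about 66 bits instead of the roughly 147 its 25 characters would suggest, and swapping letters for dollar signs inside it changes nothing.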

Combine the two factors to end up with a password looking something like this: ‘f%j_9)2#$@Fddsj78 erjkl879FD$#@’. This is a great, strong password. 

Of course, you need a new password like this for every site you register with. 

Why so many? Because sharing passwords across multiple services means that if one of them gets breached, all of your accounts across all services are now vulnerable.  A list of passwords, each unique to the service it is used for, increases your safety. 

 

But I’ll never remember that!

That’s OK. You don’t have to remember 100 unique passwords. There are a large number of tools (some free, some paid) that do nothing but securely store lists of passwords. You only have to remember one password — the master password for the tool you’re using.

How do we prevent this from being the weak part of the security chain?

That password should, of course, be long and somewhat complex, but can also be memorable to you. Think “pa$$word tool pa$$word” — but don’t actually use that one, lots of people know it now! Using this strong password, these tools encrypt the database where the passwords are stored. That way, if it is lost or stolen, the effort to break the encryption is well beyond the value of the passwords contained. It isn’t impossible to break, but once you know it’s gone, you spend the time the encryption buys you rotating your passwords.

Don’t put your password on a Post-it note, under your keyboard, etc. and please, don’t share it with anyone!

tl;dr (too long; didn't read) - Use a password tool.  Ensure your passwords are long and complex.  Don’t use a single password across more than one service. Don’t share your passwords with anyone!  If you’ve used a weak password with Wave or used it on other services, please go update your password now!