How Secure Is Your Secure Password?
Simple tips to help make your passwords more secure
Websites and apps sometimes force password rules on users. You’ve undoubtedly come across websites where you have to use a combination of uppercase, lowercase, numbers, and punctuation marks.
These kinds of passwords could actually be less secure than you think.
Rules governing so-called “secure” passwords were devised in 2003. The man who came up with them now thinks they are “misguided”. But why?
When a secure password isn’t secure
Bill Burr came up with the password rules that many websites now use. He included them in a paper for the National Institute of Standards and Technology, and they quickly became adopted as good practice guidelines.
Unfortunately, although the password guidance seemed sound at the time, it encouraged users like you and me to be lazy. And laziness is usually a security killer.
When coming up with a password to meet these requirements, many of us substitute numbers for letters, with a random punctuation mark somewhere.
So something like “mypassword” would become “myp@ssw0rd!”.
But these kinds of substitutions are very easy to crack, even with a basic graphics card and some hacking software available from the darker corners of the web.
There’s another problem, which is highlighted in this article: Burr’s password guidance recommended that every user change their password at regular intervals. This is another cue for users to be lazy, making only slight changes, or recycling close variants of the same password.
According to Dashlane, the average UK internet user has 118 different passwords at any time. It’s no wonder that we recycle them when we’re constantly asked to change them. ( Apple, Microsoft; take note.)
How to come up with a secure password that you can remember
Password managers (like Dashlane and LastPass), as well as some browsers, will generate passwords for you. These random strings are more effective than the ones we try to come up with ourselves.
If you want to come up with a truly secure password yourself, Scientific American has some good advice: it should be a phrase that can’t be guessed by a family member in five tries, and can’t be copied if someone watches you type it once.
It recommends that you come up with a mental picture, convert that into a phrase, and use that as a password.
If that sounds like too much effort, try the strategy recommended by Lifehacker:
Avoid dictionary words, names, and dates
Mix up characters
Make your passwords as long as possible.
The third option is the four-word phrase -- providing you can think of a new, unique, random phrase for each site. It’s a big ask, but it’s a start.
Overall, remember: if you have a system of some kind, then there’s a good chance an algorithm can figure it out. Password managers are by far the safest option.