Do you find yourself struggling to remember your login credentials? It’s no
secret: managing passwords for every single account we have can be frustrating.
However, with the growing number of online accounts and internet devices, it is essential to make sure each one is
secure. In this guide, we'll discuss what makes a password strong, how to
manage them effectively, and why it's so important to do so.
Why do I need a strong password?
There is a vast array of tools attackers can use to gain access to protected
information. However, most security breaches come down to one of two things:
exploiting a weak or common password, or a "brute force attack". In both cases,
the attacker takes advantage of passwords that lack length or complexity.
The danger of using common passwords
To understand why strong passwords are so important, let's first look at the
trouble with weak ones. One of the most commonly hacked passwords is "123456". Let that
sink in.
While your password is probably (hopefully) stronger than that, think about
some of the first passwords you came up with. When we try to come up with
passwords, we tend to turn to personalized details. Birthdays, graduation
years, schools, kid and pet names, favorite bands, and even sports team names
all tend to come to mind, but some people just go with "password123".
Unfortunately, many of these details aren't as unique as you might think.
Hackers often use lists of common passwords to attack large groups of people
at once, and anyone with a weak or common password is typically among the first
victims.
The risk of brute force attacks
A brute force attack is a common and aptly named process that is basically
trial and error on steroids. Theoretically, a person could sit down and
systematically try every combination possible until it works. This would take
forever, but with the aid of a powerful computer, hackers can take millions of
guesses in the blink of an eye.
The truth is, no password is ever uncrackable. The difference between a
strong password and a weak password is the time it takes to crack. While a
5-character password might take 8 hours to crack, a 36-character password might
take millions of years.
What makes a strong password?
Using more characters
If your password contained only numbers, each character could be one of just
ten possibilities (0-9), so an attacker has a 1 in 10 chance of guessing any
given digit by sheer luck. Adding letters (both upper and lowercase) raises the
number of possibilities per character to 62, and adding special characters brings
it to 94. That's a lot of options!
Password Length
While including extra character types definitely makes a password harder to
crack, experts maintain that the best defense is length. Each additional
character multiplies the number of possible passwords by the size of the
character set, so the time required to break it grows exponentially with length. The
difference between 9 and 12 characters is the difference between a few hours
and a few centuries.
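The arithmetic behind the two sections above (character-set size, length, and the common-password lists mentioned earlier) is easy to check for yourself. The following script is an added example, not code from the original article: the guess rate of 1e10 per second and the tiny common-password set are assumptions labelled in the comments, and the keyspace model treats every character as independent, which is the best case for a password and the worst case for an attacker.

```python
import math

# Character-class sizes from the article: 10 digits, 26 + 26 letters and,
# with the 32 remaining printable ASCII symbols, 94 characters in total.
DIGITS, LOWER, UPPER, SYMBOLS = 10, 26, 26, 32

# Constructed sample of a "common password" list; real attacker lists hold
# millions of entries. The first two are the ones the article quotes.
COMMON_PASSWORDS = {"123456", "password123", "password"}

# Assumed attacker speed, not a figure from the article: roughly what a
# single modern GPU manages against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must enumerate to cover passwords
    built from the same character classes as this one (ASCII assumed)."""
    size = 0
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def entropy_bits(charset: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    if charset == 0 or length == 0:
        return 0.0
    return length * math.log2(charset)


def average_crack_seconds(charset: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the keyspace is tried."""
    return (charset ** length) / 2 / rate


def human_time(seconds: float) -> str:
    for name, size in (("years", 365 * 24 * 3600), ("days", 24 * 3600),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def report(password: str, rate: float = GUESSES_PER_SECOND) -> dict:
    """Summarise a password's weakness. A listed password falls instantly,
    whatever its length, so that check comes before any keyspace arithmetic."""
    charset = charset_size(password)
    common = password.lower() in COMMON_PASSWORDS
    return {
        "common": common,
        "charset": charset,
        "bits": round(entropy_bits(charset, len(password)), 1),
        "crack_time": "instant (on a common-password list)" if common
        else human_time(average_crack_seconds(charset, len(password), rate)),
    }


def length_vs_charset() -> dict:
    """Why length wins: 12 characters of the 62-character alphabet outlast
    9 characters of the full 94-character alphabet by orders of magnitude."""
    return {
        "9 chars, 94-symbol alphabet": human_time(average_crack_seconds(94, 9)),
        "12 chars, 62-symbol alphabet": human_time(average_crack_seconds(62, 12)),
        "36 chars, 62-symbol alphabet": human_time(average_crack_seconds(62, 36)),
    }


if __name__ == "__main__":
    for pw in ("123456", "Ab1!", "50-Kittens-played-poker-for-5-hours!"):
        print(pw, report(pw))
    for label, t in length_vs_charset().items():
        print(f"{label}: {t}")
```

Run it and compare the 9-character and 12-character rows: at the assumed rate, adding three characters moves the estimate from days to thousands of years, which is the point the section makes. The "bits" figure is only an upper bound; a password built from names, dates or dictionary words is guessed by wordlist and rule attacks long before its keyspace is exhausted.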
Uniqueness
So why can't we reuse passwords? That would make things really easy,
wouldn't it? Well, that's precisely why it's a bad idea. Picture this: each of
your accounts is protected by your login credentials like a locked door, and
your password is the key to that lock. If a cybercriminal happens to get
their hands on that key, they'll very likely walk around and try it on
every door you have, hoping that at least some of them open. It's
never good when a hacker gets into one of your accounts, but by having a different
password for each one, you ensure that one breach does not turn into many.
What is a password manager?
So in order to have a strong password, it has to be lengthy, contain a
variety of characters, and be unique. How are you supposed to remember a bunch
of those? This is where a password manager comes into play.
What are the benefits?
Password managers are programs or services that store your passwords in an
encrypted vault that can only be unlocked with a master password. The idea is
that this one strong master password is the only one you'll have to remember.
This allows you to make long, complex, strong, and diverse passwords for every
account and removes the risk associated with reused, simple passwords.
In addition to keeping track of your passwords, many of these services can
randomly generate strong, unique passwords to use for new accounts. With
browser extensions, they offer automatic form-filling so you never have to type
out long and complex passwords.
Finally, most services offer two-factor authentication or biometric
verification as an added layer of security.
What are the risks?
With a password management service or tool, you are effectively putting all
of your eggs in one basket; a concrete, steel-reinforced, vault-like basket,
but one basket all the same. While it's true that you risk all of your
passwords by storing them in a single place, experts agree that this is a much
safer alternative. The risk of hackers breaching your password management
service is far less than the risk of having weak, redundant passwords.
Can password management tools be trusted?
There is an element of trust involved, to be sure. You are essentially
saying, "I trust that this company will keep my passwords safe."
However, that's not really a new concept if you think about it. If you have any
accounts online, whether it's a bank, credit card, or social media account,
you're already trusting a number of companies with your information. Companies
like LastPass and 1Password use 256-bit AES encryption to secure your passwords and have no
possible way to see any of them: the vault is encrypted on your own device with a
key derived from your master password, which is also why that master password has to
be strong. In a nutshell, this means your passwords are protected using a method
that would take millions of years for a supercomputer to break.
What if the password management company gets hacked?
It's possible but unlikely. The truth is, no one in the cybersecurity world
refers to anything as being 100% safe or protected. It's always expressed in
relative terms, such as "this option is safer than the alternative".
So while they'll never refer to themselves as impenetrable, password management
companies hold themselves to incredibly high security standards. More than
likely, your passwords are safer with them than anywhere else.
If you're interested in reading about these companies' track records, LastPass and 1Password
are both very transparent about their security policies.
Which password manager should I use?
There are a number of different companies that offer such services, but the top
contenders are LastPass, 1Password, and Dashlane. They vary slightly in terms
of their functionality, but they will all help you protect your passwords and
your accounts. The best service is one that you will consistently use.
How can I manage my passwords without a password manager?
Make passphrases instead of passwords
If, after reading this, you're still not sold on the concept of a password
manager, there are still ways to make yourself safer. As we discussed, longer
passwords are always better, and there is a way to make them difficult to
guess but easy to remember. Remembering strings of random characters is
incredibly difficult, but remembering meaningful strings of characters is
something we're very good at. If you've ever had a song stuck in your head,
you've already had practice!
For example, rather than trying to remember "y0pBdf.7;dfkj;wj893489sdf," try
to remember the phrase "50-Kittens-played-poker-for-5-hours!" (don't use this
one). In that passphrase, we have upper and lowercase letters, numbers, and
symbols. It's also 36 characters long, which means the sun will explode before
a hacker can brute force it. Now maybe this particular passphrase isn't
memorable for you, but you get the idea! Bear in mind that attackers guess whole
words and familiar patterns, not just single characters, so a passphrase's real
strength comes from how many words it has and how unpredictably they were chosen.
Another example of this is something called "diceware", which is a way to
generate random passphrases by rolling dice to pick words from a numbered word list.
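To show what diceware actually does, and why its strength is counted in words rather than characters, here is an added example (not code from the article or from any diceware project). It assumes the common published list format of a five-digit dice key followed by the word, uses a constructed eight-entry excerpt so it runs offline, and computes entropy from the list size, which for a standard five-dice list is 6^5 = 7776 words.

```python
import math
import secrets
from typing import Dict

# Constructed excerpt in the format published diceware lists use
# ("<five dice digits><tab><word>"). A real list has 6^5 = 7776 entries;
# this handful exists only so the code runs offline.
SAMPLE_WORDLIST = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
11121\tablaze
11122\table
"""

REAL_LIST_SIZE = 6 ** 5  # 7776 words in a standard five-dice list


def parse_wordlist(text: str) -> Dict[str, str]:
    """Map each five-digit dice key (digits 1-6 only) to its word."""
    words: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, word = line.split(maxsplit=1)
        if len(key) != 5 or any(ch not in "123456" for ch in key):
            raise ValueError(f"bad dice key: {key!r}")
        words[key] = word
    return words


def roll_key(n_dice: int = 5) -> str:
    """Software stand-in for rolling dice: the OS CSPRNG, never random.random()."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def lookup(wordlist: Dict[str, str], key: str) -> str:
    """The physical-dice path: roll five dice, read off the word at that key."""
    return wordlist[key]


def generate(wordlist: Dict[str, str], n_words: int, sep: str = " ") -> str:
    """Pick n_words uniformly at random from the list using a CSPRNG."""
    words = list(wordlist.values())
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(list_size: int, n_words: int) -> float:
    """Strength comes from word count and list size, not from character count."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from this list that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    wl = parse_wordlist(SAMPLE_WORDLIST)
    print(generate(wl, 6))  # real strength needs the full 7776-word list
    print(f"6 words from a 7776-word list: {entropy_bits(REAL_LIST_SIZE, 6):.1f} bits")
    print(f"words for 80 bits: {words_needed(REAL_LIST_SIZE, 80)}")
```

Six words from a full list give about 77.5 bits, regardless of how long the words are; with only eight words to choose from, as in the sample, each word adds just 3 bits, which is why the generator is only meaningful with a complete list. The dice rolls, or the CSPRNG standing in for them, are what make the phrase unpredictable; picking "memorable" words yourself gives the attacker the same head start as a personalized password.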
The paper method
Writing your passwords down on paper is a method experts disagree
on; some say it's safe, some say it's a poor practice. Like a password manager,
writing your passwords down allows you to create unique and lengthy passwords
without worrying that you'll forget them. With paper, it is literally
impossible for anyone to electronically acquire them. However, it is possible
for someone to simply steal them and you run the risk of losing them to a
simple coffee spill. It is also worth noting that for the general public,
hacking is a difficult obstacle, but reading a piece of paper is not.
If you're going to use the paper method, there are certain things you must
absolutely avoid. For starters, don't keep your list of passwords anywhere near
electronic devices (like under your keyboard at work). This is the first place
a criminal will look. If at all possible, don't travel with it either. If your
luggage is lost, or if the TSA decides to search your bag, you could be in big
trouble.
Finally, the paper method means real paper, not electronic documents. Never
store your passwords in a text file (or any file) on your computer. Passwords
stored in this fashion are incredibly vulnerable as they have no encryption or
protection.
Password security is all about managing risk versus convenience. In the end,
no solution will work if you don't utilize it. Fortunately, password managers
are a safe and easy method for protecting your valuable information.