Between new threats and new tech, security is something that can always be improved upon to make sure your systems are as secure as possible. Passwords are the first level of security, and the area that seems to cause the most headache for end users and IT managers.
In an ideal world, every password would be super complex. For example, a 32-character randomized password with capital letters, lowercase letters, special characters, and numbers. This is possible with a password manager – or if you’re really skilled at memorizing random character strings (unlikely).
The reality is that this does not occur, leading to most of us using a password that is not as secure as hoped. There are a few ways that attackers gain access to our passwords, and the most common methods are an algorithm that “cracks” the password and guessing. Usually, these two are combined, creating databases that nefarious individuals can use for gaining access to your accounts.
The biggest issue with passwords is the human factor. We like things to be simple, so we use things that are familiar. When we have to change a password, we change it in predictable ways, and usually write it on a sticky note.
Let’s look at “Password” as a password. Yes, it’s terrible, but really, it’s eight characters with one capital letter. A password cracker will break “Password” the same as it will break “ushtGsgt.” The second example will just take a little longer to crack because programs try common words and phrases first, then start brute-forcing every combination.
Again, looking at human nature, if one hundred people are asked to make the word “Password” harder to guess, most will swap the “o” for a zero. That’s then added to the list of words and phrases checked first. If the same one hundred people are asked to add a special character and a number, most will probably create something like “Password1!”
Why? Because it is easy to remember, and the “1” and “!” are convenient. Since so many of us will use the same variations of passwords, these become common and therefore are more easily broken.
These reasons are why it’s recommended to use three uncommon, unassociated words as a password (and to not use that combination for all your passwords). For example: “GiraffeDiamondCoffee.” An algorithm will still crack this eventually, but it’s easier to remember and not easily guessed so it will take a while to crack.
The longer it takes, the less likely they will actually get to your data. By using three different random words for your passwords, it is much less likely that your combination of words ends up in the frequently used list, adding more security. You can also easily add numbers and special characters to meet security requirements as needed.
The best practice is to use a password manager and use super complex passwords. Otherwise, using three-word passwords like “GiraffeDiamondCoffee” can boost your security. It may look easy – but it is a 20-character password, so it’s more secure than “P@$$w0rd1!”
Computers that are cracking passwords will try every combination and can test over 100-million per second, so a 10-character password (even with numbers and special characters) only has so many combinations. However, a 20-character password using only capital and lowercase letters like “GiraffeDiamondCoffee” has even more. While the second password seems much easier to crack to the human eye, it’s much more complex in reality.
Do yourself a favor: change how you create your passwords and make your information that much more secure – without making it impossible for you to login to your applications and websites.