What is a secure password? The best password is one that even you can't remember. Of course that doesn't work particularly well if you ever want to access your account again. The problem is that options for password cracking and account hacking have increased substantially in the past 20 years while the ability of humans to remember passwords has remained the same. So what is a secure password? Is there such a thing?
In the beginning password advice was simple. Don't make your password anything someone could guess. For example, don't use your dead son's name for a password particularly if your computer is capable of starting a nuclear war.
After the threat of someone outright guessing passwords came the threat of the "dictionary attack" in which a password cracking program compares your password to words from a dictionary. This led to updated advice that your password shouldn't be anything someone could guess and it shouldn't be a word found in the dictionary.
As faster computing power has become widely available it has become much more viable for password crackers to decrypt whole files of passwords particularly since companies don't always use the strongest encryption (if any) on their password files. The common advice to combat against compromised password files is to have a longer password because longer values are harder to decrypt. (Crypto experts will cite exceptions to that rule, but its generally true.) Using a mix of small and capital letters, numbers and symbols also makes decryption more difficult because there are more possible values.
So, What is a secure password? First, it follows all the old rules.
Choosing a secure password starts with the basic advice that has existed for years.
- A strong password shouldn't be something someone could guess.
- A strong password shouldn't be a word found in the dictionary.
- A strong password should be as long as the system allows.
- A strong password should include a mix of small and capital letters, numbers and symbols to the extent the system allows.
What is a secure password? See above, particularly item number 1.
The rules above may seem obvious to tech savvy people, but annual lists of most common passwords reveal that many users still don't follow them. "Password" has been the most common password for years, which is a violation of rules 1, 2, 4 and probably 3.
- A strong password shouldn't be on a list of most common passwords such as this one from last year.
What is a secure password? One that is unique for each system.
- Do not reuse your password on multiple sites or systems.
Yes, I know. That means you'll have dozens of passwords and you just can't remember that many. Fine.
- At least don't reuse your passwords for important sites and systems like your bank account or email.
If you want to use the same password on sites that require an account for commenting that's probably not a big deal, but you do not want to reuse password for accounts that your really don't want someone else to access. Remember: your most important password may be your email account since it is likely that someone could reset many of your other passwords just by gaining access to your email.
Is this sounding like enough of a pain in the butt yet? And I'm just talking about passwords not the possibility of someone getting access to your account because you click on something malicious or authorize the wrong app. Oh, and you never would be tricked into sending your password in reply to a phishing email claiming there is a problem with your account, would you?
What is a secure password? One that isn't your only method of security.
In case you hadn't figured it out yet, passwords suck. You should try to make the strongest password you can but it is best to not rely on a password as your only means of security.
- When possible activate dual-factor/two-step authorization on your accounts.
For Internet accounts this usually means that you need to enter a code that is sent to your phone whenever you try to log in on a new computer. It's not a perfect system, but it makes it harder for someone who has cracked your password to actually use it. Information for using 2-step verification for Gmail, Google+ and other Google accounts is here. Other web sites including Facebook offer similar options.
In Summary, what is a secure password? What is a strong password? What is a good password? It's a really annoying, highly imperfect hurdle that we all have to deal with.
For more tips see my list of Information Security Basics.
Subscribe to Listing Toward Forty. Type your email address in the box and click the "create subscription" button. My list is completely spam free, and you can opt out at any time.