So What Makes a Good Password?

by Tony Richardson CISSP

Passwords are not going away any time soon. They are a ubiquitous authentication method, deeply entrenched in both legacy and modern apps and websites.

Perhaps the biggest crime risk of our time is the risk of being hacked. A hacker who gains access to your personal accounts and data can do anything from ransacking your savings to selling sensitive data on the dark web — and this can be even more devastating if a business gets hacked. As Troy Hunt of the website Have I Been Pwned commented, “Making good password choices is the single biggest control consumers have over their own personal security posture.” But what makes a good password?

Avoid Obvious Passwords

Researchers at Digital Shadows found that about one in every 200 online logins used the password “123456”, with “password” and “qwerty” also among the most common. Other people use something obvious, such as the name of their favourite band or football team.

The problem with these is that they are very easy to crack. Cracking tools try the most common passwords first, so “123456” or “password” falls in well under a second, and anything with a personal association, such as the name of a pet, can be guessed from what you post on social media.

Make Your Password Long — and Complicated

An effective password should be at least twelve characters long, and longer is better. Every character you add multiplies the number of possible passwords by the size of the character set, so the time a cracking tool needs grows exponentially with length.

To make life even harder for the attacker, draw on several character classes: upper and lower-case letters, numbers and special characters such as % * # & and the like. Be aware, though, that the familiar substitutions such as $ for S or 2 for Z are built into the rule sets of common cracking tools, so they add far less strength than extra characters do. Treat them as a garnish, not as a substitute for length.
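As an added illustration (example code written for this page, not part of the original article), the Python below puts numbers on the two points above: the search space grows by a factor of the character-set size for every extra character, and “leet” substitutions applied to a dictionary word give an attacker only a handful of variants to try. The guess rate of ten billion per second is an assumed figure for illustration, not a measurement, and the substitution table is a typical one rather than any particular tool's rule set.

```python
import math
from itertools import product
from typing import Set

# Sizes of the printable-ASCII character classes a password can draw on.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
ALL_PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS  # 95

# Typical letter-to-symbol substitutions (assumed table for the demo).
# Cracking tools ship rule sets that apply substitutions like these, so
# trying them costs the attacker almost nothing.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7", "z": "2"}


def search_space(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def worst_case_seconds(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Seconds to exhaust the whole search space at the given rate (the average is half that)."""
    return search_space(length, charset_size) / guesses_per_second


def leet_variants(word: str) -> Set[str]:
    """Every string reachable by optionally substituting each letter via LEET.

    A word with k substitutable letters yields only 2**k variants, a tiny set
    next to the search space of a random password of the same length.
    """
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word.lower()]
    return {"".join(p) for p in product(*choices)}


if __name__ == "__main__":
    rate = 1e10  # assumed: 10 billion guesses/s against a fast, unsalted hash
    for length in (8, 10, 12, 14):
        years = worst_case_seconds(length, ALL_PRINTABLE, rate) / (86400 * 365.25)
        print(f"{length} chars from {ALL_PRINTABLE}: "
              f"{entropy_bits(length, ALL_PRINTABLE):5.1f} bits, {years:.3g} years at {rate:.0e}/s")
    variants = leet_variants("password")
    print(f"'password' has only {len(variants)} leet variants, e.g. {sorted(variants)[:4]}")
```

Run it and compare the jump from 8 to 12 characters (a factor of 95 to the fourth power) with the 16 variants that all the substitutions of “password” produce.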

Use Multiple Words or Sentences

Another way to make your password more complex is to build it from several unconnected words separated by numbers or special characters. The words can be memorable to you, which makes the password easier to remember, as long as they are not the kind of easily guessed words mentioned above. For example “Acme27

Alternatively, think of a memorable sentence (perhaps a favourite quote) and convert it into initial letters, numbers and special characters. For example, Shakespeare’s “To be, or not to be: that is the question” might become “2B,on2B:titQ”, although it would be better to start from something less well known, since a famous line is one an attacker can try too.
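The word-based approach above can be generated rather than invented, which removes the risk of choosing words an attacker could associate with you. The Python below is an added example, not code from the article; its eight-word list is constructed for illustration and far too small for real use (a comment gives the size of a real Diceware-style list), the separator set is an assumed choice, and the output is random so it differs on every run.

```python
import math
import secrets
from typing import List, Sequence

# Constructed toy list for illustration only. A real list such as the EFF
# long word list has 7776 entries, i.e. log2(7776) ~= 12.9 bits per word.
TOY_WORDS: List[str] = [
    "anchor", "basil", "copper", "dune", "ember", "falcon", "granite", "harbor",
]
DEFAULT_SEPARATORS = "-_.,!#"  # assumed set; any printable characters work


def bits_per_word(wordlist: Sequence[str]) -> float:
    """Entropy contributed by each word chosen uniformly from the list."""
    return math.log2(len(set(wordlist)))


def passphrase_entropy(wordlist: Sequence[str], n_words: int) -> float:
    """Total entropy of n_words independent uniform choices (separators ignored)."""
    return n_words * bits_per_word(wordlist)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count whose entropy reaches target_bits for a list of list_size words."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(wordlist: Sequence[str], n_words: int,
                        separators: str = DEFAULT_SEPARATORS) -> str:
    """Join n_words words chosen with the CSPRNG-backed `secrets` module.

    Separators are drawn at random too, so the phrase mixes character classes
    without relying on predictable substitutions.
    """
    if n_words < 1:
        raise ValueError("need at least one word")
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    phrase = words[0]
    for word in words[1:]:
        phrase += secrets.choice(separators) + word
    return phrase


def split_passphrase(phrase: str, separators: str = DEFAULT_SEPARATORS) -> List[str]:
    """Inverse of generate_passphrase, handy for checking a generated phrase."""
    words, current = [], ""
    for ch in phrase:
        if ch in separators:
            words.append(current)
            current = ""
        else:
            current += ch
    words.append(current)
    return words


if __name__ == "__main__":
    phrase = generate_passphrase(TOY_WORDS, 4)
    print(phrase, f"({passphrase_entropy(TOY_WORDS, 4):.1f} bits from the toy list)")
    print("Words from a 7776-word list needed for 80 bits:", words_needed(7776, 80))
```

With the toy list four words give only 12 bits, which is why the list size matters as much as the word count: seven words from a 7776-word list clear 80 bits.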

Use a Unique Password for Each Account

It takes time to create a strong password, and it can be tempting to reuse it across accounts, but a single breach then hands attackers every account that shares it: username and password pairs leaked from one site are routinely tried against others (known as credential stuffing). Even if you no longer use the password, you have no way of knowing that it was not exposed in an earlier breach.

It might seem fairly unimportant if, for instance, hackers can break into your login for your model rail enthusiasts club. However, if you’ve used the same password for your Amazon account or your work login, the results could be catastrophic.
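Whether a password has already appeared in a breach can be checked without ever sending the password anywhere, using the k-anonymity range lookup that Troy Hunt's Pwned Passwords service exposes: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and scans the returned list of hash suffixes locally. The Python below is an added example, not code from the article or from the service; the reply it checks against is constructed to look like a range response (the counts are made up), the sample passwords are invented, and the live lookup function is included but not exercised offline.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

# Real endpoint of the Pwned Passwords range API; only a 5-character hash
# prefix is ever sent to it, never the password or the full hash.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix sent to the service, suffix kept and compared locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range(suffix: str, response_text: str) -> int:
    """Parse a range reply ('SUFFIX:COUNT' per line); return the count for suffix, 0 if absent."""
    for line in response_text.splitlines():
        sfx, sep, count = line.strip().partition(":")
        if sep and sfx.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup over the network. Not called by the offline demo below."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password was seen in breaches, per the range reply."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample reply for prefix 5BAA6 (SHA-1 of "password" begins 5BAA61E4...).
# The counts are invented for the demo, not real breach figures.
SAMPLE_REPLY_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0123456789ABCDEF0123456789ABCDEF012:7
"""


def fake_fetch(prefix: str) -> str:
    """Stand-in for fetch_range so the example runs offline."""
    return SAMPLE_REPLY_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "granite_harbor_7x!"):  # constructed sample passwords
        n = breach_count(pw, fake_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample data'}")
```

Injecting the fetch function keeps the parsing testable offline; swap in `fetch_range` for a real check. A non-zero count means the password is in attackers' wordlists and should be retired everywhere it was used.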

Use a Password Manager

The problem with strong passwords is that you have to either remember long strings of characters or let your browser save them, and browser-saved passwords are only as well protected as the device and user account they sit on: anyone who can use that browser can use them.

The solution is a password manager. It fills in your login details just as the browser would, but keeps them in an encrypted vault that only your master password unlocks, whether the vault is synced through the manager's servers or kept on your own device. That means you only have to remember one password, so make sure that one is as long and as hard to guess as you can manage.

Obviously, some password managers are more secure than others, but whichever you use, it could be the single most effective thing you do to keep yourself safe online. If you want to know more about this, or any aspect of password security, get in touch with us.