Up until fairly recently, it was advised to use a password that contains a minimum of 8 characters – IN MY OPINION, THIS IS NO LONGER ENOUGH.
There are multiple opinions on what constitutes good password practice, but foremost it should be something that works for you. There is little point in having a long, complex password if you have to write it down to use it.
Many believe that using a password manager to generate and store your passwords is a sensible method. This way, they can be long, complex passwords you don’t need to remember, and they don’t get re-used. However, consideration needs to be given to where these passwords are stored and how that store is secured: the strength of the master password, the key-derivation settings of the vault, and whether the vault is synced to a cloud service. Cyber-crime, in general, is on the rise. How long will it be before cybercriminals focus their efforts on password managers/safes?
If you decide to accept the risk, then password managers such as LastPass give you the capability to create more complex passwords: they generate cryptographically random passwords, and the longer and more complex, the better. In practice, the length and character set you can use will be limited by the sites and services themselves.
For example, some websites may only allow up to 12 characters with no ability to use special characters. However, nowadays you are more likely to find, at least with well-run websites, that you can enter long passwords containing all sorts of characters with no restrictions.
When creating passwords in a password manager, use a minimum of 12 characters. Many cybersecurity professionals recommend 43+ characters containing upper- and lower-case letters, numbers and symbols (43 random characters at roughly 6 bits of entropy each come to just over 256 bits, matching a 256-bit key). Nathan House (Cyber Security Professional and renowned Educational Instructor on Cyber Security) says that because his password manager is storing the passwords, he uses 43 characters on sites he cares about, where the site allows it.
If you use a password manager and it works smoothly for a particular site or service, it makes no difference to you whether it is a 4-character or a 43-character password: you click on the same things either way, and from a security standpoint the long password is much, much more beneficial.
When it comes to disk encryption or whole disk encryption, file encryption, the master password to your password manager or anything of significant value to you which you don’t want decrypted: if you are protecting something with 256-bit encryption (strong enough in most cases) and you want the optimal size password, a 43-character or longer password is best. The figure comes from matching the password’s entropy to the key size: 43 uniformly random characters at about 6 bits each (a 64-symbol alphabet) give around 258 bits, so the password is no easier to guess than the key itself. This only holds for generated passwords; a human-chosen 43-character phrase has far less entropy than its length suggests.
If you step down to 128-bit encryption, then 22 characters or more is best (22 × 6 = 132 bits).
If you step up to 512-bit encryption, then 86 characters (516 bits) are most suitable. This provides an optimal input for the key derivation: below that length the password, not the key, is the weakest link, and beyond it extra characters add nothing against an attacker who targets the key directly. Given the high level of security with 512-bit encryption, it has to be considered that this will not always be practical, as rebooting (unlocking the disk at boot) will be slower.
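The length figures above follow from a single calculation: key size divided by the entropy of one random character, rounded up. The following Python is an added example (not code from the original page or from any password manager product) that reproduces the 43/22/86 figures, shows what changes when the generator draws from all 94 printable ASCII symbols instead of a 64-symbol alphabet, and generates a password the way a manager should, from the OS CSPRNG via `secrets`. The alphabet names and function names are assumptions for illustration.

```python
import math
import secrets
import string

# Alphabets. The 43 / 22 / 86 character figures on this page correspond to a
# 64-symbol alphabet (exactly 6 bits of entropy per character), which is what
# a base64-style generator produces. A "use every printable character"
# generator draws from 94 symbols and gets about 6.55 bits per character.
BASE64_ALPHABET = string.ascii_letters + string.digits + "+/"               # 64 symbols
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def bits_per_char(alphabet: str) -> float:
    """Entropy of one character chosen uniformly at random from `alphabet`."""
    return math.log2(len(alphabet))


def password_entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of a `length`-character password drawn uniformly from `alphabet`.

    Only valid for generated passwords; a human-chosen string of the same
    length follows patterns and has far less entropy.
    """
    return length * bits_per_char(alphabet)


def length_for_key_bits(key_bits: int, alphabet: str) -> int:
    """Shortest uniformly random password whose entropy is at least `key_bits`.

    Matching the password's entropy to the key size means the password is no
    weaker a target than the encryption key it protects.
    """
    return math.ceil(key_bits / bits_per_char(alphabet))


def generate_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Generate a password from the OS CSPRNG (`secrets`), never from `random`,
    whose Mersenne Twister output is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for key_bits in (128, 256, 512):
        n64 = length_for_key_bits(key_bits, BASE64_ALPHABET)
        n94 = length_for_key_bits(key_bits, FULL_ALPHABET)
        print(f"{key_bits}-bit key: {n64} chars from 64 symbols, "
              f"{n94} chars from 94 symbols")
    pw = generate_password(length_for_key_bits(256, FULL_ALPHABET))
    print(f"example master password ({len(pw)} chars, "
          f"{password_entropy_bits(len(pw), FULL_ALPHABET):.1f} bits): {pw}")
```

Running it prints 22/43/86 for the 64-symbol alphabet and 20/40/79 for the 94-symbol one, so a manager that uses the full printable set reaches 256 bits at 40 characters; the page’s 43 is the conservative figure and costs nothing extra when the manager is typing for you.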
However, we are talking maximum security here for ‘ultra-critical’ data such as disk encryption, master passwords etc.: the sort of passwords of which you do not have many. The above information relates mainly to personal passwords or those that are not centrally managed. However, consideration should also be given to your corporate password policy if you have a mechanism for enforcing it:
As a bare minimum, a centralized policy should be in place across the board:
- Has to apply to everyone, including VIPs
- Should be complex
- Should be changed every 90 days
- Should remember the last 12 passwords (password history), so old passwords cannot be re-used
Note that NIST SP 800-63B (2017) advises against forced periodic rotation, recommending instead that new passwords be screened against lists of breached and commonly used passwords and that a change be forced when there is evidence of compromise; if you keep a 90-day cycle, pair it with that screening.
How do I create a password that is both complex and easy to remember, without a password manager?
Well, there are 3 properties to consider when creating a password:
1. Is your password easy to break?
2. Is your password easy to remember? (CRITICAL)
3. Is your password easy to type?
The difficulty of cracking a password depends on its entropy: how far it is from the patterns humans tend to produce, which cracking tools model explicitly.
Things to avoid when creating a password:
- Using patterns, especially if the password is short (less than 20 characters). Don’t use predictable patterns such as ’qwerty’ or ‘q1w2e3r4t5y6’. These are in every attacker’s wordlist.
- Common short phrases. These are just more of the patterns that humans create.
- Dates/names. All dates are common patterns, and if one is in your password it will be cracked easily.
- Information associated with you that could be easily obtained, for example through social media, such as:
- Pet names
- Address
- Children/Partner names
- Favorite holiday destination
- Do not use the same password across multiple accounts/websites
- Do not use dictionary words
Combinations of the above patterns are also easily cracked (e.g. psiloveu1988). No matter how long you make the password, if it is just a combination of common patterns it is about as easy to crack as the patterns alone, because cracking tools combine wordlists and apply transformation rules rather than brute-forcing every character.
One method to consider is the 3 Word Password Method
- Use 3 unique words
- Use upper and lowercase letters and numbers
- Use symbols
- The example below has roughly 187 quintillion (1.87 × 10^20) combinations; at 100 billion guesses per second, exhausting that space would take about 59 years (about 15 years at 400 billion guesses per second).
CL3anC@r7omm0row (“clean car tomorrow” with substitutions). In contrast, a simple 8-character password of all lowercase letters (26^8, about 2 × 10^11 combinations) would take about 2 seconds to crack at the same rate. One caveat: cracking tools apply leetspeak substitution rules (3 for e, @ for a, 0 for o, 7 for t) to wordlists automatically, so the substitutions add less than the raw count suggests; the strength of this method comes mainly from combining three unrelated words.
Password statistics - A standard brute-force program can output 100 billion guesses/second. These rates apply to fast, unsalted hashes such as MD5 or NTLM; a deliberately slow hash such as bcrypt, scrypt or Argon2 cuts the rate by many orders of magnitude.
- Advanced programs crack at 400 billion guesses/second.
- 7-character lowercase or alphanumeric passwords are cracked in less than a second (26^7 or 36^7 candidates at the rate above).
- Not all online services prevent brute-force attacks.
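The two points made above, that crack time is guesses divided by rate, and that a password built from common patterns falls to a pattern search regardless of its nominal keyspace, are worth seeing in numbers. The following Python is an added example (not code from the original page or from any cracking tool) that reproduces the 2-second and 59-year figures from the page’s own 100 billion guesses/second rate, contrasts them with an assumed slow-hash rate, and then runs a toy phrase-plus-year pattern search of the kind discussed under psiloveu1988. The phrase list and year range are constructed sample data, not a real cracker dictionary, and the bcrypt-style rate is an assumed order of magnitude for illustration.

```python
from itertools import product

# Guess rates. The first two are the figures quoted on this page and apply to
# fast, unsalted hashes such as NTLM or MD5. The slow-hash figure is ASSUMED,
# an illustrative order of magnitude for a bcrypt-style hash on comparable
# hardware; the real number depends on the cost factor and the rig.
STANDARD_RATE = 100e9      # guesses/s, "standard" cracker (page figure)
ADVANCED_RATE = 400e9      # guesses/s, "advanced" cracker (page figure)
SLOW_HASH_RATE = 100e3     # guesses/s, assumed for a deliberately slow hash

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a blind brute force must try for this shape."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: float, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate


def years_to_exhaust(candidates: float, rate: float) -> float:
    return seconds_to_exhaust(candidates, rate) / SECONDS_PER_YEAR


# A pattern attack does not brute-force characters at all: it combines
# wordlists. Constructed sample lists, not a real cracker dictionary.
COMMON_PHRASES = ["iloveu", "psiloveu", "letmein", "password", "welcome", "trustno1"]
YEARS = list(range(1950, 2025))


def pattern_candidates(phrases, years):
    """phrase + 4-digit year: the pattern behind passwords like psiloveu1988."""
    for phrase, year in product(phrases, years):
        yield f"{phrase}{year}"


def pattern_attack(target: str, phrases=COMMON_PHRASES, years=YEARS):
    """Return the 1-based guess number at which `target` is found, or None."""
    for guess_no, candidate in enumerate(pattern_candidates(phrases, years), 1):
        if candidate == target:
            return guess_no
    return None


if __name__ == "__main__":
    print(f"8 lowercase letters: "
          f"{seconds_to_exhaust(keyspace(26, 8), STANDARD_RATE):.1f} s")
    print(f"187 quintillion candidates: "
          f"{years_to_exhaust(1.87e20, STANDARD_RATE):.0f} years "
          f"({years_to_exhaust(1.87e20, ADVANCED_RATE):.0f} years at the advanced rate)")
    print(f"same 187 quintillion against a slow hash: "
          f"{years_to_exhaust(1.87e20, SLOW_HASH_RATE):.2e} years")
    # psiloveu1988 is 12 lowercase+digit characters: 36**12 blind candidates...
    blind = keyspace(36, 12)
    print(f"psiloveu1988 blind keyspace: {blind:.2e} -> "
          f"{years_to_exhaust(blind, STANDARD_RATE):.0f} years")
    # ...but a phrase+year pattern search finds it in a few hundred guesses.
    total = len(COMMON_PHRASES) * len(YEARS)
    print(f"pattern search space: {total} candidates; "
          f"psiloveu1988 found at guess #{pattern_attack('psiloveu1988')}")
```

The blind keyspace for psiloveu1988 is about 4.7 × 10^18 candidates, roughly a year and a half at the standard rate, yet the pattern search has only 450 candidates and hits it on guess 114; the three-word example never appears in that search at all, which is the whole point of choosing unrelated words.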
The average UK resident has over 26 online profiles, yet uses only 5 passwords for all of them.
90% of user-chosen passwords are vulnerable to hacking.