Maybe you feel like choosing a strong password to protect your accounts is challenging, or maybe you have a different password for every account and find it hard to keep track of them all. Either way, managing your log-in credentials can be a frustrating task, and sometimes people crack. That’s how you get ridiculously bad password habits like these.
Out of all the possible password combinations out there, one out of every 142 created is '123456'. This may seem like a good idea at first since it’s easy to remember, but when you and 7 million other use the same sequence, you lose the unique, unpredictable nature a password must have to be secure. And yet, people keep doing it. The string ‘123456’ has been the most commonly used password for the last five years!
A password that’s easy for somebody to guess can’t do its job. That’s where practicing good password hygiene comes in. For starters, let’s just get this out of the way: Don’t use ‘123456.’ It’s short, it’s predictable, it’s insanely popular, and it’s just plain lazy. Ditch the ‘keyboard slide’ and shoot for more length…and we don’t mean ‘123456789.’
Length vs. Complexity
According to the FBI and the National Institute of Standards and Technology (NIST), password length is actually more important than password complexity. This may come as a surprise to many people since websites and apps usually flip their priorities, requiring you to add complexity (upper/lower characters, numbers, special characters) before length.
The average password is 9.48 characters, which could be a lot worse…but it could also be better. Most experts recommend using strings that are as long as possible, preferably 16 to 24 characters (or more).
But why does length matter more than complexity? Well, it all comes down to entropy, a way of measuring how unpredictable (or hard to guess) a password is. Entropy is measured in bits. A password that is already known has zero bits of entropy. One that would be guessed on the first attempt half of the time has 1 bit. A password with fewer than 28 bits of entropy is considered very weak, whereas a good benchmark to shoot for is 30 to 60 bits.
Entropy involves a little bit of math (you can read about it here), but just understand that you can achieve greater entropy either by increasing the pool of possible characters (upper and lowercase, for example) or by making a password longer. Since there is a finite pool of characters on your keyboard, this option soon runs out. However, you can always make a password longer.
You might be worried that making exceedingly long passwords would make them hard to remember, and you’re right. That’s where taking a step back from complexity helps you out. Whereas a password like G25sDq67@#5^se4&; is nearly impossible to memorize, “WagonChipDebtNap” is easy to remember—and it’s just as secure.
A longer string of words is usually considered a passphrase rather than a password. In addition to being easier to remember—and thus reducing the threat of hardcopy theft—passphrases have some distinct advantages. Their length makes brute force attacks impractical. In addition, passphrases that are chosen well—that is, chosen at random and not because they’re a related string of words—will be invincible to dictionary attacks.
Bad Password Hygiene
As you’ve seen, using simple passwords with no special characters and a minimum length may be easy to remember, but it invariably makes your accounts vulnerable and allows bad actors to gain access to your account with minimal effort. That’s why you’ve got to make your passwords longer—while also not forgetting to include some complexity.
You should also avoid using the same password across multiple accounts. If one of your accounts got compromised, a hacker would be sure to try the same credentials elsewhere, potentially allowing them access to huge portions of your life. Using passphrases should help you remember multiple, strong passwords.
According to a Turkish researcher, only 12% of passwords contain a special character. Just under 29% consist of letters only, while about 26% are lowercase only. And to prove just how unoriginal people are, 6.6% of all passwords are covered by the most common 1,000. These are supposed to be unique, unpredictable credentials and people are treating them like shows on Netflix—“I guess I’ll just watch what everyone else is watching.”
Now that you’ve decided to practice good password hygiene, you might still be worried about remembering them all. Maybe you’ve considered using a password manager. Is one right for you?
A password manager is a software application that’s designed to securely store and manage all your online credentials. The manager stores these in an encrypted database locked behind a master password you create. This way, even if you choose some ridiculously complex password you have no hope of remembering, you are covered. One popular, device-spanning password manager is LastPass (See the PCMag review here), but there are many others you can consider.
Are password managers safe? The simple answer is yes, they should be. Most password managers use zero-knowledge security, so that way even the company that makes the app doesn’t even know your passwords (which obviously is good). As with everything though, your information is only as secure as the company protecting it. If a hacker can access your password manager, they can see everything in one go. Still, experts largely agree that using one is good idea.
Keeping Your Information Secure
Making good decisions when it comes to choosing passwords isn’t always easy. That’s because it’s easier not to. But for the good of your privacy and security, you’ve got to ditch ‘123456.’ You’ve also got to move on from using the same password across multiple devices. It’s just asking the bad guys to take over.
You can start securing your information now by making your passwords longer. The next time a company or work system makes you update your password, choose something longer. Maybe you should try a passphrase, instead, if the system lets you. That’s a great option in terms of ease of use and security. Alternatively (or simultaneously), you can try letting a password manager keep track of all your personal credentials for you. Regardless of what you choose, it’s not good enough to do nothing (unless you’re already practicing good password hygiene, in which case, congratulations!).
Your cybersecurity doesn’t end with picking a good password, though. In fact, it goes much further—as you surely know. What you might not know is the nitty gritty of protecting yourself and your business, and that’s where our CISSP-led team of experts comes in. That’s us at Machado Consulting. Let us show you the difference that working with an IT partner, not just a provider or vendor, makes for your information systems. You can reach us here or by phone at (508) 453-4700.