How Strong Does a Password Need to Be?
Passwords can be challenging to manage. There are two broad ways an attacker can defeat one: by guessing it, either from what they know about you or by tricking you into handing it over (social engineering), or by using automated tools to crack it. Your passwords therefore need to be hard to guess and hard to crack, but not so hard that you cannot remember them.
The Password Creation Challenge
As you’re putting together your passwords (or setting a password policy for your company), there are two things to keep in mind:
- If a password cannot be guessed from common choices or personal details, an attacker may fall back to brute force: rapidly trying every possible combination with automated tools.
- A password’s resistance to guessing and its resistance to brute force are two different properties. A password built from predictable pieces (a name, a year) may be long enough to resist brute force yet still be guessed quickly, while a short random string is unguessable but quick to brute force.
It helps to set aside the term “authentication measure” and think about what a password actually is: the key to a lock protecting your business and its resources.
To apply this analogy, let’s say that you have a vault holding all your secrets. Someone trying to get into the vault will likely try all the “usual suspects” in terms of passwords—those that a lot of people tend to use. If none of those work out, they’ll delve into some of your personal information for significant dates or events.
Afterwards, they’ll simply resort to brute force which, given enough time, will eventually find the correct combination. In practice this is most effective offline, against a stolen database of password hashes, where nothing limits how fast guesses can be tried.
So, how can you really ensure that your passwords remain secure?
Balancing Complexity, Predictability, and Memorability
We’ve long encouraged a few best practices for password creation. These generally include:
- Sufficient length, ideally more than 16 characters
- A mix of letters, numerals, and symbols
- No personal or privileged information, and nothing that can be found online or on social media
- No common words or number patterns
- No sequential runs of letters or numbers, such as “abcd” or “1234”
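As an added example (not code from the original post), here is a small Python checker that applies the rules above to a candidate password and reports which ones it fails. The common-word list, the 16-character minimum, and the reading of “consecutive” as runs like “abc”, “321” or “aaa” are assumptions made for this illustration; a real deployment would screen against a large list of breached passwords rather than a handful of words, and would be given the user’s own personal terms (names, birth years) to check against, since the checker cannot know them itself.

```python
"""Password policy check implementing the rules listed above.

Added example, not code from the original post. The common-word list, the
16-character minimum and the run detection are illustrative assumptions.
"""
import string

MIN_LENGTH = 16  # assumption: the article's "ideally over 16 characters"

# Constructed "usual suspects" list. Real deployments should check against a
# large corpus of breached passwords instead of a handful of words.
COMMON_WORDS = {
    "password", "welcome", "letmein", "qwerty", "admin", "monkey",
    "dragon", "football", "iloveyou", "sunshine", "princess", "summer",
}

SYMBOLS = set(string.punctuation)


def has_run(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` adjacent letters or digits that form a
    sequence (abc, 321) or a repeat (aaa, 111). Windows that mix letters
    and digits, such as 'a1b', are ignored."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if not (window.isalpha() or window.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def contains_term(pw: str, terms) -> bool:
    """Case-insensitive substring match against a list of forbidden terms."""
    lowered = pw.lower()
    return any(t.lower() in lowered for t in terms if t)


def check_password(pw: str, personal_terms=()) -> list:
    """Return the names of the rules `pw` fails; an empty list means it
    passes. `personal_terms` is caller-supplied (names, birth years, pets)
    because the checker has no way to know them itself."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("length")
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in SYMBOLS for c in pw)
    if not (has_letter and has_digit and has_symbol):
        failures.append("character_classes")
    if contains_term(pw, personal_terms):
        failures.append("personal_info")
    if contains_term(pw, COMMON_WORDS):
        failures.append("common_word")
    if has_run(pw):
        failures.append("sequential_run")
    return failures


if __name__ == "__main__":
    # Constructed candidates: two weak, one of the recommended shape.
    for candidate in ("password123", "Summer2023!", "!Tundra-copper_Marble27!"):
        result = check_password(candidate, personal_terms=("smith", "1984"))
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Run as a script it flags “password123” for length, character classes, a common word and the “123” run, flags “Summer2023!” for length and a common word, and passes the longer mixed passphrase. The rule names are returned rather than printed so a signup form or policy hook can map each one to a user-facing message.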
Optimizing Your Password’s Security
In addition to these practices, we also must account for the automated cracking tools that attackers use. To counter them, it is important to add enough complexity to passwords to make the attacker’s job significantly harder.
About 41 percent of all passwords are composed exclusively of lowercase letters. Attackers know this, and many of them restrict their first round of brute force attempts to lowercase letters only. Adding symbols, mixed case, and numerals pushes your password out of that first round and makes a full search take much longer, which encourages attackers to give up in favor of other targets.
This means that a secure password is one that is highly unlikely to be guessed, while it also requires a large amount of time for a brute force attack to stumble across it.
At the same time, you also need a password to be memorable. Sure, a password like “8g$jkj__bU-b32m” is practically impossible to guess and will hold off a brute force attack for a long while… but is that something you can easily remember?
If you’re like most people, that isn’t very likely.
Remember that with passwords, close isn’t good enough: a password has to be exactly right in order to work. That makes memorability especially important for the user, and it also means the attacker gets no credit for a near miss.
That’s why another approach has come to the fore regarding password security: a passphrase built from a few random words, with numbers and some varying capitalization mixed in, and symbols padding either side.
Each element added to a password enlarges the space an attacker has to search, as we noted above. Since so many passwords consist only of lowercase letters, many attackers limit their early attempts to that character set to save time; every additional character class you include can make the search take much longer.
Taking all these principles into account, we recommend that your passwords should look something like this:
A password built this way is more usable: it almost certainly won’t be guessed, it has plenty of characters, it is resistant to brute force, and it is still possible to remember.
Of course, we recommend that you come up with your own password, rather than just use the example we’ve provided.
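To make the trade-off concrete, the following Python is an added example (not code from the original post) that puts numbers on the search spaces discussed in this section and in the character-class discussion above, and generates a passphrase of the recommended shape: random words, one of them capitalized, two digits, and a symbol on each side. The guess rate of 10^10 per second, the tiny embedded word list, the symbol set and the 7,776-word list size used for comparison are assumptions chosen for illustration.

```python
"""Brute-force search space and passphrase generation.

Added example, not code from the original post. The guess rate, word list,
symbol set and comparison list size are assumptions for illustration.
"""
import math
import secrets

# Constructed 32-word list so the example runs stand-alone. 32 words give
# only 5 bits per word; a real generator should draw from a list of several
# thousand words (a 7,776-word list gives about 12.9 bits per word).
WORDS = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "cactus", "beacon", "marble",
    "tundra", "glacier", "summit", "canyon",
]
SYMBOLS = "!@#$%^&*"          # 8 choices -> 3 bits per symbol
GUESSES_PER_SECOND = 1e10     # assumption: a fast offline cracking rig


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols
    drawn from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in a space of 2**bits at `rate` guesses
    per second. An attacker expects to succeed in about half that time."""
    return 2 ** bits / rate


def passphrase_bits(n_words: int, word_count: int) -> float:
    """Entropy of a passphrase built by generate_passphrase: the words,
    which word is capitalised, a two-digit number, and two pad symbols.
    Only randomly chosen parts count; the fixed structure adds nothing."""
    return (n_words * math.log2(word_count)   # the words
            + math.log2(n_words)              # position of the capital
            + math.log2(100)                  # two digits, 00-99
            + 2 * math.log2(len(SYMBOLS)))    # left and right pad symbols


def generate_passphrase(n_words: int = 4, words=WORDS, rng=None) -> str:
    """Random words joined by '-', one capitalised, two digits, and a
    symbol on each side. `rng` defaults to a CSPRNG; pass random.Random(seed)
    only when a reproducible value is wanted for testing."""
    if rng is None:
        rng = secrets.SystemRandom()
    picked = [rng.choice(words) for _ in range(n_words)]
    idx = rng.randrange(n_words)
    picked[idx] = picked[idx].capitalize()
    digits = f"{rng.randrange(100):02d}"
    left, right = rng.choice(SYMBOLS), rng.choice(SYMBOLS)
    return f"{left}{'-'.join(picked)}{digits}{right}"


def compare_spaces() -> dict:
    """Bits of entropy for the search spaces discussed in the article."""
    return {
        "8 chars, lowercase only": keyspace_bits(26, 8),
        "8 chars, letters+digits+symbols": keyspace_bits(95, 8),
        "16 chars, lowercase only": keyspace_bits(26, 16),
        "4 words from this 32-word list": passphrase_bits(4, len(WORDS)),
        "4 words from a 7,776-word list": passphrase_bits(4, 7776),
    }


if __name__ == "__main__":
    for label, bits in compare_spaces().items():
        days = seconds_to_exhaust(bits) / 86400
        print(f"{label:34} {bits:6.1f} bits  ~{days:14.1f} days to exhaust")
    print("example passphrase:", generate_passphrase())
```

Two things the numbers show that the prose alone does not. First, an 8-character lowercase password (about 37.6 bits) is exhausted in seconds at the assumed rate, while the same length over all printable characters (about 52.6 bits) takes days; that is the gap an attacker exploits by trying lowercase first. Second, a passphrase’s strength comes almost entirely from how many words it has and how large the list they are drawn from is: four words from the 32-word list here give only about 34.6 bits, four from a 7,776-word list about 66.3. Capitalizing a word or picking a favourite number yourself adds essentially nothing unless those choices are random too, which is why the generator draws every part of the password from the random source.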
The Next Issue: Remembering Them
Finally, we must address the issue of keeping your passwords straight. There is no denying that the most challenging best practice for many—using a different password for each account—becomes even more difficult with passwords this complicated. However, a simple tool can help make this far easier: a password manager.
A password manager is a type of software that takes your collected credentials and securely stores them for your reference, keeping them secured behind a single master password. This enables you to use sufficiently secure and unique passwords while only needing to remember the one you use to log into the manager itself.
TAP Tech is here to help you with effectively every aspect of your cybersecurity. To find out what more we can do for you, reach out to us at 203-744-9760.