Is Your Password Strong Enough?

Category: Security

You wouldn't lock up your car and leave the key in the door as you walked away. But many people do essentially the same thing when they create weak passwords for their online accounts. Don't make it easy for hackers to plunder your bank account or go on an online spending spree with your credit card. Here are some tips to help you create and manage passwords...

How Secure is Your Password?

I used to say "If you can remember your password, it's not strong enough." But my thinking on this has changed, somewhat. Short passwords composed of familiar words and only alphabetical characters are easy pickings for "brute force" password-cracking software. Such software simply cycles through all possible combinations of letters until it hits the set that works. This is why many Web sites insist that you create a password of 8 characters or more, and include at least one non-alphabetical character.

But 8 characters is a poor compromise between security and user convenience. Actually, 12 or more characters are needed to make a password that would take too long to crack with brute force. Don't limit yourself to all lowercase letters, or just numbers and alphabetical characters, either.

The best advice I've seen on this topic is to choose a password that's memorable, which contains a combination of uppercase and lowercase letters, along with at least one number and at least one special character. But on the other hand, length trumps complexity.

Password Security

For some excellent info on how to gauge the strength of your password, see Steve Gibson's article on password haystacks. I also recommend How Secure Is My Password?, which is a password security calculator that tells you whether your password is good or bad and WHY. For example, it'll warn you if your password is too short, contains only common dictionary words, or if it needs more character variety.

If all that sounds confusing, here are some examples of what I'm suggesting:

SAMPLE PASSWORDTIME NEEDED TO CRACK
Mary had 1 little lamb!30 octillion years
the dog ate my homework837 quintillion years
q!M*c.4XP&7+4 million years
falcon4211 minutes
smith5919 seconds

You might think the 12-character one that looks like gibberish is the best, but the first example is actually the strongest, because it's longer, and it contains upper, lower, numeric and special characters. The second example is also better than the third one (even though it's all lowercase) just because it's long -- 23 characters. The first two are uncrackable using current technology, and have the advantage of being easy to remember. Hopefully you can see why the last two are poor choices.

Using the same password everywhere you need one is a bad idea, too. If that password is compromised, a bad guy has a master key to your email, bank account, credit cards, Facebook page, and everything else a password is supposed to keep him out of. Create a unique password for every online account you create, or at least for the most sensitive personal accounts.

Many sites let users choose a "security question" from a list and supply a supposedly secret answer that will serve to confirm your identity in case you lose or forget your password. But think about what you've posted online, and what's available through public records. Your mother's maiden name and the high school you attended are not secrets. Whenever possible, create your own security question with an answer that can't be Googled.

Managing Your Passwords

The leading web browsers ask, by default, "Do you want me to remember your password for this site?" Well, of course you don't! Letting a web browser automatically fill in your password is like telling your car to turn the key for whoever touches the door handle. Disable this "feature" and don't store passwords in your browser.

If you follow these guidelines, you will need help managing passwords. Password management software will help you create strong passwords, store them securely, and automatically enter them on web forms. A master password gives you access to the database as needed. Make it as complex as you can remember. See my article on the Best Passwords Managers.

If you want to take it one step further, look into a security feature called 2-step verification. This can make your online accounts more secure by helping to verify that you are truly the owner of an account. You may have already seen this on some banking websites. For some transactions, your username and password are not enough. After logging in, you may need a pin code sent to you in a phone or text message, before completing a transaction. Google is now offering this type of enhanced security for Google accounts such as Gmail, Google Docs, etc. Using this additional layer of security means that even if you gave someone your password, they wouldn't be able to login.

How do YOU manage your passwords? Post your comment or question below...

 
Ask Your Computer or Internet Question

 
  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 22 Jan 2013


For Fun: Buy Bob a Snickers.

Prev Article:
Is The FBI Holding Your Computer for Ransom?

The Top Twenty
Next Article:
Geekly Update - 23 January 2013

Most recent comments on "Is Your Password Strong Enough?"

(See all 28 comments for this article.)

Posted by:

Robert
22 Jan 2013

I don't trust "How Secure Is My Password" to have and check my password.

EDITOR'S NOTE: Two points on that. (1) You're not providing your username, so even if you entered a real password, it would be useless without the context of the username. (And no, a website CANNOT learn your email address, unless you provide it.) (2) You can always enter a password similar enough to yours, to get an idea of how secure it would be.


Posted by:

Bill
22 Jan 2013

Here's the site I use.

http://www.passwordmeter.com/

I keep track of my various passwords on a Rolodex, whick I deem to be safe enough, barring a home invasion.


Posted by:

Walter Hansen
22 Jan 2013

I always wonder what secure site is going to let a password cracker sit there and try various passwords without locking the account? Most of these password cracking assumptions require the password accepting program to sit there and let them query it several times a second. Slowing or stopping this process isn't beyond the reals of possibility. I've implemented security on some of my severs that does this. Why would my bank let some ip submit 100 wrong passwords let alone a few million before shutting them off?


Posted by:

stephen
22 Jan 2013

-I use one 16 combo random letter, upper & lower my and numbers . I use that password exclusively for infrequently visited sites like the one I vist and don't have a clue as to the password. I never change it

2-I add two exclamation marks at the end for sites I use often but not really in need of ultra strong security like forums (18) or email

3-I add to #2 the year of birth of my daughter for sites like Paypal or a web page

4-I have a separate 16 letter/number password phrase for my router and 35 letter/number/WPA2 for my router sign in to laptop etc They are written down in three places as I immediately forget them and might need them


Posted by:

Gary
22 Jan 2013

Steve Gibson has said that the hardest password to crack is D0g. Takes a hacker longer to crack this than any other. Years??? Less than a second for even the strongest password. My bank uses two layers of questions before I even get to my password. So far so good.


Posted by:

Unitary
22 Jan 2013

I respectfully diasgree.

The first two sample passwords are strong only if you consider simple "brute force" attack. These sample passwords are actually quite WEAK because there is much text and context redundancy.

The third sample password is VERY STRONG because it is a sequence of INDEPENDENT characters.

Size matters LESS than randomness!


Posted by:

David Bohlke
22 Jan 2013

Hello Bob,
I would like to understand how these brute-force password crackers can work. Whenever I see them mentioned, they talk about how many attempts they can make per second, which seems contradictory to what my experience is with almost every website or program that I use. In almost all cases, there is a delay between entering a userid/password combo and the acceptance or denial. Plus most of them only allow a few attempts before shutting a person out.

EDITOR'S NOTE: Excellent question, and one I should have addressed in the article. You are correct that with most login systems there is a delay built in, and a lockout when a certain number of incorrect password attempts have been made. The "cracker" programs mentioned are used directly against a username/password database on a server. If a website's server is breached, the attackers can use their tools against the encrypted password database at high velocity. A similar attack can be used against a Windows password file.


Posted by:

Mike Collins
22 Jan 2013

As a teenager I knew a poet and remember a lot of his poetry.
He is now dead and none of his poems are on line.
The first letter of any line of his poetry are very secure passwords according to the site you gave.


Posted by:

Lucy
22 Jan 2013

I read somewhere to always "test" the lost password function on any site.

If they email the actual password and not a link to reset, using further security checks, then I'd seriously consider how safe that website and password actually are.


Posted by:

Joe26
23 Jan 2013

I shave the belly of my cat (he's a mean cat)and use a Magic Marker to write the passwords on his belly. After the hair grows back, you have to look closely to read the passwords. Anyone else trying to read them will end up with a LOT of scars!


Posted by:

Allie
23 Jan 2013

I use 26 varied nonsensical characters for each of my passwords. I keep them stored in a unusual file location on my computer. When I need to use a particular password, I copy and paste it in. I never type in any passwords and all of my answers to the security questions are never truthful. I change passwords often.


Posted by:

Don Lewis
23 Jan 2013

C'mon now. How mean can that cat be if he will let you shave his belly!?


Posted by:

Leisure Suit Larry
03 Feb 2013

There are some good suggestions here, however even the best password can't protect you from someone cracking a database and downloading user passwords.

Which is what just happened to Twitter when someone stole 250,000 passwords.
http://www.prohackingtricks.com/2013/02/hackers-compromises-250000-twitter-accounts.html


Posted by:

spasha
20 Jul 2013

I tried the secure password thing it said excelent but if i put same password on my yahoo it still says weak


Posted by:

Ron Amat
14 Nov 2013

I use the exellent program and app B-Folders 256Bit encrypted database on PC - Laptop - and Phones with one strong password to remember. Additionally the database is destroyed after 10 attempts to crack it.Syncronising between the units is a breeze.


Posted by:

JCN9801
18 Jan 2014


Why is everyone obsessed with random, etc passwords when MANY sites won't even use ONE-WAY encryption of what you send in for login credentials!

And if you forget your password, MANY of these will send it back to you in a PLAIN TEXT email.

SHEESH! Check out --> https://defuse.ca/password-policy-hall-of-shame.htm


Posted by:

WByrne
20 Jan 2014

I often will use the first letters of each word in a long quote. I also use http://www.passwordchart.com which offers two layers of protection--the initial phrase which creates the matrix, and a unique word for the site you're accessing.


Posted by:

Phyllis
09 Apr 2014

I use the first line of a poem by my favorite poet, and then add his initials and add an exclamation point.


Posted by:

headscratcher
05 Sep 2015

My bank does not allow the use of characters above the numbers (ie @#*&$^). All I can use is letters and numbers. So although they encourage good passwords, they restrict your ability to create them, even restricting the length to something short.

Good article.


Posted by:

JimK
02 Apr 2019

I was amazed when the breach at Equifax revealed my password. Here is a company, supposedly assisting me with security of my financial accounts, who somehow leaked my password. Do they not encrypt such information in a manner that would protect that information? From then on, I use a password generator that creates totally random unguessable sequences, and change them frequently. It's a pain, but better then the fear of potential consequences of a bad actor exploiting the next breach. I have lost trust in the watchdogs.


There's more reader feedback... See all 28 comments for this article.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.


Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy     RSS/XML


Article information: AskBobRankin -- Is Your Password Strong Enough? (Posted: 22 Jan 2013)
Source: https://askbobrankin.com/is_your_password_strong_enough.html
Copyright © 2005 - Bob Rankin - All Rights Reserved