Today is World Password Day, and while no security is perfect, that doesn’t mean you have to make it easy for the bad guys. Moreover, a password should only be one part of a person or organization’s overall security plan. Thus, in addition to a “good” password, multifactor authentication (so called “MFA”) should be part of your security plan. Encryption should be part of your security plan, and so on. That said, it is Password Day, so let’s spend some time talking about passwords.
Password “theory” changes over time, as does all security. Like everything, security must evolve. As new systems are rolled out with new weaknesses and strengths, the bad guys gain sophistication and develop new hacking tools and techniques. Initially, using the name of your pet as a password was perfectly acceptable. Then a so-called complex password that changes frequently became the norm. Now, we have entered the era of the longer password, that changes less frequently if at all, coupled with MFA mentioned above.
The tension in password security is the increasing speed of computers and their ability to “guess” combinations of characters that may be your password versus the need to actually remember and use the passwords on multiple sites. The problem is that cracking software can just as well guess a word as it can guess a character; the so-called dictionary attack.
Assume 170,000 modern words in the English language, assume your passive ability to recognize a word is about 40,000 and your ability to actively recall and use a word is about 20,000 words. That said, being honest with ourselves, you are not going to remember all 20,000 words and pick one at random. More likely you will remember “randomly” a much smaller subset.
Regardless, if I am a password cracker, I need only make 20,000 guesses which does not take long at all (I will leave explaining the math to other persons and their technical articles). Assume I add in letters and numbers to my words, such that “that” becomes “th@t”. I can add those to my software as a guess too, which effectively only marginally increases the security of the “word”. The key then would be to add in more words making each attack require more guesses but this at some point hits limits in password length set by software packages.
Gosh! What then is the answer? Candidly, a password manager stored on your phone with a complex master password in which you store all of your complex and random passwords for each of the sites you use. Failing that for some reason, length is life (okay, not really) but it is good for security and—as a practical matter—choosing a long password that you can remember (and changing it a couple of times a year) is better than a complex one you cannot remember.
So, when choosing a password, “1faced1tall1stoodtallandd1d1tmyway” is better than “franks1natra”. In this example, the first password is effectively at least 13 “characters” compared to 2 of the second. But how can I remember all of that for each one of my websites? And now, full circle, we are back at a password manager.
There is even an argument for using written out (yes, on paper!) password management so long as the paper is placed in a relatively secure area and is not in plain language. Thus, a paper tablet with the information written with a hint that only you would know. Thus, “Target.Com is my wedding song.” Of course, this doesn’t solve the issues of buildings fires—but that too is for someone else’s article.
What does it all mean? Use a password manager. Set one complex password of reasonable length, say 10 or 12 characters, on your mobile password manager (which is encrypted) and then store all of your passwords on that. Change the master password once or twice a year. Then, keep paying attention to what the latest recommendation becomes over time.
