In 2003, Bill Burr (no, not that one) sat down and wrote a document that defines your life. He wasn’t a novelist, he was an engineer, and his opus was NIST Special Publication 800-63. Appendix A. You’ve never read it, unless you’re an arcane technician. But you know its plot summary by heart: Passwords should have irregular capitalization, numerals, and at least one special character. All Burr wanted to do was keep us safe. Instead, as he himself acknowledges, he kinda screwed up.
To be fair, though, Bill has nothing on our own stupidity. We choose passwords so terrible Microsoft was forced to ban them. We create passwords so obvious our grandmother can figure them out. Our entire lives lean on these little strings of characters, and they suck. So how do we fix them?
- First, no password is bulletproof. When it comes to beating your password, all that really matters in the end is how long it is and how many different characters it can contain. A typical QWERTY keyboard can produce roughly 96 characters in total. So, in theory, all it takes is a computer trying every possible combination, as fast as the software you’re logging into allows. Or the attacker just goes around the password entirely.
- So why have a password, let alone a strong one? The vast majority of us will not become the target of professional computer criminals who spend months figuring out how to crack our savings account. Much like the real world, most digital criminals go for the low-hanging fruit. In this case, it’s people with bad passwords.
- What’s a bad password? A bad password is either something generic everybody uses, like any variant of “guest”, “123456” or “password,” or something somebody can easily guess from doing some basic research about you, i.e. looking at your Facebook page. So, the name of a family member or a pet, your birthday, your hobbies, basically anything you’d talk about with somebody you don’t know at a party to make conversation? That’s a terrible password.
- So what’s a good password? First of all, the longer the better. Remember when we said there are 96 characters on a QWERTY keyboard? Let’s say your password is one character long. So you’d need 96 guesses to crack it. But if it were two characters long, you’d need 9,216 guesses. Three? 884,736 guesses. Each character you add makes it exponentially harder to guess, so the longer the better.
- Avoid “dictionary” words. Password-cracking software comes with a full dictionary and tries those words against your account just to see if one of them is your password. It’s OK to use words, just break them up with a number or a special character.
- Consider using a password manager. A program like Roboform will collect and store all your passwords and require only one master password to get in. That might be an easier option for you than remembering several different passwords.
- Weigh strength against what you need to protect. It’s extremely unlikely that you need a complex, strong password for your Netflix account. The worst that can happen there is that hackers mess up your queue, or out your love of Korean sitcoms to the world. Save the strong, hard-to-remember passwords for banking, email, and other private data you need to keep deeply under wraps. It also helps to let browsers remember “unimportant” passwords while keeping the more serious ones to yourself.
- Have a suite of passwords. Your email shouldn’t have the same password as your bank account, which shouldn’t have the same password as your Amazon account, which shouldn’t have the same password as your chat client.
- Don’t write down your password. We get it, it’s hard to remember, but a password’s security is compromised if more than one person knows it. So no sticky notes, no notes on your phone, and no notes on a whiteboard.
- Watch out for breaches. Unfortunately, data breaches are more and more common, and these can compromise even the best password. So if there’s a breach on a service you use, change your password.
- Consider keeping certain sensitive matters off the internet altogether. For example, if your credit score allows it, use only one credit card for online transactions, and use others for real-world purchases. Keep your savings accounts and other accounts in a separate bank that you don’t access via the internet or an app. Sure, you’ll sacrifice some convenience for security, but if you’re worried, you may gain some peace of mind.
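The list above boils down to a few checks a sign-up form could run: is the password one of the generic ones everybody uses, is it just dictionary words with nothing breaking them up, and how many guesses would the 96-character keyspace from earlier take? The script below is an added illustration written for this page, not code from the article or from any password manager; the common-password list, the mini dictionary and the 12-character minimum are constructed assumptions, where a real deployment would use a breach-derived blocklist and a full wordlist.

```python
import re

# The article's keyspace: roughly 96 characters a QWERTY keyboard can produce.
QWERTY_CHARS = 96

# Constructed stand-ins for the article's "generic passwords everybody uses"
# and for a cracker's dictionary; real deployments use breach-derived lists.
COMMON_PASSWORDS = {"guest", "123456", "password", "qwerty", "letmein"}
DICTIONARY_WORDS = {"correct", "horse", "battery", "staple", "summer", "welcome"}


def keyspace(length: int, charset: int = QWERTY_CHARS) -> int:
    """Guesses needed to exhaust every password of this length (96 ** n)."""
    return charset ** length


def is_common(password: str) -> bool:
    """Generic passwords, including trivial variants such as Password1 or guest!."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)   # drop trailing digits/symbols
    return lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS


def fewest_dictionary_words(run: str):
    """Fewest dictionary words that exactly cover a run of letters, or None (DP)."""
    best = [0] + [None] * len(run)
    for i in range(1, len(run) + 1):
        options = [best[j] + 1 for j in range(i)
                   if best[j] is not None and run[j:i] in DICTIONARY_WORDS]
        best[i] = min(options) if options else None
    return best[len(run)]


def unbroken_dictionary_words(password: str) -> bool:
    """True when dictionary words are not broken up by a number or special character."""
    lowered = password.lower()
    runs = [r for r in re.split(r"[^a-z]+", lowered) if r]
    if lowered.isalpha() and fewest_dictionary_words(lowered) is not None:
        return True                                # nothing but dictionary words
    return any((fewest_dictionary_words(r) or 0) >= 2 for r in runs)


def check_password(password: str, min_length: int = 12) -> list:
    """Return the article's objections to a password; an empty list means it passes."""
    problems = []
    if is_common(password):
        problems.append("generic password everybody uses")
    if unbroken_dictionary_words(password):
        problems.append("dictionary words not broken up by a number or special character")
    if len(password) < min_length:   # assumed minimum; the article only says longer is better
        problems.append(f"only {len(password)} characters: {keyspace(len(password)):,} guesses to exhaust")
    return problems
```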
As we said, there’s no “golden” password. But, with a little work, you can ensure you’re a bit safer on the internet.