Password security is becoming increasingly important as individuals move more and more of their personal data into online services. In her Microsoft Small Business Center article “5 tips for top-notch password security,” Kim Komando offers some password best practices:
- Don’t be complacent: Attacks can and do happen.
- Know what makes for a bad password.
- Get proficient at creating good passwords.
- By all means, safeguard your password(s).
- Change your password(s) often, as in several times a year.
Of these, it seems many people struggle with number two, knowing what makes for a bad password. Ashlee Vance of the New York Times wrote in January 2010 about the popularity of simple passwords:
According to analysis by security firm Imperva, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.
The weakest passwords are those that are short, use only letters and numbers, and are easily memorable or associated with a person’s identity. What goes into a strong password? Some tips include avoiding words found in the dictionary, replacing letters with numbers (think zero instead of the letter “o”), using special characters like “!”, “$”, and “*”, and making passwords longer in order to provide protection from brute-force attacks. How long is long enough? In another NYT article this past June, Randall Stross wrote:
Here’s a little quiz: Which is the stronger password? “PrXyc.N54” or “D0g!!!!!!!”?
The first one, with nine characters, is a beaut. Steve Gibson’s page says that it would take a hacker 2.43 months to go through every nine-character combination offline, at the rate of a hundred billion guesses a second. The second one, however, is 10 characters. That one extra character makes it much, much stronger: it would take 19.24 years at the hundred-billion-guesses-a-second rate. (Security researchers have established the feasibility of achieving these speeds with fairly inexpensive hardware.)
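As an added illustration (not code from the original post, nor from the page Stross cites), the arithmetic behind those figures: the search space for an n-character password over an alphabet of k characters, and the time to exhaust it at the quoted hundred billion guesses per second. It assumes the 95 printable ASCII characters split into four classes, and that an attacker sweeps shorter lengths first; exhaustive search is a worst case for the attacker, and a predictable pattern such as a run of repeated “!” is reachable far sooner by dictionary-plus-rules guessing.

```python
import string

# Character classes of printable ASCII: 26 + 26 + 10 + 33 = 95 (assumption:
# "symbols" are the 32 punctuation marks plus the space character).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}
GUESSES_PER_SECOND = 100_000_000_000  # the "hundred billion a second" rate quoted above

def alphabet_size(password: str) -> int:
    """Alphabet an attacker must cover: the sum of the sizes of the classes
    actually present (a password with no symbols gains nothing from the
    33 symbols the attacker never needs to try)."""
    if not all(any(c in cls for cls in CLASSES.values()) for c in password):
        raise ValueError("only printable ASCII is modelled")
    return sum(len(cls) for cls in CLASSES.values() if any(c in cls for c in password))

def search_space(length: int, alphabet: int) -> int:
    """Candidates tried before every string of `length` is exhausted, summing
    lengths 1..length on the assumption that shorter strings go first."""
    return sum(alphabet ** n for n in range(1, length + 1))

def exhaustive_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for an exhaustive offline search at `rate` guesses per second."""
    return search_space(len(password), alphabet_size(password)) / rate

def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit (Julian year of 365.25 days)."""
    units = [("years", 365.25 * 86400), ("months", 365.25 * 86400 / 12),
             ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"

if __name__ == "__main__":
    # The two passwords from the quiz: one extra character multiplies the
    # search space by the alphabet size, here 95, so the 10-character one
    # takes about 95 times longer (roughly 2.4 months versus 19 years).
    for pw in ("PrXyc.N54", "D0g!!!!!!!", "abc123"):
        k = alphabet_size(pw)
        print(f"{pw!r:14} alphabet={k:3} length={len(pw):2} "
              f"exhaustive search: {human_time(exhaustive_seconds(pw))}")
```

The computed times land close to, but not exactly on, the 2.43 months and 19.24 years Stross quotes, since the exact month and year lengths used by his source are not stated; the 95-fold jump from nine to ten characters is the point.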
Another important consideration is how often passwords should be changed. Ms. Komando recommends changing passwords as often as every 30 days. Also, users should consider using different passwords for different services. Many times hackers are able to access a single user’s entire digital presence because that user reuses the same username and password for all of their services, so one breached site exposes the rest. Lastly, none of these measures matter if the password is known by another person!
2 Comments
Thanks, Spencer – that is a great article! The tiered strategy is more or less what I do, though I don’t think I am as careful about where I use the lowest-level one as I should be – and as I think through my passwords, I’m pretty sure I should make my gmail one more secure.
Oof, all the brain cells I’m using for passwords now that could be used for more interesting things…!
Another good article at http://www.technologyreview.com/blog/mimssbits/26131/ discusses the concept of tiered passwords–if you must re-use passwords, do so wisely! –Spencer