What you don't know about passwords

Here are some key points to bear in mind as you create new passwords.

Password Reuse is a Major Danger

You know how it is – every time you turn around, another website or online service wants you to create a new password. Because that’s so tedious to do, you may be tempted to rely on shortcuts. But those shortcuts can get you in trouble. As a case in point, consider the common practice of using the same password for multiple sites.

Suppose you signed up for a LinkedIn account, and you used the same password that you previously chose for your Gmail account. Then, in June, you were one of the unlucky people whose LinkedIn password was leaked. An enterprising hacker who knew your LinkedIn password could have easily tried it with other popular services, so gaining access to your Gmail account would suddenly be child’s play. That’s a problem not just because someone could read or delete your email, but because you might use your Gmail address to access or reset other passwords. After clicking the Forgot Password link on other sites, the hacker could check your email to get access to accounts that use those other passwords. Even reusing a single password in two places could, in this way, cause cascading problems.

The best way to overcome a password reuse habit is to use a password manager, such as 1Password (£34.99) or LastPass (free; premium service, $12 (£8) per year). These tools autogenerate passwords, store them securely, and let you fill them in on websites with a single click or keystroke.

Hackers Know Your Password Tricks

When people are faced with the need to come up with a new password, their next-biggest crutch after reusing passwords is to pick something that’s extremely easy to remember and type. As the lists of stolen passwords and other security research show, a lot of people still use 123456, password and other simple strings. Naturally these and the next several thousand most common passwords will be the first ones a hacker tries when attempting to break into an account. Likewise, you should avoid names, dates and common dictionary words.

Appending a number to a common word (password1, say) is an often-used method for complying with “Must contain a digit” rules. And so are substituting numbers or symbols for letters – things like p@ssw0rd – and using patterns of keyboard keys such as edcrfvtgb. The problem is, hackers are well aware of such techniques. As soon as you invent a new method for creating better passwords (such as padding a shorter password with repeated punctuation), they adapt accordingly. So don’t count on cleverness to protect your password. It might take a few milliseconds longer to guess 1d0ntkn0w than Idontknow, but you’re up against machines that can make any substitution in the blink of an eye.
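To make the point concrete, here is an added checker (not from the article) that undoes the tricks just described before comparing a candidate against a word list: it lowercases, strips leading punctuation and a trailing run of digits or symbols, reverses the usual symbol-for-letter substitutions, and tests for keyboard walks. The word lists and the password samples are constructed for illustration; a real deployment would load a full breach-derived list.

```python
import re

# Constructed stand-ins for the multi-thousand-entry lists attackers use;
# a real checker would load a full breach-derived list (assumption).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}
COMMON_WORDS = {"password", "dragon", "monkey", "welcome", "idontknow"}

# Undo the usual letter-for-symbol substitutions: p@ssw0rd -> password.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})

# US QWERTY rows and columns; walks such as qwerty or edcrfvtgb are
# concatenations of runs along these, forwards or backwards.
KEY_SEQUENCES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm"]
KEY_SEQUENCES += [seq[::-1] for seq in KEY_SEQUENCES]


def is_keyboard_walk(candidate: str) -> bool:
    """True if the whole string splits into adjacent-key runs of 3+ keys."""
    s = candidate.lower()

    def can_split(i: int) -> bool:
        if i == len(s):
            return True
        return any(any(s[i:j] in seq for seq in KEY_SEQUENCES) and can_split(j)
                   for j in range(i + 3, len(s) + 1))

    return len(s) >= 3 and can_split(0)


def weak_reasons(password: str) -> list[str]:
    """Return the guessable patterns found; an empty list means none found."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    # Drop the decorations people bolt on to satisfy complexity rules:
    # leading punctuation and a trailing run of digits/symbols (password1).
    core = re.sub(r"^[^\w]+|[\d\W_]+$", "", lowered)
    # Check the stripped core both as typed and with substitutions undone.
    for form in dict.fromkeys([core, core.translate(UNLEET)]):
        if form in COMMON_WORDS:
            reasons.append(f"dictionary word '{form}' with trivial variation")
    if is_keyboard_walk(lowered):
        reasons.append("keyboard pattern")
    return reasons
```

Each of the article's examples (p@ssw0rd, 1d0ntkn0w, edcrfvtgb, password1) is flagged by this handful of rules, which is the same normalisation a cracking tool applies before it tries a single candidate.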

You want to make your passwords unguessable, even by someone who is smarter than you. The best way to do this is to construct them from random strings of characters, including upper and lowercase letters, numbers and punctuation. Though it’s hard for a human to create a truly random password, it’s easy for a computer to do. So, it’s better to rely on a password manager than on your brain.

1Password creates secure passwords in a couple of ways – in this case, by autogenerating a random collection of numbers, letters, and symbols based on criteria that you specify. 

14 is the New 8

Let’s imagine that an attacker is determined to get into your account, and the quick-and-easy hacks (such as checking dictionary words, along with common mutations) have failed. What then? The next step for the hacker is to use brute force, trying every possible password one by one. Unfortunately, it’s getting easier and easier to find a match with this technique. A few years ago, a reasonably powerful system might have been expected to check a million potential passwords per second. Today, a single off-the-shelf PC can check several billion passwords per second, and a network of computers can check many times that number. 

As a result, the advice you’ve read in the past about what constitutes a secure password may no longer be valid. For example, a password with eight or nine random characters is no longer sufficient to protect against a brute-force attack. Experts today recommend that you use longer passwords, often 12 to 14 characters. And that’s for passwords randomly generated by a computer. Passwords you create by hand must be even longer to have the equivalent strength.

All password managers let you choose the password length. Our advice: for any password that an app can enter for you (or that you can copy and paste), you might as well use the longest password the target service will accept. After all, the same keystroke that fills in a nine-character password can fill in one with 14 characters.

Of course, you must still commit certain passwords to memory or, for one reason or another, enter them manually. For such passwords, you can use a longer but less-complex character string to achieve comparable security.
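The arithmetic behind "14 is the new 8" and behind trading complexity for length, as an added worked example that is not part of the article: it computes the size of the search space for a random password, how long exhausting it takes at the guess rates the article quotes, and how many lowercase-only characters give the same entropy as a shorter password drawn from the full printable set. The cluster rate is an assumed figure; the older-PC and modern-PC rates are the article's.

```python
import math
import string

# Guess rates: the article's "a million per second" (older system) and
# "several billion per second" (one modern PC); the cluster rate is an
# assumption. Real rates also depend on the hash the service stores:
# a slow hash such as bcrypt cuts them by orders of magnitude.
RATES = {"older PC": 1e6, "one modern PC": 5e9, "assumed cluster": 1e11}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Sizes of the character sets a generator might draw from.
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94
ALNUM = len(string.ascii_letters + string.digits)                           # 62
LOWER = len(string.ascii_lowercase)                                         # 26


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of this length from this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate; the expected time is half."""
    return search_space(alphabet_size, length) / rate / SECONDS_PER_YEAR


def equivalent_length(alphabet_size: int, target_bits: float) -> int:
    """Shortest length from this alphabet reaching at least target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def main() -> None:
    print(f"{'length':>6} {'bits':>6} " + " ".join(f"{n:>16}" for n in RATES))
    for length in (8, 9, 12, 14):
        row = [f"{years_to_exhaust(PRINTABLE, length, r):16.3g}" for r in RATES.values()]
        print(f"{length:>6} {entropy_bits(PRINTABLE, length):6.1f} " + " ".join(row))
    bits14 = entropy_bits(PRINTABLE, 14)
    print(f"14 printable chars = {bits14:.1f} bits = "
          f"{equivalent_length(ALNUM, bits14)} alphanumeric = "
          f"{equivalent_length(LOWER, bits14)} lowercase-only chars")


if __name__ == "__main__":
    main()
```

The table is in years: eight printable characters take roughly two centuries at a million guesses per second but about two weeks at five billion, while a 20-character lowercase-only string matches the strength of 14 random printable characters.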
