Sometimes, when I login to my computer, my friends notice that it takes me a (relatively) lengthy amount of time to input my password. They are quite surprised when I inform them that my password is over 20 characters long. They want to know why I have such a long password and how I remember it. It’s actually an easy password to remember, but is significantly more secure than any 10 random character password.
Nowadays, everyone has accounts on various websites. And each of these accounts calls for a password, to ensure that your data stays private. Many people use the same password for multiple sites, but that means that if that password is stolen, your safety has been compromised across all those websites. My father enjoys the method of using six or seven random characters, but always has to write them down, which is not very safe. So how do you ensure that your passwords are strong, but not so complicated that you’ll forget them?
First, it’s important to realize is that, unless you have made powerful enemies, hackers aren’t looking for your password specifically. Rather, they use standard techniques in an attempt to get many peoples’ passwords at once.
What most people think of when they think of hacking is using a backdoor or an exploit to get at your information. These are weaknesses in the website’s security that allow hackers to access its data. This data could be anything from the website’s programming to your personal information. The Heartbleed bug that affected many websites a few years ago is an example of this. In this case, the strength of your password means nothing, because the hacker will have already gotten it. However, we usually don’t need to worry about this because most websites are security-conscious, and will frequently run security checks and update their internal security protocols. You just need to pay attention to the news, and if a website you use gets hacked, change your login information as soon as possible.
Perhaps the most common technique hackers use is called phishing. This is when hackers attempt to get your login information by mimicking real sites, like Facebook or Gmail. They send you a message with a link that takes you to a login page that looks just like the real thing. However, when you sign in, they get your information. In addition, phishing messages will often attempt to convey a sense of urgency, telling you that your account will be deactivated unless you click the link, or that you will face a fine. The best defense against phishing is being very careful about any messages you get. Before you open the message, check the sender’s address. Is it the correct email address that a person or website uses? Does the message try to make you click a link? Check the link’s address; oftentimes, these links will be very close to the actual link, but they can’t be a duplicate. So make sure the link says ‘gmail.com’ and not ‘gmails.com’ before you click it. When in doubt, contact the website to see if they did indeed send that message.
The main area having a strong password helps you out is when someone tries to brute-force guess your password. By entering many different possible passwords, they attempt to find out what is the correct one. This tactic is almost never done manually, but is done by a computer program. And, while computers can run through many different possibilities very quickly, this still takes time. If you have a one character password, there are about different possibilities. But every new character you add increases the number of possibilities exponentially. With two characters, there are or different possibilities. Three characters makes it or possibilities. If a computer can run through one million possibilities a second, a password of 20 characters would take it over a quintillion years to go through all of them. This means that a longer password is almost always better. The length of time it takes to guess a password can be decreased, however, if the program begins by guessing common words and phrases. Therefore, it is important to avoid using everyday words or personal information.
In order to create a strong password, some people turn to a system called Diceware. You can create a password by rolling five 6-sided dice (d6). They take the resulting number and consult a list of words. By doing this 5 times, you can easily create a 25-character password out of random words. Lists are also available in languages other than English, adding to the strength of your password. Alternatively, you can just come up with a phrase or set of uncommon words to use. By putting a couple of numbers and special characters in there, you create an incredibly strong, yet easy to remember password.
As xkcd put it, “We’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” So beef up your passwords with this technique, and keep your data safe!
[Edit 2017-10-24] To learn more about how websites actually use passwords, check out this video.