What’s the difference between a terrible password and a great password?
It’s safe to say that most of us already know that passwords like ‘password’, ‘letmein’, or ‘qwerty’ are not the most secure choices. But do we all know how to create solid passwords that aren’t easily guessed or cracked?
For years, the National Institute of Standards and Technology (NIST) recommended that organizations require very complex passwords: numeric digits, special characters, and a mixture of upper- and lower-case letters. It also recommended that organizations make users change their passwords regularly. That makes sense, right? Not really…
NIST recently changed their recommendations
Requiring special characters and numbers in passwords turns out to add much less security than it would seem. Cracking tools routinely apply substitution rules that swap o’s, i’s, and e’s for 0’s, 1’s, and 3’s, so those substitutions cost an attacker almost nothing. Special characters, unfortunately, do not significantly slow down anyone running decent cracking software either. Make no mistake, such software is freely available and easy to find.
Periodic password changes seem like a good idea and are commonly enforced. In practice, though, that requirement makes life harder for employees, who have to memorize a new password each time, and for system administrators, who end up resetting the ones that are forgotten. In the long run, forced password changes do little to improve security, if they help at all.
What helps make a password hard to crack?
It’s simple – length. Each character added to a password multiplies the number of possible combinations, so the effort needed to crack it grows exponentially with length. Of course, ‘fourscoreandtwentyyearsago’ or ‘gameofthrones’ as passwords would be susceptible to other kinds of attack, for example dictionary attacks, where the attacker works from an established list of commonly used words and phrases. But a few randomly selected words strung together in a way that the user can easily remember is virtually unbreakable if the result is 12+ characters.
For example, I present ‘verbosedolphinsinthewoods’ – no special characters and all lower-case. One password-strength evaluation site deemed this password absolutely unbreakable; a different site that I found said it would take only 30 quintillion years to break. A shorter password can be made more secure by adding numbers and/or special characters, but the bottom line is that the longer, the better.
In short, the key to a strong password is length. Good luck, and remember, it’s a jungle out there.
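To make the length argument concrete, here is an added Python example (my own illustration, not code from the blog or from NIST) that scores a password two ways: the exhaustive search space implied by its length and character classes, and a check against a constructed mini wordlist after undoing the common digit/symbol substitutions. The guess rate, the substitution table and the wordlist are all assumptions chosen for illustration.

```python
import math
import string

# Constructed mini wordlist standing in for the multi-million-entry lists that
# dictionary attacks use; real lists also contain phrases such as film titles.
COMMON_WORDS = {"password", "letmein", "qwerty", "gameofthrones",
                "fourscoreandtwentyyearsago"}
# One simplified substitution rule set (assumption): cracking tools try these
# swaps automatically, so 'P@ssw0rd' costs an attacker little more than 'password'.
LEET = str.maketrans("0134@$!", "oieaasi")

def normalize(pw: str) -> str:
    """Undo case and digit/symbol substitutions the way a cracking rule would."""
    return pw.lower().translate(LEET)

def charset_size(pw: str) -> int:
    """Alphabet an attacker must search if they only know which classes appear."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size

def character_bits(pw: str) -> float:
    """Exhaustive-search space in bits: length * log2(alphabet size)."""
    return len(pw) * math.log2(charset_size(pw))

def passphrase_bits(num_words: int, dict_size: int) -> float:
    """Search space if the attacker knows the password is words from a known list."""
    return num_words * math.log2(dict_size)

def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case years at an assumed offline guess rate; halve for the average case."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def assess(pw: str) -> dict:
    """Dictionary hit after normalization beats any character-class score."""
    return {
        "in_dictionary": normalize(pw) in COMMON_WORDS,
        "character_bits": round(character_bits(pw), 1),
        "years": years_to_crack(character_bits(pw)),
    }

if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "g4m30fthr0n3s", "verbosedolphinsinthewoods"]:
        print(pw, assess(pw))
    print("5 words from a 7776-word list:", round(passphrase_bits(5, 7776), 1))
```

Even if an attacker knows the long example is five English words, the word-based bound still exceeds the 9-character mixed-class password, which is the blog’s point.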