Simple Password Rules to Live By
- Daniel Van Nattan
- Oct 19, 2022
- 3 min read
Microsoft, Google, and many other web-based companies are recommending that you use 2-factor authentication to secure your online accounts. While I strongly recommend this as well (and will likely write a post about that topic another day), there are some easy ways to make your password super strong. If you use a strong password on an account without 2-factor authentication, you'll greatly reduce (or even eliminate) the possibility of that account being brute-force hacked by a nefarious ne'er-do-well.
Overcoming the Opposition
It is not at all difficult to create a super strong password, and there are some very good reasons for doing so. For example, have a look at the password complexity chart below (courtesy of Komando.com). This chart clearly shows how quickly the hacker-proof quality of passwords ramps up as length and character variety increase.

Rules to Live By
The following are rules that Microsoft lays down for standard password creation practice:
- At least 12 characters long, but 14 or more is better.
- A combination of uppercase letters, lowercase letters, numbers, and symbols.
- Not a word that can be found in a dictionary, or the name of a person, character, product, or organization.
- Significantly different from your previous passwords.
- Easy for you to remember but difficult for others to guess. Consider using a memorable phrase like "6MonkeysRLooking^".
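The rules above can be turned into a mechanical check. The following is an added example, not code from the original post or from Microsoft: it enforces the length, character-class, dictionary and "different from previous passwords" rules. The tiny wordlist and the previous-password history are constructed sample data standing in for a real wordlist and the account's stored history, and the 0.8 similarity cut-off is an assumption.

```python
import difflib
import string

# Constructed sample data (assumptions standing in for a real wordlist and
# for the account's stored history of earlier passwords).
SAMPLE_DICTIONARY = {"password", "honda", "accord", "monkeys", "summer", "welcome"}
SAMPLE_PREVIOUS = ["Summer2021!", "Summer2022!"]

MIN_LENGTH = 12          # Microsoft's floor; 14 or more is better
SIMILARITY_LIMIT = 0.8   # assumption: difflib ratio at or above this is "too similar"


def character_classes(pw):
    """Report which of the four character classes the password uses."""
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def is_dictionary_word(pw, dictionary=SAMPLE_DICTIONARY):
    """True if the password is just a dictionary word once case and any
    leading/trailing digits or symbols are ignored (e.g. "Summer2023!")."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core in dictionary


def too_similar(pw, previous=SAMPLE_PREVIOUS, limit=SIMILARITY_LIMIT):
    """True if the password is a close edit of any earlier password."""
    return any(difflib.SequenceMatcher(None, pw, old).ratio() >= limit
               for old in previous)


def check_password(pw, dictionary=SAMPLE_DICTIONARY, previous=SAMPLE_PREVIOUS):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, used in character_classes(pw).items() if not used]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if is_dictionary_word(pw, dictionary):
        problems.append("is a dictionary word")
    if too_similar(pw, previous):
        problems.append("too similar to a previous password")
    return problems


if __name__ == "__main__":
    for candidate in ["6MonkeysRLooking^", "H0nda@ccord1980", "Summer2023!", "password"]:
        verdict = check_password(candidate) or ["passes all rules"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that "Summer2023!" fails three rules at once: it is too short, it is the word "summer" with a number and a symbol bolted on, and it is a trivial edit of "Summer2022!". That last check is the one most home-grown policies skip, and it is exactly the pattern people fall into when forced to rotate passwords.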
The first thing most people say when thinking of a 12-character password is, "I'll never remember that!". However, structuring a password, and using password hints should you actually forget it, is not as difficult as you may think.
If you were to follow the above rules and made a password using words you are familiar with but words which aren't "normal English", you'd end up with a very strong password very quickly. Incorporate nicknames, nonsense words, abbreviations, etc.
For example, if I were to use the password H0nda@ccord1980, cracking it would take approximately 15 billion years at current technology levels, assuming the chart above is an accurate measure. The beauty of this password is that it is extremely memorable to me -- I simply constructed that password (which I certainly do not use) from the make, model, and year of my first car. It would be utterly impossible for a brute-force attack to crack it, unless the person running the app was immortal and had a LOT of time on their hands...
Another good way to construct a strong password is to use lines from favourite songs or poetry, intermixed with symbols and numbers. Even 14 characters with ONLY upper-case & lower-case letters would take an estimated 800,000 years to hack. Using the first line of a song would easily achieve some pretty solid results, and throwing in punctuation or a number would only serve to add thousands of years of hacking time to the mix.
For example, "WillTheCircleBeUnbroken?" creates a password with a brute-force hacking time over 7 quadrillion years.
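Where do figures like "7 quadrillion years" come from? They are worst-case exhaustive-search estimates: the size of the alphabet the password draws on, raised to the power of its length, divided by how many guesses per second the attacker can make. The following is an added example, not from the original post or from Komando.com, that does that arithmetic. The guess rate of ten billion per second is an assumption chosen as a round figure; the chart in the post uses its own rate, so the absolute numbers differ, but the relative effect of each extra character is the same.

```python
import math
import string

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption: 10 billion guesses per second, a round figure for a fast offline
# attack against a weak hash. The post's chart uses its own (unstated) rate.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000


def charset_size(pw):
    """Size of the alphabet an exhaustive search must cover: the sum of the
    character classes actually present in the password."""
    present = {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    return sum(CLASS_SIZES[name] for name, used in present.items() if used)


def keyspace(pw):
    """Number of candidates of this length over this alphabet (exact integer)."""
    return charset_size(pw) ** len(pw)


def years_to_exhaust(pw, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case years to try every candidate; on average the attacker
    finds the password about halfway through."""
    return keyspace(pw) / guesses_per_second / SECONDS_PER_YEAR


def describe(pw):
    """Human-readable summary of the estimate for one password."""
    years = years_to_exhaust(pw)
    return (f"{pw!r}: {len(pw)} chars over an alphabet of {charset_size(pw)}, "
            f"keyspace 10^{math.log10(keyspace(pw)):.1f}, about {years:.3g} years to exhaust")


if __name__ == "__main__":
    for pw in ["password", "H0nda@ccord1980", "WillTheCircleBeUnbroken?"]:
        print(describe(pw))
    # Two extra lowercase letters multiply the work by 26 * 26 = 676.
    print("14 vs 12 lowercase letters:", years_to_exhaust("a" * 14) / years_to_exhaust("a" * 12))
```

The estimate is only meaningful for an attacker who really has to try every combination. It says nothing about an attacker who guesses from a wordlist of song lyrics, or who simply asks you for the password, which is the point the next section makes.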
Is This Realistic?
Undoubtedly some smart folks are going to contest the realism of these estimates -- and they are right, mostly. If you have a password hacking tool, you would never even bother attempting a hack on a password you knew was over 10 characters long (and probably not even then).
So what do hackers do? They hack people. People are much easier to hack than passwords. To hack a person, the scammer sends an email that looks legitimate, such as an email from "Microsoft" requesting that you change your password. It loads a page that looks totally legitimate, and YOU literally give your password to the hacker. This is because most of us are working so fast these days that we don't take the time to see if we're being scammed, tricked, or hornswoggled.
I'll make another post in the future about how to protect yourself from those sorts of scams, but for now, if you receive a password request that you aren't expecting, or an email about your account status (for any account) that you didn't request personally, my suggestion is this:
Slow down and read EVERYTHING carefully -- the "from" address in the email, the web address on the link, etc.
Slow down and READ everything carefully...
Slow down and read everything CAREFULLY...
Until next time -- stay safe, smart, and secure!