Talking about password security is a guaranteed crowd-snoozer, a surefire way to make people shut down and tune out, but the reality is that passwords are still important. Email or social media, online banking or gaming, educational applications or online services—anything that keeps some kind of user data still depends on passwords to keep miscreants out. Attackers will continue merrily looting bank accounts and taking over online services if users don’t step up and use better passwords.
We all know the basics—don’t use “password” and don’t reuse the same password across different accounts. Turn on two-factor authentication on online accounts wherever possible—one-time passwords via SMS messages are weaker than an authenticator app or a hardware key, but still better than nothing. Use a password manager to track all the passwords. Unfortunately, a lot of password advice sounds reasonable but needs context to be helpful. Following are some ubiquitous password myths, clarified.
Password myth 1: Your password needs to have mixed case, numbers and special characters
Truth: There’s a limit to how much security complex passwords can give you. Yes, “letmein” is a bad password, but “Password1,” “Abc123” and “Passw0rd” aren’t any better, despite having mixed case and numbers. It’s always a bad idea to create passwords based on a dictionary word. Substituting numbers or symbols for some of the letters isn’t that clever or unique an idea. Password crackers know to include words like “vuln3rabl3” or “trustno1” in their wordlists, and cracking tools apply those substitutions automatically as mangling rules. In fact, the latter password made SplashData’s top 25 worst list of commonly used passwords back in 2014.
To be fair, using mixed case, numbers and special characters makes the password much stronger than just using lowercase. While exact figures will vary by the amount of processing power on hand, and above all by how the password is hashed (a fast unsalted hash versus a deliberately slow password hash), a modern computer will take two days to crack an eight-character password that is all lowercase (since there are 26^8, or 208,827,064,576 possible combinations), but a large botnet will take only 1.8 seconds. Each extra character class enlarges the alphabet the attacker has to enumerate, and the number of combinations grows as alphabet size raised to the password length, so mixed case slows down the cracking and throwing in a special symbol or two bumps up the number of combinations further.
All the mixed case, numbers and special characters won’t do any good if the string isn’t actually random. Consider that “1qaz2wsx” and “1q2w3e4r” showed up on SplashData’s top 25 list in 2015 and 2016, respectively. Users are trying to follow the rules, but using sequential key variations or common patterns undermines the good this rule is supposed to accomplish. Password crackers know about sequential key patterns and can look at the keyboard to find potential patterns, too.
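The following is an added example, not code from the article, showing how the weak patterns described above are caught long before brute force matters: a cracker undoes “leet” substitutions and trailing digits to recover a dictionary word, and scores keyboard walks by how many consecutive characters sit on neighbouring keys. The word list, the substitution table and the 75% walk threshold are constructed for illustration; real cracking dictionaries hold hundreds of millions of entries.

```python
"""Rule-based check for the password patterns the article describes.
Added example; WORDLIST, LEET and the thresholds are constructed stand-ins."""

# Constructed stand-in for a cracking dictionary (real ones are far larger).
WORDLIST = {"password", "letmein", "vulnerable", "trustno", "abc", "qwerty"}

# Substitutions crackers undo (or apply as mangling rules) when testing guesses.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# US QWERTY rows; each key gets (row, column) so adjacency is a distance check.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYPOS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def normalise(pw: str) -> set[str]:
    """Candidate base words a cracker would derive from pw."""
    base = pw.lower()
    stripped = base.rstrip("0123456789!@#$%^&*")  # 'trustno1' -> 'trustno'
    return {base, base.translate(LEET), stripped, stripped.translate(LEET)}


def keyboard_walk_fraction(pw: str) -> float:
    """Fraction of consecutive character pairs that are neighbouring keys
    (diagonals included), so '1q2w3e4r' scores 1.0 and random text near 0."""
    low = pw.lower()
    pairs = list(zip(low, low[1:]))
    if not pairs:
        return 0.0
    adjacent = 0
    for a, b in pairs:
        if a in KEYPOS and b in KEYPOS and a != b:
            (r1, c1), (r2, c2) = KEYPOS[a], KEYPOS[b]
            if abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
                adjacent += 1
    return adjacent / len(pairs)


def weaknesses(pw: str) -> list[str]:
    """Reasons a password falls to dictionary or pattern attacks before brute force."""
    reasons = []
    if any(word in WORDLIST for word in normalise(pw)):
        reasons.append("dictionary word (after undoing substitutions/trailing digits)")
    if len(pw) >= 4 and keyboard_walk_fraction(pw) >= 0.75:
        reasons.append("keyboard walk")
    return reasons


def is_weak(pw: str) -> bool:
    return bool(weaknesses(pw))


if __name__ == "__main__":
    for candidate in ["letmein", "Password1", "Passw0rd", "vuln3rabl3", "trustno1",
                      "1qaz2wsx", "1q2w3e4r", "%ZBGbv]8g?"]:
        print(f"{candidate:12} walk={keyboard_walk_fraction(candidate):.2f} "
              f"{weaknesses(candidate) or 'no pattern found'}")
```

Every one of the article’s “complex” examples is flagged by the dictionary rule, the walk rule, or both, while the random string `%ZBGbv]8g?` trips neither; a real policy check would back this with a breached-password list rather than a six-word set.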
Password myth 2: A good password must be extremely long
Truth: Longer is definitely better, but eight to twelve characters can be adequate. This myth isn’t entirely wrong, since shorter passwords take far less time to crack, or brute-force, than longer ones. An attacker trying to guess a password that’s only six characters long is going to have a far easier time than one facing eight characters, or even ten. On a modern computer, an eight-character password that uses mixed case and numbers will take 5.88 years to crack, but just 31 minutes on a strong botnet. Increasing the password to 10 characters will take that same botnet 83 days. A 10-character password "%ZBGbv]8g?" using letters, numbers, and symbols could take 289,217 years on a computer and three years on a botnet. All of these figures assume the password is genuinely random and is being brute-forced against a fast hash; a password that follows a dictionary word or keyboard pattern falls to a wordlist long before the arithmetic above applies.
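The figures in the text come from one calculation, keyspace divided by guess rate, which the following added example (not code from the article) carries out for any alphabet size and length. The guess rates are an assumption calibrated from the text’s own claim that all 26^8 lowercase eight-character passwords fall in two days on one computer and 1.8 seconds on a large botnet; they describe a fast unsalted hash, and the last function shows what a deliberately slow password KDF (an assumed 4,096 iterations per guess) does to the same botnet. The last row also goes beyond the text to show that sixteen lowercase letters outscore ten characters drawn from every printable ASCII symbol.

```python
"""Brute-force cost for a password policy, generalising the article's figures.
Added example; RATE_PC and RATE_BOTNET are assumptions derived from the text."""
import math

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 95 printable ASCII characters
DAY = 86_400
YEAR = 365.25 * DAY

# Guesses per second implied by the text's numbers (assumed, not measured).
RATE_PC = 26 ** 8 / (2 * DAY)
RATE_BOTNET = 26 ** 8 / 1.8


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of this shape."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(alphabet: int, length: int, rate: float) -> float:
    """Worst-case time to try every password; the average hit is half of this."""
    return keyspace(alphabet, length) / rate


def kdf_slowdown(rate: float, hashes_per_guess: int) -> float:
    """A password KDF costs hashes_per_guess hash operations per guess,
    so the attacker's effective guess rate drops by that factor."""
    return rate / hashes_per_guess


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", YEAR), ("days", DAY),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    policies = [
        ("8 lowercase", LOWER, 8),
        ("8 mixed case + digits", LOWER + UPPER + DIGITS, 8),
        ("10 mixed case + digits", LOWER + UPPER + DIGITS, 10),
        ("10 all printable ASCII", LOWER + UPPER + DIGITS + SYMBOLS, 10),
        ("16 lowercase", LOWER, 16),
    ]
    for name, alphabet, length in policies:
        print(f"{name:24} {entropy_bits(alphabet, length):5.1f} bits  "
              f"PC: {human(seconds_to_exhaust(alphabet, length, RATE_PC)):>16}  "
              f"botnet: {human(seconds_to_exhaust(alphabet, length, RATE_BOTNET)):>16}")
    # Same botnet, same 10-character policy, but each guess costs 4,096 hashes (assumed KDF cost).
    slow = kdf_slowdown(RATE_BOTNET, 4096)
    print("10 mixed case + digits vs. 4096-iteration KDF on the botnet:",
          human(seconds_to_exhaust(LOWER + UPPER + DIGITS, 10, slow)))
```

Running it reproduces the text’s 31 minutes and 83 days for the botnet cases; the 10-character all-symbol row comes out larger than the text’s figure because this script uses all 95 printable ASCII characters, which is a reminder that the keyspace depends on which symbols the policy actually allows. The KDF row shows that the hashing choice on the server moves the result by orders of magnitude, independent of anything the user does.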