1. Think Length, Not Complexity
A longer password is usually better than a more random password, as long as the password is at least 12-15 characters long.
In fact, a long password that comprises only lower-case letters can be more beneficial than crafting just the right combination of alphanumeric gibberish. Usually all it takes is a password just two characters longer to make up for a lack of other types of characters such as upper-case, numbers, or symbols.
In other words, the time spent making your password look like Popeye cursing would be better applied toward typing two easier-to-remember letters.
2. Keep It Weird
That’s not to say you should be content with 111111111111111. Longer is always better, but that length yields diminishing returns if you’re not still mixing it up.
We have seen many people try to be more secure by adding characters to their passwords, but if these longer passwords are based on simple patterns, they leave you at just as much risk of having your identity stolen by hackers.
Avoid common sports and pop culture terms regardless of length. The more common a password is, the less secure it will be, so go with something no one else would (ideally, a random string).
3. Don’t Bunch Up Your Special Characters
Many password input fields now require you to use a combination of upper case and lower case letters, numbers, and symbols. That’s fine! Just keep them separated.
Spread your digits, symbols, and capital letters throughout the middle of your password, not at the beginning or end. Most people put capital letters at the beginning and digits and symbols at the end. If you do that, you get very little benefit from adding these special characters.
It’s that “most people” part that gets you in trouble: the more people who follow a habit, the more predictable it becomes, and the more guesses are built around it. Avoiding front- or back-loading your passwords with special characters also gives you a lot more real estate to work with, which creates a bigger bottleneck for anyone trying to break in.
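As an added example (not part of the article), here is a small Python checker that encodes tips 1 through 3: a length floor, a simple-pattern test, and the "don't bunch your special characters at the edges" rule. The thresholds and the tiny term list are assumptions; a real deployment would check against a breached-password list instead.

```python
import string

# Assumed thresholds; the article only says "at least 12-15 characters".
MIN_LENGTH = 12
MIN_DISTINCT = 5
# Constructed sample list of common terms (stand-in for a real wordlist).
COMMON_TERMS = ("password", "football", "yankees", "starwars")
EDGE_CHARS = set(string.digits + string.punctuation)


def interior_core(pw: str) -> str:
    """Drop the predictable leading run of capitals and trailing run of
    digits/symbols; what remains is the 'middle' the article talks about."""
    i = 0
    while i < len(pw) and pw[i].isupper():
        i += 1
    j = len(pw)
    while j > i and pw[j - 1] in EDGE_CHARS:
        j -= 1
    return pw[i:j]


def is_repeated_unit(pw: str) -> bool:
    """True if pw is one short block repeated ('111111111111', 'abcabcabc')."""
    return len(pw) > 1 and (pw + pw).find(pw, 1) < len(pw)


def findings(pw: str) -> list[str]:
    """Return the rules pw violates; an empty list means it passes all three tips."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if len(set(pw)) < MIN_DISTINCT or is_repeated_unit(pw):
        problems.append("simple pattern")
    lowered = pw.lower()
    if any(term in lowered for term in COMMON_TERMS):
        problems.append("common term")
    # Tip 3 applies only when special characters are used at all: then at
    # least one upper/digit/symbol must sit in the middle, not just at the edges.
    specials = [c for c in pw if not c.islower()]
    if specials and not any(not c.islower() for c in interior_core(pw)):
        problems.append("special characters bunched at the edges")
    return problems


if __name__ == "__main__":
    for candidate in ("111111111111111", "Password12345!", "corr3ct#horse.battery"):
        print(candidate, "->", findings(candidate) or "ok")
```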
4. Never Double Dip
You’ve followed every password recommendation, down to the last &$@. It would take years for someone to crack. Your password is so good, in fact, and took so long to memorize, that you’ve decided to use it on a couple of accounts.
This is bad!
Even if you have an ‘unimportant’ password and an ‘important’ password tier, it’s very unsafe. It makes it way too easy for a hacker to attack one site and get your password to all the others.
The main point here, really, is that your passwords are only as secure as the sites to which you entrust them. If you don’t want to pay dearly for someone else’s mistake, limit the potential fallout by using a unique password everywhere. Or, you know, skip the whole thing and use a password manager.
5. Don’t Change Them So Often
Don’t change passwords every month.
Passwords are hard. They should be! But it’s better to go through the trouble of making one good one, and sticking with it, than to expect to be able to turn over that many special characters more often than you do the pages on a wall calendar.
Frequent password changes are largely a waste of time. There’s no evidence that password changes improve outcomes.
6. Take the Panic Down a Notch
You’re right to do everything you can to make your password as safe as possible. But it might also help to remember that most people don’t need a digital Fort Knox. A digital combination lock should do just fine.
Ignore the stories about attackers doing billions of guesses and saying that the average password can be guessed in under a second: your bank is not going to allow an attacker to try 100 billion guesses. For web passwords you mostly have to worry about withstanding a few thousand guesses.
Yes, that’s still a lot of guesses. But if anything, it’s a reminder that if you do commit to password best practices, the bad guys are probably going to move right along.
7. Layer Up
When deployed properly, passwords are pretty good. They’re much better, though, as part of an overall plan of attack. This goes double for those on the admin side of the aisle.
Don’t rely on passwords alone! Passwords should not be considered sufficient for anything other than the lowest-risk applications.
Instead, add a layer of more robust authentication, such as cryptographic credentials or a biometric identifier (e.g., a fingerprint scanner).
Adding a layer of protection makes sense, but it also has potential ancillary benefits that aren’t quite so obvious.
By adding [extra authentication], a company could have a less strict password policy, like requiring fewer characters or requiring password changes less frequently.
Which, hey! As great as an airtight password is, anything that makes them a little easier to achieve is more than welcome.