
EPISODE 6

Four Principles for a
Secure Password

Summary

Everyone has probably heard about the importance of creating secure passwords, yet as a whole, we still choose awful passwords. This episode discusses four principles for creating a secure password that will protect your accounts.

What You’ll Learn

[0:00] Despite all the advice, people still choose awful passwords

[2:34] The balance required to create a strong–yet memorable–password.

[4:46] Principle Number One:  Make it long

[6:46] Principle Number Two:  Make it unique

[8:16] Principle Number Three:  Avoid patterns

[10:15] Principle Number Four:  Avoid public information

[10:39] Why changing your password regularly is not necessarily a good idea

Listen

Audio: Four Principles for a Secure Password (Episode 6) https://episodes.castos.com/5f73fab2b5a771-62662091/Episode_6_-_Four_Principles_for_a_Secure_Password.mp3

Transcript

If you’re alive today, and if you’re listening to this podcast, I certainly hope you are, you’ve probably heard tons of advice on how to create a secure password. However, despite all the advice that you hear, people as a whole still choose awful passwords. In fact, a 2017 report from Verizon stated, “81% of breaches are caused by weak or reused passwords.” 

Unfortunately, information gathered from data breaches backs this up. While companies shouldn’t store data in a way that can be read, many do fail to secure the login data that they store. As a result, after that site’s data has been compromised, we can analyze the complexity of the passwords in their database. Unsurprisingly, the most popular passwords were “123456”, followed by “password”. And even though the seemingly secure “ji32k7au4a83” has also appeared as an often used password, it does have a simple explanation. It’s a transliteration of “mypassword” from Mandarin Chinese. 

More and more data about ourselves and our lives is being moved online every year. Ten years ago, the only way to access my medical records was to contact my doctor’s office. But now, I can access much of my medical information online anytime I want. However, as more data moves online, it is more important than ever to use strong passwords that keep unwanted people from accessing your private information. 

Today on Cybersecurity Made Personal, we are starting a three part series on protecting your online accounts as we discuss four principles for a secure password.

[Introduction]

Welcome back to the Cybersecurity Made Personal podcast, the safest podcast on the internet. 

Over the next three weeks, our topics will focus on keeping your online accounts secure. Today, we’re going to talk about passwords. 

Creating a strong password requires a balance. On one side, it’s important to use passwords that are complex enough to stump computers that can make thousands of guesses per second. But if we’re just concerned with creating something incredibly complex, we could rub our hand back and forth on the keyboard for ten seconds and have an amazingly secure password. 

The problem arises two days later, when you need to sign in again. You now have to rub your hand back and forth on the keyboard in exactly the same way you did two days ago. Obviously, no one is going to be able to do that, so your only option is to use the “Forgot Password” link and do it all over again. 

This problem becomes even greater when we consider the increasing number of online services available. As a result, we find ourselves not only needing to create more complex passwords, but also needing to create more of them than ever before. The problem has grown to the point where it’s almost impossible just to list every online account you have, much less create and remember a secure password for each one of them. In fact, when I entered my email address into Have I Been Pwned, a site that tracks compromised data from breaches, I found that my personal data had been compromised from two places where I didn’t even remember signing up for an account. (If you’d like to check out Have I Been Pwned, a link will be available in the show notes at cybersecuritymadepersonal.com/episode6.) 

There have been new methods developed for proving your identity, with most of them claiming that their system is going to be the great password killer, the service that eliminates the need for passwords all together. And I think many of these have been great ideas, but for one reason or another, none have come anywhere close to dethroning the password. So at least for now, it is critical to be able to create safe passwords for our online accounts. 

So today, I want to give you four principles for creating a secure password. 

Principle number one is probably obvious from the introduction: make it long. At one time, the biggest threat to your password was a friend figuring out that your password was your birthday. The ability to use a computer to make a large number of guesses was restricted to large organizations with virtually unlimited resources, such as national governments. 

But now anyone with internet access can download a password-cracking program and use it to make hundreds or thousands of guesses at your password per second. And that rate can be achieved using a standard computer. Start building a system specifically for the purpose of cracking passwords, and you can achieve an even faster rate. One security researcher built a cluster of computers that could make 350 billion guesses per second. Using that system, it could try every possible six-character password that you could create from a standard English keyboard–including numbers, symbols, and upper or lowercase letters–in under two seconds. And while building a system anywhere near that level costs a lot of money today, it’s only a matter of time before the cost reaches a level that’s affordable for a criminal. 

That’s why it’s important to choose a long password. Since most websites usually have no maximum length for a password, or at least they make it extremely large, you should have plenty of characters available as you create your password. 

However, a long password does not automatically equal a secure password. Password cracking programs do more than just generate every possible six-character password before they move on to trying seven-character ones. Choosing “passwordpasswordpasswordpassword” as your password is not going to make it more secure, unless of course your original password was just one “password”. 

So once you’ve made your passwords longer, principle number two is to make them unique. I know that on hearing this, many of you are rolling your eyes thinking, “How can I possibly remember a different password–especially a long one–for every single site?” 

However, this wasn’t an idea cooked up in the brain of some demented cybersecurity expert who was intent on torturing everyone else in the world. This advice is given for good reason. If you reuse the same password everywhere, a breach on one site gives a person access to your accounts on all sites. Over the last several years, there have been multiple data breaches every year that have exposed the personal information of millions of people. And while companies should take steps that make it difficult to get your password even if they are breached, not all companies take those proper safety measures. 

I get it. It seems crazy to have to create a separate password for every account. And I agree there’s no way you’re going to be able to remember all of them. But all it takes is one mistake or one hack on some obscure site where you didn’t even remember setting up an account, and suddenly, you could wake up to find that someone grabbed your bank account information from your statements online or ran up thousands of dollars worth of charges with the credit card that you saved on your Amazon account. So it’s critical that you use a unique password for every account. 

The third principle for creating a secure password is to avoid patterns. There’s a reason why the most common password used is “123456”. It’s because it’s very easy to remember. It’s a short simple pattern. Other patterns that appear in the top 10 include “12345”, “1234567”, and “qwerty”, which is the letters going across the top row of the keyboard. Any pattern–whether it’s consecutive numbers, letters, or just going across a row of the keyboard–is likely to be compromised very quickly. 

However, it is also important to not use patterns to create multiple passwords. I had one person tell me that all of his passwords were 28 characters long. And my first thought was, “That’s great!” But then he proudly told me how all of his passwords start with the first letter of the website he’s using and proceed through the alphabet to Z. He then throws in a one and an exclamation point before going back to A and working back up the alphabet, stopping just before the letter that he started with. 

I proceeded to point out that first of all, he had just told me how to figure out the passwords for all of his accounts. That’s not a very good idea. But then, I added that if someone saw one of his passwords, they might be able to figure out what he was doing, and if they saw two or three, the pattern would become obvious very quickly. He agreed and took my suggestion that he change his passwords. 

I’ve also heard from others how they use something like a complex base password, and then sneak in elements of the website’s name to create something that seems unique for each site. Once again, all it would take is two or three of your passwords for people to see that only a few characters of your password change each time. And given the large number of data breaches, there’s a pretty good chance that two or three of your passwords have already been exposed. 

Principle number four is to avoid using publicly-available information. Information about you, your hobbies, your pets, or your family are all things that are relatively easy to find out, especially in the age of social media. If you’re posting about it on social media or you can find it through a simple Google search of your name, then never make it a part of your password. 

As a final note, I want to address one topic that likely would have been a fifth principle just a few years ago: changing your password. For years, security experts said that regularly changing your password every 60 to 90 days was a good practice because if someone had access to an old password, they wouldn’t be able to use it forever. However, more recent studies have questioned whether this is actually effective. They note that when people are forced to change their password frequently, they often resort to other unsafe practices, such as writing it on a Post-it note and leaving it on their monitor. 

Personally, I take a balanced approach to this. Obviously, I change my password if I hear of a data breach on a particular website that I use, and I also change passwords on sensitive accounts, such as online banking, once or maybe twice a year. But for accounts with less sensitive data, I see no reason to change your password at all unless you hear of a breach.

So when we consider the four principles for creating a secure password that we discussed today, it becomes very clear that you only have a few options for creating and remembering your passwords. First, you could hope to develop an unbelievably incredible memory that allows you to remember 50 to 100 long, unique passwords. 

However, if you conclude that you’re not going to become a savant with a perfectly photographic memory, you’ll have to find a different strategy. You could choose to take your passwords off the grid and keep them written down in a notebook. But if you’re like most people, you’re going to need access to your passwords regularly, and this is not going to be a very good solution. Misplace the notebook or accidentally drop it from your pocket, your purse, or your laptop bag, and whoever finds it could access all of your online accounts. Plus, if you’re out in public and someone sees you checking the notebook for your password, they could target that notebook if they want to steal your information. 

Now, this could be a slightly better option for you if you don’t use any mobile devices and you only access the internet from home. Yes, the notebook itself still provides no security, but at least that person has to get through defenses of your home in order to get to the notebook. 

A second option would be to store your passwords in something like a Google Doc or a file that’s saved online. And while this keeps your passwords accessible, it leaves them vulnerable if you forget to sign out of an account on a shared computer or if you lose a device that’s still signed into that account. 

Using something like a Google Doc gives you no benefits and worse security than the last option: a password manager. Next week’s episode will explain password managers in more detail, including covering some additional benefits you might not have thought about. So join us back here next week as we continue our series on securing your accounts with a discussion on the benefits of password managers. 

Until then, stay safe!
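The following is an added worked example, not code from the podcast or its host: a small Python checker that turns the four principles from the transcript (length, uniqueness, no patterns, no public information) into tests you can run against a candidate password. It uses the episode's own figures for the attacker model (a cluster making 350 billion guesses per second, and the 95 printable characters of a standard US keyboard for the six-character keyspace calculation). The 12-character floor, the 0.7 similarity threshold, the keyboard rows, and the sample "public facts" and passwords are all assumptions constructed for illustration. The template check uses `difflib.SequenceMatcher` to score how much two passwords share, which is how a "base password plus site name" scheme gives itself away once two of them leak.

```python
"""Added example: a checker built around the episode's four principles.
Rates, thresholds and the sample facts below are constructed, not from the page."""
import difflib

# Attacker model from the episode: a purpose-built cluster at 350 billion
# guesses per second. 95 = printable characters on a standard US keyboard.
CLUSTER_RATE = 350e9
PRINTABLE = 95
MIN_LENGTH = 12  # assumed policy floor; the episode only says "make it long"

# Assumed keyboard rows used to spot walks such as "qwerty" or "poiu".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def brute_force_seconds(length, alphabet_size=PRINTABLE, rate=CLUSTER_RATE):
    """Worst-case seconds to exhaust every password of exactly this length."""
    return alphabet_size ** length / rate


def has_sequence(pw, min_run=4):
    """True if pw has a run of min_run+ characters stepping by +1 or -1
    in character code, e.g. '1234', 'abcd', 'dcba'."""
    s = pw.lower()
    for i in range(len(s) - min_run + 1):
        chunk = s[i:i + min_run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_walk(pw, min_run=4):
    """True if pw contains min_run+ adjacent keys from one row, either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for walk in (row, row[::-1]):
            if any(walk[i:i + min_run] in s for i in range(len(walk) - min_run + 1)):
                return True
    return False


def repeated_unit(pw):
    """Shortest unit whose repetition spells the whole password, or None.
    Length bought by repeating 'password' four times is not real length."""
    n = len(pw)
    for k in range(1, n // 2 + 1):
        if n % k == 0 and pw[:k] * (n // k) == pw:
            return pw[:k]
    return None


def public_info_used(pw, facts):
    """Return the facts (pet name, birth year, town...) found inside pw."""
    s = pw.lower()
    return [f for f in facts if f.lower() in s]


def template_similarity(pw_a, pw_b):
    """0..1 score of how much two passwords share. A base password with the
    site name swapped in scores high, so two leaked copies expose the scheme."""
    return difflib.SequenceMatcher(None, pw_a, pw_b).ratio()


def evaluate(pw, facts=(), other_passwords=(), similarity_threshold=0.7):
    """Return the list of principle violations found (empty list = none found)."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too short")
    if pw in other_passwords:
        findings.append("reused")
    for other in other_passwords:
        if other != pw and template_similarity(pw, other) >= similarity_threshold:
            findings.append("shares a template with another password")
            break
    if has_sequence(pw):
        findings.append("sequential run")
    if has_keyboard_walk(pw):
        findings.append("keyboard walk")
    if repeated_unit(pw):
        findings.append("repeated unit")
    if public_info_used(pw, facts):
        findings.append("contains public info")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    facts = ("Fluffy", "1985", "Springfield")
    existing = ("Fluffy!2020-amazon",)
    for pw in ("123456", "qwerty", "passwordpasswordpasswordpassword",
               "Fluffy1985!", "Fluffy!2020-ebay", "Tr0ub4dor&3"):
        print(f"{pw!r}: {evaluate(pw, facts, existing)}")
    for n in (6, 8, 12):
        print(f"{n} characters, full keyspace at cluster rate: "
              f"{brute_force_seconds(n):.3g} seconds")
```

Running the block shows the six-character keyspace falling in about two seconds at the cluster rate while twelve characters takes on the order of 10^12 seconds, and it flags each of the transcript's bad examples for the principle it breaks: "123456" as both a sequence and a keyboard walk, the 32-character "password" string as a repeated unit, and the two "Fluffy!2020-" passwords as sharing a template.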