Creating a strong password may seem like a chore, but sometimes it can literally be the only thing standing between a cybercriminal and your own personal and financial information or access to your office’s network and PHI. Here are some tips for creating a strong password (that you can actually remember):
- The most important factor in creating a secure password is length. Hackers often use software that essentially makes millions of guesses per second to crack a given password (this is called a “brute force” attack). A longer sequence of characters (letters, numbers and possibly punctuation marks) means more possible combinations to help thwart an attacker. The absolute minimum should be twelve characters, though the longer the better. If a password has eight characters, for example, modern password cracking software will break it in a matter of hours. A difference of four characters in a password may not seem like much, but it yields a huge increase in the number of possible combinations (and hence in the number of attempts the cracking software will have to make before it can break the password in question). Even if only letters and numbers are allowed, there are 14 million times as many combinations with a twelve character password vs. an eight character one. And if punctuation marks are included, the figure goes to 81 million. Simply put, longer passwords are always better.
- Use a nonsensical (or completely personal) passphrase. That way, you can pick a password that is both easier for you to remember and harder for an attacker to figure out. If you really want to, you can mix in random characters like $, @, etc., though hackers are well aware people try this trick. Truth be told, it’s really the length that makes a passphrase difficult to crack, so mixing in symbols will essentially make the password more difficult for you to remember while not making it any harder for an attacker to break.
When creating your phrase, make sure it’s really unique to you (or genuinely random). Avoid famous literary quotes and song lyrics – hackers can check for those. A good nonsensical passphrase might be something like: CyanStapleWashingtonBanana44 (don’t use this exact one – or any other password/passphrase suggestion you see online – yourself. Hackers can find those, too). A personal phrase can be effective because it relates to something that’s memorable to you. Just make sure it isn’t a widely known event. Perhaps that time you were surprised at the aquarium: “BlueLobstersAreReal!!!” It’s long enough that a machine won’t break it anytime soon, no one is going to guess it and you will remember it.
- Don’t use the same password for multiple sites. This is known as “daisy-chaining.” If one account gets compromised, it will instantly expose others with the same (or a similar) password to attacks.
- Don’t have a file or email called “passwords” anywhere on your computer (or saved in an email). These are easy for a hacker to find if he or she searches for “password” on either one.
- Change passwords regularly – perhaps every few months. If a database storing a site’s passwords has been compromised (which is often not discovered right away), changing a given password makes it effectively useless to an attacker even if it’s stolen and eventually cracked.
- Use “two-factor authentication” (2FA) whenever it’s available. Additional “authentication factors” are just ways to ensure you are who you say you are. This can mean something like a fingerprint scanner or a code sent to your phone via text message that is then entered in addition to your password. If an attacker only has your password, he or she still won’t be able to get access. Two-factor authentication is especially helpful in safeguarding administrator accounts and remote logins to your network.
- Avoid using security questions, if you can. Frequently these questions are used as a way around the dreaded “I forgot my password” problem. This may sound helpful, but they almost always focus on information that can be found elsewhere online (where you went to school, pet’s name, favorite color, etc.). Any hacker will know to look for this information and can use it to get into your account – and potentially lock you out. Unfortunately, some sites require you to use the questions. If possible, pick questions whose answer is not a single, easily found fact or one of only a few possibilities (your mother’s maiden name, for example).
- Use a password manager. Password management software helps you create nearly unbreakable, highly complex passwords. The passwords are encrypted and locked behind a single master password only you know. The software securely saves your login information, and you can automatically log in to your accounts either directly through the software or via a browser add-on button. A portable version of the software can also be installed on a USB drive and used to view and log in to your accounts on other computers. There are excellent paid versions, including RoboForm Everywhere, Sticky Password, Dashlane Premium and LastPass, as well as good free versions including KeePass (best for techies) and LastPass Free.14,15
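The keyspace arithmetic behind the “14 million” and “81 million” figures in the length tip, and the passphrase point, worked through as an added example (not from the original article). The guess rate and the 7,776-word list size are assumed, illustrative values; symbol counts (62 alphanumerics, 95 printable ASCII) are standard.

```python
# Added example: reproduce the keyspace figures quoted above and estimate
# worst-case brute-force time at an assumed guess rate.

ALPHANUMERIC = 26 + 26 + 10     # a-z, A-Z, 0-9          -> 62 symbols
PRINTABLE = ALPHANUMERIC + 33   # plus punctuation/space -> 95 symbols
WORDLIST = 7776                 # assumed diceware-style word list size


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` random symbols."""
    return alphabet_size ** length


def extra_combinations(alphabet_size: int, short: int, long: int) -> int:
    """How many times larger the keyspace becomes when going from `short` to `long` characters."""
    return keyspace(alphabet_size, long) // keyspace(alphabet_size, short)


def passphrase_keyspace(word_count: int, wordlist_size: int = WORDLIST) -> int:
    """Combinations for a passphrase of whole words, assuming the attacker
    knows the word list (the pessimistic, realistic assumption)."""
    return wordlist_size ** word_count


def worst_case_seconds(combinations: int, guesses_per_second: float) -> float:
    """Time to exhaust `combinations` guesses; an attacker needs ~half of this on average."""
    return combinations / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    RATE = 1e9  # assumed: one billion guesses per second (illustrative only)
    print("12 vs 8 chars, letters+digits :", f"{extra_combinations(ALPHANUMERIC, 8, 12):,}")
    print("12 vs 8 chars, with punctuation:", f"{extra_combinations(PRINTABLE, 8, 12):,}")
    for n in (8, 12, 16):
        print(f"{n:2d} random chars ({PRINTABLE} symbols):",
              describe(worst_case_seconds(keyspace(PRINTABLE, n), RATE)))
    for w in (4, 5, 6):
        print(f"{w} words from a {WORDLIST}-word list     :",
              describe(worst_case_seconds(passphrase_keyspace(w), RATE)))
```

Compare the word-based rows with the character-based ones: a passphrase is strong because of how many words it contains, not because of the symbols sprinkled into it.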