The Importance of Strong Passwords

If you use the Internet or store valuable or personal information on your computer, you must defend against a multitude of threats in today’s computing environment. We are constantly bombarded with viruses, bots, and worms that want to access our computers or online accounts and obtain information that can be turned into money by the cyber criminals who create them.

In many cases a good, strong password is the first line of defense against these thieves. The stronger the password, the harder it is to crack and the longer cracking it takes. Like most thieves, hackers want to get in, get the goods, and get out as quickly as possible to avoid detection. Therefore, just as a burglar will move on to the next house if he sees a dog or an alarm system, an attacker will go after an account with a weak password rather than waste time cracking a difficult one.

Essentially, a password’s strength is determined by its length and by how unpredictable its mix of letters, numbers and symbols is. Let’s look at these characteristics one at a time:

  1. First, longer is stronger. A password should be a minimum of 8 characters in length and ideally 14 or more; every extra character multiplies the number of guesses an attacker has to make;
  2. It should not contain a word found in any dictionary (English or otherwise). For maximum effectiveness your password should be a completely random string of characters. If you absolutely feel the need to use dictionary words, then misspell them in a non-obvious way, maybe by swapping certain letters (e.g. “bzrthday”), but bear in mind that cracking tools routinely try one-letter variations of every word in their lists, so a single swapped letter buys less than it appears to. No matter what, you want to ensure that your password has as little chance as possible of appearing in even the most comprehensive dictionaries used by hackers;
  3. Use at least one lowercase letter, one uppercase letter and one number. Most people swap obvious letters for the digits that look most similar (e.g., e=3). That is better than using no digits at all, but cracking tools apply exactly these substitutions automatically, so if possible use a completely random digit, and avoid tacking it onto the end just to satisfy a password policy (lots of people choose Password18), because a trailing digit is the first thing an attacker tries;
  4. At least one symbol (e.g., any of the characters above the numbers at the top of your keyboard);
  5. Memorable! If you need to write your password down, then it’s not a good password. (A reputable password manager is the one sensible exception: it can hold passwords you could never remember, protected by one strong master password.)

I know… right about now you’re saying, “I have a hard time remembering my cell phone number; how am I going to remember a password with all these characters?”

One good technique is to think of a phrase you can remember, such as the first line of your favorite song or poem, and use the first letter of each word. For example, “O! say can you see by the dawn’s early light,” becomes “oscysbtdel” (a weak password, by the way, according to Microsoft’s Password Strength Checker). Now let’s make it stronger with capitalization, a number and special characters. It becomes “O!scysbtd’3l,” and voilà, it is transformed into a strong password.
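The checklist above and the phrase technique can both be put to the test with a little code. The following Python script is an added example, not part of the original column or any Microsoft tool: it derives a password from a phrase the way the article describes (first letters, punctuation and capitalization kept, one digit swapped in away from the end), estimates the brute-force work an attacker faces from length and character set, and runs a small dictionary check that undoes the mangling rules crackers apply (lower-casing, leet substitutions, trailing digits, one-letter misspellings). The word list, the substitution table and the sample passwords are constructed for the example; a real cracking list holds millions of entries and far more rules.

```python
import math
import string

# Constructed stand-in for a cracker's word list (real lists hold millions of entries).
WORDLIST = {"password", "birthday", "welcome", "dragon", "letmein"}

# Digit/symbol substitutions that rule-based crackers reverse as a matter of course.
LEET = {"3": "e", "0": "o", "1": "i", "@": "a", "$": "s", "4": "a", "5": "s", "7": "t"}

SYMBOLS = string.punctuation  # the 32 printable ASCII symbols


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set containing every character of pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return size


def brute_force_bits(pw: str) -> float:
    """Bits of work for an attacker who must try every string of this length over this
    character set. This is the defender's best case: a dictionary hit makes it meaningless."""
    return len(pw) * math.log2(charset_size(pw))


def normalize(pw: str) -> str:
    """Undo the common mangling rules: lower-case, strip trailing digits/symbols, reverse leet."""
    s = pw.lower().rstrip(string.digits + SYMBOLS)
    return "".join(LEET.get(c, c) for c in s)


def dictionary_hit(pw: str) -> bool:
    """True if the un-mangled password is a word-list entry or within one letter of one."""
    base = normalize(pw)
    if base in WORDLIST:
        return True
    return any(len(w) == len(base) and sum(a != b for a, b in zip(w, base)) <= 1
               for w in WORDLIST)


def phrase_to_password(phrase: str, swap: tuple = ("e", "3")) -> str:
    """First letter of each word, keeping its case and any punctuation attached to the word,
    then the first non-final occurrence of swap[0] replaced by swap[1]."""
    parts = []
    for word in phrase.split():
        core = word.strip(SYMBOLS)
        if not core:
            continue
        lead = word[: len(word) - len(word.lstrip(SYMBOLS))]
        trail = word[len(word.rstrip(SYMBOLS)):]
        parts.append(lead + core[0] + trail)
    pw = "".join(parts)
    i = pw.find(swap[0])
    if 0 <= i < len(pw) - 1:  # never put the digit at the very end
        pw = pw[:i] + swap[1] + pw[i + 1:]
    return pw


def assess(pw: str) -> dict:
    """Summary a reader can compare across candidates."""
    return {"length": len(pw), "bits": round(brute_force_bits(pw), 1),
            "dictionary_hit": dictionary_hit(pw)}


if __name__ == "__main__":
    anthem = "O! say can you see by the dawn's early light,"
    # Constructed sample passwords: the article's weak and strong forms plus common mistakes.
    for candidate in ["oscysbtdel", phrase_to_password(anthem), "bzrthday", "P@ssw0rd",
                      "Password18", "a" * 14, "Ab1!Ab1!"]:
        print(f"{candidate:16} {assess(candidate)}")
```

Two things the numbers show that the prose only asserts: fourteen lower-case letters (about 66 bits) outrank eight characters drawn from all four classes (about 52 bits), so length really does beat character mixing; and “bzrthday”, “P@ssw0rd” and “Password18” all come back as dictionary hits once the cracker's standard rules are undone, however high their character-set score looks.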

Lastly, it’s not good enough to have one secure password and use it for EVERYTHING. In an ideal world you’d have a different password for each program or website, but that is not very realistic for most people.

My recommendation is to have a few secure passwords that you use for different levels of ‘sensitivity’. Keep in mind that any password shared between sites can be taken from a breach of the weakest of them and tried against the rest, so the critical tier in particular should never be shared with anything else:

  • One password for logging in to your computer;
  • One password for your email account;
  • One password for ‘insecure’ and non-critical websites (e.g. random forums or websites that force you to register);
  • One password for medium-level websites (e.g. Facebook, LinkedIn, etc., where aspects of your privacy/identity are in play);
  • One password for critical sites (e.g. online banking, PayPal), changed at least once every six months.

The use of strong passwords may not completely safeguard you from a cyber-attack, but it is an integral part of an overall strategy to protect yourself (and your data) in an increasingly online world.

This article was originally published in the Technically Speaking column of the July 2012 issue of I’On Life magazine.

About Chris Hughes