Coming up with a complex random password is one of the many pains of our digital life. It turns out that sprinkling in special characters, numbers and CAPITAL letters does not make a password much harder to crack. Attackers do not guess one character at a time; they start from a dataset of leaked common passwords and run dictionary attacks with "mangling rules" that try the usual variations of each word: capitalising the first letter, appending a year, tacking a '!' onto the end. Whether the decoration is a symbol or a digit makes little difference. What matters is that the password is a predictable base word plus a predictable tweak.
Your password is the key to your bank, your utility bills and the information about you stored on government servers. Data breaches are on the rise, and despite more money being spent on IT defenses, you are still at risk of having your information exposed. Take a look and see if your password has already shown up in a known breach. Kinda scary!
Bill Burr, the NIST (National Institute of Standards and Technology) author who came up with the original 2003 recommendations, has since taken it all back. Almost every sign-up/login form uses those recommendations as the basis for its password rules. And all for nothing: this misunderstanding leads companies and apps to force us into less safe passwords through strict rules based on out-of-date password science. This comic illustrates it perfectly.
Users typically just add a number or special character at the beginning or end of a password they already use. That does not magically make it stronger: cracking tools ship with rule sets that try exactly those tweaks, so 'Password1!' falls almost as fast as 'password'. It only creates a false sense of security.
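To make the point concrete, here is a toy rule-based cracker. It is an added example, not code from the article: the eight-word "leaked" wordlist and the handful of mangling rules are constructed stand-ins for the breach dumps and rule files (for instance hashcat's or John the Ripper's) that real attackers use, and the hashes are unsalted SHA-1 purely so the demo runs in a second.

```python
"""Toy rule-based password cracker.

Added example (not from the article): shows why "Summer2012!" is barely
stronger than "summer". Real tools such as hashcat and John the Ripper do the
same thing at scale, with leaked-password wordlists and large rule files; the
wordlist and rules below are constructed stand-ins.
"""
import hashlib

# Constructed mini "leaked passwords" wordlist standing in for a breach dump.
WORDLIST = ["password", "summer", "dragon", "monkey",
            "letmein", "football", "princess", "welcome"]

# Mangling rules: the decorations people actually add to a base word.
SUFFIXES = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1990, 2025)]
SYMBOLS = ["", "!", "@", "#", "$", "1!", "!!"]


def case_variants(word):
    """The three capitalisation habits almost everyone uses."""
    return [word.lower(), word.capitalize(), word.upper()]


def mangle(word):
    """Yield every candidate the rule set derives from one base word, without repeats."""
    seen = set()
    for base in case_variants(word):
        for suffix in SUFFIXES:
            for sym in SYMBOLS:
                for cand in (f"{base}{suffix}{sym}",   # Summer2012!
                             f"{suffix}{base}{sym}",   # 2012Summer!
                             f"{sym}{base}{suffix}"):  # !Summer2012
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def sha1_hex(text):
    """Unsalted SHA-1, a weak storage scheme still seen in old breach dumps."""
    return hashlib.sha1(text.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Return (plaintext, guesses) on success, or (None, guesses) once the rules are exhausted."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha1_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    for pw in ("summer", "Summer2012!", "correct horse battery staple"):
        found, n = crack(sha1_hex(pw))
        print(f"{pw!r}: {'cracked' if found else 'not found'} after {n} guesses")
```

"Summer2012!" is recovered within a few thousand guesses because the capital letter, the year and the exclamation mark are all rules, not randomness; a four-word passphrase that is not built from a single dictionary word never appears in the candidate stream at all.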
Here is a 2012 study on American password usage with a quick summary:
- 61% of consumers reuse passwords among multiple websites
- 54% of consumers have only five passwords or less
- 21% of consumers have had an online account compromised
- 76% of respondents in the 18 to 24-year-old age group reuse passwords among multiple sites — the highest percentage of any age group
Passphrase in, Password out
In 2017, NIST published an updated set of password rules (Special Publication 800-63B). They are surprisingly simple and straightforward, and prefer user-friendliness over complexity. Edward Snowden agrees!
- Use a passphrase: a string of words is far easier to remember than a jumble of symbols.
- The longer the passphrase, the better. NIST tells sites to allow at least 64 characters and to drop composition rules (no more "must contain a symbol").
- Drops the recommendation to change your password on a schedule; change it when there is evidence it has been compromised.
- Don't use password hints; they reveal more information about you to potential attackers.
- Passphrase Generator
- EFF Passphrase Generator
- Diceware Password Generator
- More Diceware Generators
- Diceware Video
- Password Strength Meter Comparison
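The generators linked above all do the same thing underneath, so here is the Diceware method in code, together with the arithmetic that explains why "longer is better". This is an added example, not the article's or any linked tool's code: the 36-word list is a constructed stand-in (two dice instead of the five used with a real 7776-word list) so the script runs offline; for actual use, load the EFF large wordlist in its place.

```python
"""Diceware-style passphrase generator with entropy arithmetic.

Added example, not part of the article. Real Diceware and EFF lists have
7776 words (6**5, one per roll of five dice); the 36-word list below
(6**2, two dice) is a constructed stand-in so this runs offline. For real
use, load the EFF large wordlist in its place.
"""
import math
import secrets

WORDS = [
    "acid", "baker", "cabin", "delta", "eagle", "fable", "gamma", "hotel", "igloo",
    "jelly", "kiosk", "lemon", "mango", "noble", "ocean", "piano", "quilt", "radar",
    "salsa", "tiger", "ultra", "vivid", "wagon", "xenon", "yacht", "zebra", "amber",
    "bison", "cobra", "dune", "ember", "fjord", "glide", "honey", "ivory", "jaunt",
]  # constructed; 36 entries = 6**2


def dice_per_word(words):
    """A Diceware list must have 6**k entries; return k or raise."""
    k = round(math.log(len(words), 6))
    if 6 ** k != len(words):
        raise ValueError("word list size must be a power of six")
    return k


def roll(k):
    """Roll k fair dice with the OS CSPRNG (never the random module for this)."""
    return [secrets.randbelow(6) + 1 for _ in range(k)]


def lookup(words, dice):
    """Treat the dice as a base-6 number, exactly as the paper Diceware table does."""
    index = 0
    for d in dice:
        index = index * 6 + (d - 1)
    return words[index]


def passphrase(n_words, words=WORDS, sep=" "):
    """n uniformly chosen words joined by sep; each word is one independent roll."""
    k = dice_per_word(words)
    return sep.join(lookup(words, roll(k)) for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Uniformly chosen words: entropy is n * log2(list_size), independent of word length."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest passphrase length that reaches target_bits with a list of list_size words."""
    return math.ceil(target_bits / math.log2(list_size))


def charset_bits(length, alphabet_size):
    """Entropy of a truly random password over an alphabet (the best case for 'complex' passwords)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(passphrase(6))
    print(f"6 Diceware words (7776 list): {entropy_bits(6, 7776):.1f} bits")
    print(f"8 random printable chars:      {charset_bits(8, 95):.1f} bits")
    print(f"words for 80 bits: {words_needed(80, 7776)}")
```

Two things worth noticing: the entropy comes only from the number of words and the list size, never from how exotic the words look, so a six-word phrase from a 7776-word list (about 77.5 bits) beats a fully random 8-character password over all 95 printable ASCII characters (about 52.6 bits) while being memorable. And the words must be chosen by dice or a CSPRNG; picking "random" words out of your head is what the attacker's wordlist is built for.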
In addition, use two-factor authentication whenever possible. SMS codes sent to your phone can be intercepted or redirected (a SIM swap is enough). Install a two-factor auth app on your device instead: it computes each code locally from a secret shared once at sign-up, so no code travels over the phone network. NIST sets guidelines for government agencies, but corporations and others look to them as a starting point. So it behooves us to pay attention to these password updates.
Avoid these bad practices
- Don't reuse passwords across accounts!
- Don't store passwords in a text file.
- Don't store passwords in your browser.
- Don't use common strings like 'password' or 'qwerty' unless you genuinely don't care about the account and it holds no important information about you.
- Password hints and security questions are now disallowed by NIST. Attackers can simply browse your social media to find out what street you grew up on or what your high school mascot was.