Strong Passwords Are the Ones You Don't Remember

For better or for worse, passwords play an integral role in authenticating us in almost every conceivable application we use. Whether it’s logging onto your computer, checking your email, or using a CRM, chances are you need to enter a combination of a username/email address and a password - often referred to as credentials.

The combination of a username and a password is important – a username alone is incomplete without a password and vice versa. The username is generally regarded as public information. A password, on the other hand, is secret.

Since we interact with so many different applications on a daily basis, we need to remember different passwords for a wide range of different applications. The temptation is usually to create one password and re-use it across all our accounts – that is a big mistake.

Imagine you have an account with websites A, B, and C, for all of which you conveniently re-use the same credentials. If website A suffers a data breach, or you fall victim to a phishing attack and enter your password, the attacker will not only gain access to A‘s account but also to B and C‘s.

Of course, in addition to reusing passwords, many people also tend to pick predictable or non-random passwords. Attackers use what is called a dictionary attack, which uses long lists of common passwords and words in dictionaries to try to guess common passwords. Books, song lyrics, and anything that’s public knowledge about you, such as your social media profiles, could also be valuable to the attacker trying to guess your password. This means that passwords based on nicknames, birthdays, pets, quotations, and favorite books are bound to be easy for the attacker to guess. The more random a password is, the stronger it is deemed to be.

Unfortunately, a short password, even if sufficiently random may, under the right circumstances, only take a couple of hours for an attacker to crack. With short passwords, attackers can attempt all possible password combinations using a password-cracking method called brute-forcing.

The good news is that brute-forcing is very inefficient for the attacker, and the addition of each character increases the time and resources it would take to crack it exponentially, making an attack infeasible.

The characteristics of a strong password are:

• Sufficient length to prevent brute-force attacks;

• Sufficient randomness to prevent dictionary attacks and guesses through social engineering and phishing attacks;

• Unique to each account to prevent password reuse attacks;

• Private, known only to the account holder.

Harder, better, random, longer

This begs the question though – is the above practical? In reality, most people can only remember a handful of strong passwords. This is where password managers can help.

A password manager is a piece of software that can generate highly random and long passwords for you. Password managers require you to use a master password to access them. Of course, this means that your master password should be long (ideally 12 or more characters), random, and unique to that password manager.

Some popular password managers include KeePass (open-source, runs on Windows with ports for other platforms) and 1Password (commercial, runs on macOS, Windows, iOS and Android).

A password manager will safely store all your passwords using strong encryption, so even if someone gains access to your computer unless they can guess the master password, they will not be able to do much.

While the use of strong and unique passwords may not necessarily protect you against data breaches and phishing attacks, they certainly will help limit the damage weak, non-unique passwords could cause. In summary, when it comes to passwords, don’t rely on memory and make them long, random, unique; and above all keep them private.