The password lecture.

A 6-character password can be cracked in a fraction of a second.

Your mother and I want to talk with you. We saw your password and it’s really not safe.

I joke about this because we’re all guilty of it and I get it. Changing your passwords, then remembering them – it’s a hassle. I even get writers block trying to think up a new password! But this is something you want to address sooner rather than later.

Unless you’re a member of the InfoSec community, security is an invisible issue that is so easy ignore until it’s too late. Even when people are notified of vulnerabilities (think Equifax), they still hesitate to act. Why is that?

How easy is it to break a password?

Keep in mind that we’re not just talking about a single person trying to guess your password, we’re talking about automated bots that tirelessly comb the internet for vulnerabilities and scripts written to employ brute force algorithms that crack passwords through simple trial and error.

People often have 6 or 8 character passwords. An 8 character password would be broken by a bot (with no prior knowledge of the account holder) in less than one minute. Someone on an average home computer employing brute force algorithms could break that same password in less than 42 minutes. In either case, it is not sufficiently secure.

In addition to these methods, there are entire password dictionaries on the internet. When Yahoo was hacked in 2013, all 3 billion accounts were compromised. There are aggregate databases with billions of usernames and passwords. One such list is comprised of information from 252 previous data breaches and credential lists. Hackers (good and bad) use these lists to determine the most common usernames and passwords. Someone trying to hack into your account will always begin with the weakest link, including common password habits.

What makes a good password?

So many of today’s password guidelines (uppercase, lowercase, number, symbol) are slightly off the mark. Using different types of characters is helpful, but the most important factor is length. Simply put, a longer password is harder to crack! Remember the 8-character password above that could be broken in under a minute? Watch what happens when you lengthen your password, even if you only used the letter A!

14 a’s would take 51 years to brute force.
15 a’s would take 1000 years.
16 a’s would take 35,000 years.
17 a’s would take 900,000 years.

The Passphrase

The best password you can make is a passphrase – a long string of random words or characters that you can easily remember. An example of an excellent passphrase could be:

ourMice!wantTapshoes

Notice that I’ve also included a few uppercase characters and a symbol to make it even more secure. With current technology, this password would take 3 quintillion years to crack.

An Automated Solution: Password Managers

There are options available that will securely manage your passwords for you. Password managers assist in generating complex passwords for all of your online accounts, then store them for you in an encrypted database. The encrypted data can only decrypted on your device – meaning your password information is not being stored in the company’s database where it could be breached. If you are interested in trying a password manager, I recommend LastPass and 1Password.