Here’s what a strong password looks like—and it’s not what you think
We’re all familiar with those irritating password rules: Use special characters (but not ^ or $)! Use two capital letters! Use at least six letters and numbers (but not in these sequences)!
Given the threats, it’s understandable that sites try to force you to use more complicated passwords. Unfortunately, what many of us do in response is create “systems” that obey the rules while being easy to remember.
Those systems often involve personal information—name of dog, year of birth, exclamation mark at the end: Fido2011! The problem is that hackers can find your dog’s name on Instagram and try every variation you can imagine (Odif2011!) very quickly using software.
The key takeaway for stronger passwords in 2018 is that length and unpredictability are more important than wacky characters and other rules. Here are four tips for creating safer passwords:
- An unexpected four-word phrase—“SampleReductionEastPronounce”—is actually tougher to crack than any random 8-character password. Just don’t use “ILiveinMadison” or “MyDogsNameIsLulu.”
- Add special characters and capital letters, but don’t put them at the beginning or end.1 And avoid !, by far the most common special character. If you use a four-word phrase, put special characters between words instead of spaces:
- Check your password’s strength at the Carnegie Mellon password meter2, 3, which analyzes your password against millions of known passwords and offers suggestions for making yours better4.
- Lie on security questions. Those personal details—mother’s maiden name, etc.—are frequently required when you reset a lost password. But the answers are often easy for anyone with access to your social media accounts to figure out. Make up fake answers you can remember or store somewhere secure.
Is your password secure?
Please note that any information you input is not stored or shared. A username is not required to check a password’s strength.
1 “Choose better passwords with the help of science,” The Conversation, Lorrie Cranor, 8/30/2017.
2 Carnegie Mellon Password Meter. Lorrie Cranor.
3 Please note that any information you input is not stored or shared. A username is not required to check a password’s strength.
4 Password and Authentication Research, Lorrie Cranor.