With passwords currently top-of-mind for many in extended detection and response (XDR) security, now might be a good time to talk about password choices. Despite some recent headlines, password managers are still a great idea and the strongest passwords are still the ones randomly generated by a password manager. At last word, LastPass vaults are still quite safe if a strong primary password was chosen.
So what makes a good password?
The length of your passwords are the single most important factor when it comes to security. You can see this play out in the graph below.
Even if you use all lowercase, if you make it fifteen characters long it would take a hundred years to break. Complex or not, if they are sufficiently long they are still hard to crack. The longer the better.
So sure, it looks like a long, all-lowercase password could be okay, but let’s be real. We’re not aiming for okay, we’re aiming for great.
So yes, you should still make your passwords both long and complex. We’ll get to some helpful tips in a bit for how to do that without breaking your brain.
I should note here that, while complexity is good, it’s not as key as we once thought.
In fact, the person who invented the complexity requirements has not only said it’s less important than password length, but he’s apologized for all those long nonsense passwords we’ve all been trying to remember for years now.
This is perhaps the reason why so many accounts actually get hacked all the time. People use the same password across many sites. Hackers compile databases of breaches—passwords, emails, and websites you have an account on.
Troy Hunt runs a service, Have I Been Pwned?, where you can easily see if your email has been part of a breach. If one of these databases has your email along with a password in it, the first thing a hacker is going to do is look at their other databases to see if you have accounts on other services.
Then they will attempt to use your password to log into everything else you have. You MUST use unique passwords for every single login you have. It’s not optional anymore. I know what you’re thinking. “But it's so hard to remember a long, complex password and to actually use a unique one for every single website I visit!”Don’t worry, I got you, fam.
First off, did you know that you can use spaces in passwords these days? For some of us older folks, this might be new information because for decades you couldn’t. There are some ancient services out there that still don’t allow them, such as old banking systems, but for 99 percent of the web, you can use spaces.
Why is that important and helpful? One, spaces usually count as a symbol in complexity requirements. Moreover, they can open up the world of easy-to-type password choices for you.
No longer do you have to choose stupid, hard-to-type passwords like MyLongPassword12! or DoctorWhoRulez2012! Instead of choosing passwords, you can now choose passphrases.
What's a passphrase? It’s just a regular old sentence or combination of words you can remember.
My voice is my Passport is a twenty-three character password. It meets the requirement for upper and lowercase. Plus, it's easy to remember and type without typos.
How about we get some complexity in there? Since we’re using sentences, complexity can be achieved with simple punctuation (I’d, I’ll, we’d, it’s, they’re, etc.).
23 lions had a picnic on New Year’s Day
This is a forty character password which is complex, easy to type, and memorable.
Season 8 of GoT was the worst ever and D&D should feel bad for making it
Seventy-two characters, easy to type without typos, unique, complex and memorable.
My first car cost $4500 USD and was a cherry red Chevelle
Fifty-seven characters, complex, easy to type, and memorable.
This is a good moment to talk about our fourth requirement. Passphrases can help you create strong passwords that you can actually remember, but there’s a caveat.
While “To be or not to be” might be easy to remember, it’s also easier to guess. Your passphrase shouldn’t contain common or well-known phrases like quotes or lyrics.
Some people like to use the “diceware” method—choosing 4 or 5 random words like correct horse battery staple and this can work as well, but inserting complexity into them and remembering the random words can turn some people off.
It’s a valid method though and so far, there are no dictionary attacks on super long passwords that are complex and unique. As long as it’s of sufficient length, we are still safe at the moment.
Now, we still have a problem of having to remember dozens of passwords for websites, and this is where a good password manager comes in.
In this case, all you need to do is create ONE really, really good password and you let the password manager pick all your other passwords for websites in a randomly generated manner.
So My first car cost $4500 USD and was a cherry red Chevelle protects all your other passwords and those passwords are all nonsense like ouphahth9Rciem3phu0eeJee4iengah.
You don’t have to remember all those—only the one really long, really complex password.
So there you have it. Password managers and their extremely long, randomly generated passwords remain the best choice for passwords in 2023. For those times when you absolutely need to use a memorable, personal password, you now have a few tips on how to craft them.
Make them long—a minimum of 20 characters these days. Introduce complexity in natural ways such as with quotes, apostrophes, etc. Make them unique for each service you use and don't use common phrases such as Winter is coming.