If you’ve used the internet, you’ve probably created a password. There’s a lot of advice out there about creating passwords: use uppercase! use lowercase! Use numbers! Symbols! Don’t use a dictionary word! Use many dictionary words in a passphrase! Don’t write it down! Store it in a password manager! There is so much advice, and so much of it is conflicting, and often it comes without any explanation. In this blog post, I’ll detail what a good password is (and why), give you some tools to help remember your password, and give a few other simple ways to help protect your account.
What is a “good” password?
A good password is one that is unique and hard to guess. A password should be unique because if someone hacks one website, you don’t want them to have access to all your other accounts. It must be hard to guess because computers work much faster than humans – for example a modern computer can guess every word in the English language in under a minute.
Ideally, you want your “keyspace” – the total number of possible password combinations – to be as large as possible, so that trying to guess your password will take a lot of work. The formula for computing how many possible passwords there are is n to the power of r (n^r), n meaning the number of possibilities for each symbol, in the password, and r being the length of the password.
So for example, a ten character password that is only numbers would be 10^8 or one hundred million possible passwords. Conversely, and 8 character password with letters, numbers, symbols, uppercase, and lowercase letters would be 96^10, or approximately sixty seven quadrillion (66,483,263,599,150,104,576 to be precise). Thus, a good password must be at least either long, or complex. (And ideally both!)
But how do I remember my passwords?!
As Miller pointed out in the 60s, there are limits to human memory – we can only remember about 7 “chunks” of information.
One easy way to remember your passwords is to use a password manager like 1password, Keepass, Lastpass, Dashlane or one of the many other password managers on the market. However, while such software reduces your need to remember multiple passwords, you still need to make a password for your password manager. This password must be very complex.
Luckily, there are two techniques you can use to help generate easy to remember, hard to guess passwords.
The first is to use a passphrase. The concept is simple – make a sentence that’s 5 or 6 words long. Make that sentence (including the spaces) your password. Try to avoid quotes from movies, song lyrics, or other publicly available sources. If you want help generating a phrase, you can use Diceware. (It’s important – to eliminate guessing – that you don’t say this phrase out loud and that it’s not something that you regularly say.)
The second option is a mnemonic phrase. A mnemonic is a pattern we use to remember something, and we can use a unique phrase about the website to remember a password.
To generate a mnemonic password, you simply take a memorable sentence and make an acronym out of the sentence, by taking the first letter of each word. For example, you could take the phrase “I am using a mnemonic to create a better password”, the resulting password would be “Iauamtcabp”.
What steps can I take to secure my account?
There are two easy ways to increase the security of your account.
The first is to take a hard look at your supposedly secret questions. Many of these questions – mother’s maiden name, the name of your high school, or where you met your spouse – are all available in public databases. The much publicized hack of Sarah Palin’s email in 2008 was enabled due to the attacker being able to find the answer to Palin’s secret question (Where did you meet your spouse?) in a previous press interview. Answers to secret questions should not be known to anyone but you – if you’re forced to pick a secret question that is publicly available, use your password manager to generate a random answer , or if you don’t have a password manager type in gibberish. For some accounts (bank accounts, email accounts, etc) it’s better to get locked out of your account and have to call customer service to be let back in, than it is to have it taken over.
The second is to use two factor authentication. (also known as two-step login), which we’ve talked about here on the CDT blog before. When using two factor authentication, users enter a one time code in addition to their password. You may be most familiar with this when your bank or a similar website requires you to enter a code sent by text message (SMS) to your phone. In fact, there are a lot of options for two-step: the codes can be delivered via a standalone device, text message, or in an mobile app like Google’s Authenticator. Most major websites, including Facebook, Google, and Twitter all allow users to enable two factor authentication.