Our tips for the perfect password
1. Variety is key
A secure password should never consist only of letters. Mixing in digits, special characters and capitals enlarges the space a brute force attack has to search. Just as important: do not use a dictionary word or a close variant of one, because cracking tools run through word lists with the usual substitutions long before they resort to blind guessing. For example, the password “armadillo” will only take 16 minutes to crack using an unthrottled, online brute force attack, while '@rm@dill0' will take about an hour; both are far too weak for practical use.
Instead, use a passphrase: a string of several words mixed with upper- and lowercase letters, numbers and symbols, including words that appear in no dictionary. That can mean complex abbreviations, nonsense phrases, or a random string of numbers, letters and symbols.
2. Length matters
It’s simple: the longer the password, the harder it is to crack. Length is decisive, especially against brute force attacks. A seven-character password made up of upper- and lowercase letters and digits (62 possible characters) has 62^7 = 3,521,614,606,208 (over 3.5 trillion) possible combinations. Adding just one more character raises that to 62^8, about 218 trillion. Go beyond 10 characters and draw them from the full printable set of letters, digits and special characters (95 symbols) and the space exceeds 10^21 combinations, which even an offline attack at billions of guesses per second needs thousands of years to exhaust. Bear in mind that these figures assume the attacker has to try everything: a password built from dictionary words or common patterns is found long before that, which is why tip 1 matters.
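The arithmetic above, as an added example that is not part of the original article: a small calculator that turns a character-set size and a length into the number of combinations, the equivalent in bits, and the time to exhaust the space at two assumed guess rates. The rates are round illustrative assumptions, not measurements of any product, and the code reproduces the 62^7 and 62^8 figures quoted in the text.

```python
# Added example, not code from the original article: the brute-force
# arithmetic behind tip 2, as a small calculator. The guess rates below are
# assumed round figures for illustration, not measurements of any product.
import math

ALNUM = 62       # upper- and lowercase letters plus digits, as in the text
PRINTABLE = 95   # letters, digits and the printable special characters

# Assumed guess rates in guesses per second (illustrative assumptions):
ONLINE_THROTTLED = 10            # a login form with rate limiting
OFFLINE_GPU = 10_000_000_000     # one GPU against a fast unsalted hash

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same key space expressed in bits (log2), the usual way to compare."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst case for the attacker: every candidate is tried. On average the
    password turns up after half the space, so halve this for the expected
    time. Both figures assume the password is not in a word list; a dictionary
    word with substitutions is found in a tiny fraction of this."""
    return keyspace(charset_size, length) / guesses_per_sec / SECONDS_PER_YEAR


def report(charset_size: int, length: int) -> dict:
    """Summarise one password shape against both assumed attack rates."""
    return {
        "combinations": keyspace(charset_size, length),
        "bits": round(entropy_bits(charset_size, length), 1),
        "years_online": years_to_exhaust(charset_size, length, ONLINE_THROTTLED),
        "years_offline_gpu": years_to_exhaust(charset_size, length, OFFLINE_GPU),
    }


if __name__ == "__main__":
    # The two shapes from the text, then the "more than 10 characters with
    # special characters" case. The offline column is the one that matters:
    # a throttled login form hides how quickly 62^8 falls to a single GPU.
    shapes = [("7 alnum", ALNUM, 7), ("8 alnum", ALNUM, 8), ("11 printable", PRINTABLE, 11)]
    for name, charset, length in shapes:
        r = report(charset, length)
        print(f"{name:>13}: {r['combinations']:>26,} combos, {r['bits']:5.1f} bits, "
              f"online {r['years_online']:.3g} y, offline GPU {r['years_offline_gpu']:.3g} y")
```

The offline rate is the one to plan against: a leaked password hash is attacked on the attacker’s own hardware with no rate limiting, so the "years" an online calculator reports for a short password shrink to hours.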
3. Don’t reuse passwords
Imagine if you used the same key for your house, car, office, mailbox, and storage. Losing one key would give someone the power to take almost everything valuable from you. Despite this, 13 percent of users report using the same password on all online accounts, with 52 percent of all internet users admitting they use the same password across many (but not all) accounts.
If a malicious actor buys a list of leaked credentials, they won’t just try the breached accounts. They will feed the same e-mail address and password into PayPal, work accounts, e-mail, social media and any other service where something of value might sit, an automated attack known as credential stuffing. All of your passwords must be unique, or one breach can compromise your entire approach to online security.
4. The easy way to create a password
This trick shows you how to create a complex password that only you can remember. Think of a sentence and string together the first letters of its words, keeping any numbers and punctuation. The sentence “My Name is Joe Bloggs and I was born on 1 January 1900!” produces the password 'MNiJBaIwbo1J1900!'. It’s long, contains numbers, special characters, caps and lowercase letters, and it’s certainly not in any dictionary. One caveat: choose a sentence nobody could guess about you. Your own name and date of birth, as in the example, are exactly what an attacker who has looked you up will try first.
If you don’t want to think up a password yourself, there are plenty of password generators that produce a random string for you. But be careful: random combinations are very difficult to remember.
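The three ways of building a password discussed in tips 1 and 4 (a mnemonic sentence, a random generator, and a passphrase of words), as an added example that is not code from the original article. The mnemonic rule and the 16-word sample list are assumptions made for this example; a real passphrase word list has thousands of entries.

```python
# Added example, not code from the original article: the two ways tip 4
# describes to produce a password (a mnemonic sentence and a random
# generator), plus the word-based passphrase tip 1 recommends. The sample
# word list is constructed for the example and far too small for real use.
import math
import secrets
import string


def mnemonic_password(sentence: str) -> str:
    """First character of every word; tokens that start with a digit are kept
    whole so that numbers such as the date in the example survive."""
    parts = []
    for token in sentence.split():
        parts.append(token if token[0].isdigit() else token[0])
    return "".join(parts)


PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 16) -> str:
    """Uniformly random characters from the printable set. `secrets` draws
    from the OS CSPRNG; the `random` module is predictable and must not be
    used for secrets."""
    if length < 12:
        raise ValueError("password too short; see tip 2")
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


# Constructed 16-word list for illustration. A real list such as the EFF long
# word list has 7,776 entries, giving about 12.9 bits per word.
SAMPLE_WORDS = [
    "armadillo", "bridge", "copper", "dune", "ember", "falcon", "glacier",
    "harbor", "ivory", "juniper", "kettle", "lantern", "meadow", "nickel",
    "orbit", "pillar",
]


def passphrase(words: int = 5, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Words chosen independently and uniformly, so the strength is
    words * log2(len(wordlist)) bits regardless of which words come up."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def bits_of_entropy(choices: int, count: int) -> float:
    """Strength of `count` independent uniform picks from `choices` options.
    Only meaningful for random output: a mnemonic sentence has far less
    entropy than its length suggests, because language is predictable."""
    return count * math.log2(choices)


if __name__ == "__main__":
    print(mnemonic_password("My Name is Joe Bloggs and I was born on 1 January 1900!"))
    print(random_password(16), round(bits_of_entropy(len(PRINTABLE), 16), 1), "bits")
    print(passphrase(5), round(bits_of_entropy(len(SAMPLE_WORDS), 5), 1), "bits (toy list)")
    print("same 5 words from a 7,776-word list:", round(bits_of_entropy(7776, 5), 1), "bits")
```

The entropy figures explain why a passphrase can be both memorable and strong: five words from a 7,776-word list give about 64 bits, comparable to a 10-character random printable password, and only the randomness of the choice counts, never how unusual the words look.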
5. Use a password manager
If you don’t think you’d remember 'MNiJBaIwbo1J1900!' even with the mnemonic above, a secure password manager can help. Today there are many password managers available with a variety of security and encryption options. Instead of remembering 10, 20 or 30 unique, difficult passwords, you only need to remember the one that unlocks the manager; make that a long passphrase, since it now guards everything else. Using these applications keeps you from being locked out of your accounts and makes it practical to give every account its own strong, random password.
6. Reset your password
The trickiest question among security managers: should passwords be changed regularly, and if so, how often? At first glance it seems sensible to change them regularly to ward off attacks. But experts take a nuanced view. Many users make only minor changes, turning 'password1' into 'password2', and such patterns are easy to predict. What’s more, people tend to choose weak passwords if they know they will have to change them soon anyway.
To reset or not to reset? We recommend basing the interval on the length of the password: a 12-character password, for example, every six months, an 8-character password every quarter. The Federal Office for Information Security (BSI) long gave similar advice; its current IT-Grundschutz guidance, like NIST SP 800-63B, no longer demands scheduled changes and instead requires a change whenever there is evidence of compromise. Many systems send an automatic reminder every 2 to 3 months to change the password, and it is wise not to ignore it. Whatever the interval, you must reset your password immediately after a successful attack on a service you use or a theft of its data. The most important thing is a strong password in the first place, and password generators are handy for that.
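A server-side check at password change that enforces the two points above, as an added example that is not code from the original article: it rejects a new password that is only a cosmetic edit of the old one ('password1' to 'password2', or 'P@ssw0rd' to 'Password'), and it rejects a password that already appears in a breach list, which is the post-breach case. The edit-distance threshold, the substitution table and the inline breach list are assumptions constructed for this example.

```python
# Added example, not code from the original article: a server-side check at
# password change that rejects the cosmetic edits tip 6 warns about
# ('password1' -> 'password2') and, for the post-breach case, a password that
# already appears in a breach list. Thresholds and the substitution table are
# assumptions chosen for this example; the breach list is constructed inline.
import hashlib
import re
from typing import Optional, Set

# Undo the substitutions that turn "password" into "P@ssw0rd", then drop
# everything that is not a letter, so that cosmetic variants compare equal.
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                       "3": "e", "$": "s", "5": "s", "7": "t"})


def _normalise(pw: str) -> str:
    return re.sub(r"[^a-z]", "", pw.lower().translate(_LEET))


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, max_distance: int = 2) -> bool:
    """True when the new password is a small edit of the old one, either
    literally or after normalising case, substitutions and digits."""
    if levenshtein(old, new) <= max_distance:
        return True
    a, b = _normalise(old), _normalise(new)
    if len(a) >= 4 and len(b) >= 4 and (a in b or b in a):
        return True                      # "password" -> "passwordpassword"
    return levenshtein(a, b) <= max_distance


def sha1_upper(pw: str) -> str:
    """Breach corpora are commonly distributed as upper-case SHA-1 hex."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def validate_change(old: str, new: str, breached_sha1: Set[str]) -> Optional[str]:
    """Return a rejection reason, or None if the new password is acceptable."""
    if len(new) < 12:
        return "too short"
    if too_similar(old, new):
        return "too similar to the previous password"
    if sha1_upper(new) in breached_sha1:
        return "appears in a breach list"
    return None


# Constructed breach list for the example. In practice the hashes come from a
# corpus of leaked passwords, e.g. via a k-anonymity range lookup.
BREACHED = {sha1_upper("correct-horse-battery-staple")}

if __name__ == "__main__":
    cases = [("password1234", "password1235"),
             ("P@ssw0rd!2023", "Password!2024"),
             ("Summer2023!xx", "correct-horse-battery-staple"),
             ("Summer2023!xx", "glass-otter-bridge-7-lantern")]
    for old, new in cases:
        print(f"{old!r} -> {new!r}: {validate_change(old, new, BREACHED) or 'accepted'}")
```

The check needs the old password in clear, which is only available at the moment the user types both into the change form; a service that stores only hashes cannot run it later, so it belongs in the change handler itself.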
7. Use two factor authentication
Two factor authentication (2FA) is quickly becoming the standard for account security, because it still protects you if your password is cracked or leaked. With 2FA, users prove their identity with two independent factors: something they know (the password) and something they have, typically a device. After entering the correct password on their laptop, for example, they confirm the login on their mobile phone. This stops the attacks that rely on the password alone, such as credential stuffing with a leaked password, because the attacker will rarely control your second device as well.
Keep in mind 2FA isn’t foolproof and a great password is still an effective first line of defence. Determined attackers use methods like SIM swapping to take over a phone number temporarily and so intercept SMS codes. To protect your most sensitive accounts, avoid SMS as the second factor and use a dedicated authenticator app such as Google Authenticator, which generates time-based one-time codes on the device itself. Be aware that a code typed into a phishing site can still be relayed to the real site within its validity window; a hardware security key (FIDO2/WebAuthn) is the option that resists that as well.
8. Use biometric authentication
A hacker may manage to gain access to your devices and defeat 2FA, but it is a lot harder to steal your face or fingerprint. Years ago biometrics were prohibitively expensive or trivially easy to bypass; with advances in technology, anyone can now use high-quality biometrics at an affordable price.
Biometrics take a variety of forms: keystroke dynamics, fingerprint or retina scans, facial recognition, signature analysis. Keep in mind, though, that biometrics should not be your only form of authentication. An employee with a recent eye injury might fail facial recognition because of an eyepatch, and an employee with damp hands might not be able to use a fingerprint scanner. There is a deeper reason too: a fingerprint or face is an identifier, not a secret, and it cannot be changed once copied, which is why on most devices it merely unlocks a secret stored locally rather than replacing it. For both reasons a well-crafted password remains an essential part of any biometric setup.
9. Top secret!
Some may believe that this tip is blatantly obvious, but it is still the most important one: never give anyone your password. Not even a friend, colleague or spouse, and not a caller or e-mail claiming to be 'support'; no legitimate service needs it. Also refrain from writing your passwords down. Notes make the codes easier to remember, but the consequences can be disastrous if they fall into the wrong hands.