A Lesson in Password Security

Think about your online passwords, even for this site. You might think your passwords are secure, but a recent publication analyzing leaked passwords from the attacks on SONY Computer Entertainment says otherwise. 

Most passwords are six to 10 characters long, half of most people's passwords are strictly upper or lower case, and 64 percent of all passwords can be found in a "password dictionary." The most startling statistic though, is that 92 percent of people reuse their password with other accounts. 

You might be thinking "I reuse my password with other accounts, but I'm sure that it's secure." Think again!

Eight-two percent of passwords would easily fall victim to a basic "rainbow table crack" in which your password is decrypted from its hash form i.e. "******". Which, in the end, means that if someone cracks your password, they have access to all of your accounts.

You're probably re-thinking your password right now, but before you change it, lets analyze some simple ways to secure your password. We'll start with the password "Patch." We'll be using GRC's Interactive Brute Force Password “Search Space” Calculator to compare the time it would take to crack the passwords.

According to the calculator, "Patch" would fall within 4.49 days, a result that should be no surprise. The simplest way to strengthen a password is to add numbers. With that in mind, it would take a little longer than a century to crack the password "Patch01". Numbers aren't the only remedy though, adding symbols such as an exclamation point would take "Patch01!" more than 2,000 centuries to crack. Alternating between upper and lowercase is another way to strengthen your password, bringing "PaTcH01!?" up to more than 200,000 centuries.

Here is where I change the the formula. Out of these two passwords, which one do you think is the strongest? 

• P1a2t3c4h5!?  

           or  

• SanJuanCapistranoPatch 

Naturally from what you've read, you would go with "P1a2t3c4h5!?" right? Wrong. "P1a2t3c4h5!?" would take 16.50 trillion centuries to crack while "SanJuanCapistranoPatch" would take 18.32 trillion trillion centuries to crack. You see, the instrumental piece of the equation is the length of the password. "a1b2c3!?%" is not necessarily a stronger password than "TheInternetUser." The best password length is 10 characters, if you can go higher, be my guest.

The final way to increase your password security is to change your passwords periodically. Since changing your password every nano-second is impossible, I recommend changing your most important account's passwords, such as your online bank account, every three months. For your other accounts, every six months should be fine.

If you can't remember your passwords, write them down, and then make sure that you place them along with your important documents i.e. passports, birth certificates. If you feel that an online service can best protect your passwords, it's your choice. I don't recommend them, however, because they too can be hacked and your passwords could be compromised and posted to torrent sites where everyone can get your information. Such as the recent hack of LastPass.

To recap: 

1. Don't reuse your passwords with all of your accounts. 
2. Add at least two numbers. 
3. Add symbols such as an exclamation point.
4. Alternate between upper and lower case. 
5. Password length is key, try going for 10 characters. 
6. Finally, periodically change your passwords, preferably every three months for your most vital accounts.