Did you see the recent Forbes article on the 2015 worst passwords list? It is not hugely better news over last year’s list, but it is always a good read – both from an entertainment and an educational standpoint. While the list still contains some pretty shockingly lame passwords (123456, password, abc123), it was interesting to see some of the more creative ones that made the list, but are still incredibly weak.
What makes a good password?
It should be unique and sufficiently complex. Experts still recommend creating complex phrases and using a different, unique password for each of your accounts. I know, it seems like the easy thing to just have one phrase to remember, but you risk having all your accounts accessible if one is hacked.
The longer the better!
Remember Nick Helm’s Disney joke that we shared in a previous blog on this subject? “I needed a password eight characters long so I picked Snow White and the Seven Dwarves.” Funny. But also weirdly effective, as it has an incredible number of possible combinations. As we’ve mentioned before, the NIST Guide to Password Management states that the best way to increase password complexity is to increase the number of possible combinations.
The best way to increase password complexity without having to write it down is by increasing password length. It gets a little heady when you begin reading about it, but it really comes down to being sufficiently complex, not crazily complex. So when you see those requirements that you have an uppercase, lowercase, number and symbol in your password, just remember that if you have to write it down to remember it then you have just made it less secure.
Remember to follow these general guidelines:
* Use a secure password manager. The Forbes article mentions KeePass (which I use) or 1Password.
* Use your toughest, most secure passwords for credit cards, banking, healthcare records and email (remember your personal email is often used for password resets so must be just as secure).
* Use the next level for social media and communication tools.
* Save the least secure for generic stuff like your news sites where you don’t store sensitive data.
Not sure where to start? The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.