Many people, including technologists, do not know how to think about passwords…
The most important feature of a good password is the length – here is why:
Assume passwords are composed only of the digits 0-9. Then each additional digit multiplies the number of possible passwords by 10: the count grows exponentially with the length. If you use digits, lowercase and uppercase letters only, that is 62 characters, so there are 62 x 62 x 62 combinations for 3 characters, and for every character added there are 62 times more combinations. In general, I do not use special characters because many sites do not support them. Further, just add 2 characters to the password length and you will have more combinations than adding all of the special characters.
Now for some fun: what if you had an infinitely long password of 1’s only? Think about it: you could never log in, because you could never get the password length right.
So password length wins !!!
Therefore, the most important factor for a secure password is the length.
I recommend a password length of 15 to 27 characters. For important financial information use the high end – even as much as 27 to 32 characters.
Randomness
The next issue is randomness. For practical purposes, I suggest treating all generated character strings as pseudorandom. This is because – believe it or not – there are no programs or mathematics that can prove randomness, only approximations. That being said, there are different degrees of randomness. To create the maximum randomness you must remove all meaning and patterns; therefore, do not include any words or patterns. The best way to achieve this is to use a free random character generator.
Take aways
1. Use a program to generate and save passwords of 15 or more characters (don’t worry about special characters unless they are required).
2. Use unique login names and passwords for all accounts – no patterns. Again, do not use the same password, or a variant of it, for more than one account.
Test: if you can remember your password, it is too short! – unless you have an eidetic memory.
Bonus Points
In 2013, a hacker demonstrated an off-the-shelf password-cracking computer system. At the time, it could execute 350 billion guesses per second; today, it would be relatively easy to execute 1 trillion guesses per second. However, before using brute-force methods, hackers use “dictionary lookups” consisting of over 500 million words. They then test these words – one through five. This is why I do not recommend using any words.
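To put numbers on the length argument above, the randomness section and the 1 trillion guesses per second figure, here is an added example (my own code, not from the original post). It assumes the 62-character alphanumeric alphabet from the post, takes "all of the special characters" to mean the 32 ASCII punctuation symbols (94 characters in total), and generates passwords with Python's `secrets` module as the "random character generator" the post recommends.

```python
import math
import secrets
import string

# Alphabets discussed in the post: digits + upper + lower = 62 symbols.
# Assumption: "all special characters" = the 32 ASCII punctuation symbols.
ALNUM = string.ascii_letters + string.digits     # 62 characters
ALNUM_SPECIAL = ALNUM + string.punctuation       # 94 characters

GUESSES_PER_SECOND = 1_000_000_000_000           # 1 trillion/s, per the post


def combinations(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Search-space size in bits: log2 of the number of combinations."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every combination at `rate` guesses/second."""
    return combinations(alphabet_size, length) / rate


def two_more_chars_beats_specials(length: int) -> bool:
    """Check the post's comparison: are two extra alphanumeric characters
    more combinations than switching to the full 94-symbol alphabet?"""
    return combinations(62, length + 2) > combinations(94, length)


def generate_password(length: int, alphabet: str = ALNUM) -> str:
    """Draw each character from the OS CSPRNG: no words, no patterns."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    year = 365 * 24 * 3600
    for n in (8, 15, 27):
        print(f"{n:2d} alphanumeric chars: {entropy_bits(62, n):5.1f} bits, "
              f"{seconds_to_exhaust(62, n) / year:.3g} years to exhaust")
    print("generated example:", generate_password(27))
```

The check function confirms the "two extra characters" comparison for lengths up to 19; from 20 characters on the larger alphabet pulls ahead, but by then the 62-character search space is already far beyond the 1 trillion guesses per second budget, which is the post's real point.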
Password Testing
Below is an example of a 27 character password targeted for a financial account.
6-u4f9K5Ct7m0RbNzO8LkXp+Y2r
Of course, don’t use the above password – it is just an example, so that you can see what an extremely secure password looks like.
If you wish to test your passwords, one of the better online tools is Password Meter:
http://www.passwordmeter.com/