Thursday 5 June 2014

How to choose a good password

As many of you will know, online security is a subject I'm fairly passionate about. So much so that I've been writing a fair bit and also speaking at some events about it all lately.

After looking back through my blog posts I realised that I've not written anything about how to choose a good password and that is the most crucial element in the fight to keep your online accounts safe. So now seems like the perfect time to remedy that and explain the current best practice for passwords.

I specifically say "current" best practice because, like most things, the advice can change from time to time, and it has in fact changed over recent years.

The old advice for creating a secure password was to have a random string of upper and lower case letters interspersed with numbers and symbols. Something that didn't look anything like a word you would find in a dictionary and that was at least 12 characters long (and preferably more like 16 characters). Something like this :-


UY8&beY!6alPQ:3s

Although that is a 16 character password, there are a couple of problems with it - the biggest of which is that it's incredibly hard to remember and most people couldn't.

At this point I need to explain that there are ways to measure how good a password is and the best way is something called "entropy", which is basically a measure of how unpredictable a password is - the more possible passwords an attacker would have to try before hitting yours, the higher the entropy. You really don't need to understand how that works, but we can use it to compare how strong some example passwords are. The 16 character password above has an entropy of 77.7 bits.

Being able to remember a password is obviously a major requirement - otherwise people will write them down, and that means someone else could easily find out what they are.

So instead of the older password advice, there is now some much better password advice which is to select 4 completely random words that are not related to each other and string them together. So for example :-


correcthorsebatterystaple

I've highlighted the individual words so that you can better distinguish them. I don't think anyone would dispute that this password is much easier to remember than the previous example and it is actually more secure as it has 93.6 bits of entropy.

Even so, that's not the best we can do with this password and a couple of very simple tweaks will make it much better. Those tweaks would simply be to capitalise the first letter of each word and to include a bit of punctuation like this :-

Correct!Horse&BatteryStaple?

This password is now still fairly simple to remember but has 140.2 bits of entropy which is approaching twice as secure as the first password I showed.
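To make the comparison concrete, here is an added example (my own code, not part of the original post) that works out the entropy of each password style from the way it is generated, and then builds a four-word passphrase the way the post recommends. The assumptions are mine: entropy is taken as log2 of the number of equally likely passwords the generator could have produced, the character password is assumed to draw from the 94 printable ASCII symbols, and the wordlist is a small constructed sample so the script runs offline (a real passphrase should come from a list of a few thousand words). The figures the post quotes (77.7, 93.6 and 140.2 bits) come from a strength estimator and will not match these numbers exactly; what the code does show is that the strength of a passphrase comes from the words being chosen at random from a large list, not from how the finished string looks.

```python
"""Added example: compare password styles by the entropy of their generator."""
import math
import secrets
import string

# Constructed sample wordlist (placeholder for a real list of thousands of words).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "window", "ocean", "pencil",
    "garden", "rocket", "violin", "copper", "meadow", "falcon", "lantern",
    "marble", "thunder",
]

# 94 printable ASCII symbols: letters, digits and punctuation.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
SEPARATORS = ["!", "&", "?", ""]  # punctuation used by the "decorate" tweak


def random_string_entropy_bits(length: int, alphabet_size: int = len(PRINTABLE)) -> float:
    """Entropy of `length` symbols each drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int,
                            random_separators: bool = False) -> float:
    """Entropy of `word_count` words drawn uniformly (with replacement) from a wordlist.

    Capitalising every word adds nothing (it is a fixed rule an attacker can apply too);
    a separator chosen at random after each word adds log2(len(SEPARATORS)) bits each.
    """
    bits = word_count * math.log2(wordlist_size)
    if random_separators:
        bits += word_count * math.log2(len(SEPARATORS))
    return bits


def expected_guesses(entropy_bits: float) -> float:
    """Average number of guesses an attacker needs: half of the keyspace."""
    return 2 ** (entropy_bits - 1)


def generate_passphrase(words, word_count: int = 4, decorate: bool = False) -> str:
    """Pick words with a CSPRNG (the `secrets` module), which is the point of the
    advice: the words must be chosen at random, not by the user, or the entropy
    figure does not apply. With decorate=True, capitalise each word and follow it
    with a randomly chosen separator, the tweak the post suggests."""
    chosen = [secrets.choice(words) for _ in range(word_count)]
    if not decorate:
        return "".join(chosen)
    return "".join(w.capitalize() + secrets.choice(SEPARATORS) for w in chosen)


def compare(guesses_per_second: float = 1e10) -> dict:
    """Entropy and average brute-force time for the three styles the post describes,
    at an assumed guessing rate (constructed figure, not from the post)."""
    styles = {
        "16 random printable chars": random_string_entropy_bits(16),
        "4 words from 2048-word list": passphrase_entropy_bits(4, 2048),
        "4 words, 2048-word list, random separators": passphrase_entropy_bits(4, 2048, True),
    }
    return {name: {"bits": round(bits, 1),
                   "avg_years_to_crack": expected_guesses(bits) / guesses_per_second / 31_557_600}
            for name, bits in styles.items()}


if __name__ == "__main__":
    for name, info in compare().items():
        print(f"{name:45s} {info['bits']:6.1f} bits  ~{info['avg_years_to_crack']:.3g} years")
    print("plain:     ", generate_passphrase(SAMPLE_WORDS))
    print("decorated: ", generate_passphrase(SAMPLE_WORDS, decorate=True))
```

Run it and the table shows the thing worth remembering: with the small constructed wordlist the generated passphrases are weak however they are decorated, because 16 words give only 4 bits per word; the security comes from the size of the list and the randomness of the choice.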

So, now you know how to create a really secure password and keep your online accounts and data safe, but we're not quite finished. The final thing we need to consider is that passwords do get lost, and not just by you - as the recent eBay hack has proved, even the biggest players on the internet have security problems from time to time, and there have been many of these attacks which have revealed passwords.

For that reason, it's REALLY important that you have a different password for each account on the internet. I know that's much easier said than done but there are tools like 1Password.com or LastPass.com which will help deal with that.

The MOST important piece of advice I can give, though, is that no matter what else you do - make sure you have a completely different and secure password for your email account. Most websites will allow a password to be reset by email, so if someone can log in to your email they can probably log in to most of your accounts.
