Four Steps for Crafting an Effective Password
Your password can ruin your life. It does sound dramatic, but it’s true. If someone figures out the password to your email, you’re in trouble. Social media? Even worse. Once hackers access your online bank account, they can wreck your finances, and you may feel the repercussions of that break-in for years.
Most of us have the wrong idea about passwords. We think they have to be convoluted messes, like F$%Th5l2K!&. This theory reigned for years – that passwords should be nonsensical and hard to remember.
It started in 2003 with guidelines from the National Institute of Standards and Technology (NIST), which insisted on random combinations of numbers, letters, and symbols. The organization’s manager, Bill Burr, spread this gospel for years. But in a recent interview with the Wall Street Journal, he admitted that this wasn’t nearly as effective as he’d thought.
Thanks to a new round of research, cyber-security experts have changed their tune. Yes, you should still avoid guessable passwords like “p@ssword1” or “letmein.” But a secure password also can be logical, fluid and easy to remember.
1. Passwords should withstand 100 guesses. No matter what your password is, it should withstand 100 guesses, which means it shouldn’t be tied to any public information about you or your family.
Hackers often turn to your social media profiles to find information about you, and a little data goes a long way, such as your birthday and the name of your pet. Experts believe that criminals can guess the average person's password nearly 73% of the time, and they can often access other accounts by using slight variations of the same password.
2. Use a phrase. Instead of thinking of your password as a secret code, think of it as a “passphrase.” These are strings of words that are both easy to memorize but hard for anyone else to crack.
Suppose you wanted to be an astronaut when you were a kid, and your favorite color is fuschia. You have never mentioned these facts online, and only your Mom knows such trivia about you. You could compose a passphrase like “ilikefuschiaastronauts.” You’ll never forget it, and the passphrase will confound hackers for (literally) centuries.
3. Choose something memorable. Remember, each password should be unique, but they don’t have to be cumbersome. The NIST calls passwords “memorized secrets.” You want to avoid the temptation to write down passwords, so pick a password that has enough meaning to you to stay in your mind.
Many people are not fans of password managers. I couldn’t exist without my 1Password. Other people I admire love LastPass. It doesn’t matter what software you do decide to use, but you’ll still have to develop one master password that does need to be memorable.
4. Get creative with characters. It may take websites some time to catch up to the latest NIST guidelines, but you can still create a memorable password that meets current restrictions. You might choose something like “ArizonaCardinalsfootballisnumber1!” or “Igivemyjob1000%everyday.” Those meet the requirements of having at least eight characters, a special character, and upper and lowercase letters.