By Sheldon Greaves
It’s been conventional wisdom for a long time that a strong password must be a complex affair. Consisting of longish strings in which capital letters turn up in unlikely places, along with numbers and special characters to make passwords harder to guess, but also hard to remember. But it turns out that strong passwords are easy to create and still be easy to remember. Two great tools can help you improve the security of your email and other passwords-protecting accounts.
If you follow the news regarding the latest data breach or compromised system, you have probably heard of something called the Collection 1 breach in which a database of 1,160,253,228 email addresses and passwords belonging to over 700 million people.
Implications of the Collection 1 Breach
Here is why this is bad news for a lot of people: a common way to hack a system is by guessing passwords. One way to do this is to have a large file containing lots of words, say from a dictionary, and then keep entering words from that list until one of them turns out to be the password. This is why changing a password from “walnut” to “w@LnuT” seems like a good idea. It does make that password stronger, but not enough to make a difference. The reason the Collection 1 database is such a big deal is because it is a list of passwords that people actually use. The chances of scoring a “hit” are much higher. Many people use the same password for multiple accounts, which is a bad idea in case that password is compromised.
What To Do?
Two tools can help. The first lets you see how much trouble you’re in. The second gives you a “sandbox” for testing new passwords.
Note: this is for general advice only; I make no claims or guarantees on any of this.
Have I Been Pwned provides a secure window where you can type in your email address, and see whether it appears among the many compromised email addresses. Let’s say you go there, type in your address, and discover that it’s been “pwned“. The next step is to change your email password.
How Secure Is My Password? lets you enter possible passwords, and receive an estimate of how hard they are to break. This is usually expressed in terms of how long it would take the computer to guess them. This is also where you can test some of the newer thinking about creating passwords. First, what matters most, is length. The longer, the better. But the good news is that you don’t need all those gonzo characters that make other passwords so hard for you to remember. Use three or more words, unrelated, strung together. Here are some examples that I tried:
swordfishhorsebrick according to the computer, would take 607 million years to crack. mightybullwinkle comes out at 35 thousand years. Now, a word of warning: the smart money says to stay away from movie quotes or Bible verses. Even though the site gives 410 billion years to crack forgodsolovedtheworld, resist that temptation. But then again, length is what really matters here, much more than variety of characters. That said, several words, even if they are nonsensical when combined, are much, much easier to remember than “P@55woRd.”
Another word of warning: How Secure Is My Password? can turn into a real time sink as you play around with different password ideas and see how long the computer thinks they’ll resist. Check your passwords, make up some new ones, and have some fun doing so.