Much of what we know about creating passwords comes from a document created in 2003 by the National Institute of Standards and Technology (NIST). This document taught us the now-familiar rules about passwords: they should be 6-8 characters in length and should contain a mix of uppercase and lowercase letters, numbers, and symbols. But 14 years later, in 2017, NIST decided that many of these guidelines were outdated, and published a new standard on password security. Is your password still safe to use?
Don't worry, I'm not going to urge you to change your passwords more often. In fact, NIST's new guidelines say that being forced to change your password frequently causes more harm than good because you're more likely to forget your own password than deter a hacker. But, here are a few new password security tips to keep your accounts safe.
Isn't it frustrating when websites ask you to add a symbol to your password? There's a good reason they do it. A password that's six characters long in lowercase letters has about 300 million possible combinations. That may sound like a lot, but it's not difficult for a hacker to try every single one of those possibilities in a short amount of time.
When you add uppercase letters to your password, there are almost 20 billion possible combinations. Add numbers and symbols, and the total number of password possibilities a hacker would have to try is almost 700 billion — more than 2,000 times as many possibilities as lowercase letters alone.
We talked about how adding numbers and symbols to your password does wonders for its complexity. Making a longer password has the same effect. As we mentioned earlier, a 6-character password with uppercase letters, lowercase letters, numbers, and symbols has almost 700 billion possible combinations. If you apply those same guidelines to an 8-character password, there are over 6 quadrillion possible password combinations. The longer the password, the harder it is to crack.
In fact, NIST's new guidelines recommend longer passwords over all other complexity measures. A password of more than 8 characters is more secure than a shorter one, even if it's made up only of lowercase letters, and is probably easier to remember than a password littered with numbers and special characters.
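The arithmetic behind the last four paragraphs, as an added worked example (this code is not from the article): it computes the keyspace and the equivalent number of bits for a character set and a length, and then asks how long a lowercase-only password must be to match a mixed-character one. The article does not say which symbols it counts; the 95-character set (all printable ASCII, including space) is an assumption that reproduces its "almost 700 billion" and "over 6 quadrillion" figures, and the guess rate passed to `worst_case_seconds` is a constructed input, not a measurement.

```python
import math

# Character-set sizes behind the article's arithmetic. 95 (printable ASCII,
# including space) is an assumption, chosen because it reproduces the article's
# figures for 6 and 8 characters.
CHARSET_SIZES = {
    "lowercase": 26,
    "upper+lower": 52,
    "upper+lower+digits": 62,
    "printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Guessing resistance in bits (log2 of the keyspace).

    Only meaningful when every character is chosen uniformly at random; a
    human-chosen password has far fewer effective bits than this formula says.
    """
    return length * math.log2(charset_size)


def length_to_match(target_bits: float, charset_size: int) -> int:
    """Shortest length over `charset_size` symbols whose entropy reaches `target_bits`."""
    # The small tolerance keeps an exact match (e.g. 6 * log2(26) / log2(26)) from
    # rounding up to 7 because of floating-point error.
    return math.ceil(target_bits / math.log2(charset_size) - 1e-9)


def worst_case_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try the entire keyspace at a given guess rate (a constructed rate, not a measurement)."""
    return keyspace(charset_size, length) / guesses_per_second


if __name__ == "__main__":
    for name, size in CHARSET_SIZES.items():
        for length in (6, 8, 12):
            print(f"{name:>20} x{length:2d}: {keyspace(size, length):>22,d} "
                  f"({entropy_bits(size, length):5.1f} bits)")
    print("lowercase length matching a 6-char mixed password:",
          length_to_match(entropy_bits(95, 6), 26))
    print("lowercase length matching an 8-char mixed password:",
          length_to_match(entropy_bits(95, 8), 26))
```

Running it shows the trade-off the article describes: nine lowercase letters already outnumber the old six-character mixed password, and twelve lowercase letters match an eight-character one. The bit figures only hold for randomly chosen characters; the same function applied to a word or a name overstates its strength, which is why the dictionary advice further down still matters.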
Remember in 2013 when every single Yahoo password was hacked? Every single one.
And when hackers got their hands on those passwords, guess what they did first? Try them in other places. If you use the same password for your email, Facebook, bank accounts, or anything else, it just takes one security breach for all of your accounts to be compromised.
Use different passwords for each of your accounts. The differences don't have to be extreme. If a hacker gets access to 1,000 passwords, they're probably not going to single you out personally. They'll probably try each of their stolen passwords once and then move on. Try to vary your passwords slightly for each site you log in to.
Two-factor authentication means that after a website asks for your password, it also sends you a text or an email with a one-time login code. Yes, checking your phone for a login code is an extra step, but even if a hacker gets your password, they won't be able to log in to your account unless they also have your cell phone.
Two-factor authentication has been extremely successful in preventing security breaches and identity theft, and you should be using it.
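What the website has to do on its side with the code it texts or emails you, as an added example that is not from the article: the code is random, accepted only once, only within a time limit, and only for a handful of tries. The six-digit length, the five-minute lifetime and the five-attempt cap are constructed policy values, and the `OneTimeCodeStore` class and its method names are this example's own.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300   # constructed policy values, not from the article
MAX_ATTEMPTS = 5


class OneTimeCodeStore:
    """Server-side bookkeeping for one-time login codes sent by text or e-mail."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can move time forward
        self._pending = {}           # user -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(code: str) -> bytes:
        # A six-digit code has only a million possibilities, so hashing it does
        # not stop an offline guess over a leaked table; the attempt cap and the
        # expiry are what make the code safe. The hash only keeps plaintext
        # codes out of storage and logs.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code for `user`; the caller delivers it to the user's phone or inbox."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {
            "digest": self._digest(code),
            "expires": self._clock() + CODE_LIFETIME_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Accept the code once, within its lifetime, and only for a limited number of tries."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]      # too many guesses: the user must request a new code
            return False
        ok = hmac.compare_digest(entry["digest"], self._digest(submitted))
        if ok:
            del self._pending[user]      # single use
        return ok
```

The comparison uses `hmac.compare_digest` so that the time taken does not depend on how many leading digits were right. The attempt cap is the part that matters most: with a million possible codes, a site that allowed unlimited guesses would give the code away even to someone who never sees your phone.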
It may be tempting to choose your parent’s, husband’s, child’s, or pet’s name or key dates like your loved one’s birthday or your anniversary as your password. However, it’s best to avoid that and any word found in the dictionary. Even substituting characters that look like letters or numbers isn’t sufficient anymore. Instead, your password should be a series of random characters.
For example, choose your favorite song lyric. Maybe you can’t get enough of Journey’s “Don’t Stop Believin’.” So, take the lyric, “Just a small town girl,” and turn it into a password by using the first letter of each word (e.g. jastg). To strengthen it, add some uppercase letters (e.g. jaSTg). Now, add some numbers and symbols (e.g. jaS+g81!). You can replace the “T” with a “+,” add “81” for the year the song was released, and include a random “!” at the end. That’s a far stronger password than “Anderson123!”
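A check a website can run on a new password to enforce the two previous paragraphs, added here as an example that is not from the article: it undoes the look-alike substitutions the article says are no longer enough, then looks for common passwords and for the user's own names and dates. The `COMMON_PASSWORDS` set is a constructed stand-in for the real blocklist of millions of breached passwords that NIST's 2017 guidance expects, and the `weak_reasons` and `is_acceptable` functions are this example's own names.

```python
# Constructed stand-in for a real blocklist of common or previously breached
# passwords; a real deployment loads a list of millions.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "football", "iloveyou"}

# Look-alike substitutions that a checker should undo before comparing.
LOOKALIKE = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t",
})


def normalize(password: str) -> str:
    """Lowercase and undo look-alike substitutions, so 'P@$$w0rd' compares as 'password'."""
    return password.lower().translate(LOOKALIKE)


def weak_reasons(password: str, personal_terms=(), min_length: int = 8) -> list:
    """Return the reasons a password is weak; an empty list means it passed every check.

    `personal_terms` is whatever the site knows about the user (name, birth
    year, pet's name) that should not appear in the password.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    norm = normalize(password)
    for word in sorted(COMMON_PASSWORDS):
        if word in norm:
            reasons.append(f"contains common password '{word}'")
    for term in personal_terms:
        t = normalize(term)
        if len(t) >= 3 and t in norm:
            reasons.append(f"contains personal term '{term}'")
    if len(set(password)) <= 2:
        reasons.append("made of only one or two distinct characters")
    return reasons


def is_acceptable(password: str, personal_terms=()) -> bool:
    return not weak_reasons(password, personal_terms)


if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "Anderson123!", "jaS+g81!"):
        print(candidate, "->", weak_reasons(candidate, personal_terms=["Anderson"]) or "ok")
```

Run against the article's own examples, `P@$$w0rd` is rejected because it normalizes to a common word, `Anderson123!` is rejected because it contains the user's surname, and the lyric-derived `jaS+g81!` passes: even after the `+` is read back as a `t`, the initials do not spell anything a list would contain.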
It's difficult to remember a different password for each account. After all, you likely have several — email, bank, credit cards, medical, and other various computer programs. We don't recommend writing them on a notepad and taping it to your fridge or keeping it at your desk on a post-it note.
Fortunately, there are software products on the market to securely store your passwords. These products can create truly random, very long, and unique passwords for each site, and you never have to worry about remembering your password because the software does it for you. Your password manager will store and encrypt the passwords and log you in automatically. The only password you’ll need to remember is the one for your password manager.
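How a password manager produces the "truly random, very long" passwords described above, as an added example (not the code of any particular product): it draws every character from the operating system's cryptographic random source through Python's `secrets` module rather than the predictable `random` module, and reports the resulting strength. The eight-word `WORDS` list is a constructed placeholder for the list of thousands of words a real passphrase generator would use.

```python
import math
import secrets
import string

# 94 printable ASCII characters (letters, digits, punctuation; no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed placeholder; a real passphrase generator loads thousands of words.
WORDS = ["anchor", "basket", "candle", "dragon", "ember", "forest", "garnet", "harbor"]


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password. `secrets` uses the OS CSPRNG; `random` would be guessable."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count: int = 6, words=WORDS, separator: str = "-") -> str:
    """Word-based alternative for places a manager cannot autofill; strength comes from the list size."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return separator.join(secrets.choice(words) for _ in range(word_count))


def strength_bits(choices: int, picks: int) -> float:
    """Bits of entropy of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{strength_bits(len(ALPHABET), 20):.1f} bits")
    phrase = generate_passphrase(6)
    print(phrase, f"{strength_bits(len(WORDS), 6):.1f} bits (tiny list; a real one gives far more)")
```

Because the manager, not the user, has to remember the result, the only limit on length is what the site accepts, and a 20-character draw from this alphabet already exceeds 128 bits. The passphrase variant shows why the word list's size matters: six words from an eight-word list are worth only 18 bits, which is the reason real generators ship lists of several thousand words.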
A strong password is your first line of defense in protecting your identity, your bank account, and your personal information. Don't take it lightly. Yes, it's hard to remember every password requirement, and yes, it's frustrating to remember a different password for every single site you use. But, it's not nearly as stressful as putting your life back together after someone gets into your accounts. Make sure you have a strong, unique password, and stay safe.