We all use passwords online. A password is no different from a key. Locks and keys vary in quality, and a poor-quality lock is like no lock at all. The same is true for bad passwords.

Everyone will generally agree that their personal banking password is paramount. There can be no doubt about that. So how good is your banking password? Do you have any idea? People typically try to create passwords that only they understand. For example, a dog owner might say, "I love my puppy in 2022", expressed as "ilmp2022". Can anyone tell me how good that password is? Folks try to choose passwords that other people will find hard to guess. I could never guess "ilmp2022" if I tried. On the other hand, a computer could guess it quite quickly, in less than 5 minutes. Any 8-character password can be guessed in less than five minutes by a computer, regardless of how many punctuation marks, letters, numbers, and symbols are in it! Yes, this means that any password of 8 or fewer characters is garbage. Passwords consisting of all numbers are useless, regardless of their length!

Look at the chart below and figure out which box your password fits into. Hopefully, yours is in a green or light yellow box. If your password falls into a red or purple zone, you effectively don't have a password.

So, how do you create a million- or billion-year password? First, there is no reason to make it difficult! Most browsers and computers will now offer to choose a strong password for you. It usually looks awful and is impossible to memorize. My computer's Chrome browser created "d6nw5v1X2pc7st9!" as a suggested password. According to the chart, this could take as long as 5 billion years to guess! Note that in the chart above, all values represent the average time it would take to guess an unknown value. The password d6nw5v1X2pc7st9! is classified as "Sixteen Characters, with numbers, upper and lower case letters, and symbols" (it's in the last column on the right). It could take five billion years to guess this!

I don't use "computer gibberish" passwords, however. Consider the password "Funny4GasolinePickle.Bat": twenty-four characters, upper and lower case, numbers, and symbols. It's off-the-chart secure and challenging to guess. It would take (statistically) trillions of years to guess using a fast computer! Next, I'll ask you to memorize both d6nw5v1X2pc7st9! and Funny4GasolinePickle.Bat. Then, in five minutes, I'll ask you to write each one on a piece of paper from memory. Which one do you think you can correctly memorize in 2 minutes? How about an hour from now?

Password Strategies

I've just shown you how to create a super-strong yet easy-to-remember password. Some may love this idea and start using this new, super-strong password for all their accounts. That, however, is a terrible idea. When you use the same password on multiple websites, you open yourself up to serious fraud. Suppose that you have a very strong password and you use it everywhere: on your banking site, at work, on gaming sites, and on Craigslist. Everything is fine until one day your bank account has been drained. What happened? Your super-secure password was compromised at a less-than-stellar website, and even though the website itself had no particular value, your password was the prize. They win this round, and you lose. For this reason, it is absolutely essential that you have a different password for every website you frequent.

Yes, creating an easy-to-remember password was easy, but how do you create one for every website in a manner that you will remember without using a cheat sheet? I can create 20 easy-to-remember passwords quickly, but I can't keep 20 such passwords in my head. It's just too difficult. What you need is a password strategy. Here's a strategy that I use: I have a standard phrase, along with a modifier that is unique to each website.

Suppose the standard part of my password is "Taco2Tortilla." All I have to do is add something to this standard part that is based on the place where I'm using it. I like to use something from the address bar. Here's an example. Suppose that I'm at ebay.com. My "Taco2Tortilla." password will be BravoTaco2Tortilla. Here's how that works. In my strategy, I've decided to use the second letter of the site name as a key. The second letter of eBay is 'B', so I use that to generate the key. B is Bravo in the phonetic alphabet, so that's my password: BravoTaco2Tortilla. I could also decide to do it another way, such as Taco2Tortilla.Bravo, or even Taco2BravoTortilla. The positioning of the standard part and the site key in your password only needs to be consistent so that you'll remember it. If you put the modifier (Bravo) at the end of the word, then always put it at the end. The strategy is a method that you use in your mind, and so you must commit to it. Once you have the strategy memorized, you will already know what password to use, even before you visit a site. You will seldom have to write anything down because it's memorized. Your goal is to create a password strategy that you will remember every time, yet outsiders will have an extraordinarily difficult time guessing. This strategy accomplishes that.

Some may ask, "What if two websites have the same second letter?" You can use the same rule and password as you do on another site without much risk, but don't use the same password on ALL sites! You can also make up your own rule for that, as long as you can remember it. You're in charge because you're the user of the information.

We see extraordinarily bad passwords all the time. No call sign makes a good password. You need to be more creative than that. Protecting your online identity begins with taking steps like these.

73 -fred

Thanks to XKCD and HIVE Systems for inspiring this article. See also https://xkcd.com/936/
Great article, Fred, but now what should I do? I'm AK5Bravo already! Seriously, though, I like what you suggest, and posting that chart is most enlightening. Fortunately, I started making up words out of thin air about twenty years ago that I use around the house (most are swear words or exclamations of a sort)---and your strategy should work well with most of them, since my wife and I (and the cats) are the only ones who ever hear them. Thank you for enlightening us---none of us can be too careful in this day and age, can we? 73, Jeff, AK5B
According to the chart, the system I use for passwords is at the 15,000-year mark. That's pretty good - and it's still an easy system to remember, and I still have a different password for each site, yet each is 13 characters long. Dave W7UUU
Excellent article, Fred. With the certainty of AI technology at our doorstep, I am wondering if the now-secure 14-character column will soon be the equivalent of today's 4-character column. At any rate, you have motivated me to redo all of my passwords. UGH. Seriously, though, thanks for the great information! All the best to you and all QRZ members. RC
We use one at home and at work (LastPass). It works well. What I like about LastPass is that its Security screen will display the integrity and duplication of your passwords... though I don't think it'll be happy with !BiteMe1, !BiteMe2, !BiteMe3, etc.
After LastPass's latest security breaches, you may want to reconsider it. I switched to Bitwarden myself after years of faithful LastPass usage. I use 20+ character randomly generated passwords with upper and lowercase letters, numbers, and symbols, except in cases where the site won't accept the symbols or only accepts a smaller number of characters. Each site gets a different, unique password.
Works fine until it gets hacked... again. They've been breached several times - the most recent just a month ago. Dave W7UUU
Yep, they got hacked because of bad opsec by one of the four employees who actually had access to their corporate password vault, so the hackers were able to get in deep. I switched to Bitwarden, and I've found that, besides being cheaper than LastPass, it works just as well without all the breaches.
How does two-factor authentication improve security compared to using a password only? I can't remember most passwords for more than a few months for sites I don't visit frequently, so I end up resetting them often. So I don't need a password to be secure for more than a few months anyway.
MFA is an additional layer of protection... With MFA enabled, even if they have your username and password, they still can't get in without the MFA. I enabled MFA on every account that provides it. I do not, however, recommend SMS as an MFA option, as cloning can provide a hacker with the means of getting through all that. I use Yubikey 5 tokens myself, both for work professionally as a DevOps Engineer and personally.