What Makes a Strong Password?

Between personal accounts and work accounts, the sheer number of credentials and passwords we have to manage can be overwhelming and inconvenient – especially if we forget them. While managing passwords may be a pain, it’s necessary if we want to protect our personal information. After all, cybersecurity is everyone’s responsibility.

With nearly everything going digital, including our personal and sensitive information (think credit cards, social security numbers, and confidential company information), now is the time to be diligent with managing our passwords, especially as credential theft remains a primary target for cybercriminals.

What do I mean by all of this? In short, even if it’s inconvenient, passwords must be strong and paired with two-factor authentication enabled on all our accounts. Let’s explore what makes a password strong.

1. Use complex passwords, or …

One way we can make passwords more secure is by making them complex. For example, when we sign up for a new account, companies often require a password to be a certain length and contain characters like uppercase and lowercase letters, numbers, and special characters. A complex password has multiple character types (such as Xyz23!) but having a complex password does not automatically make it strong.

To be considered strong, the password also needs to be sufficiently long. Password complexity requirements are often set by your company and usually require a certain length depending on the type of account you are trying to create. For example, your personal banking account password requirements will probably be stricter than your free Spotify account.

2. ... better yet, take it a step further by using passphrases.

Passwords should always be complex, but don’t make them so complex that you will never remember them. When a user sets a difficult-to-remember password and doesn’t use a password manager, they tend to write it down on paper or store it in a document on their computer, therefore, making that password less secure.

Another great option is to use a passphrase – a memorable string of words, including different characters and special characters – to increase the security of your complex passwords. According to the FBI, who recommends passphrases over password complexity, passphrases should combine multiple words into a long string of at least 15 characters. Passphrases are harder to crack even if they are simple words and don’t contain special characters, simply because the hacker requires more computational resources to crack it.

The XKCD graphic below illustrates the benefit of using a passphrase over a traditional password.

3. Don’t Reuse Passwords

When creating passwords, avoid using common and generic passwords like Winter2020 because hackers can easily guess it. Don’t use a company email address or passwords for your own personal accounts, and vice versa. Never use the same password for multiple accounts where protected and/or sensitive information is exchanged.

To be extra cautious, if you have administrative access to a device or a network, even if it’s your home device, you should always use two separate login accounts. One that you use for your day-to-day activities that does not have administrative rights and another account that you use when you need to perform your administrative tasks.

One reason for not using the same passwords across multiple sites is because when hackers are able to obtain a password list from a breached site, they will try those same passwords on other sites. So regardless of the complexity and length of your password, if that same password is used on other sites, you are vulnerable to breaches.

Finally, it’s always wise to use a password manager. There are many to choose from. One great feature is they can randomly generate your security question answers, passwords, and usernames. When using a password manager, don’t forget your master password, always do backups, and store critical passwords in a secure, air-gapped location.

How often should you change your password? Believe it or not, the FBI recommends that passwords should be changed only when you suspect your account has been compromised. The reason for this is because forcing users to frequently change passwords can lead to poor password hygiene. For example, changing Winter2020 to Spring2020. (Can you guess what the next password is going to be? So can the hacker!)

4. Always Use Two-Factor Authentication

Whether you choose to use a password or a passphrase, having two-factor authentication on your accounts adds a critical level of protections to your accounts. According to an article found in Tech Crunch, two-factor authentication uses two factors of authentication and “combines something you know – your username and password, with something you have – such as a phone or physical security key, or even something you are – like your fingerprint or other biometric measures, as a way of confirming that a person is authorized to log in.”

Two-factor authentication adds another step to your log-in process. After submitting your username and password, you will be directed to enter things like a code sent in a text message, a PIN, answer to a security question, or a biometric measure such as your fingerprint.

Evaluate your Cybersecurity Readiness | Online Questionnaire

Maturing your cybersecurity program takes time and it’s difficult to know where to start. Our online tool will help you identify gaps in your current cybersecurity practices and provide recommendations for maturing your program. Get started now!

One highly effective two-factor authentication method is a physical security key – a secure USB stick that you plug into your computer. When you log into your account, you will be triggered to enter the cryptographically unique key into your computer. Even if someone steals your password, they won’t be able to access your computer without the key. Two popular types are the Google Titan key and YubiKey, both of which are supported by most major websites where you may have accounts.

Implement These Four Helpful Tips Whenever Possible

While using two-factor authentication (like something you know, something you have, or a security key) on your accounts whenever possible is preferable, not all websites or companies may support it.

First, start by checking if your accounts support two-factor authentication. (Visit https://twofactorauth.org/ for a comprehensive list). If they do, enable it. If they don’t, make sure you are using complex passwords or passphrases. And if you buy a security key for use on major websites, start using it as soon as you get it.

The time you take to ensure strong passwords today could stop an attacker in their tracks, so don’t wait on it!

Other Resources

The Federal Trade Commission provides a wealth of information on Online Security, including passwords. For more information, visit Online Security.