Barely a day – and certainly never a week – goes by in which digital security is not in the news. Whether ‘fraping’ or cyberwarfare, huge commercial losses of data or lower-level identity theft, the protection we provide to our data is of ever more pressing urgency and relevance.
From the perspective of the individual user, passwords are the most obvious frontline defense against prying eyes: from our email accounts to our online banking, we use strings of alphanumeric characters to restrict access to some of our most private information.
The thing is, even after nearly twenty years of widespread awareness-raising about the importance of using strong and variable passwords, most people are still pretty bad at them. We use the name of our partner or our own birthday; we use a simple word with ‘123’ at the end of it, as if that will make any difference at all to a determined hacker.
The automated tools hackers use to harvest passwords and therefore access data can make a thousand guesses a second. Your password has to be really hard to figure out. The good news is that there are five things to think about that can help.
This is step one. A longer password is better than a shorter one for obvious reasons: the more characters to fill, the longer it will take to guess each one in the correct order. If you have a password made of only lower case letters, every letter you add increases the strength by a factor of twenty-six.
The complexity of a password is related to the different types of characters you include in it: upper case, lower case, numbers, symbols and so on. There are almost a hundred possible characters that you can easily access on a keyboard – and adding just one of these to a password would make it one hundred times stronger.
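As an added illustration (not part of the original article), the following Python works through the length and complexity points above: it sizes the alphabet a brute-force search must cover, turns that into a keyspace and a worst-case search time at the thousand guesses a second quoted earlier, and flags the ‘word plus 123’ pattern that the keyspace figure flatters. The character-class sizes come from Python's string module and the small wordlist is constructed for the example.

```python
import math
import re
import string

# Alphabet sizes per character class (taken from the string module; 94 in
# total, matching the text's "almost a hundred" keyboard characters).
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
GUESSES_PER_SECOND = 1000  # rate the text quotes for automated tools

# Constructed mini wordlist standing in for the dictionaries cracking tools use.
COMMON_WORDS = {"password", "secret", "welcome", "letmein"}


def charset_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this password.
    Characters outside the four classes each add one to the alphabet."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    extra = {c for c in password if not any(c in chars for chars in CLASSES.values())}
    return size + len(extra)


def keyspace(password: str) -> int:
    """Candidates an exhaustive search of this length and alphabet must try."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    return math.log2(keyspace(password))


def worst_case_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds for a full search at `rate` guesses per second (an upper bound)."""
    return keyspace(password) / rate


def is_word_plus_digits(password: str, words=COMMON_WORDS) -> bool:
    """True when the password is a dictionary word with digits appended
    (e.g. 'secret123'): the keyspace figure overstates its strength, because
    a cracker tries such patterns long before exhaustive search."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", password)
    return bool(m) and m.group(1).lower() in words


if __name__ == "__main__":
    for pw in ("secret", "secrets", "secret!", "secret123", "Pa55w0rd!"):
        print(f"{pw:10} alphabet={charset_size(pw):3} bits={entropy_bits(pw):5.1f} "
              f"worst-case={worst_case_seconds(pw):.3g}s word+digits={is_word_plus_digits(pw)}")
```

Adding one lower case letter multiplies the keyspace by exactly 26, as the text says; adding a symbol both lengthens the password and widens the alphabet, so the gain is larger than the factor of a hundred quoted, but only for passwords that are not a dictionary word in disguise.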
This one, of course, is where the problem lies: you can only add so many characters before the password becomes tricky to recall (and writing it down somewhere immediately reduces how secure it is).
You can see this trade-off in action in the workplace: a lot of companies have a password policy that they force on their users. They will demand that a password must be at least 8 characters long, must contain at least one upper case, lower case, symbol and number and so on. These rules do the job – the passwords are more secure – but workers just write the resulting improbably complex password on a post-it note and slap it on their monitor!