As annoying as they can be, passwords will probably be the primary protection mechanism in our digital world for some time, so here is the core takeaway, with more details below.

Conclusion
Whether you use passwords or passphrases, extending them with another authentication layer is crucial; using a physical token, a smartphone app, or even a text-based system is better than none (listed from most to least secure).
Always enable Multi-Factor Authentication.
A strong, random, complex password like “6ipBD@4@kl20y9@D” or a passphrase like “The5un1sBr!ghtAga1nT0day” will be challenging to crack, but one is definitely easier to remember.
Using a password manager like LastPass is preferable but also carries risk (see more below). Password managers also help you avoid password reuse (which is a bad idea), as they can randomly generate and store passwords so you don’t have to remember them.
Key Points - How secure is my password?
What makes a good password/passphrase?
A password or passphrase has two elements: length and complexity.
The shorter the password, the more random and complex it must be to be considered strong.
Use a minimum of 12 characters (we recommend 16), and increase complexity with a mix of uppercase, lowercase, numbers, and special characters.
For example, I’ve entered a basic 12-character lowercase-only password into a “How Secure is Your Password?” website and increased complexity by adding different characters.
As you can see, the estimated crack time improves greatly.
pfyemvywaksc – 1,000 years
pfyeMvyWakSc – 176,000,000 years
2fYe9v6W3kSC – 419,000,000 years
2fY£9v6W3kS* – 11,000,000,000 years
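To show why each added character class moves the estimate, here is a brute-force search-space calculation for the four sample passwords. It is an added example, not the algorithm of the website quoted above, so its figures will not match the ones listed; the guess rate is an assumed value, and the estimate is an upper bound that ignores dictionary and pattern-based guessing.

```python
import math
import string

# Passwords from this page's "most common" list: guessed first, so worth no entropy.
COMMON = {"123456", "admin", "12345678", "123456789", "123", "12345", "password",
          "Aa123456", "1234567890", "1234567", "123123", "111111", "Password", "root"}

# Assumption (not from the page): an offline cracker making 10 billion guesses per second.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def pool_size(password: str) -> int:
    """Number of distinct characters a brute-force search must cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    # Anything that is not an ASCII letter or digit is counted as one of 32 symbols.
    if any(not (c.isascii() and c.isalnum()) for c in password):
        size += len(string.punctuation)
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound entropy: length * log2(pool). Zero for empty or common passwords."""
    if not password or password in COMMON:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def years_to_exhaust(password: str) -> float:
    """Worst-case years to try every candidate at the assumed guess rate."""
    return 2 ** entropy_bits(password) / GUESSES_PER_SECOND / SECONDS_PER_YEAR


# The four sample passwords from the page, plus one entry from the common list.
SAMPLES = ["pfyemvywaksc", "pfyeMvyWakSc", "2fYe9v6W3kSC", "2fY£9v6W3kS*", "password"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw:<14} pool={pool_size(pw):>2} bits={entropy_bits(pw):5.1f} "
              f"years={years_to_exhaust(pw):.3g}")
```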
Password crackers are getting more sophisticated, and shorter passphrases built from familiar words, like “CorrectHorseBatteryStaple”, are getting easier to crack.
So, aiming for longer passphrases with added complexity is key for your most secure accounts.
For example, something like “!ThisYearIsGoingToBeGreat2024!” is going to be a vast improvement, but you could go to the next level with added complexity like this example, “Th1sYear!sG0ingToB3Great2O24”.
However, requiring a password/passphrase similar to this for every account is a lot to remember.
But as it’s secure, you can reuse it, right?
Reusing Passwords
Password reuse is a bad idea.
The main reason for this is that a data breach at one company could lead to a breach of all your accounts using a technique called credential stuffing. Hackers will attempt to use stolen credentials on many other sites, especially email.
Email is usually the gateway to resetting all your accounts, so NEVER reuse that password anywhere.
Storing Passwords (Password Managers)
The issue today is that we have multiple accounts across multiple systems, so we need to remember tens, if not hundreds, of passwords, and NO! A password notebook is not the way!
Password managers have come to solve this issue. You remember one password, and the manager remembers all the others. Amazing, right? Well, they are not without their risks.
Let’s look at the pros and cons.
Pros
You can remember one long, complex passphrase to unlock all your other shorter, randomly complex passwords.
A caveat to this is always to use another long, complex passphrase for your main email (you’ll see why in the cons).
Most managers will generate random, complex passwords for you, with complexity and length settings configurable to meet a website’s requirements.
They will analyse your passwords for reuse.
The encryption used is considered more secure than most sites.
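A minimal version of the two manager features listed above, configurable random generation and reuse analysis, as an added example that is not the code of LastPass or any other product. The function names, the default symbol set and the sample vault are assumptions made for illustration.

```python
import secrets
import string
from collections import defaultdict


def generate_password(length=16, upper=True, lower=True, digits=True,
                      symbols="!@#$%^&*"):
    """Random password with at least one character from each enabled class.

    Pass symbols="" for sites that forbid special characters, or a custom
    string for sites that only accept certain ones.
    """
    classes = [chars for chars, enabled in ((string.ascii_uppercase, upper),
                                            (string.ascii_lowercase, lower),
                                            (string.digits, digits),
                                            (symbols, bool(symbols))) if enabled]
    if not classes:
        raise ValueError("enable at least one character class")
    if length < len(classes):
        raise ValueError("length too short to include every enabled class")
    # One guaranteed character per class, the rest drawn from the combined alphabet.
    picked = [secrets.choice(chars) for chars in classes]
    alphabet = "".join(classes)
    picked += [secrets.choice(alphabet) for _ in range(length - len(picked))]
    # Shuffle with the OS CSPRNG so the guaranteed characters are not at fixed positions.
    secrets.SystemRandom().shuffle(picked)
    return "".join(picked)


def find_reuse(vault):
    """Map each password used by more than one account to those accounts."""
    accounts_by_password = defaultdict(list)
    for account, password in vault.items():
        accounts_by_password[password].append(account)
    return {pw: sorted(accts) for pw, accts in accounts_by_password.items()
            if len(accts) > 1}


# Constructed sample vault (not real credentials); "forum" and "shop" share a passphrase.
SAMPLE_VAULT = {
    "email": generate_password(20),
    "bank": generate_password(16),
    "forum": "Th1sYear!sG0ingToB3Great2O24",
    "shop": "Th1sYear!sG0ingToB3Great2O24",
}

if __name__ == "__main__":
    print(generate_password(12, symbols=""))  # a site that rejects symbols
    print(find_reuse(SAMPLE_VAULT))
```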
Cons
Single point of failure: they are so secure that if you forget your master password, you’ve lost access to your vault.
Enterprise editions can create recovery keys for admins.
This is why you need your email password to reset all the others.
Password vaults are highly targeted as a single password breach gives access to all your passwords.
Advanced features usually have a cost, although most offer a good free version for home use.
In most cases, the benefits outweigh the risks, allowing for better passwords everywhere you log in.
Enhanced Security (Multi-Factor Authentication)
Where available, enable Multi-Factor Authentication.
This is probably the best current mechanism to secure your accounts from compromise. Adding another step to the authentication process means that even with a compromised password, an attacker would need access to your token, device, or phone number to gain entry.
Fundamentally, nothing is 100% secure, but following the above will help keep your accounts safe from password attacks.
Examples of Bad Passwords
Anything that deviates from the above is not a great password, but below are the 20 most common passwords found in hacked credentials.

Please do not use any of these
123456
admin
12345678
123456789
123
12345
password
Aa123456
1234567890
1234567
123123
111111
Password
root
**note: we are fans of LastPass as a password manager and have been using it for a long time; we are also affiliates, and using one of our links above will give us an affiliate fee.