We’ve all been there… you create a new account and the password requirements seem to be different for every site. You must have a capital letter. You must have a symbol. It must be at least 8 characters. This is all to ensure that your passwords are strong and secure. But these rules might be making you less secure.
It’s true, a password such as "ehRBSm'~,E]*9w" is, in fact, very secure. But will you remember that password? Very unlikely. A password like that will most certainly either be written on a sticky note and stuck to your monitor, or saved in a text file named "passwords.txt". By recording your password in plain text, you’ve removed one of the strongest layers of protection your password had.
In most cases, when users are presented with the password requirements, they will choose an easy password (or a previously used one) and tweak it to meet the requirements. So, instead of "password", something like "P@ssw0rd!" is chosen. Again, this may seem secure because it fits the requirements, but hackers already apply the same common symbol-for-letter replacements when trying to compromise your account. Check out haveibeenpwned and search for "P@ssw0rd!" and you will see that it has been compromised over 631 times at the time of this post. Check out your own passwords while you are there!
The safest solution is to use a password manager such as 1Password or LastPass. However, if you choose not to use one, the next best option is to use a passphrase. A passphrase is a much longer password built from a phrase you are likely to remember. Use a line from your wedding song, or a favorite movie quote. Unfortunately, you will still be constrained by the site’s password requirements, but it shouldn’t be too difficult to work within them. So, instead of "St@rw@rs" for your password (seen 5 times on haveibeenpwned.com), you could use something like "Luke, I am your father72". That password satisfies the capital letter, symbol, number and minimum-length (over 8 characters) requirements.
The issue with the guidelines websites implement is that they only hurt the user and actually help the attacker. The user won’t remember a complicated password, and the published rules are essentially telling attackers just what they need to configure their password cracker. Most users are going to aim for the minimum requirements for the password, so the attacker will also aim for the minimum. Users will also tend to use common replacement symbols for letters: @ for a, 0 for o, $ for s, ! for i, etc. Again, this information only helps the attackers narrow down their search. The key is length. Yes, size matters. The password "St@rw@rs" would take about 3 hours to crack. "Luke, I am your father72" would take 5,000,000,000,000,000,000,000,000,000 years (according to https://howsecureismypassword.net/).
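To make the "length beats complexity rules" argument concrete, here is a small strength estimator written for this post (it is an added example, not code from the original article or from any tool the article names). It undoes the four substitutions the post lists (@ for a, 0 for o, $ for s, ! for i), checks the recovered word against a constructed stand-in for a breached-password list, and then compares two search spaces: the rule-based one an attacker uses against a mangled dictionary word, and the brute-force one a passphrase forces. The dictionary size (100,000 words) and guess rate (10 billion per second) are assumptions chosen for illustration, not figures from the post or from howsecureismypassword.net.

```python
import math
import string

# Substitutions the post names (@ for a, 0 for o, $ for s, ! for i).
# Attackers' mangling rules undo these, so a defender's strength check should too.
LEET = {"a": "@", "o": "0", "s": "$", "i": "!"}
UNLEET = {sym: letter for letter, sym in LEET.items()}

# Constructed stand-in for a breached-password corpus such as haveibeenpwned's.
KNOWN_BREACHED = {"password", "starwars", "letmein", "qwerty"}

# Assumed attacker parameters (not from the post): a 100k-word dictionary and
# 10 billion guesses per second, plausible for an offline attack on a fast hash.
DICTIONARY_WORDS = 100_000
GUESSES_PER_SECOND = 10**10


def base_word(pw: str) -> str:
    """Strip the trailing digits/symbols users bolt on, then undo substitutions."""
    core = pw.rstrip(string.digits + string.punctuation)
    return "".join(UNLEET.get(c, c) for c in core).lower()


def mangling_variants(word: str) -> int:
    """Variants a rule-based cracker derives from one dictionary word: each
    substitutable letter is swapped or not, and the first letter is capitalised
    or not."""
    swaps = sum(1 for c in word if c in LEET)
    return 2 ** swaps * 2


def rule_based_guesses(pw: str) -> int:
    """Search space if the attacker treats pw as a mangled dictionary word."""
    return DICTIONARY_WORDS * mangling_variants(base_word(pw))


def charset_size(pw: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # 32 ASCII punctuation characters plus space
    return size


def brute_force_guesses(pw: str) -> int:
    """Search space if the attacker must enumerate every string of this length."""
    return charset_size(pw) ** len(pw)


def assess(pw: str) -> dict:
    """Rate a candidate the way an attacker would approach it.

    A recognisable mangled dictionary word is judged by the rule-based search
    space; anything else by brute force. Returns the applicable attack, its
    size in guesses and bits, and the time at GUESSES_PER_SECOND.
    """
    word = base_word(pw)
    if word in KNOWN_BREACHED:
        attack, guesses = "mangled dictionary word", rule_based_guesses(pw)
    else:
        attack, guesses = "brute force", brute_force_guesses(pw)
    return {
        "password": pw,
        "base_word": word,
        "attack": attack,
        "guesses": guesses,
        "bits": math.log2(guesses),
        "seconds": guesses / GUESSES_PER_SECOND,
    }


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "St@rw@rs", "Luke, I am your father72"]:
        r = assess(candidate)
        print(f"{r['password']!r}: {r['attack']}, ~2^{r['bits']:.0f} guesses, "
              f"{r['seconds']:.3g} s at {GUESSES_PER_SECOND:.0e} guesses/s")
```

Run as a script, it shows both "P@ssw0rd!" and "St@rw@rs" collapsing to a few million rule-based guesses (a fraction of a second at the assumed rate) because the cracker only has to try a short word with a handful of swaps, while the passphrase forces a brute-force space of 95 to the power of 24. The exact years differ from the howsecureismypassword.net figure in the post because the guess rate is an assumption, but the gap of well over a hundred bits is the point.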
This is just one of the many password guidelines you can follow to help yourself stay secure without making yourself go crazy. I will be writing more about password managers, rotating passwords, and choosing safe security answers to those annoying questions such as “What was your high school mascot?” Spoiler alert: NEVER use your high school mascot. Just ask Sarah Palin.