What's in a password?

It seems data breaches are continually in the news. How can you protect yourself? Often, when attackers breach one website, they are able to move laterally to other, more secure sites because users re-use their password.

Common advice is to use a strong, unique password for every service you use. Is this possible, what constitutes a strong password?

The Importance of Unique Passwords

Even though your bank's website is very secure and unlikely to be hacked, if you use the same password elsewhere, you could be in trouble. Attackers often cross-reference usernames, emails and passwords to try at various sites. Even gleaning some information about your security questions could be helpful to an attacker trying to reset your password to gain access to your account.

By picking a unique password and security questions for each site, you reduce the chances of one data breach leaving you open to further compromise.

What Constitutes a Strong Password?

Unfortunately, for a long time, users have been led to believe that a "random" password is strongest. They've been told that the most important thing is to include a certain number of symbols, uppercase letters, lowercase letters, numbers, etc.

However "random" passwords are difficult to remember and lead to user frustration and password reuse. In fact, the attribute of a password that has the biggest impact on its strength is length. A long password exponentially increases the difficulty of guessing it.

How can you remember a long password? Surprisingly, it may be easier than remembering a short, random one: Just make your password a passphrase. Pick a sentence, a phrase from a song or book or a memorable quote (include some punctuation and spaces for good measure!). You'll find this is much easier for you to remember, while giving you a much stronger password due to it's length.

The web comic XKCD illustrates this perfectly.

Keeping Track of it All

Even with memorable passphrases, keeping track of many unique passwords can be difficult. Many users opt to use a Password Manager to store their passwords.

Password Managers allow you to record your passwords in an encrypted, secure way, behind a master password. Obviously this master password should be strong and unique! This enables you to remember one very strong password, and maintain unique, complex passwords for all your sites and services.

A common objection is: "What if an attacker gets my password manager?" This is a valid concern which is partially addressed by the fact that Password Managers have systems in place to make it difficult to extract information even if the file is stolen.

Ultimately, the decision to use a Password Manager needs to be based on a risk assessment made on the user's part. In my view, given that a person can only remember so many passwords, re-use is bound to happen. The greater risk lies in trusting re-used passwords to sites with unknown security implementations than in an attacker gaining access to a Password Manager.