Passwords are not going anyplace, but they are getting bolt-on improvements, things like two-factor tokens and text message codes. Passwords still need to be strong enough to match the application they are used for.
You don’t need to change them every 30 or 90 days. Let’s get that out of the way. If you need to change a password that often, either you’re a spy, and there are better options, or your system is broken and needs a good consultant makeover (call us).
Passwords do need to be long and complicated. The password complexity needs to match the security requirements of your system, which is found through risk analysis. That’s a topic for another day. For now, just think in terms of how much you value what it is tied to. Money, privacy, family photos, your job. If it’s valuable to you, make a good password.
A good password is long, complex, and memorable. It contains numbers, letters, and symbols. People think symbols make it too difficult, but call it punctuation instead, and it’s much easier to work with. That last sentence contains 4 symbols. It’s also how we generally want to make passwords, out of words strung together that we can remember, with numbers and symbols.
This is 1 SUPER-STRONG Password!
That’s an example, but please don’t use it; it is now in every attack dictionary the bad guys have. And don’t use phrases from movies or songs! All the lines and all the lyrics are in all the bad guys’ dictionaries. You can’t even change it and use it, for example, saying “2 be or NOT 2 be? That is the ?” It’s in the dictionary. Seriously. Use random words.
But how long should it be?
Depends on how long it will take you to find out if someone is trying to break in. Some companies alert you to failed attempts, others don’t. If you don’t get alerts and it doesn’t have a two factor security setting, you should think twice about using it for valuable things.
If it does alert you, or there is a two factor piece, you can use a relatively short password. 20 characters or so, three words or more.
If it doesn’t alert you and you value the service, pick a long password. Six words.
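To make the “random words plus numbers and punctuation” recipe and the “how long depends on how fast you’d notice” reasoning concrete, here is an added Python sketch. It is not code from this post; the word list, the stand-in phrase dictionary and the guess rates are constructed assumptions, and the word counts it prints depend entirely on those assumptions rather than being the post’s three-word and six-word rules of thumb.

```python
import math
import secrets

# Constructed word list for the example. A real generator would draw from a
# large published list (thousands of words) so each word carries more entropy.
WORDS = [
    "apple", "bridge", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]
PUNCT = "!?.,;:"

# Constructed stand-in for the phrase dictionaries the post warns about; a real
# check would use a large breached-password or quotation list.
KNOWN_PHRASES = {
    "this is 1 super-strong password!",
    "2 be or not 2 be? that is the ?",
}


def normalize(pw: str) -> str:
    """Case-fold and collapse whitespace so trivial variants still match."""
    return " ".join(pw.lower().split())


def is_known_phrase(pw: str) -> bool:
    """True when the candidate is a phrase an attacker's wordlist already holds."""
    return normalize(pw) in KNOWN_PHRASES


def generate_passphrase(n_words: int, rng=secrets) -> str:
    """Random words, capitalised for readability, followed by a digit and a mark.

    `secrets` is used rather than `random` because the latter is predictable.
    """
    words = [rng.choice(WORDS).capitalize() for _ in range(n_words)]
    tail = str(rng.randbelow(10)) + rng.choice(PUNCT)
    return " ".join(words) + " " + tail


def passphrase_bits(n_words: int, wordlist_size: int = len(WORDS)) -> float:
    """Entropy of the format above: the words, the digit and the punctuation.

    Capitalisation and spacing are fixed by the format, so they add nothing.
    """
    return n_words * math.log2(wordlist_size) + math.log2(10) + math.log2(len(PUNCT))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average an attacker succeeds after searching half the keyspace."""
    return (2 ** bits / 2) / guesses_per_second


def words_needed(target_seconds: float, guesses_per_second: float,
                 wordlist_size: int = len(WORDS)) -> int:
    """Smallest word count whose expected crack time reaches the target."""
    n = 1
    while expected_crack_seconds(passphrase_bits(n, wordlist_size),
                                 guesses_per_second) < target_seconds:
        n += 1
    return n


if __name__ == "__main__":
    # Assumed scenarios (constructed numbers, not measurements):
    # - a service that alerts you: you act within a day, attacker gets ~10 guesses/s
    # - a service that never alerts: attacker may run ~1000 guesses/s for a decade
    day, decade = 86_400, 10 * 365 * 86_400
    print("alerted service, words needed:", words_needed(day, 10))
    print("silent service, words needed:", words_needed(decade, 1000))
    candidate = generate_passphrase(3)
    print("example:", candidate, "| in a known-phrase list:", is_known_phrase(candidate))
```

`words_needed` is the part worth keeping: it turns the post’s advice into a number once you plug in how long an attacker could keep guessing before you would notice, and how fast the service lets them guess.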
Use a different password on every site, app, and account. Wait! It’s not hard! Because you’re also going to use LastPass.
You can do it. You kind of have to.
Now you don’t have to change your password from Sportsteam3 to Sportsteam4 next month, and the bad guys won’t steal your money.