Have experts been giving us bad advice for creating passwords?

For all the complexities of information security, one of the biggest vulnerabilities is an issue that seems easy to fix: poor passwords. Verizon’s 2017 Data Breach Investigations Report found that 81% of hacking-related breaches involved stolen or weak passwords. 

That’s no surprise when so many of us follow dire password practices. Criminal hackers won’t go to more effort than they need, and guessing or cracking passwords is often the easiest route in. A valid login lets crooks move through systems as a legitimate user, without tripping the alarms an exploit might, and reach large amounts of sensitive data – particularly if they snag a senior employee’s credentials or the organisation hasn’t restricted what each account can reach. 

The only reason criminal hackers would look for an alternative is if they can’t get through your login process. However, thanks to the millions of people who use passwords like ‘123456’ and ‘password’, they often don’t face that problem. 

The solution isn’t, as you might have feared, for us all to resort to convoluted combinations of special characters and numerals. Despite what experts have been advising for years, a glut of ampersands, dashes and numerals in your password isn’t that effective – at least not compared to the much simpler step of making your password longer. NIST’s digital identity guidelines (SP 800-63B) reached the same conclusion in 2017 and no longer recommend composition rules at all. 

Length vs special characters 

Experts often recommend including special characters and numerals for two reasons. One, it stops people using plain dictionary words as passwords, so the result should be unique to them. Or at least that’s the idea. 

In reality, many people simply take their bad password and stick a ‘1’ on the end. On paper that doubles the number of candidates crooks have to try (for every ‘starwars’ there’s a ‘starwars1’), but cracking tools such as hashcat and John the Ripper apply exactly these ‘mangling rules’ to every word in their lists automatically, and against a fast, unsalted hash a GPU rig can test billions of candidates a second, so the extra digit buys you almost nothing. 

Nonetheless, special characters and numerals also help by increasing the pool of characters to choose from when creating a password. If you use lowercase letters alone, there are only 26 options for each position, so a six-letter password has 26^6 – roughly 308 million – possible combinations. 

However, if you also have 10 numerals and 33 special characters to pick from, any position in the password could be filled by one of 69 possible characters, giving you 69^6 – just under 108 billion – possible combinations. 

True though that is, you can get the same effect by increasing the password’s length instead of the number of characters at your disposal. 

For example, ten lowercase letters chosen at random have 26^10 – about 141 trillion – possible combinations, far more than the 108 billion of the six-character mixed set. The catch is the word ‘random’: if those ten letters are made up of dictionary words, an attacker guesses whole words rather than letters, and two words from a 10,000-word list give only 100 million combinations. The way to get length and randomness together is a passphrase of several words picked at random from a large list: four words from a 7,776-word Diceware list give about 3.7 quadrillion combinations, and every extra word multiplies that by 7,776 again. 

This way, you’ll have a password that’s both strong and easy to remember. 
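To put numbers on the argument above (the six-character and ten-letter search spaces, the ‘starwars1’ habit, and the difference between random letters and dictionary words), here is an added Python example; it is not code from the original article. The two guess rates, the eight-word list and the six mangling rules are constructed assumptions standing in for a real GPU rig, a multi-million-entry cracking wordlist and a hashcat or John the Ripper rule set, and unsalted SHA-256 stands in for whatever fast hash a leaked database used.

```python
"""Search-space arithmetic behind the length-vs-special-characters argument,
plus a toy dictionary-and-rules attack showing why 'starwars1' gains nothing.
Added example, not code from the original article."""
import hashlib
import math

# Character-set sizes used in the article: 26 lowercase letters,
# 10 digits, 33 printable ASCII symbols (32 punctuation marks plus space).
LOWER, DIGITS, SPECIAL = 26, 10, 33
# Assumed guess rates for an offline attacker who has the hash: a GPU rig
# against an unsalted fast hash such as MD5 or NTLM, versus a deliberately
# slow password hash such as bcrypt at a sensible cost factor.
FAST_HASH_GUESSES_PER_SEC = 1e10
SLOW_HASH_GUESSES_PER_SEC = 1e5


def search_space(charset_size: int, length: int) -> int:
    """Number of distinct strings of `length` characters chosen at random from a charset."""
    return charset_size ** length


def passphrase_space(list_size: int, word_count: int) -> int:
    """Space for `word_count` words picked at random from a list the attacker also has.
    The attacker guesses words, not letters, so the letter count is irrelevant here."""
    return list_size ** word_count


def entropy_bits(space: int) -> float:
    """Bits of entropy for a password drawn uniformly from `space` candidates."""
    return math.log2(space)


def expected_crack_seconds(space: int, guesses_per_sec: float) -> float:
    """Mean time to hit a uniformly random password: half the space, on average."""
    return space / 2 / guesses_per_sec


# Constructed stand-ins for a real cracking wordlist and a rule set.
# Like hashcat, each rule is applied to every word before the next rule is tried.
WORDLIST = ["password", "123456", "qwerty", "letmein", "starwars",
            "dragon", "monkey", "football"]
RULES = [
    lambda w: w,                      # word as-is
    lambda w: w + "1",                # the 'stick a 1 on the end' habit
    lambda w: w.capitalize(),
    lambda w: w + "!",
    lambda w: w + "123",
    lambda w: w.capitalize() + "1",   # satisfies most 'uppercase + digit' policies
]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 stands in for whatever fast hash the leak used."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash: str, wordlist=WORDLIST, rules=RULES):
    """Dictionary attack with mangling rules. Returns (password, guesses tried),
    or (None, guesses tried) when the target is not a word/rule combination."""
    tried = 0
    for rule in rules:
        for word in wordlist:
            tried += 1
            candidate = rule(word)
            if sha256_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


def main() -> None:
    print("search space / entropy / mean crack time at fast-hash and slow-hash rates")
    cases = [
        ("6 random lowercase letters", search_space(LOWER, 6)),
        ("6 random chars from 69-char set", search_space(LOWER + DIGITS + SPECIAL, 6)),
        ("10 random lowercase letters", search_space(LOWER, 10)),
        ("2 words from a 10,000-word list", passphrase_space(10_000, 2)),
        ("4 words from a 7,776-word (Diceware) list", passphrase_space(7776, 4)),
        ("5 words from a 7,776-word list", passphrase_space(7776, 5)),
    ]
    for label, space in cases:
        fast = expected_crack_seconds(space, FAST_HASH_GUESSES_PER_SEC)
        slow = expected_crack_seconds(space, SLOW_HASH_GUESSES_PER_SEC)
        print(f"{label:42s} {space:>26,d}  {entropy_bits(space):5.1f} bits"
              f"  fast: {fast / 86400:>14,.2f} days  slow: {slow / 86400:>16,.0f} days")

    print("\ntoy dictionary+rules attack:")
    for pw in ["starwars", "starwars1", "Starwars1", "qzjvbwmxkr"]:
        found, tried = crack(sha256_hex(pw))
        print(f"  {pw:12s} -> {'found' if found else 'not found'} after {tried} guesses")


if __name__ == "__main__":
    main()
```

Two things the output makes obvious: ‘starwars1’ falls on the 13th guess, because appending a digit is one of the first rules every cracker tries, while ten genuinely random letters are never found by the word-and-rule attack at all; and at ten billion guesses a second against a fast unsalted hash, even those ten random letters last only a couple of hours on average, whereas the same password behind a slow hash lasts decades. The hash the site chose matters as much as the password you chose, which is why the advice is to go longer still with a random multi-word passphrase.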

Want to keep your employees safe from cyber security threats?

Strong passwords are just one skill that you need to learn to keep your information secure. With our Information Security & ISO27001 Staff Awareness E-Learning Course, your employees can discover how to protect themselves from a broad range of threats. 

Drawing on our substantial consulting and training experience, this course is designed to help your organisation meet the requirements of ISO 27001, the international standard for information security. 
