In the post-Equifax hack world, it would be easy to give up the ghost and just assume you’re going to get hacked at some point. Easy, but of course not prudent. Thankfully, there are a few things you can do to make stealing your information harder – at least where your passwords are concerned – without making your life harder too. Here are a few we’ve found in our readings on the topic.
First, let’s start with the misguided notion that passwords must be ultra-complicated in order to be hack proof. Not so, say the experts. While T!sK8%gB$x@ may be effective, its complexity is not necessarily… necessary. The idea that passwords must be convoluted started with some 2003 guidelines from the National Institute of Standards and Technology that insisted you need a random combination of letters, numbers and symbols. Turns out, that wasn’t as effective as they thought it would be.
While you should still avoid easily guessed passwords, a strong password can in fact be logical and easy to remember. Start with this bit of advice, courtesy of blogger and Internet radio host Kim Komando: A password should simply be able to withstand 100 guesses. According to Komando, experts tell us that the bad guys can “guess” a password correctly about 73% of the time. Worse, they can access other accounts of that user thereafter with mostly just slight variations on the original password. (Come on, admit it… you do it too.)
Note too that dedicated hackers turn to your social media feeds (Facebook, Twitter and Instagram) to scour info about you that may be useful. That should rule out using numbers from your birthday, pet names or other special favorites that could be easily deduced.
Today’s experts suggest that instead of complex, difficult-to-remember combinations, you try using a phrase (or a “passphrase” in the parlance) that is easy to memorize but hard for others to crack. Maybe your favorite cookie is a macaroon and your grandmother was a stenographer in Buffalo. Ilovemymacaroonstenographerinbuffalo would be mighty difficult to guess, wouldn’t it? Or you might use a phrase in which you take the first character of each word, and perhaps pump it up with just a couple of numbers (or symbols), like: 18fsasyaofbfutcann63. Those are the first letters of the opening words of the Gettysburg address (Four score and seven years ago our fathers brought forth upon this continent a new nation), framed by the year of the address, 1863. You may not like our phrase, but surely you can find one of your own.
All that said, the newest NIST guidelines now suggest passwords of as many as 64 characters, and even allow spaces. Most of us still use the minimum required, usually about 8 characters, including numbers and special characters. That’s not the most hack-proof approach, and it’s true that stretching it out will increase the safety of your password but, really… 64 characters? Here again, stringing together a chain of words that only you could logically know and construct with a couple special characters thrown in, is about the only way to get there.
One final tip: If it ain’t broke, don’t fix it. You don’t need to change your passwords that often. When a password expires, explains NIST’s Paul Grassi, “it isn’t a motivator to create a brand new password, it’s a motivation to shift one character so you can remember the password” — thereby, of course, defeating the purpose of the change in the first place.
If you’ve created a truly strong password, set it and forget it – well, not literally, but you know what we mean – stick with it unless you’ve been notified of a breach of security. And when in doubt, use two-factor authentication, whereby the site pings you back with a text message or email, and you can receive notifications on changes.
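To make the three pieces of advice above concrete (the first-letter passphrase trick, the newer NIST-style length rules that allow spaces and impose no character-mix requirement, and the “shift one character” rotation trap), here is a small added example that is not from the original post or from NIST. The length limits, the edit-distance threshold and the tiny common-password list are assumptions made for this example, not real policy values or a real breach corpus.

```python
from typing import List, Optional

# Constructed stand-in for a breached/common-password list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def mnemonic_from_phrase(phrase: str, year: Optional[int] = None) -> str:
    """First letter of each word, optionally framed by the two halves of a
    four-digit year, e.g. the post's Gettysburg example -> '18fsasyaofbfutcann63'."""
    initials = "".join(w[0].lower() for w in phrase.split() if w[0].isalpha())
    if year is None:
        return initials
    y = f"{year:04d}"
    return y[:2] + initials + y[2:]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot 'just shift one character' changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate: str, previous: Optional[str] = None,
                   min_len: int = 8, max_len: int = 64) -> List[str]:
    """Return a list of problems; an empty list means acceptable.
    Deliberately no composition rule: spaces and any characters are allowed."""
    problems: List[str] = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(candidate) > max_len:
        problems.append(f"longer than {max_len} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    # Threshold of 2 is an assumption: catches a one-digit bump or a swapped symbol.
    if previous is not None and edit_distance(candidate.lower(), previous.lower()) <= 2:
        problems.append("too close to the previous password (one- or two-character shift)")
    return problems


if __name__ == "__main__":
    gettysburg = ("Four score and seven years ago our fathers brought forth "
                  "upon this continent a new nation")
    pw = mnemonic_from_phrase(gettysburg, 1863)
    print(pw, check_password(pw))
    print(check_password("correct horse battery staple"))  # spaces are fine
    print(check_password("Summer2024!", previous="Summer2023!"))  # rotation trap
```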
The solutions really aren’t all that difficult or complex. The weak link here is that we are all, after all, such creatures of habit. And we all know it.