Tech Tip

Three simple steps to make your passwords uncrackable

There is a science behind creating solid passwords. You want them to withstand attacks, but you also want them to be easy to remember. With these three steps, no cybercriminal will be able to crack your passwords, and you will never forget them.

Password complexity

User credentials are leaked on a regular basis, and often only the tip of the iceberg gets disclosed, sometimes months after the actual breach occurred. Although passwords are usually stored as hashes, those hashes can easily be brute forced if the password isn't complex enough. A complex password is a long string of characters that includes capital letters and special characters; this increases the difficulty of brute forcing the password tremendously, as illustrated below.

Another point worth stressing is that a longer password is far more secure than a short password (6-8 characters) that uses special characters.

Password variety

Of course, passwords can be disclosed in a variety of other ways, such as social engineering, a keylogger or even human error. To prevent hackers from accessing your other accounts, never use the same password for more than one account; otherwise your ultra-complex password is useless.

When following a policy of using a variety of complex passwords, it can be hard to remember all of them. A simple trick is to use passphrases, which are easier to remember, or a password manager, which only requires you to remember a single master password.

Example of a good passphrase:
INeverHaveBadHairdays

Even better:
1N3v3rHav3BadHa1rdays

Excellent:
1N3v3rH@v3B@dH@1rd@y$
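To put numbers on the complexity and length points above, here is an added Python example (not part of the original tip) that sizes the brute-force keyspace of the three passphrases against a short 8-character password; the character classes, the sample short password and the guess rate of 10^10 guesses per second are assumptions for illustration.

```python
import math
import string

# Character classes used to size the keyspace (assumption: an attacker
# exhaustively tries every combination of the classes the password uses).
CLASSES = [
    ("lower", set(string.ascii_lowercase)),    # 26
    ("upper", set(string.ascii_uppercase)),    # 26
    ("digits", set(string.digits)),            # 10
    ("symbols", set(string.punctuation)),      # 32
]


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers the password."""
    chars = set(password)
    size = sum(len(members) for _, members in CLASSES if chars & members)
    if size == 0:
        raise ValueError("password contains no characters from a known class")
    return size


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits: log2(alphabet ** length)."""
    return len(password) * math.log2(alphabet_size(password))


def brute_force_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the whole keyspace at a given guess rate."""
    return alphabet_size(password) ** len(password) / guesses_per_second


def compare(passwords, guesses_per_second=1e10):
    """Return (password, alphabet size, entropy bits, years to exhaust)."""
    rows = []
    for pw in passwords:
        years = brute_force_seconds(pw, guesses_per_second) / (365 * 24 * 3600)
        rows.append((pw, alphabet_size(pw), entropy_bits(pw), years))
    return rows


if __name__ == "__main__":
    # "P@ssw0rd" is a constructed short-but-"complex" sample for contrast.
    samples = ["P@ssw0rd", "INeverHaveBadHairdays",
               "1N3v3rHav3BadHa1rdays", "1N3v3rH@v3B@dH@1rd@y$"]
    for pw, alpha, bits, years in compare(samples):
        print(f"{pw:24} alphabet={alpha:3} bits={bits:6.1f} years={years:.3g}")
```

The model assumes a pure brute-force search; a dictionary or rule-based attack can find a phrase built from common words far faster than its raw keyspace suggests, which is exactly why the leetspeak and symbol variants above are worth the extra effort.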

Multi-factor authentication

More vendors are implementing and enforcing multi-factor authentication, so why stay behind? Multi-factor authentication combines a password with something else, most frequently something you have, such as a hardware token or a phone that can receive a one-time password via SMS or generate a code with an authenticator application (e.g. Google Authenticator). Even the device you are authenticating from can be used as a factor; in Gmail, for example, a device needs to be listed as trusted.

So is your password policy up-to-date?