Happy World Password Day! As one of the leading password managers in the industry, the Dashlane team is excited to participate in the global celebration to remind consumers and businesses to change and protect their passwords.
I’m sure you’re going to read countless blog posts, news articles, infographics, security roundups, and other materials on how to generate strong passwords today, but even if you follow every single rule in the book, is your “strong” password strong enough?
The Problem With “Strong” Passwords
Take a look at these four randomly generated passwords from StateOfTheNet.net author Jeff Fox:
These look like strong passwords, wouldn’t you say? They’re longer than 8 characters, all contain at least one lowercase letter, three contain at least one uppercase letter, and all have included at least one number. Fox argues that while these passwords may satisfy the minimum requirements of a strong password, they all have one thing in common: they’re using common patterns that almost all of us use to create a strong password, which ends up making them easier to guess.
Weak Password Policies = Weaker Passwords
One major reason why your “strong” passwords remain predictable is a website’s or company’s password policy. In our recent blog article on memorizing passwords, we referenced a study that supports the argument that companies requiring frequent password changes actually weaken their employees’ passwords. The study concluded that, as a result, people “tended to create passwords that followed predictable patterns, called ‘transformations.’” These transformations usually take one of the following forms:
–Incrementing a number, letter, or character (for example, CocoPuffs1 to CocoPuffs2, or CocoPuffsRock! to CocoPuffsRock!!)
–Changing a letter to a similar-looking symbol (for example, CocoPuffs1 to CocoPuff$1)
–Adding or deleting a special character (for example, CocoPuffs1 to CocoPuffs1!)
–Switching the order of digits or special characters (for example, CocoPuffs1! to 1CocoPuffs!)
Complicated password policies also push you toward passwords whose numbers, letters, and special characters sit in predictable places. Think about or write down your “strong” password. Let me guess! Does it have…
–A capitalized letter at the beginning of a word, followed by three to six lowercase letters. (For example, Cocopuffsrock1)
–Two to four numbers at the end of the password; it’ll most likely be a year, your favorite number, and/or include the number “1”. (For example, CocoPuffs2016)
–A special character at the end. I bet it’s a “!” symbol.
–Two of the same special characters in the same password. (For example, ImTheBo$$)
–An extra letter or two added to the base word to make the password longer. (For example, CocoPuffsssRock14)
Did I guess part of your password right? I’m not a mind reader, but I do know that weak password policies from employers and from websites can often force you to create password patterns so predictable, that even I have a good chance of getting it right. Now, imagine what a hacker could do with this same knowledge and a computer with a ton of processing power.
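To show what an attacker can do with this knowledge, here is an added example (not code from the original post or from Dashlane) that enumerates the four transformations listed above, applied to a known previous password such as one exposed in a breach. The symbol lists, the nine-step increment range, and the two-transformation search depth are assumptions chosen for illustration; real cracking tools ship much larger rule sets. The point is that the “new” password after a forced rotation is typically reachable in a few dozen guesses, not a few trillion.

```python
import re
import string
from collections import deque

# Assumed look-alike substitutions and special characters (illustrative only).
LEET = {"s": "$", "a": "@", "o": "0", "i": "1", "e": "3"}
SPECIALS = "!@#$%^&*"


def increment(pw):
    """Increment a trailing number, letter, or special character."""
    out = set()
    m = re.search(r"\d+$", pw)
    if m:
        digits = m.group()
        for step in range(1, 10):  # CocoPuffs1 -> CocoPuffs2 ... CocoPuffs10
            out.add(pw[:m.start()] + str(int(digits) + step).zfill(len(digits)))
    elif pw and pw[-1] in string.ascii_letters and pw[-1] not in "zZ":
        out.add(pw[:-1] + chr(ord(pw[-1]) + 1))  # CocoPuffsA -> CocoPuffsB
    elif pw and pw[-1] in SPECIALS:
        out.add(pw + pw[-1])  # CocoPuffsRock! -> CocoPuffsRock!!
    return out


def leet(pw):
    """Replace one letter with its look-alike symbol: CocoPuffs1 -> CocoPuff$1."""
    out = set()
    for i, ch in enumerate(pw):
        sym = LEET.get(ch.lower())
        if sym:
            out.add(pw[:i] + sym + pw[i + 1:])
    return out


def add_or_delete_special(pw):
    """Append or prepend a special character, or drop one that is present."""
    out = set()
    for s in SPECIALS:
        out.add(pw + s)  # CocoPuffs1 -> CocoPuffs1!
        out.add(s + pw)
    for i, ch in enumerate(pw):
        if ch in SPECIALS:
            out.add(pw[:i] + pw[i + 1:])
    return out


def move_tail(pw):
    """Reorder trailing digits/specials: CocoPuffs1! -> 1CocoPuffs!, !CocoPuffs1, ..."""
    out = set()
    m = re.search(r"[^A-Za-z]+$", pw)
    if not m:
        return out
    head, tail = pw[:m.start()], m.group()
    digits = "".join(c for c in tail if c.isdigit())
    specials = "".join(c for c in tail if not c.isdigit())
    out.add(tail + head)  # 1!CocoPuffs
    out.add(head + specials + digits)  # CocoPuffs!1
    if digits and specials:
        out.add(digits + head + specials)  # 1CocoPuffs!
        out.add(specials + head + digits)  # !CocoPuffs1
    out.discard(pw)
    return out


RULES = (increment, leet, add_or_delete_special, move_tail)


def transformations(pw):
    """Every single-step transformation of pw, excluding pw itself."""
    out = set()
    for rule in RULES:
        out |= rule(pw)
    out.discard(pw)
    return out


def candidates(old, depth=2):
    """Breadth-first list of guesses within `depth` transformations of `old`."""
    seen, order, frontier = {old}, [], deque([(old, 0)])
    while frontier:
        pw, d = frontier.popleft()
        if d == depth:
            continue
        for nxt in sorted(transformations(pw)):  # sorted for a stable guess order
            if nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                frontier.append((nxt, d + 1))
    return order


def guesses_needed(old, new, depth=2):
    """1-based position of `new` in the guess list, or None if it is outside it."""
    cands = candidates(old, depth)
    return cands.index(new) + 1 if new in cands else None


if __name__ == "__main__":
    old = "CocoPuffs1"  # constructed example of a breached previous password
    for new in ("CocoPuffs2", "CocoPuff$1", "CocoPuffs1!", "CocoPuff$2"):
        print(f"{old} -> {new}: guess #{guesses_needed(old, new)}")
    print("candidates within two transformations:", len(candidates(old)))
```

Run it and every “rotated” password in the list above is found within the first few dozen guesses; only a password with no relationship to the old one falls outside the candidate set. A real attacker combines rule sets like this with the breached password list of every site you ever reused on.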
The Best Way to Make Strong Passwords
So your passwords may not be as strong as you originally thought, but that doesn’t mean you can’t change them! Here are five tips on how to create a stronger password right now:
–While many sites and applications only require you to create a password with a minimum of 8 characters, try to make your passwords 12 – 15 characters long.
–Avoid using dictionary words, slang, curse words, email addresses, names, places, etc. Instead, use password mnemonics to create a complex but memorable password. Start with a meaningful phrase, sentence, song lyric, etc. and add numbers, capital letters, and symbols for password complexity, like so: “I love watermelon because it just turns to water in your belly!” = “iLwmbcijtth2OiyB!”
–Use different letters, numbers, and special symbols that you’ve never used before. While you may think you can get away with replacing an “S” with a “$” or changing an “A” to “@”, password-cracking tools already apply these substitutions as standard rules, so they add almost nothing. Instead, try using a different set of symbols, including (_-)+=^*&%#~:;"'><,./?
–Can’t remember your new password? Write down a password hint, and keep it in a safe place. While we encourage you to never, ever write down your password, if you need help remembering it, write down a hint that will trigger your memory but be meaningless to anyone else. For example, you can write down “Fruit juice” as your hint to remember “I love watermelon because it just turns to water in your belly!” = “iLwmbcijtth2OiyB!” Then, store that hint in a safe place, like your wallet.
–Let a password manager randomly generate a password for you. Dashlane’s Password Generator tool automatically creates and auto-fills unique passwords for you, so you won’t have to overthink password patterns or reuse the same password. You can specify the password’s length and choose to include numbers, letters, and symbols. Password Generator will also indicate the strength of the password, so you can see that what you are saving is long and random rather than built from a guessable pattern.
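For readers who want to see why a generated password beats a pattern-based one, here is an added example (my own illustration, not Dashlane’s implementation) that draws every character from the operating system’s cryptographic random source, optionally rejection-samples until each character class is present, and compares the resulting entropy with a rough model of the “Cocopuffs2016!” pattern. The 50,000-word dictionary, 100-year range and single “!” suffix in that model are assumptions used only to put a number on the comparison.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits, and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate(length=16, alphabet=ALPHABET):
    """Pick each character independently with secrets.choice (a CSPRNG).
    random.choice would be seeded from a guessable state and must not be used here."""
    if length < 1 or not alphabet:
        raise ValueError("length must be >= 1 and alphabet non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def has_all_classes(pw, classes=CLASSES):
    """True when pw contains at least one character from every class."""
    return all(any(c in cls for c in pw) for cls in classes)


def generate_with_classes(length=16, alphabet=ALPHABET, classes=CLASSES):
    """Rejection sampling: regenerate until every class appears. Unlike
    'force one symbol at position 0', this keeps the output uniform over the
    accepted set and leaves no fixed positions for an attacker to exploit."""
    if length < len(classes):
        raise ValueError("length too short to contain every class")
    while True:
        pw = generate(length, alphabet)
        if has_all_classes(pw, classes):
            return pw


def random_entropy_bits(length, alphabet_size):
    """Guessing entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(dictionary_words=50_000, years=100, suffixes=1):
    """Assumed model of the 'Capitalized word + year + !' pattern: an attacker
    who knows the pattern only has words * years * suffixes candidates."""
    return math.log2(dictionary_words * years * suffixes)


if __name__ == "__main__":
    pw = generate_with_classes(16)
    print("generated:", pw, "classes ok:", has_all_classes(pw))
    print(f"16 random chars from {len(ALPHABET)} symbols: "
          f"{random_entropy_bits(16, len(ALPHABET)):.1f} bits")
    print(f"'Cocopuffs2016!' pattern (assumed model): "
          f"{pattern_entropy_bits():.1f} bits")
```

Sixteen random characters from a 94-symbol alphabet give roughly 105 bits; the word-plus-year-plus-“!” pattern gives about 22 bits under the assumed model, which is only a few million guesses. Length and genuine randomness are what make the generated password strong, not the presence of a “$” or a “!”.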
Changing every single one of your passwords is a daunting task, but I challenge you to change at least one password–preferably the password that you use most often–at some point today. When you’re ready to begin cleaning up the rest of your passwords, follow this downloadable World Password Day Checklist I’ve created to help you make sure that all of your changed passwords are long, strong, and memorable!