5. Don't just go strong. Go long. A strong eight-character password is easier to crack than a longer, weak password, according to a Carnegie Mellon study. Siegrist agrees. You can test this yourself at Passfault.com. For example, the randomly generated 8-character password "Lr2ZvyaE" can be broken in 1 month, 4 days using software designed to crack passwords, while "thisismypasswordforgmail" would take more than a billion centuries. How much longer would it really take a hacker to crack a 12- or 24-character string versus the typical eight characters? That depends in part on how the password was hashed and how many rounds of hashing were used: a fast, unsalted hash lets an attacker test orders of magnitude more guesses per second than a deliberately slow one, so any crack-time estimate is only as good as the guess rate it assumes. "You don't know how sites are storing your password, so you have to assume the worst," Siegrist says. But there is a law of diminishing returns at work here. Extending passwords from 8 to 12 characters should suffice in most cases, he says. (The randomly generated 12-character password "jO7SlY5zerHT" would take 1565 centuries to break, according to Passfault.com.)
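To make the "it depends on the hashing" point concrete, here is an added worked example (not from the article, and not how Passfault.com computes its figures) that estimates average crack time for the article's sample passwords under two assumed guess rates, one for a fast unsalted hash and one for a slow tunable hash such as bcrypt. The rates, the 20,000-word dictionary size and the "half the keyspace on average" rule are all illustrative assumptions; only the sample strings come from the page.

```python
# Added worked example (not from the article or Passfault.com): how crack-time
# estimates for passwords of different lengths move with the attacker's guess
# rate, which depends on how the site hashes passwords. Every rate below is an
# ASSUMED round number for illustration, not a measurement.

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guesses per second for one attacker rig against each storage scheme.
ASSUMED_RATES = {
    "unsalted MD5 (fast hash)": 1e11,    # assumption
    "bcrypt, cost 12 (slow hash)": 1e4,  # assumption
}


def charset_size(password: str) -> int:
    """Smallest union of standard character classes that covers the password.

    This is the most favourable assumption for the attacker: they already
    know which classes the password draws from.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_guesses(password: str) -> int:
    """Candidates when the attacker enumerates the whole character-class space."""
    return charset_size(password) ** len(password)


def wordlist_guesses(words: int, dictionary_size: int) -> float:
    """Candidates when the attacker models the password as `words` dictionary words."""
    return float(dictionary_size) ** words


def expected_years(guesses: float, rate: float) -> float:
    """Average time to hit the password: half the space at `rate` guesses/second."""
    return guesses / 2 / rate / SECONDS_PER_YEAR


def crack_time_table(candidates):
    """Return (label, scheme, years) rows for each (label, guesses) pair."""
    rows = []
    for label, guesses in candidates:
        for scheme, rate in ASSUMED_RATES.items():
            rows.append((label, scheme, expected_years(guesses, rate)))
    return rows


if __name__ == "__main__":
    # Sample strings are the article's; the attack models are the added part.
    candidates = [
        ("8 random alnum 'Lr2ZvyaE'", brute_force_guesses("Lr2ZvyaE")),
        ("12 random alnum 'jO7SlY5zerHT'", brute_force_guesses("jO7SlY5zerHT")),
        ("24 lowercase, brute force", brute_force_guesses("thisismypasswordforgmail")),
        # Same passphrase modelled as 6 words from an assumed 20,000-word list.
        ("24 lowercase, 6-word dictionary", wordlist_guesses(6, 20_000)),
    ]
    for label, scheme, years in crack_time_table(candidates):
        print(f"{label:34} {scheme:28} {years:12.3g} years")
```

Under these assumed numbers the 8-character random password falls in roughly twenty minutes against an unsalted fast hash but takes a few centuries against bcrypt, and the 12-character one is about 62^4 (some fifteen million) times harder in either case, which is the diminishing-returns step Siegrist describes. The 24-character lowercase string drops from around 10^15 years under pure brute force to around 10^7 years once the attacker guesses it as dictionary words: still far beyond the 12-character random string's reach against a fast hash, but nowhere near "a billion centuries", which is why the attack model matters as much as the length.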
But hacker techniques are always improving, and with a password manager you don't have to remember or type in passwords, so why not go longer? "I'm hesitant to tell people they should be going insanely long everywhere," Siegrist says. "So long as you're not reusing passwords you're relatively safe with a 12-character string," he says. But, he adds, "If the answer is that no matter what, no one should ever be able to break into an account then by all means make it nice and long." Just remember, he warns: If you reuse that password on even one other site you've done more harm than using a different, shorter one for each.
Unfortunately, there's a rather discouraging problem you're bound to run across when implementing a go-long strategy: Many sites still don't allow more than eight characters. While my bank and LastPass do not place a limit on password length, other accounts are limited to as few as eight characters. That's a common problem, Siegrist says. And many sites don't allow the use of special characters such as # or $ or & either.
There's nothing you can do about this, except maybe take your business elsewhere. When a database doesn't allow longer passwords or special characters that's a huge red flag, Siegrist says, because it means that the site is probably storing passwords incorrectly. A properly salted and hashed password produces a fixed-size digest no matter how long or what characters the input contains, so a site has no technical reason to cap length or ban symbols unless it is storing the raw string in a fixed-width field. Decades ago, when the database was created, the password field may have been designed to have a short maximum length and to limit characters to letters and numbers. Changing the database requires a lot of work, he says, so many institutions simply don't do it.
6. Create strong user account names as well as passwords. Your user name is 50% of the information a criminal needs to crack your account. You wouldn't create a password that's easy to guess. Why do that with your login ID?