Why Your Passwords Aren't Strong Enough—And What to do About it

By David Nield on at

Passwords are your way into almost all of your online accounts, from social networks to email platforms, but how do you know whether the ones you’re using are strong enough to stand up to repeated hacking attempts? If you want to know how to do a self-audit on password security, and the best combinations to use to keep your data safe, we’ve asked the experts to explain.

You might already be familiar with the usual advice, which often flashes up whenever you create a new account somewhere: Keep your passwords long, complicated, and hard to guess. What you might not know is why those rules make for a stronger password, and how even the best password policies can cause problems for users.

Password cracking 101

There are a ton of ways your password can be exposed, explains Bruce Marshall, security consultant and founder of PasswordResearch.com: They include someone simply guessing it, using a phishing attack to make you enter it into a compromised site, or using a brute-force attack to try a huge number of combinations in rapid succession (which many apps and sites will now stop from happening).

Add to that invisible malware that can ‘watch’ you enter your password once its taken root on your system, plus the very real possibility of password database breaches on services with inadequate security measures, and you can see your personal collection of numbers, digits, and special characters is under threat from all sides.

As a result, you need to keep your computer secure, make sure you only do business with online services that have strong security, and come up with passwords that aren’t predictable, guessable, or easily cracked, says Marshall—that’s where the oft-quoted advice about a long, complicated password usually comes from, because a 4-character password offers far fewer combinations than a 14-character one.

Sites will often advise you about the strength of your passwords.

Don’t use your name, don’t use your birthday (especially if it’s proudly displayed on Facebook), and don’t use your pet’s name (especially if it’s all over your public Instagram). Length is important (14 characters is a good minimum to aim for), but keeping your passwords hard to guess is even more important.

“Attackers don’t go and blindly try all eight letter passwords and all nine letter passwords,” Jeffrey Goldberg, security guru for the 1Password password manager, told Gizmodo. “They guess the more likely ones first. These attackers know more about how people create passwords than anyone else.”

In other words, password hackers know that everyone is being told to add uppercase letters, and lowercase letters, and symbols, and they know the patterns of characters that users are likely to default to: “LetMe1n!” isn’t much stronger than “LetMeIn”, while “Passw0rd!” is only a minor upgrade on the frankly awful “password”. You might think you’re being smart, but a whole load of users are following the same route you are.

The Carnegie Mellon University password tester.

As research from the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University has shown, it’s hard to judge the effectiveness of any password policy when humans are such predictable types. Tell everyone to use a number, and they’ll tend to gravitate to using the same one in the same place; tell everyone to add capitalizations, and they’ll probably put these in the same places too.

That’s not to say there aren’t ways to make your password more secure—longer, more difficult to guess, more unique passwords are safest, and the faculty at Carnegie Mellon have put a password strength tester online that you can make use of. Tap out an example password and you’ll get warned if you’re putting your uppercase letters or your symbols in the same place everyone else does, or using dictionary words (too easy to guess).

The online tester will give you detailed feedback on your password based on a neural network of millions of samples. However, even the strongest passwords just aren’t enough any more, and that’s something all our security experts agreed on. If you’re only using passwords you’ve come up with yourself, you’re low-hanging fruit for the hackers.

The problem with passwords

The problem with the strongest passwords is they’re very long and very hard to remember—that makes them difficult to crack, but it also makes us more likely to write them down on a piece of paper (freely visible to anyone who sees it) or reuse them across several of our accounts (which means breaking into the most weakly protected account enables access to all the rest).

“Memorising complex, unique passwords for every online account isn’t natural and can result in users cutting corners at the expense of their own security: Reusing passwords, using variations of the same, or using identifiable information in their password,” Steve Schult, Senior Director of Product Management at LastPass developer LogMeIn, told us.

In other words, the rules that govern the creation of strong passwords aren’t rules that we human beings can easily stick to—at least not without compromising our security in another way, or forgetting our passwords on a daily basis.

Don’t use the same password everywhere you sign in.

Changing passwords regularly is another example of this. In theory, it’s a good idea to keep the hackers guessing and to ensure data breaches on old accounts don’t affect new ones; in practice, it compounds the problem of having so many passwords to handle and leads to people choosing weaker and weaker options. As research shows, even the way you change your passwords is predictable, as we change 1s to 2s and so on.

Remember too that the same computer processing power that’s being used to recognize our voices and serve up useful Netflix recommendations is also being used to generate passwords for hacking attacks.

Several of our security experts named the passphrase as the strongest possible option: a random collection of words, sprinkled with capitalizations and symbols that don’t follow typical patterns (like having the first letter capitalized and the last character as a symbol, if you hadn’t guessed). But you really need to have such a passphrase for all your accounts—every single one.

Have I Been Pwned? warns you if your password might have been exposed.

“Any password that is used for multiple sites and services is only as strong as the weakest of those sites and services,” says Goldberg. “A reused password is a weak password.”

“You could have a seemingly great password that you use for your online banking and also use on MyKittyPics.net among a dozen other sites and services. If MyKittyPics.net doesn’t use secure connections, then your password goes flying over the network for anyone in the coffee shop you are in to read. Or if they don’t store the passwords in a secure form, then that password can easily be stolen.”

“[Passphrases] can be great if they’re several random words, even though they may be all lowercase and not contain numbers or symbols,” adds Troy Hunt, web security author and the man behind Have I Been Pwned?. “But now we need uniqueness too because we can’t use the same passphrase everywhere... we also have dozens or even hundreds of accounts these days so your brain alone won’t work.”

Beyond the password

As the more security-conscious among you might already know, the only real answer to the problem is a password manager, if you want to get serious about staying secure—that was the advice of every single one of the security experts we spoke to, though it should also be noted that at least two of those experts work on password managers themselves.

It’s not quite the only tool you’ve got at your disposal though—as we’ve mentioned many times, setting up two-factor authentication on your accounts is an absolute must as far as personal security goes. It’s not infallible, but it means attackers need something else (usually access to an app on your personal phone) besides your username and password to break into an account.

Beyond that, a password manager of repute will not only remember a multitude of complex, lengthy passwords for you, it’ll create new ones when needed, and keep everything secure through one master password known only to you—though be sure to apply the principles we’ve talked about above when choosing one.

Password managers will look after all your accounts.

“Password managers are the only way out of this and once you go down that path, you can start generating actual random passwords, 40 characters worth, and stop worrying about strength and uniqueness because now it’s already taken care of for you,” says Hunt.

Hackers are leveraging the power of the algorithm to try and crack your passwords, so why not use the same computer science techniques to make sure your passphrases are as randomised and unguessable as possible? That’s not to say you can suddenly forget about your online security, but these apps make password management much easier.

“The safest approach to creating good passwords is not to create them yourself,” adds Marshall. “Use a password manager to randomly generate and store your passwords... Most people aren’t able to distinguish a strong password from a weak password, so it’s safer not to rely solely on your own judgment to choose them.”

These tools also generate hard-to-crack passwords for you.

What’s more, the computer scientists at Carnegie Mellon describe a password manager as “a crucial aid” to keeping yourself safe on the web, gladly taking care of remembering all those long and complex passwords for you so you don’t have to rely on notes stuck to your computer monitor or your wedding anniversary followed by the name of your pet.

We’ve previously looked at some of the best password managers in the business: In no particular order, 1Password, Dashlane, Keeper, LastPass, and the open source KeePass. They will all do very good jobs of managing your online identities. Pricing varies, but with the exception of KeePass, you’ll typically have to hand over a few dollars a month to manage passwords across multiple devices and services. Apps for mobile and desktop are available, and two-factor authentication is handled automatically.

In the end, according to the people who work in this field and study it as a job, we all need a little password help. “A strong password needs to be randomly generated, and people are terrible at being random,” says Goldberg.


More Security Posts: