by Dave Moore, CISSP, 05/02/2021
Wow, if there’s one thing that makes some people upset about using the Internet, it’s passwords. The need to use strong, unique passwords just drives some people crazy.
Most people are merely annoyed at having to hassle around with passwords, because passwords can be annoying and somewhat of a hassle, especially if not handled correctly. Having to use keys to lock our houses can be annoying, too. Who has time for such annoyance? It’s a hassle having to retrieve a key to unlock the door to your house, just so you can go inside.
Not as much of a hassle, however, as going inside your house and discovering burglars have stolen everything you own because you were too important to be bothered with using good door locks to protect your house.
Online passwords are like keys that unlock our Internet accounts, just like physical locks on homes and businesses. There are good locks, and there are crummy locks. Surely, nobody thinks it’s OK to use a cheap, screen door hook and eye latch to lock the front door of their house, thinking it will protect them and their belongings. Why, then, would anyone think it’s OK to use a weak, eight-character dictionary word to protect their bank account, their shopping accounts, or any account, for that matter?
Maybe it’s because we don’t actually see the passwords, or the online locks they open, when we use them. They aren’t tangible pieces of metal we can hold in our hands and see with our eyes, so maybe some people don’t actually consider them to be real. Maybe that’s why some people don’t believe they should be taken seriously.
Maybe; maybe not. What, am I a psychiatrist, now? No, I am not, but I am a Certified Information Systems Security Professional (CISSP), and I can tell you for a fact that using strong, unique passwords is critically important to your online survival, just like the expert at the tire shop can tell you to use real tires on your car, instead of those balloons you’ve been getting at the five-and-dime store and wrapping around the wheels.
So, what makes for a strong password? First off, we need to forget old password advice from twenty years ago, such as: (1) passwords only need to be eight characters. Not true; has not been true for a very long time. (2) “My password should be something I can remember.” No, it should not; we do not need to memorize our passwords. We have computer programs, like password managers and browsers, to memorize them for us. Even a well-hidden piece of paper can be a viable password repository. (3) It’s OK to use the same password for all my accounts, as long as it’s complicated with upper case, lower case, numbers and symbols. Not true, never has been true. If a bad guy knows your password, and it’s the same for all your accounts, he has access to all your accounts, no matter how complicated you made it.
I don’t make the rules for Internet safety and password security, I just tell people what they are. Here are the top two rules for strong passwords.
Strong passwords are long. They contain many characters. This is the rule that trips people up the most, because people think they can’t memorize a long password, when passwords don’t have to be memorized in the first place. Refer to number 2, above. Also, you need a unique password for every account you have, whether you think it’s an important account or not. Refer to number 3, above.
Our nation’s premier spy agency, the National Security Agency (NSA), in its publication titled, “Information Assurance Capabilities, Version 4.0 January 2018,” states user-generated passwords should be “…a minimum of 16 characters. User generated passphrases… a minimum of 5 words.”
There you have it; 16 characters, minimum, and more is better. Upper-case, lower-case, numbers and special characters are fine, but it’s length that makes a password stronger, not complexity. Every character you add multiplies the number of guesses a bad guy has to make by the size of the alphabet, so a 16-character password made only of lower-case letters has vastly more possibilities than an eight-character password that uses every character class. If you are going to use a passphrase, made up of actual words, it should be a minimum of five words, and, again, the longer, the better. Do you want minimum security, or maximum security?
Passphrases also should not be phrases that make sense, like “Mary had a little lamb,” or “Sooner football is number one.” A phrase everybody knows is one of the first things a cracking program tries. It should be more like “bucketTrainantennapaperjack,” with the words picked at random. You could memorize that if you had to, and it’s a whopping 27 characters long, but fortunately, we have password management programs and browsers to memorize them for us.
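To put numbers behind “length beats complexity” and “pick the words at random,” here is an added example (my code, not from the column) that estimates the entropy of a few password policies and how long an attacker would need to try every possibility. The character-class sizes, the 7,776-word list size (a common Diceware-style list) and the guess rate of ten billion per second (an offline attack on a fast, unsalted hash) are assumptions chosen for illustration; the short word list embedded for the passphrase generator is constructed for the demo and far too small for real use. The estimate only applies to passwords chosen at random; a phrase everyone knows has nowhere near this many possibilities.

```python
import math
import secrets
import string

# Alphabet sizes (assumed for the estimate; 94 = printable ASCII minus space).
LOWER = 26
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ALL_CLASSES = len(ALPHABET)
WORDLIST_SIZE = 7776          # assumed size of a Diceware-style word list

# Assumed attacker speed: ~1e10 guesses/s, an offline GPU attack on a fast hash.
GUESSES_PER_SECOND = 1e10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a password of `length` symbols drawn uniformly
    at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every possibility at the given rate (worst case;
    the expected time to the first hit is half of this)."""
    return (2 ** bits) / guesses_per_second / (3600 * 24 * 365)


def compare_policies(guesses_per_second: float = GUESSES_PER_SECOND) -> dict:
    """Return {policy name: (entropy bits, years to exhaust)} for the policies
    the column contrasts: the old eight-character advice versus long ones."""
    policies = {
        "8 chars, all classes (old advice)": (ALL_CLASSES, 8),
        "16 chars, lowercase only": (LOWER, 16),
        "16 chars, all classes": (ALL_CLASSES, 16),
        "5 random words (7776-word list)": (WORDLIST_SIZE, 5),
    }
    results = {}
    for name, (alphabet, length) in policies.items():
        bits = entropy_bits(alphabet, length)
        results[name] = (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
    return results


def generate_password(length: int = 16) -> str:
    """Random password from the 94-symbol alphabet using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_passphrase(wordlist: list, words: int = 5) -> str:
    """Random passphrase: `words` words picked independently from `wordlist`.
    Its entropy is words * log2(len(wordlist)), so the list must be large."""
    return "".join(secrets.choice(wordlist) for _ in range(words))


# Constructed, deliberately tiny word list for the demo only (2^4 words = 4 bits/word).
DEMO_WORDS = ["bucket", "train", "antenna", "paper", "jack", "lamp", "river",
              "stone", "cloud", "fence", "maple", "organ", "quilt", "sand",
              "tower", "violin"]


if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:36s} {bits:6.1f} bits  ~{years:12.3g} years to exhaust")
    print("random 16-char password:", generate_password())
    print("demo passphrase (toy list, only %.0f bits):" %
          entropy_bits(len(DEMO_WORDS), 5), generate_passphrase(DEMO_WORDS))
```

Run it and the eight-character, all-classes password comes out around 52 bits, which the assumed attacker exhausts in about a week, while sixteen lower-case letters are about 75 bits and five random words from a 7,776-word list about 65 bits, both far out of reach at the same rate.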
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or internetsafetygroup.org