Weighing Security Against Convenience: What Works And What Doesn’t

Choosing the right password strategy means weighing security against convenience so you can stay safe without losing your mind. But what’s the best balance? Is it the same for everyone? With the help of a security expert, I decided to find out.

Photos by edel (Shutterstock) and Stock Elements (Shutterstock).

Over the years, we’ve posted lots of password security tips, tricks and techniques. Although I’ve always used strong passwords, many of my coworkers went to much greater lengths to enhance their security. I knew my passwords needed an audit, but the security measures suggested by my colleagues seemed so frustrating and inconvenient. I wanted safety but without all the hassle.

To identify the best combination of security and convenience, I decided to audit all the methods we recommend with the help of security and investigations expert Brandon Gregg. To do that, we first need to know what makes our passwords vulnerable.


The Three Variables That Contribute To Weak Passwords


Gregg explained that three variables make a password weak, each adding to its vulnerability:

  1. An easily guessed/cracked password: Gregg explains: “With Amazon EC2, GPUs [which can easily handle parallel calculations], and software like AccessData’s Distributed Network Attack (DNA), guessing half a billion passwords per second is easy. My personal record is 370 million guesses per second — not crazy, but better than most law enforcement agencies. It also appears that some sites, such as Twitter, allow these kinds of brute-force attacks against user accounts as long as the ‘password guess’ comes from a randomised IP address on each attempt.” Rates like these apply to offline cracking of a stolen password database; guessing against a live login page is far slower, though as Gregg notes, some sites do little to throttle it. Either way, you don’t want an easily crackable password. Later in the post, we’ll discuss which methods produce the most secure and reliable passwords.
  2. An easily forgotten password: Your passwords don’t help you if you can’t remember them. “Always resetting your hard-to-remember password just leads to more mistakes and exposures in the future,” Gregg says.
  3. One password provides access to many sites: Using the same password for everything means that if a hacker cracks one of your accounts, they’ve cracked them all.

Eliminating one or two of these factors doesn’t require much effort, but removing all three brings the level of inconvenience that I, and many people, hope to avoid. No security strategy is free of vulnerabilities, but in this post we’ll audit several types of passwords, from weak to strong, along with methods of managing them, to find out what’s best for convenience and what’s best for security.


The Four Levels Of Password Security


Least Secure: Simple Alphanumeric Passwords


The weakest type of password is a combination of numbers and letters, or just one of the two. It may be easy to remember a word or your phone number, but these passwords are easy to crack. Existing software has no trouble guessing dictionary words, phone numbers, or even combinations of both, especially when the password is under eight characters.

That said, you won’t forget a simple password. If you use it for every account you own, you won’t have to remember much at all, but this is extremely insecure. If you’re using a simple and short password, especially across many accounts, you’re not far off from using no password at all. For more on why weak passwords are easy to crack, read our recent overview.

Examples: charlie, hotstuff, 8675309, mary212


Somewhat Secure: Complex 8+ Character Passwords


Complex passwords require more effort to type, but they also require far more effort to crack. A complex password has at least eight characters. You should include capital and lowercase letters, at least one number, and at least one symbol (such as !, ? or @). You should also avoid using a single dictionary word. Using a phrase as a starting point is better, but again, not perfect.

This method breaks down when you try to use a unique password for every site, because you then have to remember many complex strings of letters, numbers and symbols.

Examples: [email protected]!, [email protected], b3stFr13ndS4eVer?!


Very Secure: A Common Complex Base Password With Unique Identifiers

You can’t easily remember a lengthy, complex password, so using a different one for every account just doesn’t work (unless you’re also using a password manager, which we’ll get to later). Remembering a single complex password is easier, but reusing it everywhere brings back the third variable unless you add a unique identifier for each site. That identifier can relate to the site in question so you won’t forget it. For example, if you used [email protected] as your common base password and you wanted to create a password for Gmail, you could use [email protected]. Gregg prefers this method over others:

Having a common base password plus the site name actually removes all three variables. Due to length, it won’t be cracked by a dictionary or brute-force attack. If LinkedIn gets compromised your Gmail will remain safe, and lastly, you aren’t going to forget your password. It’s the best option available.

Examples: [email protected], [email protected], [email protected]

Of course, if a savvy attacker obtained one of these passwords, the pattern would make the others easy to guess. Gregg suggests:

In my own passwords I mix up the “site” part not with a direct label of GMAIL or LinkedIn, but with “email” for Gmail or “resume” for LinkedIn. Something, again, that is easy to remember but hard to guess if your account is compromised.

Examples: [email protected], [email protected], [email protected]

With a common base password, you have another option: a three-word phrase with spaces (e.g. “goats love gmail”). This may seem less secure because it uses simple dictionary words, but its length, plus the spaces (which count as symbols to most sites and cracking tools), enlarges the search space considerably. (You can read more about the three word method here.) Gregg notes that this method sometimes fails because of how sites and applications restrict your password options:

The three word method is a good idea, but limited by many of the websites and applications you use. It solves the hard-to-crack problem and the easily compromised issue, but not the easy-to-remember one. Why, you ask? Most sites don’t allow spaces as a special character, so you are stuck using “goats@love@gmail.” Some sites even limit the number of special characters you use, so you might have one application that allows password A and another that does not. The next thing you know you have five different password styles and you can’t remember which style belongs to which login.

Examples: goats love gmail, goats@love@facebook, goats!love!pinterest

As mentioned, neither solution comes without vulnerabilities. If all your sites allow spaces and don’t restrict special characters, the three word method offers greater simplicity. Either way, a common base password with a unique identifier offers both security and convenience.
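To make the keyspace argument behind these levels concrete, here is an added example (not from the article or from Gregg) that scores a password against the “complex 8+” rule above and estimates how long exhausting its search space takes at the two guess rates Gregg quotes. It assumes a brute-force attacker who tries every string of the same length over the character classes the password actually uses, and a dictionary attacker who tries a million-word list with up to four trailing digits; the wordlist here is a constructed stand-in, and space is counted as a symbol, as most sites and cracking tools treat it.

```python
"""Password keyspace and crack-time estimator.

Added example, not code from the article or from Gregg.  Assumptions (mine, not
the page's): a brute-force attacker tries every string of the same length over
the character classes the password uses; a dictionary attacker tries a
million-entry wordlist (constructed stand-in below) with up to four trailing
digits.  Guess rates are the two figures Gregg gives.
"""
from __future__ import annotations

import string

RATE_GREGG = 370_000_000  # guesses/second: Gregg's personal record
RATE_EASY = 500_000_000   # guesses/second: "easy" with EC2 + GPUs + DNA

# Alphabet size each character class contributes.  Space is counted as a
# symbol, which is how most sites and cracking tools treat it.
CLASS_SIZES = {
    "lower": (frozenset(string.ascii_lowercase), 26),
    "upper": (frozenset(string.ascii_uppercase), 26),
    "digit": (frozenset(string.digits), 10),
    "symbol": (frozenset(string.punctuation + " "), 33),
}

# Constructed stand-in for a real cracking wordlist (which has ~1e6+ entries).
WORDLIST_SIZE = 1_000_000
TOY_WORDLIST = frozenset({"charlie", "hotstuff", "mary", "password", "goats"})


def classes_used(password: str) -> set[str]:
    """Names of the character classes that appear in the password."""
    return {name for name, (chars, _) in CLASS_SIZES.items()
            if any(c in chars for c in password)}


def brute_force_keyspace(password: str) -> int:
    """Strings of the same length over the classes actually present."""
    alphabet = sum(CLASS_SIZES[name][1] for name in classes_used(password))
    return alphabet ** len(password)


def dictionary_keyspace(password: str) -> int | None:
    """Guesses a dictionary attack needs if the password is a wordlist entry
    plus at most four trailing digits; None if that attack does not apply."""
    core = password.rstrip(string.digits)
    suffix_len = len(password) - len(core)
    if suffix_len <= 4 and core.lower() in TOY_WORDLIST:
        return WORDLIST_SIZE * 10 ** suffix_len
    return None


def effective_keyspace(password: str) -> int:
    """The smaller of the two attacks: what a competent attacker would run."""
    brute = brute_force_keyspace(password)
    dictionary = dictionary_keyspace(password)
    return brute if dictionary is None else min(brute, dictionary)


def seconds_to_crack(password: str, rate: int = RATE_EASY) -> float:
    """Time to exhaust the effective keyspace (the attacker's worst case)."""
    return effective_keyspace(password) / rate


def meets_complex_policy(password: str) -> bool:
    """The article's 'Somewhat Secure' rule: 8+ characters, upper, lower,
    digit and symbol, and not a dictionary word with or without digits."""
    return (len(password) >= 8
            and classes_used(password) == set(CLASS_SIZES)
            and dictionary_keyspace(password) is None)


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    for pw in ("charlie", "8675309", "mary212", "b3stFr13ndS4eVer?!",
               "goats love gmail", "goats!love!pinterest"):
        print(f"{pw!r:22} complex={str(meets_complex_policy(pw)):5} "
              f"keyspace~2^{effective_keyspace(pw).bit_length() - 1:<4} "
              f"exhaust@500M/s={human(seconds_to_crack(pw))}")
```

Run it and the article’s own examples line up with its levels: “charlie” and “mary212” fall to the dictionary attack in seconds, while “goats love gmail” fails the complex-password policy yet has a far larger search space (59^16) than any eight-character mix, which is the point of the three-word method. Treat the figure as a ceiling: real attackers use rule sets and combinator attacks that shrink the space for word-based phrases well below the brute-force number.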


Extremely Secure: Two-Factor Authentication And Passwords Even You Don’t Know

No password is more secure than a lengthy, complex string of characters that nobody knows. The obvious problem? You can’t enter a password you don’t know. Password managers like LastPass solve this by storing all your passwords in a single encrypted database, unlocked by one master password of your choosing. Of course, as Gregg points out, this comes with one major flaw:

Personally, I am fearful of any password manager used to centralise my accounts. As someone who “monitors” many systems I can personally tell you that if I capture your LastPass master password it’s like opening up a nicely wrapped present. I was only going to target your Twitter account, but you just gave me a one stop shop to all your accounts, even the banking accounts I had no idea you had. Thank you LastPass and the lazy user.

A password manager has a weakness similar to using the same password for every site: crack the one master password and you have them all. While LastPass, in particular, takes great efforts to keep your passwords safe, you’re putting yourself at risk by relying on one password to rule them all. The solution? Two-factor authentication, something you may have heard about recently. Gregg explains how it works:

Two-factor authentication adds a layer of security that is almost impossible to bypass. After using one of the password options above, Google (and other sites) send a text message to your phone. Not only is it obviously hard for hackers to be watching your phone (unless they have installed FlexiSPY or other monitoring tools), it also gives you a heads-up that you are being attacked. If you suddenly get a text message with an authorisation code at 2:00 AM, it might be a sign your ex-girlfriend is trying to get into your account.

When using a password manager such as LastPass, you should enable two-factor authentication or you are, as Gregg puts it, potentially offering up your passwords as a nicely wrapped present. While we often argue this approach secures your accounts better than any other, it also creates the most inconvenience. You’ll need to decide whether that inconvenience matters to you or not.
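What the text-message step above looks like on the server side, as an added example (not Google’s or LastPass’s code): after the password check passes, the site generates a short code, sends it out of band, and accepts it only once and only briefly. Everything beyond what the article states is assumed here: a six-digit code, a five-minute lifetime, a cap of five attempts, the code stored as a hash and compared in constant time, and a constructed `outbox` list standing in for the SMS gateway.

```python
"""One-time code check for a second factor sent out of band.

Added example, not Google's or LastPass's code.  It models the flow the article
describes: after the password is accepted, the site sends a short code to the
user's phone and accepts it only briefly.  Assumptions not on the page: six
digits, a five-minute lifetime, five attempts, single use, the code stored only
as a hash and compared in constant time.  `outbox` is a constructed stand-in
for an SMS gateway.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


def _digest(code: str) -> bytes:
    """Hash the code so a database read does not expose live codes."""
    return hashlib.sha256(code.encode()).digest()


@dataclass
class PendingCode:
    digest: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class SecondFactor:
    outbox: list[tuple[str, str]] = field(default_factory=list)   # (phone, text)
    pending: dict[str, PendingCode] = field(default_factory=dict)  # user -> code

    def issue(self, user: str, phone: str, now: float | None = None) -> str:
        """Generate a fresh code, record its hash, and 'send' it.  A new code
        replaces any outstanding one.  The plaintext is returned only so the
        demo and tests can play the user; a real server would not keep it."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = PendingCode(_digest(code), now + CODE_TTL_SECONDS)
        # The message doubles as the heads-up Gregg describes: an unexpected
        # code means someone else has your password.
        self.outbox.append((phone, f"Your sign-in code is {code}. If you did not "
                                   "request it, someone may have your password."))
        return code

    def verify(self, user: str, submitted: str, now: float | None = None) -> str:
        """Return 'ok' or the reason for rejection.  Expiry and the attempt cap
        are checked before the comparison, so an intercepted code is useless
        after five minutes and walking the six-digit space stops at five tries."""
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None:
            return "no_code"
        if entry.used:
            return "already_used"
        if now > entry.expires_at:
            del self.pending[user]
            return "expired"
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user]
            return "locked"
        entry.attempts += 1
        if hmac.compare_digest(entry.digest, _digest(submitted.strip())):
            entry.used = True
            return "ok"
        return "wrong"


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("alice", "+61 400 000 000", now=0.0)
    print(sf.outbox[-1][1])
    print(sf.verify("alice", "000000" if code != "000000" else "111111", now=1.0))
    print(sf.verify("alice", code, now=2.0))
    print(sf.verify("alice", code, now=3.0))
```

The attempt cap is what makes a six-digit code workable: without it, an attacker who already has the password only has to walk a one-million-code space. Expiry and single use are what make a code that was read off the phone (the FlexiSPY case Gregg raises) worthless a few minutes later.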


How Do I Select The Best Password Security?


Securing your accounts means choosing a balance between convenience and protection. If you’re willing to tolerate regular security checks and use randomly-generated passwords you don’t know, you can put your paranoia to rest. Most Lifehacker writers and editors use this level of password security because they don’t want to assume the risk and find little inconvenience in the extra effort. In fact, many adjusted to the new methods and haven’t found two-factor authentication to be inconvenient at all. You may feel the same way.

Personally, I find this method excessive and too much of a burden. As a result, I’ve opted for our third level of security (“Very Secure”) for two reasons. First, using a method that requires a password manager involves trusting someone else with your data. When you give someone else your data you take a risk that they may lose it or share it (whether intentionally or not). If you’ve ever told a friend a secret, you understand the potential risk. The only well-kept secret is the one you keep yourself.

Second, I want reasonably easy access to my data and I’m OK with assuming some risk. As someone who’s had his fair share of hardships, I don’t believe in trying to live life risk-free. Bad things happen. We should take reasonable measures to prevent them, but sometimes they still happen. To me, a tiny bit of added security isn’t worth the inconvenience.

What should you choose? Gregg sums up the decision-making process nicely:

Security is not always about who has the best alarms, tallest fences, or latest technology. There are many variables in security that people oftentimes overlook, including cost and convenience. We can lock down our computers, phones, and Internet with full encryption, bio-readers, and multi-level authorisation, but if you don’t assess your own realistic risk you can easily weigh yourself down by high costs and slow access. While two-factor authentication is currently one of the best methods of protecting your data, the added time for the second level of authorisation can become a nuisance and maybe overkill. Are you afraid of China snooping in your Gmail? If not, no two-factor authentication is needed. Is there a real concern your savings account can be hacked? Use two-factor authentication on all banking sites that offer it. Better understand your risk to better choose the level of security you need.

The level of security you choose depends on your personal needs and the risk you’re willing to accept. Just remember — while you can implement extreme security protocols, nothing rules out the possibility of a hack. Everything is vulnerable. Back up your data. Keep a close eye on your accounts. Security involves more than locking everything down with good passwords. You should prepare yourself for the worst. In the meantime, however, lock down your accounts in a way that’s secure enough for you and fits well into your life.

Special thanks to Brandon Gregg for his expert advice. Brandon has worked investigations for numerous Fortune 500 companies over the last 12 years investigating theft, fraud, organised crime, corporate espionage, and many high profile cases as well as being an educator, published author, and featured speaker on surveillance, computer forensics, complex investigations, and ethical hacking. You can find out more about him here.


  • Great article. With all of the recent high-profile security breaches this past year, it is more important now than ever for everyone to be extra careful. Your article offers some great insight.

  • Yes, excellent article – makes you realise how easy a simple alpha-numeric password is to crack with the right tools. I’d like to see more widespread use of 2-factor authentication – the Google version is very easy to use.

  • With KeePass, you don’t trust anyone else with your passwords; it’s all stored locally in an encrypted file. I keep my KeePass vault in my Dropbox, so passwords are also synced between computers.

    • So which is it… ? are your passwords “all stored locally” or do they live up on Dropbox to be synced between computers… ? If you’re using Dropbox then you’re trusting Dropbox…

      Yes.. I’m being a bit cheeky here… I myself use LastPass and my “stuff” is all stored on LastPass servers… but only ever as encrypted hashes… never plain-text… that only ever exists on my local devices once credentials are provided (password / second-factor). And I realise that KeePass is the same thing essentially just without the infrastructure to automatically sync via the cloud.. hence your need to use Dropbox… But I thought it was worth pointing out to others who might read this thread and think that storing passwords on Dropbox is somehow secure.

      The important thing that everyone can take away is to use a good quality password manager, and change all your passwords so that no two are ever alike.. and all are utterly incomprehensible to humans…

  • Can somebody explain to me how adding spaces in your password makes it so much more secure than a “random word” system with no spaces? I fail to see how something like “toastedbaconsubtletextual” is less secure than “goats love gmail”.

  • In that case it’s not so much that there are spaces…. it’s that spaces are classed as “special characters” as opposed to ABCDEFG or abcdefg or 123456.

    Eg: If you chose a 10 char password and used just numbers (2858457425) then you would have 11,111,111,110 possible passwords in that space.

    But if you replace even just ONE number with say a lower-case-letter (285w457424) the number of possible passwords increases hugely to 3,760,620,109,779,060.

    Add an upper case letter (285w457M24) and we now have 853,058,371,866,181,866 possible passwords in that character space.

    So if you want to go even further you can add one of the “special characters” to your 10 character password making it (2#5w457M24) and we now have a possible 60,510,648,114,517,017,120 passwords.

    So a password of Hey……………………………..You is much much stronger than something like heydudedonotforgetobringnachoswheninextcu even though both are 41 characters long.

    1.29 x 10^79 versus 1.07 x 10^58

    It’s really fun to play with these and see how much changing just ONE thing in a password can MASSIVELY increase its strength.


  • These were very nicely written and informative articles. We all need to be more proactive about our personal account security. One thing I am glad you mentioned is Two-Factor Authentication. I use 2FA across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you use it, it is worth the time and effort to have the confidence that your account won’t get hacked and your personal information isn’t up for grabs. It would be nice to see more of the leading companies in their respective verticals start giving their users the perfect balance between security and user experience. I know some will claim that 2FA makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I’m hoping that more companies start to offer this awesome functionality. To me this should be a prerequisite to any system that wants to promote itself as being secure.
