Choosing the right password strategy means weighing security against convenience so you can stay safe without losing your mind. But what's the best balance? Is it the same for everyone? With the help of a security expert, I decided to find out.
Over the years, we've posted lots of password security tips, tricks and techniques. Although I've always used strong passwords, many of my coworkers went to much greater lengths to enhance their security . I knew my passwords needed an audit, but the security measures suggested by my colleagues seemed so frustrating and inconvenient. I wanted safety but without all the hassle.
To identify the best combination of security and convenience, I decided to audit all the methods we recommend with the help of security and investigations expert Brandon Gregg. To do that, we firstly need to know what makes our passwords vulnerable.
The Three Variables That Contribute To Weak Passwords
Gregg explained that weak passwords have three variables, each of which contributes to their higher degree of vulnerability:
- An easily guessed/cracked password: Gregg explains: "With Amazon EC2, GPUs [which can easily handle parallel calculations], and software like Accessdata's Distributed Network Attack (DNA), guessing half a billion passwords per second is easy. My personal record is 370 million guesses per second — not crazy, but better than most law enforcement agencies. It also appears that some sites, such as Twitter, allow these kinds of brute force attacks against user accounts as long as the 'password guess' is from a randomised IP address each attempt." With so many guesses possible per second, you don't want an easily crackable password. Later in the post, we'll discuss which methods produce the most secure and reliable passwords.
- An easily forgotten password: Your passwords don't help you if you can't remember them. "Always resetting your hard-to-remember password just leads to more mistakes and exposures in the future," Gregg says.
- One password provides access to many sites: Using the same password for everything means that if a hacker cracks one of your accounts, they've cracked them all.
Eliminating one or two of these factors doesn't require much effort, but removing all three causes the higher level of inconvenience which I, and many people, hope to avoid. While no security strategy lacks vulnerabilities, in this post we'll audit several types of passwords, from weak and strong and methods of managing them to find out what's the best for convenience and what's the best for security.
The Four Levels Of Password Security
Least Secure: Simple Alphanumeric Passwords
The weakest type of password involves combinations of numbers and letters, or just one of each. It may be easy to remember a word or your phone number, but these passwords are easy to crack. Existing software has no trouble guessing dictionary words, phone numbers, or even combinations of both, especially when the password is under eight characters.
That said, you won't forget a simple password. If you use it for every account you own, you won't have to remember much at all, but this is extremely insecure. If you're using a simple and short password, especially across many accounts, you're not far off from using no password at all. For more on why weak passwords are easy to crack, read our recent overview.
Examples: charlie, hotstuff, 8675309, mary212
Somewhat Secure: Complex 8+ Character Passwords
Complex passwords require more effort to type, but they also require far more effort to hack. A complex password consists of at least eight characters. You should include capital and lowercase letters, at least one number, and at least one symbol (such as !, ?, @.). You should also avoid using a single dictionary word. Using a phrase as a starting point is better, but again, not perfect.
This method fails when you use a unique password for every site because you have to remember many, many complex strings of letters, numbers and symbols.
Very Secure: A Common Complex Base Password With Unique Identifiers
You can't easily remember a lengthy, complex password, so utilising different ones for every account just doesn't work (unless you're also using a password manager, which we'll get to later). Remembering a single complex password is easier, but makes your password less secure unless you add a unique identifier. That unique identifier can relate to the site in question so you won't forget it. For example, if you used [email protected] as your common base password and you wanted to create a password for Gmail, you could use [email protected] Gregg prefers this method over others:
Having a common base password plus the site name actually removes all three variables. Due to length it won't be cracked by a dictionary or brute force attack. If Linkedin gets compromised your Gmail will remain safe and lastly you aren't going to forget your password. It's the best option available.
Of course, if a savvy hacker managed to crack one password, they might figure out the others. Gregg suggests:
In my own passwords I mix up the "site" password not with a direct label of GMAIL or LinkedIn, but with email for gmail or resume for linkedin. Something again that is easy to remember, but hard to guess if your account is compromised.
With common basename passwords, you have another secure option: using a three word phrase with spaces (e.g. "goats love gmail"). This method may seem less secure because it includes simple dictionary words, but it works because spaces are in play. (You can read more about the three word method here.) Gregg notes that this method sometimes fails because of how sites and applications restrict your password options:
The three word method is a good idea, but limited by many of the websites and applications you use. It solves the hard to crack problem and easily compromised issue, but not the easy to remember. Why, you ask? Most sites don't allow spaces as a special character, so you are stuck using "[email protected]@gmail." Some sites even limit the number of special characters you use, so you might have one application that allows password A and another that does not. The next thing you know you have five different password styles and you can't remember which style belongs to which login.
Examples: goats love gmail, [email protected]@facebook, goats!love!pinterist
As mentioned, neither solution comes without vulnerabilities. If all your sites allow spaces or don't restrict special characters, the three word method offers greater simplicity. Either way, a common base password and a unique identifier offers both security and convenience.
Extremely Secure: Two-Factor Authentication And Passwords Even You Don't Know
No password is more secure than a lengthy, complex string of characters that nobody knows. The obvious problem? You can't enter a password you don't know. Password managers like LastPass solve this problem by storing all your passwords in a single database, unlocked by one unique password of your choosing. Of course, as Gregg points out, this comes with one major flaw:
Personally, I am fearful of any password manager used to centralise my accounts. As someone who "monitors" many systems I can personally tell you that if I capture your LastPass master password it's like opening up a nicely wrapped present. I was only going to target your Twitter account, but you just gave me a one stop shop to all your accounts, even the banking accounts I had no idea you had. Thank you LastPass and the lazy user.
Using a password manager suffers from a similar vulnerability to using the same password for every site: you crack one, you crack them all. While LastPass, in particular, takes great efforts to keep your passwords safe, you're putting yourself at risk by using one password to rule them all. The solution? Two-factor authentication, something you may have heard about recently. Gregg explains how it works:
Two-factor authentication adds a layer of security that is almost impossible to bypass. After using one of the password options above, Google (and other sites) send a text message to your phone. Not only is it hard for hackers to obviously be watching your phone (unless this installed FlexiSPY or other monitoring tools) it gives you a heads up to being attacked. If you suddenly get a text message with an authorisation code at 2:00 AM, it might be a sign your ex-girlfriend is trying to get into your account.
When using a password manager such as LastPass, you should enable two-factor authentication or you are, as Gregg puts it, potentially offering up your passwords as a nicely wrapped present. While we often argue this method secures your accounts better than any method, it also creates the most inconvenience. You'll need to decide whether that inconvenience matters to you or not.
How Do I Select The Best Password Security?
Securing your accounts means choosing a balance between convenience and protection. If you're willing to tolerate regular security checks and use randomly-generated passwords you don't know, you can put your paranoia to rest. Most Lifehacker writers and editors use this level of password security because they don't want to assume the risk and find little inconvenience in the extra effort. In fact, many adjusted to the new methods and haven't found two-factor authentication to be inconvenient at all. You may feel the same way.
Personally, I find this method excessive and too much of a burden. As a result, I've opted for our third level of security ("Very Secure") for two reasons. First, using a method that requires a password manager involves trusting someone else with your data. When you give someone else your data you take a risk that they may lose it or share it (whether intentionally or not). If you've ever told a friend a secret, you understand the potential risk. The only well-kept secret is the one you keep yourself.
Second, I want reasonably easy access to my data and I'm OK with assuming some risk. As someone who's had his fair share of hardships, I don't believe in trying to live life risk-free. Bad things happen. We should take reasonable measures to prevent them, but sometimes they still happen. To me, a tiny bit of added security isn't worth the inconvenience.
What should you choose? Gregg sums up the decision-making process nicely:
Security is not always about who has the best alarms, tallest fences, or latest technology. There are many variables in security that often times people overlook including cost and convenience. We can lock down our computers, phones, and Internet with full encryption, bio-readers, and multi-level authorization, but if you don't assess your own realistic risk you can easily weigh yourself down by high costs and slow access. While two-factor authentication is currently one of the best methods of protecting your data, the added time for the second level of authorisation can become a nuisance and maybe overkill. Are you afraid of China snooping in your Gmail? If not, no two-factor authentication is needed. Is there a real concern your savings account can be hacked? Use two-factor authentication on all banking sites that offer it. Better understand your risk to better choose the level of security you need.
The level of risk you want to assume depends on your personal needs and the level of risk you're willing to take. Just remember — while you can implement extreme security protocols, nothing prevents the possibility of a hack. Everything is vulnerable. Back up your data. Keep a close eye on your accounts. Security involves more than locking everything down with good passwords. You should prepare yourself for the worst. In the meantime, however, lock down your accounts in a way that's secure enough for you and fits well into your life.
Special thanks to Brandon Gregg for his expert advice. Brandon has worked investigations for numerous Fortune 500 companies over the last 12 years investigating theft, fraud, organised crime, corporate espionage, and many high profile cases as well as being an educator, published author, and featured speaker on surveillance, computer forensics, complex investigations, and ethical hacking. You can find out more about him here.