Stronger Password Habits

Jason Heath, Campus Tech Resources

Yahoo. Chase Bank. Target. Data breaches are becoming more and more common. As the frequency of attacks increases, so does the likelihood that you will be a victim. If you can’t avoid it, here are 3 ways that you can make it more difficult for attackers to steal your information, or at least limit the damage when they do.

1. Use Strong Passwords

We usually think that a secure password is one that contains uppercase letters, lowercase letters, numbers, and special characters. For example,

P@55w0Rd

If you run this through a simple tool for checking password complexity (I like to test with https://howsecureismypassword.net/), it would only take a computer about 9 hours to crack this password using a brute force attack.

In the last few years, most experts have pointed out that it’s really the length of the password that helps to make it secure. For instance, using that same tool, the password

PasswordIsMyPassword

would take a computer about 17 quadrillion years to crack. XKCD, an online technology and mathematical comic strip site, has a comic strip that explains the math behind why this is correct. It’s still a good idea to mix uppercase and lowercase letters and to add numbers and special characters, since that also increases the complexity, but a complex 8-character password is no match for a password with a good length.

If you already have trouble remembering your 8-character password, remembering a 16-character password may sound impossible. There are techniques for making this easier. For instance, famed MySpace hacker Samy Kamkar uses song lyrics to make it easier to remember his passwords. The password

ItIsWellWithMySoul

would take about 6 trillion years to crack. You can also use an algorithm, or pattern, to make passwords easier to remember.
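To see why length beats complexity, here is a small Python estimator added for this article (it is not part of the original post and not the tool linked above) that computes the brute-force search space for the example passwords in this section. The guess rate is an assumed figure, so the absolute years will differ from the site's numbers; the ratios between passwords are what show the point.

```python
import math
import string

# Assumed attacker guess rate: a constructed figure used only for illustration.
# The site linked above uses its own model, so absolute numbers will differ.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes an exhaustive search must include once any member appears.
CHARACTER_CLASSES = (
    string.ascii_lowercase,  # 26
    string.ascii_uppercase,  # 26
    string.digits,           # 10
    string.punctuation,      # 32
)


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet containing every character."""
    size = sum(len(cls) for cls in CHARACTER_CLASSES
               if any(c in cls for c in password))
    # Characters outside the four classes (spaces, accented letters) each
    # add one distinct symbol so the keyspace never collapses to zero.
    size += len({c for c in password
                 if not any(c in cls for cls in CHARACTER_CLASSES)})
    return size


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over that alphabet and length must try."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force entropy: log2 of the keyspace (not dictionary guessability)."""
    return math.log2(keyspace(password))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at the assumed rate."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


def length_vs_complexity_ratio(long_simple: str, short_complex: str) -> float:
    """How many times larger the long password's keyspace is than the short one's."""
    return keyspace(long_simple) / keyspace(short_complex)


if __name__ == "__main__":
    for pw in ("P@55w0Rd", "PasswordIsMyPassword", "ItIsWellWithMySoul"):
        print(f"{pw:22} alphabet={alphabet_size(pw):3} length={len(pw):2} "
              f"bits={entropy_bits(pw):6.1f} years={years_to_exhaust(pw):.3g}")
```

The model only counts an uninformed exhaustive search; a passphrase built from common words or lyrics has a much smaller effective search space against a dictionary or phrase-list attack, so these figures are an upper bound.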

2. Change Your Passwords On a Regular Basis

If you have been using the same password for the last 4 years, then you are long overdue to change your password. With good security practices, there is always a tension between how secure your habits are and how difficult it is to maintain those habits. Changing your password every hour is super secure, but you would spend a significant amount of time changing your password. Find a frequency that you can maintain, such as every time you change the oil in your car or go to the dentist (assuming that you have decent automotive and dental habits, about every 3 or 6 months respectively). At a minimum, I would suggest updating your main account passwords (email, banking, social networks) at least once a year.

3. Don’t Use the Same Password Everywhere

Once a person has a good, secure password, they tend to use that password everywhere. Unfortunately, once an attacker compromises one account, they may have access to every other account where that person used the same email+password combination. Even worse, if that password was also used for an email account, then an attacker can often use the email account to execute Forgot Password resets for the other accounts.

The best defense is to use as many different passwords across your accounts as possible. To make this easier, one technique might be to attach a keyword like @email or $bank to the passwords for those respective accounts. Definitely make sure that your email password is distinct from your other account passwords. This will reduce the chance of an attacker resetting your password through your email account.