Everyone and their mother has a password security strategy, some better than others. Choosing the right one means weighing security against convenience so you can stay safe without losing your mind. But what's the best balance? Is it the same for everyone? With the help of a security expert, I decided to find out.
Over the years, we've posted several password security tips, tricks and techniques ranging from the simply memorable to the perfectly paranoid. Although I've always used strong passwords, many of my coworkers went through great lengths to heighten their security far beyond mine. I knew my passwords needed an audit, but the security measures put forth by my colleagues seemed so frustrating and inconvenient. I wanted safety but without all the hassle. To find out the best combination of security and convenience, I decided to audit all the methods we recommend with the help of security and investigations expert Brandon Gregg. Before we can get started, however, we need to know what makes our passwords vulnerable.
The Three Variables That Contribute to Weak Passwords
Brandon explained that weak passwords have three variables, and each makes them more vulnerable:
- An easily guessed/cracked password: Brandon says, "With Amazon EC2, GPUs*, and software like Accessdata's Distributed Network Attack (DNA), guessing half a billion passwords per second is easy. My personal record is 370 million guesses per second—not crazy, but better than most Law enforcement agencies. It also appears that some sites, such as Twitter, allows these kinds of brute force attacks against user accounts as long as the 'password guess' is from randomized IP address each attempt." With so many guesses possible per second, you don't want an easily crackable password. Later in the post, we'll discuss which methods produce the most secure and reliable passwords.
- An easily forgotten password: Your passwords don't help you if you can't remember them. Brandon says, "Always resetting your hard-to-remember password just leads to more mistakes and exposures in the future."
- One password provides access to many sites: Using the same password for everything means that if a hacker cracks one of your accounts, they've cracked them all.
*GPUs or graphics cards are used to brute force passwords due to how they tackle parallel calculations. One GPU or clusters of GPUs can be made fairly cheaply and are multiple times faster at guessing passwords than their CPU brothers.
Eliminating one or two of the three variables doesn't require much effort, but removing all three causes the higher level of inconvenience I, and many people, hope to avoid. While no security strategy lacks vulnerabilities, in this post we'll audit several types of passwords, from weak and strong and methods of managing them to find out what's the best for convenience and what's the best for security.
The Four Levels of Password Security
Least Secure: Simple Alphanumeric Passwords
The weakest type of password involves combinations of numbers and letters, or just one of each. It may be easy to remember a word, your phone number, or both, but these passwords are easy to crack. Existing software has no trouble guessing dictionary words, phone numbers, or even combinations of both—especially when the password is under eight characters.
That said, you won't forget a simple password. If you use it for every account you own, you won't have to remember much at all. Of course, this is extremely insecure. If using a simple and short password, especially across many accounts, you're not far off from using no password at all. For more on why weak passwords are easy to crack, read this.
Examples: charlie, hotstuff, 8675309, mary212
Somewhat Secure: Complex 8+ Character Passwords
Complex passwords require more effort to type, but they also require far more effort to hack. A complex password consists of at least eight characters. You should include capital and lowercase letters, at least one number, and at least one symbol (e.g. !, ?, @, etc.). You should also avoid a single dictionary word (e.g. pantomime → p@nt0m!me). Using a phrase as a starting point is better, but again, not perfect (e.g. "I love goats → iLuVg0@ts).
This method fails when you use a unique password for every site because you have to remember many, many complex strings of letters, numbers, and symbols.
Examples: t@lk4Ev3r!, iLuVg0@ts, b3stFr13ndS4eVer?!
Very Secure: A Common Complex Base Password with Unique Identifiers
You can't easily remember a lengthy, complex password, so utilizing different ones for every account just doesn't work (unless you're also using a password manager, but we'll get to that later). Remembering just one, however, makes things much easier. It also makes your password less secure unless you add a unique identifier. That unique identifier can relate to the site so you won't forget it. For example, if you used iLuVg0@ts as your common base password and you wanted to create a password for Gmail, you could use iLuVg0@ts-gmail. Brandon prefers this method over others:
Having a common base password plus the site name actually removes all three variables. Due to length it won't be cracked by a dictionary or brute force attack. If Linkedin gets compromised your Gmail will remain safe and lastly you aren't going to forget your password. It's the best option available.
Examples: iLuVg0@ts-gmail, iLuVg0@ts-linkedin, iLuVg0@ts-facebook
Of course, if a savvy hacker managed to crack one password they might figure out the others. Brandon suggests:
In my own passwords I mix up the "site" password not with a direct label of GMAIL or LinkedIn, but with email for gmail or resume for linkedin. Something again that is easy to remember, but hard to guess if your account is compromised.
Examples: iLuVg0@ts-email, iLuVg0@ts-resume, iLuVg0@ts-friends
With common basename passwords, you have another secure option: using a three word phrase with spaces (e.g. "goats love gmail"). This method may seem less secure because it includes simple dictionary words, but it works because spaces are in play. (You can read more about the three word method here.) Brandon notes that this method sometimes fails because of how sites and applications restrict your password options:
The three word method is a good idea, but limited by many of the websites and applications you use. It solves the hard to crack problem and easily compromised issue, but not the easy to remember. Why, you ask? Most sites don't allow spaces as a special character, so you are stuck using "goats@love@gmail." Some sites even prevent the number of special characters you use, so you might have one application that allows password A and another that does not. The next thing you know you have five different password styles and you can't remember which style belongs to which login.
Examples: goats love gmail, goats@love@facebook, goats!love!pinterist
As mentioned, neither solution comes without vulnerabilities. If all your sites allow spaces or don't restrict special characters, the three word method offers greater simplicity. Either way, a common base password and a unique identifier offers both security and convenience.
Extremely Secure: Two-Factor Authentication and Passwords Even You Don't Know
No password is more secure than a lengthy, complex string of characters that nobody knows. The obvious problem? You can't enter a password you don't know. Password managers like LastPass solve this problem by storing all your passwords in a single database, unlocked by one unique password of your choosing. Of course, as Brandon points out, this comes with one major flaw:
Personally, I am fearful of any password manager used to centralize my accounts. As someone who "monitors" many systems I can personally tell you that if I capture your LastPass master password it's like opening up a nicely wrapped present. I was only going to target your Twitter account, but you just gave me a one stop shop to all your accounts, even the banking accounts I had no idea you had. Thank you LastPass and the lazy user.
Using a password manager suffers from a similar vulnerability to using the same password for every site: you crack one, you crack them all. While LastPass, in particular, makes great efforts to keep your passwords safe, you're putting yourself at risk by using one password to rule them all. The solution? Two-factor authentication, something you may have heard about recently. Brandon explains how it works:
Two-factor authentication adds a layer of security that is almost impossible to bypass. After using one of the password options above, Google (and other sites) send a text message to your phone. Not only is it hard for hackers to obviously be watching your phone (unless this installed FlexiSPY or other cell monitoring tools) it gives you a heads up to being attacked. If you suddenly get a text message with an authorization code at 2:00 AM, it might be a sign your ex-girlfriend is trying to get into your account.
When using a password manager like LastPass, you should enable two-factor authentication or you are, as Brandon puts it, potentially offering up your passwords as a nicely wrapped present. While we often argue this method secures your accounts better than any method, it also creates the most inconvenience. You'll need to decided whether that inconvenience matters to you or not.
How Do I Choose the Best Password Security for Me?
Securing your accounts means choosing a balance between convenience and protection. If you're willing to tolerate regular security checks and use randomly-generated passwords you don't know, you can put your paranoia to rest. Most Lifehacker writers and editors use this level of password security because they don't want to assume the risk and find little inconvenience in the extra effort. In fact, many adjusted to the new methods and haven't found two-factor authentication to be inconvenient at all. You may feel the same way.
Personally, I find this method excessive and too much of a burden. As a result, I've opted for our third level of security ("Very Secure") described above for two reasons. First, using a method that requires a password manager involves trusting someone else with your data. When you give someone else your data you take a risk that they may lose it or share it (whether intentionally or not). If you've ever told a friend a secret, you understand the potential risk. The only well-kept secret is the one you keep yourself. While you can't avoid sharing your information entirely, as that would lead to a horribly insulated life, I believe in keeping how much you share that information to a minimum. Second, I want reasonably easy access to my data and I'm okay with assuming some risk. As someone who's had his fair share of hardships, I don't believe in trying to live life risk-free. Bad things happen. We should take reasonable measures to prevent them, but sometimes they still happen. To me, a tiny bit of added security isn't worth the inconvenience.
What should you choose? Brandon sums up the decision-making process nicely:
Security is not always about who has the best alarms, tallest fences, or latest technology. There are many variables in security that often times people overlook including cost and convenience. We can lock down our computers, phones, and Internet with full encryption, bio-readers, and multi-level authorization, but if you don't assess your own realistic risk you can easily weigh yourself down by high costs and slow access. While two-factor authentication is currently one of the best methods of protecting your data, the added time for the second level of authorization can become a nuisance and maybe overkill. Are you afraid of China snooping in your Gmail? If not, no two-factor authentication is needed. Is there a real concern your savings account can be hacked? Use two-factor authentication on all banking sites that offer it. Better understand your risk to better choose the level of security you need.
The level of risk you want to take depends on your personal needs and the level of risk you're willing to take. Just remember—while you can implement extreme security protocols, nothing prevents the possibility of a hack. Everything is vulnerable. Back up your data. Keep a close eye on your accounts. Security involves more than locking everything down with good passwords. You should prepare yourself for the worst. In the meantime, however, lock down your accounts in a way that's secure enough for you and fits well into your life.
Special thanks to Brandon Gregg for his expert advice. Brandon has worked investigations for numerous Fortune 500 companies over the last 12 years investigating theft, fraud, organized crime, corporate espionage, and many high profile cases as well as being an educator, published author, and featured speaker on surveillance, computer forensics, complex investigations, and ethical hacking. You can find out more about him here.
Photos by edel (Shutterstock) andStock Elements (Shutterstock).
Oh hey, here's a picture of Jennifer Aniston rocking a zillion-carat engagement ring that her fiance, Justin Theroux, "gave" her. Though I assume Aniston bought the ring herself six years ago and stashed it in a safety deposit box until the day she finally found a man who could properly pull off being dressed like a 1930s fighter pilot. This is a big rock. A huge rock. A very expensive, obnoxious, stupid fucking rock. 
