4 common password security myths

Yes, password length and complexity matter, but only if you apply those qualities to the proper security context.


Talking about password security is a guaranteed crowd-snoozer, a surefire way to make people shut down and tune out, but the reality is that passwords are still important. Email or social media, online banking or gaming, educational applications or online services—anything that keeps some kind of user data still depends on passwords to keep miscreants out. Attackers will continue merrily looting bank accounts and taking over online services if users don’t step up and use better passwords.

We all know the basics—don’t use “password” and don’t repeat the same password across different accounts. Turn on two-factor authentication on online accounts wherever possible—one-time passwords via SMS messages are still better than nothing. Use a password manager to track all the passwords. Unfortunately, a lot of password advice sounds reasonable, but needs context to be helpful. Following are some ubiquitous password myths, clarified.

Password myth 1: Your password needs to have mixed case, numbers and special characters

Truth: There’s a limit to how much security complex passwords can give you. Yes, “letmein” is a bad password, but “Password1”, “Abc123”, and “Passw0rd” aren’t any better, despite having mixed case and numbers. It’s always a bad idea to create passwords based on a dictionary word. Substituting some of the letters for numbers or symbols isn’t that clever or unique an idea. Password crackers know to include words like “vuln3rabl3” or “trustno1” in their lookup tables. In fact, the latter password made SplashData’s top 25 worst list of commonly used passwords back in 2014.

To be fair, using mixed case, numbers and special characters makes the password much stronger than just using lowercase. While exact figures will vary by the amount of processing power on hand, a modern computer will take two days to crack an eight-character password that is all lowercase (since there are 26^8, or 208,827,064,576 possible combinations), but a large botnet will take only 1.8 seconds. Mixed case helps slow down the cracking, and throwing in a special symbol or two bumps up the number of combinations.
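The arithmetic behind the two paragraphs above, as an added example (not code from the article): it computes the search space for eight-character passwords drawn from each character class, converts it to bits, and contrasts it with the much smaller space a cracker covers by taking a wordlist and applying letter substitutions, which is why “Passw0rd” gains little. The guess rates are assumptions back-derived from the article's own figures (26^8 guesses in two days on one machine, 1.8 seconds on a botnet), and the substitution table and 100,000-word list size are constructed sample values.

```python
import math
import string

# Character-class sizes behind the article's "26^8" figure
LOWER = len(string.ascii_lowercase)                       # 26
MIXED = LOWER + len(string.ascii_uppercase)               # 52
MIXED_DIGITS = MIXED + len(string.digits)                 # 62
ALL_PRINTABLE = MIXED_DIGITS + len(string.punctuation)    # 94

# Guess rates are ASSUMPTIONS back-derived from the article's figures:
# 26^8 candidates in two days (single machine) and in 1.8 seconds (botnet).
SINGLE_PC_RATE = LOWER ** 8 / (2 * 24 * 3600)   # about 1.2 million guesses/s
BOTNET_RATE = LOWER ** 8 / 1.8                  # about 1.2e11 guesses/s

# Constructed sample of a letter-substitution rule; not any real tool's rule set
SUBSTITUTIONS = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidates an exhaustive search has to cover."""
    return charset_size ** length


def entropy_bits(space: int) -> float:
    """Equivalent strength in bits: log2 of the search space."""
    return math.log2(space)


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return space / rate


def substitution_variants(word: str, table=SUBSTITUTIONS) -> int:
    """Count (not generate) the spellings one word yields when each
    substitutable letter is either kept or swapped for one alternative."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(table.get(ch, ""))
    return count


def dictionary_space(num_words: int, word: str, table=SUBSTITUTIONS) -> int:
    """Search space for 'wordlist + substitutions + optional capital first
    letter', using one representative word for the per-word variant count."""
    return num_words * substitution_variants(word, table) * 2


if __name__ == "__main__":
    for name, size in [("lowercase", LOWER), ("mixed case", MIXED),
                       ("mixed+digits", MIXED_DIGITS), ("all printable", ALL_PRINTABLE)]:
        space = keyspace(8, size)
        print(f"{name:14s} {space:>22,d} {entropy_bits(space):5.1f} bits  "
              f"PC {seconds_to_exhaust(space, SINGLE_PC_RATE) / 86400:10.1f} d  "
              f"botnet {seconds_to_exhaust(space, BOTNET_RATE):10.1f} s")
    dict_space = dictionary_space(100_000, "password")
    print(f"{'dictionary+leet':14s} {dict_space:>22,d} {entropy_bits(dict_space):5.1f} bits")
```

The last line of output shows that a 100,000-word list with substitutions and optional capitalisation covers roughly 10.8 million candidates, about 23 bits, far below the 37.6 bits of an all-lowercase eight-character brute force.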

