What is a good password?

What is a good password? Before responding, think about it for a second...

What does a good password mean to you? How would you choose a “good password”?

Let’s try a simple password quiz. Out of those passwords, which ones do you think are good?

  1. e718f7599a7b1990e474b5d03a3c709d
  2. test123
  3. ^UR$FJ##__!#O#Kytu
  4. I love my green house!!

Based on common knowledge and what we hear online, most people would say that passwords #1 and #3 are very good and the others are not. Would you agree?

Really good passwords

But is that really true? Most people only think about a password in terms of length and complexity, but that’s only a part of what makes a good password. In my experience, I rate a password based on these characteristics:

  1. How often is it used? Do you use this password on only one site? Or is it shared across multiple accounts? The more often it is used, the LESS secure it is (no matter how complex or long).
  2. Where is it used? Is it your bank password? Your email password? Your password for an online forum that you don’t care about? Even “test123” is a good password if you don’t care about where it is being used.
  3. How is it used? Is the password transmitted via HTTPS? Used in a bank terminal? Forwarded in clear text (like FTP, HTTP, etc.)?
  4. How easy it is to remember. You don’t need an easy-to-remember password if you use a password manager, but it is important if you don’t use one.
  5. How long and how complex it is.

Did you notice the order of the list? The last thing I worry about is the size and complexity of the password. Why is that? Because a password is only as secure as the location where it is used, and how it is stored, shared and transmitted.

You could use the password “^UR$FJ##__!#O#Kytu” (theoretically secure) in your Gmail account and in an online forum. If that online forum is compromised (which is not uncommon), your Gmail account can easily be compromised as well.

Perfect password solution?

There is no perfect solution, but a good one is to have just a couple of good passwords remembered in your head (yes, long, complex and only used in high security locations). All the other passwords should be stored in a password manager for easy access and use.

For example, you could have only 3 high security passwords, one for your Email account, one for your Password manager account (where you store all the other passwords) and one for your bank site (for example).

If you can’t (or won’t) use a password manager, we recommend that you create password groups. Still remember 3 high security passwords (email, bank and some other site you care about). For the other sites, classify them in terms of importance (important, medium, don’t care about, don’t trust, etc.) and reuse the passwords among those.

But never share a password between different importance levels.
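A small audit of this grouping scheme, as an added example that is not part of the original post. It assumes a personal inventory of (url, level, password) tuples with the level labels shown below (all constructed), and flags the three failure modes described above: a password shared across importance levels, a high security password used on more than one site, and a password above “don’t care” sent over a clear-text protocol.

```python
"""Audit a personal password inventory against the grouping rules above.

Assumptions (not from the original post): accounts are (url, level, password)
tuples and the importance levels are the labels in LEVELS. All data is constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Importance levels, most sensitive first ("high" = the few memorised passwords).
LEVELS = ("high", "important", "medium", "dont_care")
# Protocols that forward credentials in clear text (characteristic 3 above).
CLEARTEXT_SCHEMES = {"http", "ftp", "telnet"}


def audit(accounts):
    """Return sorted (rule, hostnames) findings; an empty list means the rules hold.

    cross_level  - one password shared between different importance levels
    high_reused  - a high security password used on more than one site
    cleartext    - a password above "dont_care" sent over a clear-text protocol
    Findings name the sites, never the password itself.
    """
    by_password = defaultdict(list)  # group sites by the secret they share
    for url, level, password in accounts:
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r} for {url}")
        parts = urlsplit(url)
        by_password[password].append((parts.hostname, parts.scheme, level))
    findings = []
    for uses in by_password.values():
        hosts = tuple(sorted(host for host, _, _ in uses))
        levels = {level for _, _, level in uses}
        if len(levels) > 1:                     # "never share between importance levels"
            findings.append(("cross_level", hosts))
        if "high" in levels and len(uses) > 1:  # memorised passwords are single-use
            findings.append(("high_reused", hosts))
        for host, scheme, level in uses:
            if scheme in CLEARTEXT_SCHEMES and level != "dont_care":
                findings.append(("cleartext", (host,)))
    return sorted(findings)


# Constructed inventory: two quiz passwords from the post plus invented ones.
SAMPLE = [
    ("https://mail.example", "high", "correct horse battery staple, 2024!"),
    ("https://bank.example", "high", "I love my green house!!"),
    ("https://forum.example", "dont_care", "test123"),
    ("https://shop.example", "medium", "Sh0pping-Spr33"),
    ("http://oldforum.example", "medium", "Sh0pping-Spr33"),      # medium secret over plain HTTP
    ("https://wiki.example", "important", "I love my green house!!"),  # bank password reused lower
]

if __name__ == "__main__":
    for rule, hosts in audit(SAMPLE):
        print(f"{rule:12} {', '.join(hosts)}")
```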

Posted in passwords by Daniel Cid (dcid)
