What is a good password?
A good password is one that keeps others out. Unfortunately, the habits that were good enough in the past no longer hold up against the modern attacker. Our old password habits include:
- Short passwords, which can be cracked in seconds
- Passwords made from guessable words like our kids' names, pets, birthdays, etc.
- Even seemingly complex passwords built from special characters and numbers, which can now be cracked in seconds or minutes
What has changed?
A few things have changed over recent years:
- Vast amounts of computing power are now cheap and readily available. Against a website's login page an attacker can try thousands of passwords per second; against a stolen copy of a password database, cracking software running on ordinary graphics cards tries billions of guesses per second if the passwords were weakly hashed.
- Smart hackers now attack big companies to steal entire databases of usernames along with the matching passwords. Breaches at companies like Target, Home Depot, LinkedIn and Dropbox have led to the release of BILLIONS of usernames and passwords. Check out our other article on how to learn if your information is already out on the Internet.
To learn how long it would take to crack your existing password you might want to check out www.howsecureismypassword.net. This website estimates how long a brute-force attack could take, and if your password is already on a known password list it will tell you that it would be cracked immediately. For example, if I try the password “starwars” it says it would be cracked instantly. Two caveats: never type a password you actually use into a third-party website (test one built the same way instead), and treat the estimate as an upper bound, because it assumes the attacker guesses character by character rather than working from lists of leaked passwords and common words.
Regardless, the solution is to change your password to something new.
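Typing a real password into a strength-check site hands it to a third party. The safer way to find out whether a password is on a known breached list is to hash it locally and reveal only the first five characters of the hash, the k-anonymity scheme used by the Pwned Passwords range API (https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>). The example below is added here and is not part of the original article; the breached list and the hit counts are constructed so that it runs offline, and `lookup_range` stands in for the HTTP request a real check would make to that URL.

```python
import hashlib

# Constructed stand-in for a breach corpus (made-up entries for this example).
# A real check fetches the matching "range" from the Pwned Passwords API or
# uses a locally downloaded copy of the full hash list.
BREACHED = ["starwars", "123456", "password", "letmein"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Build the structure the range API returns: prefix -> 'SUFFIX:COUNT' lines.
    Counts here are invented (1000, 2000, ...) purely so the lookup has data."""
    index = {}
    for n, pw in enumerate(passwords, start=1):
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{n * 1000}")
    return index


def lookup_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Only the 5-character prefix is ever sent; the password itself never leaves
    the machine, and the response covers every hash sharing that prefix."""
    return "\n".join(build_range_index(BREACHED).get(prefix, []))


def breach_count(password: str, fetch=lookup_range) -> int:
    """k-anonymity check: send the prefix, match the 35-character suffix locally.
    Returns how many times the password was seen in breaches, 0 if never."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("starwars", "DogWindHairSpin18"):
        seen = breach_count(pw)
        print(f"{pw!r}: {'seen ' + str(seen) + ' times, do not use' if seen else 'not on the list'}")
```

A password that comes back with any count at all should be treated as already cracked, whatever a strength meter says about it, because attackers try leaked passwords before they try anything else.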
What makes a good password?
This is a constantly evolving standard. What is considered sufficient today will be insecure in the future. A few years ago CowBoy9 was a good password, but today that could be hacked in under a minute.
The National Institute of Standards and Technology (NIST) recently updated its Digital Identity Guidelines (SP 800-63B) on what makes a good password. They recognized that in today's world, where computers attack computers, an “s” vs. “S” vs. “$” are all about the same: just another character for the cracking software to try.
- Their updated guidance treats LENGTH as the most important characteristic. (NIST's own minimum is 8 characters, and it requires sites to accept passwords of at least 64; for anything you care about, use at least 12.)
- The good news is that we can skip all the crazy characters now and even use ordinary dictionary words. Combining 3 or 4 short UNRELATED dictionary words is a simple way to build a long password you can actually remember.
- For example, if we choose dog, wind, hair, and spin we get dogwindhairspin. This is 15 characters long, and I can probably come up with a way to remember this in my mind.
But if we tried to use dogwindhairspin today on a banking website it probably wouldn't be allowed, since many sites still enforce the older requirements (an uppercase letter, a number, a symbol).
The MME Generation 3 (Gen3) Password Standard
I’d like to suggest a slightly modified approach to the NIST standard that will still work with most other older password requirements. The best of both worlds. I like to call it Simple Complexity.
- 12 characters or more
- Made from 3 or 4 RANDOM small dictionary words
- Do NOT use personal details about yourself like the names of your kids, spouse, or pets, streets you lived on, birth years, months, favorite foods, sports teams, etc. Nothing a hacker could guess about you or learn from social media. RANDOM.
- Capitalize the first letter of each word
- Add a 2-digit number to the end that represents the year you set the password
- This will let you know how old it is, and perhaps motivate you to change it annually
- For example, add 18 to the end if it's 2018. The year is there for bookkeeping, not secrecy: anyone who knows this scheme can guess it, so the strength has to come from the random words.
Applying this to the last example, DogWindHairSpin18 becomes a formidable password. In fact, www.howsecureismypassword.net reports that it would take 2 trillion years to crack. Safe enough for me.
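The Gen3 rules above, and the 3-or-4-word approach they build on, are mechanical enough to put in code. The following is an added example, not part of the original article: it generates a Gen3-style password with the operating system's cryptographic random source, checks a candidate against the rules that can be tested mechanically, and estimates cracking time two ways, the way a strength meter does (every character random) and the way an attacker who knows the word-based pattern would actually work (every combination of words from a list times the year suffix). The 40-word list is constructed for the example; a real generator should use a list of a few thousand words, and the 5,000-word list size, the 2018 year and the guess rates in the estimates are assumptions, not figures from the article.

```python
import secrets

# Constructed word list for illustration only (40 words). A real generator
# draws from a few thousand short common words so the word choice itself
# carries enough randomness; the pattern (capitals, year) adds almost none.
WORDS = [
    "dog", "wind", "hair", "spin", "lamp", "frog", "milk", "gate", "rope", "sand",
    "coal", "harp", "leaf", "moon", "nest", "oak", "pine", "quilt", "rust", "salt",
    "tent", "vase", "wolf", "yarn", "zinc", "bell", "cake", "drum", "echo", "fork",
    "gold", "hill", "iron", "jade", "kite", "lime", "mint", "nail", "opal", "plum",
]


def build_gen3(words, year):
    """Apply the Gen3 rules to already-chosen words: capitalize the first
    letter of each, join them, append the two-digit year."""
    return "".join(w.capitalize() for w in words) + f"{year % 100:02d}"


def generate_gen3(word_list=WORDS, n_words=4, year=2018):
    """Pick the words with secrets (CSPRNG), never random.choice, which is
    predictable once an attacker has a few of its outputs."""
    return build_gen3([secrets.choice(word_list) for _ in range(n_words)], year)


def gen3_violations(password, min_len=12):
    """Return the list of Gen3 rules a candidate breaks (empty = passes).
    Randomness of the words cannot be checked mechanically, so it is not."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    has_year = password[-2:].isdigit()
    if not has_year:
        problems.append("does not end in a two-digit year")
    body = password[:-2] if has_year else password
    if not body.isalpha():
        problems.append("word part should be letters only")
    if not 3 <= sum(1 for c in body if c.isupper()) <= 4:
        problems.append("expected 3 or 4 capitalized words")
    return problems


def guesses_bruteforce(length, alphabet_size=62):
    """What a strength meter assumes: every character independent and random."""
    return alphabet_size ** length


def guesses_wordlist(n_words, list_size, year_span=100):
    """What an attacker who knows the Gen3 pattern has to try: every word
    combination times the possible year suffix. Capitalization is fixed by
    the rule, so it adds no work for the attacker."""
    return list_size ** n_words * year_span


def years_to_crack(guesses, guesses_per_second):
    """Expected time to hit the password: half the space on average."""
    return guesses / 2 / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_gen3()
    print("generated:", pw, "violations:", gen3_violations(pw))
    print("CowBoy9 violations:", gen3_violations("CowBoy9"))
    # Assumed rates: 1,000/s against a login page, 1e10/s offline against a
    # stolen, weakly hashed database (assumptions for this example).
    meter = guesses_bruteforce(len("DogWindHairSpin18"))
    pattern = guesses_wordlist(4, 5000)
    print(f"strength-meter view, offline: {years_to_crack(meter, 1e10):.3g} years")
    print(f"pattern-aware, online 1,000/s: {years_to_crack(pattern, 1_000):.3g} years")
    print(f"pattern-aware, offline 1e10/s: {years_to_crack(pattern, 1e10):.3g} years")
```

The two pattern-aware numbers are the practical point: four random words from a 5,000-word list are far beyond reach for anyone guessing at a login page, but a stolen database of weakly hashed passwords can be worked through in weeks. Adding a fifth word multiplies the attacker's work by the list size again, which is why word count matters far more than the capitals or the year.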
A Different Password Everywhere
The final point to make is to STOP USING THE SAME PASSWORD EVERYWHERE! We are creatures of habit and passwords are a hassle, so we ‘save time’ by using the same password everywhere. This is just plain dumb (and what got us into trouble in the first place), and hackers COUNT ON IT: the first thing they do with a password leaked from one site is try it on every other site.
Have a unique password everywhere you have anything of value: banks, Amazon, Starbucks, email accounts, etc.
I have one password I use at sites that have no ‘value’ behind it. Do I really care if someone hacks my Yelp account and posts fake reviews in my name?
Hopefully this has given you some inspiration to update your passwords to newer, safer ones.
If you have any questions or need any help with any IT issues in your Practice please give us a call at (866) 419-1102. We are here to help.
Learn more about this topic in our YouTube Video.