Making Your Passwords Secure

I got a little scare this morning. Checking the strength of my passwords, I found my American Express password could be broken by a desktop PC in about 3 hours! Now, in my own defense, at one time American Express forced passwords to be shorter than 9 characters. That's not very secure.

Do you wonder how secure your passwords are? There is no reason not to know. Check out http://howsecureismypassword.net. There you can enter a password and see its estimated strength relative to others. Don't worry, this page runs as a JavaScript app, and there is no communication between the webpage and their server once the webpage is loaded.

Want some ideas on how to make a stronger, yet more memorable, password?

Consider a passphrase instead of a password. Compare "Peter Piper picked a peck" with "bfhewbbjkk". Which is easier to crack? The Peter Piper passphrase can be cracked in, oh, about 2 nonillion years, whereas "bfhewbbjkk" can be cracked in about 6 days. Now tell me, which is easier to remember? Which one is more secure?

Make passwords/passcodes at least 16 characters long, especially for any financial accounts.

Consider special characters. "bfhewbbjkk" and "bfhewbbjk!" look almost identical and are the same length, yet the estimated time to crack the second one shoots up to a year. From 6 days to a year, just by changing one letter to a special character. That is a relatively big change.

Consider a password vault program. I use 1Password. This stores all your passwords in a secure file. The passwords can easily be recalled from just about any web browser for easy use. By the way, make the password for the vault itself super secure. My passcode for my password vault can be broken in, oh, about 1 trillion years.

Some sites have bad password policies. 8-character passwords are pretty much useless. Some limit special characters. Some sites would not allow the Peter Piper passphrase, but by removing the spaces, "PeterPiperpickedapeck", the passcode is still secure for about 137 quintillion years. If a site has overly restrictive passcode policies, consider how valuable the information you enter on that site is. I would never use a financial institution that did not allow for 16-character passwords.

Use different passwords. If someone somehow got one of your bank account passcodes, would they be able to access all of your accounts? Even worse, if they got your Facebook password, would they be able to get into your bank accounts? Even large corporations like Sony get caught with their pants down: their servers got cracked, and passwords were stored unencrypted. If a user had the same password on their Sony account as on their bank account, it would be just a matter of finding the right institution and their account could be drained.

You may be saying, "Those are some pretty big numbers, Stephen. My password doesn't need to be that secure." Consider this: if someone is trying to steal your password, they are not going to be using one computer but thousands of computers. That makes for much shorter work. Here is a variation on my mantra:

"Only securely protect the information that is valuable to you."

By the way, my new American Express password can now be broken in, oh, about 47 trillion years. It would have been even longer, but American Express limits passwords to 20 characters.
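As an added worked example (editor's code, not code from the post, from 1Password, or from howsecureismypassword.net), here is a small Python model of the comparisons above. It sizes the alphabet by the character classes a password actually uses, raises that to the password's length, and divides by an assumed guess rate, once for a single desktop PC and once for a thousand machines. The guess rate, the dictionary size and all function names are assumptions; the site the post links to uses its own model, so the absolute figures differ from the post's, but the ordering (length beats one extra special character, and a thousand machines cut the time a thousandfold) holds. It also carries the one caveat worth knowing about famous phrases: an attacker who guesses whole words from a list faces a much smaller space than a letter-by-letter search implies.

```python
"""
Crude brute-force cost model for "how long would this take to crack" comparisons.

Added example, not the post's or the linked site's code. It assumes an exhaustive
search over the character classes present at an assumed guess rate, so only the
relative sizes are meaningful.
"""
import string

# Assumed (constructed) figures: one desktop with a GPU guessing offline against a
# fast hash. Real rates depend on the hash algorithm and the hardware.
GUESSES_PER_SECOND_ONE_PC = 4_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Character classes and how many symbols each contributes to the alphabet.
CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation) | {" "}, 33),   # 32 ASCII punctuation marks plus space
)


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must search, given the classes present."""
    chars = set(password)
    return sum(size for members, size in CHARACTER_CLASSES if chars & members)


def search_space(password: str) -> int:
    """Number of candidates for an exhaustive search: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def crack_seconds(password: str, machines: int = 1,
                  rate: int = GUESSES_PER_SECOND_ONE_PC) -> float:
    """Worst-case seconds to exhaust the space; the average case is half this."""
    return search_space(password) / (rate * machines)


def wordlist_search_space(word_count: int, dictionary_size: int) -> int:
    """Candidates if the attacker guesses whole words from a dictionary rather than
    characters. A well-known phrase's real strength is closer to this than to
    search_space(), because nobody cracks it letter by letter."""
    return dictionary_size ** word_count


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit, rounded to one decimal."""
    units = (
        ("years", SECONDS_PER_YEAR),
        ("days", 86400.0),
        ("hours", 3600.0),
        ("minutes", 60.0),
    )
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare(passwords, machines: int = 1):
    """Rows of (password, alphabet size, length, estimated crack time)."""
    return [(pw, alphabet_size(pw), len(pw),
             human_duration(crack_seconds(pw, machines)))
            for pw in passwords]


if __name__ == "__main__":
    samples = [
        "bfhewbbjkk",                   # 10 lowercase letters (from the post)
        "bfhewbbjk!",                   # same length, one special character
        "PeterPiperpickedapeck",        # the passphrase without spaces
        "Peter Piper picked a peck",    # the passphrase with spaces
    ]
    for machines in (1, 1000):          # one PC versus a thousand of them
        print(f"--- {machines} machine(s) ---")
        for pw, alpha, length, when in compare(samples, machines):
            print(f"{pw!r:30} alphabet={alpha:3d} length={length:2d}  {when}")
    # The catch with famous phrases: five words drawn from a 20,000-word list
    print("5 dictionary words, 1 machine:",
          human_duration(wordlist_search_space(5, 20_000) / GUESSES_PER_SECOND_ONE_PC))
```

Run it as a script to print the comparison table. The wordlist figure is the check to keep in mind when picking a passphrase: a phrase nobody has published, or one padded with a made-up word, keeps the word-level search space large as well as the character-level one.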