Old advice can cause problems
For many years we have been taught that a secure password consists of randomly selected characters – not only from the alphabet but also numbers and symbols – and is “at least 8 characters long”. Even the passwords for wireless routers have a well-known minimum length of 8 characters, which has led to coffee shops having funny passwords like the bean123.
These were never very good guidelines, but long ago, when computers were many times less capable, nobody noticed. A password like 4#weM7[L is significantly more secure than password or 12345678, and with eight characters it was, at the time, next to impossible to crack.
But that was then. Today, a regular PC with a powerful graphics card can crack it in anywhere between a couple of days and a few weeks.
Today, passwords made up of random characters should be at least 12 characters long, and preferably even longer. If you found it difficult to remember 4#weM7[L, you can try eFxNvANveD6=z2*P.
Correct horse battery staple – the Xkcd technique
Many years ago, the well-known web comic xkcd published one of the most apt critiques of the prevailing view of how secure passwords are created: “Through 20 years of effort, we have managed to teach everyone to use passwords that are difficult for humans to remember but easy for computers to guess.”
The answer to the dilemma is not to think so much about individual characters. How hard a password is for a computer to crack depends on two factors: whether it was actually chosen at random, and how many guesses a computer needs to make on average to find it.
The first involves not choosing passwords from the list of the 1,000 or 10,000 most common passwords (lists that password cracker programs have access to and use first, because they are so common). Also, don’t use your name or anything else that can be linked to you.
The second is about how many different characters you choose from and how many characters you have. With the alphabet, numbers and special characters, there are about 96 different characters to choose from, and if you have 8 characters in the password, there will be a total of 7×10^15 combinations.
If you instead choose four random words from SAOL (the Swedish Academy's word list), you get about 2.5×10^20 combinations with this year’s list (four words chosen from about 126,000). At the same time, it is almost as easy to remember as four random letters.
Today, several password managers, including 1Password, have built-in support for creating passwords from word lists in this way. You can also use that to create passwords that you want to remember. If you want words in Swedish, you can simply translate the random English words into Swedish.
If you don’t draw the words at random but choose them yourself, the randomness is of course lower, but against a naive attack by someone who doesn’t know you, the difference is minimal. Just be sure not to choose a quote, a title, or anything else that has actually already been written.
This is what you do if the site requires capital letters, numbers and special characters
Three or four common randomly chosen words go a long way, but there’s a catch. On the Internet, the vast majority of services require that your password not only have a certain length, but also contain both lower and uppercase letters, numbers and also special characters.
A modified version of “correct horse battery staple” is to choose two or three random words and then choose a way to combine them that only you know and that meets the sites’ requirements. For example, you can have a couple of special characters you always place between the words, while the first letter of each word is uppercase and t is always replaced by 7.
Of course, fixed conversions and additions of that kind don’t make the password any harder for a computer to guess, but they don’t need to – they are only there to satisfy the sites’ really unnecessary requirements.
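An added example (not from the original article) that works through the figures above: the search space for 8 random characters from 96 versus four words from a 126,000-word list, a word-list passphrase drawn with a CSPRNG, and the fixed “site rule” decoration, which is deterministic and therefore adds no guessing work. The sample word list and the separator are constructed for the demo.

```python
import math
import secrets

# Figures used in the article: ~96 printable characters, ~126,000 words in SAOL.
ALPHABET_SIZE = 96
SAOL_WORDS = 126_000

def search_space(choices: int, length: int) -> int:
    """Number of equally likely passwords when each of `length` positions
    is drawn uniformly from `choices` alternatives."""
    return choices ** length

def entropy_bits(choices: int, length: int) -> float:
    """The same quantity expressed in bits: log2 of the search space."""
    return length * math.log2(choices)

def equivalent_random_chars(word_count: int, list_size: int,
                            alphabet: int = ALPHABET_SIZE) -> int:
    """How many random characters from `alphabet` give at least the guessing
    work of `word_count` words drawn from a list of `list_size` words."""
    return math.ceil(entropy_bits(list_size, word_count) / math.log2(alphabet))

# Constructed stand-in for a real word list (assumption: one word per entry).
SAMPLE_WORDS = ["korrekt", "häst", "batteri", "häftklammer", "tomat",
                "fyllning", "super", "lampa", "fönster", "cykel"]

def random_passphrase(words: list[str], count: int = 4) -> list[str]:
    """Draw `count` words with the OS CSPRNG. The computer picks them, not
    the user, which is what makes the choice count as random."""
    return [secrets.choice(words) for _ in range(count)]

def apply_site_rules(words: list[str], sep: str = "!#") -> str:
    """Fixed, user-chosen decoration to satisfy a site's character-class
    rules: capitalise each word, replace t with 7, join with one separator.
    Every input maps to exactly one output, so the number of candidates
    an attacker must try is unchanged by this step."""
    return sep.join(w.capitalize().replace("t", "7") for w in words)

if __name__ == "__main__":
    print(f"96^8  = {search_space(ALPHABET_SIZE, 8):.1e} "
          f"({entropy_bits(ALPHABET_SIZE, 8):.1f} bits)")
    print(f"126000^4 = {search_space(SAOL_WORDS, 4):.1e} "
          f"({entropy_bits(SAOL_WORDS, 4):.1f} bits)")
    print("4 SAOL words ~", equivalent_random_chars(4, SAOL_WORDS), "random chars")
    print(apply_site_rules(random_passphrase(SAMPLE_WORDS)))
```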
Different length for different accounts
Since these are passwords that you actually want to remember, both tomorrow and six months from now, it’s important that they’re actually easy enough to remember. That’s the whole point of choosing random words. But sometimes ease of typing can also be important. On the mobile, for example, where you probably don’t feel like sitting down and typing in 20-character passwords.
Therefore, choose a password based on how important it is to secure the account, but also on how likely it is that someone will try to crack it. The mobile’s passcode is not an account on an online service, and whoever wants to crack it must get hold of the phone itself. If you have an iPhone, Apple has also helped you: passcodes must be tried directly on the phone, and otherwise the encrypted data would have to be decrypted with the actual encryption key, which is so long that the world’s combined computing capacity could not crack it in a hundred years.
If you use a password manager, it is actually its password that should be really long. Facebook, Google and other large services have limits on how often someone can test passwords, so super-secure passwords are not needed there either.
How often should you change your password?
Here’s a little secret: Password Change Day is not needed for those who already have secure passwords.
The purpose of the day is to make people think about their passwords and, hopefully, change insecure ones to safer ones. But if you have a password like “super filling tomato” that you have committed to memory and don’t forget, changing it is simply unnecessary. Several well-known security experts, including Gene Spafford at Purdue University and Bruce Schneier, have written about this. Microsoft has also investigated the matter.
The exception is if the service the account belongs to has been hacked, or if you have other reason to believe that the database with your account information may have been leaked. Then you should change it immediately. The same applies if your computer has been infected by malware, since malware may include a keylogger that can read your passwords.
Use two-step verification
Our final piece of advice is to use two-step verification or two-factor authentication whenever that option is offered. This means that your password does not have to be as bombproof because it is not enough to access the account, and that you get some protection if and when the service in question is hacked.