A question that we get asked regularly is “how secure is my password” and there unfortunately is no simple answer, however it is possible to figure out roughly how vulnerable you might be. There are some simple rules that we should follow when it comes to password creation and I’ve listed these below:

  1. make sure your passwords are at least 16 characters long
  2. use a different password for each service you use
  3. ensure that your password is not based on a dictionary word (in any language) or indeed any word that might be easy to guess
  4. ensure that your password contains a variety of uppercase and lowercase letters, numbers and also special characters such as $ % and * for example
  5. change your passwords every 3 months

Thats actually quite a daunting list but according to tools online such as http://random-ize.com/how-long-to-hack-pass/ my newly created password that fits all the above criteria might take 420,805,123,888,006 years and 6 months to crack. Thats a long long time but even thats not stricty accurate and I may discuss this in a future blog article, but simply mention “Moores Law” or more the death of Moores Law and the advent of Quantum Computing. As a comparison the password “password” can be guessed within 1 minute and 13 seconds, and thats if the computer doing the guessing isn’t cycling through commonly used passwords first.

If we consider that the only way we’re likely to remember these passwords is to use a piece of software such as a bespoke password manager, or even the web browser itself as many of them offer the ability to remember passswords or perhaps spreadsheet then ideally we should also be password protecting this source too, in case our computer gets hacked and vital data is exposed to the hacker. We could write them all down on a piece of paper and file that away, however my writing is atrocious and did I write a “1” or an “l”, a “O” or a “0”.

The more pressing issue is remembering all these passwords for each and every service. If we were to follow the above 5 points then I expect that we would be continually requesting password reminders. But is that really such a bad thing? After all if we’re asking for a password reset every time we need to log in, we’re potentially fulfilling point 5 while of course fulfilling all the other points as well?