Australian technology news, reviews, and guides to help you
Australian technology news, reviews, and guides to help you

What makes a good password?

With this week being “Stay Smart Online” week for the Australian government, it’s a perfect time to get some questions answered, so let’s start with one of the most basic questions, delving into what makes a good, strong password.

It’s a topic that is a deep concern for the Pickr team, and should be on the minds of anyone who has an online presence in some form or another.

Whether it’s online banking, your email, Google, Facebook, Twitter, or pretty much anything else you’re required to login at that isn’t exactly browsed passively, the topic of password security is vital.

Remember, this is one of your staple forms of security, and having good password practices will help ensure that not only is there less chance of an individual breaking into your account, but if something dire did happen and the entire website was compromised, a password may not reflect everything you use.

There are two lessons in that one sentence, so let’s tackle them in the order they come: strong passwords and unique passwords, as both are critical to having what many in the security world would consider a “good password”.

Strong passwords

Perhaps the first lesson one needs to get in their head is that of what constitutes a strong password, and these days, it’s a lesson that still isn’t quite understood by most people.

In fact, every year Splash Data releases a “worst password” list to highlight just how bad some passwords are, with the 2015 index revealing some real shockers to gain insights from, as “123456”, “password”, and “12345678” top the list.

You don’t have to be a brain surgeon to work out why these aren’t good passwords, let alone strong, but let’s really look into why.

A password is supposed to be your first line of defence for an account, and that means it should actually be hard to guess, and not just hard for someone who knows you, but also someone who doesn’t.

An online account is worth money — actual dollars and cents — for someone trying to break in, and security experts doing things that may be regarded as nefarious have sophisticated tools designed to guess passwords by entering as many in as quickly as possible and seeing what sticks.

Called a “brute force” tool, these basically include an index of commonly used passwords, and can be employed by anyone to try and break into an account with ease. They’re not new and have been a part of the web for ages, and believe it or not, the worst passwords are by default tested first.

That means if you use “12345678” because you think it’s easier to remember than something strong, you are at risk.

But your memory is probably better than you think, and so remembering a word or phrase that isn’t necessarily connected to the service but still means something to you is a better way to start with strong password.

If you use Facebook just to keep in touch with the kids, the phrase you use for Facebook’s password might be “keeping in touch”, whittled down without the spaces to “keepingintouch” possibly with a number of how many kids you have added to the end, so if you have three, it might be “keepingintouch3”.

In fact, just to make it a little stronger, it’s advisable to use a bit of punctuation, characters which can make it difficult for hacking tools to break in, with many in the security world suggesting that an exclamation point makes everything a little more secure, updating “keepingintouch3” to “keepingintouch3!”.

You can even substitute letters with numbers, punctuation, and other characters, provided the website allows it (some have very old password system and do not), with these substitutes making it even more difficult for someone to break in.

Our demo password of “keepingintouch3!” could shift the case of “k” to “K” while changing out the “o” with a zero to make that password just a little stronger, turning it into “Keepingint0uch3!”.

“The longer the password is, the harder it is to crack,” said Daniel Cran, Managing Director of LogMeIn for Asia Pacific, the company that owns password service LastPass.

“If you need a long password, try using a phrase that makes sense to you – for example, “theyellowrosessmellgoodinsummer”. To add complexity, swap some characters and some a few new ones: “th3Yell0wroses5mell=goodins()mmer,” he said.

Remember, this is about making things hard for others to guess, because it’s your account, and the protection of it is absolutely vital if you plan to stay smart online, so the stronger and more complicated the password — the harder to guess, basically — the better you will be.

“A good password needs three things: it needs to be unique, complex, and it needs to be long,” said Cran.

“It should be different to every other password you have used before, and use a mix of characters – think uppercase, lowercase, symbols and numbers, and avoiding words straight out of a dictionary. A password that combines these characteristics is likely to be very strong.”

Cran highlights an interesting part of the issue, because while one part of equation is obviously strength, uniqueness is a big deal too.

So why are unique passwords such a big deal?


Unique passwords

If you go online to do more than just read the news and surf a few webpages, you likely have lots of accounts on this great big interconnected thing we call the internet.

You could use Google, Twitter, Facebook, Paypal, iTunes, eBay, Outlook, Skype, Dropbox, Adobe, Coles, Uber, Instagram, Pinterest, Yahoo, Myer, Woolworths, and any other number of services that require a login to make the system more useful than just a “read once” system.

These accounts store large quantities of data about us, including what we like, who we are, where we post, and so on, with some even providing access to financial information used for the purchase of goods online. That’s a lot of information that needs to be protected, and the strength of passwords is one factor that always needs to be considered.

But so is individuality, because there is always a risk that someone could break into an account, or worse: that the service you use could have all of its passwords broken into, leaving the passwords exposed.

These days, companies tend to be quite transparent about when situations like this occur, because while it doesn’t necessarily reflect well on them, it’s important to inform customers about this issue so they can reset the passwords accordingly.

Unfortunately, if a password that is shared between services is linked to a specific email or login, there is now a risk that your password could be used for those services, too.

That means good password security practices should include the use of passwords individual to specific services and account logins, applying the strong passwords on an individual case-by-case situation.

While this can make the management of passwords a little complicated by sheer virtue of the fact that we have so many accounts and therefore so many passwords to remember, one of the more interesting ways to keep these passwords easier to recall came from security company AVG, which has previously suggested amending any password with the initials of the service you’re logging in at.

For instance, our previous demo password of “keepingintouch3!” or the more secure variant of “Keepingint0uch3!” could have “fb” attached to the end if it’s just for Facebook, or “twit” as a shortened version of “Twitter” for logging into that service.

Sure, these aren’t complete deviations from the original password, but they do still make the password unique to those services, bolstering security slightly on the site-by-site basis.

Alternatively, there is another way of keeping those complex passwords in a place where you can always get to them.


Password apps and services

Designed specifically for this purpose, passwords apps and services like LastPass, Dashlane, and 1Password offer online services as well as smartphone and tablet apps that synchronise your passwords across devices so they’re always at hand.

Internet security companies have chimed into this area as well lately, adding in the feature provided you have these services linked up in your subscriptions to internet security solutions, which everyone should definitely have if they own a computer (any computer, since both major operating system, Mac and Windows, are both susceptible to security exploits).

Even synchronised web browsers can save passwords for you, with accounts for Opera, Firefox, and Chrome linking passwords across the installations, doing some of this password recollection for you.

The best advice

Overall, the best advice is to do what’s comfortable for you, taking into account that a strong password is the best course of action for having an account — any account — on the internet.

Whether you choose to shake things up with unique passwords or not, at least making sure some passwords are strong is some of the best advice we can offer, and it’s one shared between the experts we ask.

Read next