Good passwords vs bad passwords

We know it’s important to use a good password. But what is the difference between a good password and a bad password?

There are four things that make a really good password, and we need to use all of them. If we don’t, we’re probably going to have a password that doesn’t keep us as safe as we think.

What should we think about when creating a password?

  1. Length
  2. Complexity
  3. Randomness
  4. Memorability

Length

A good password is a long password. The longer the password, the stronger it is. Let’s look at some different lengths and see how long each would take a cybercriminal to crack.

| Password length | Time for someone to crack |
|---|---|
| 6 characters | 5 seconds |
| 7 characters | 6 minutes |
| 8 characters | 8 hours |
| 9 characters | 3 weeks |
| 10 characters | 5 years |
| 11 characters | 4 hundred years |
| 12 characters | 34 thousand years |
| 13 characters | 2 million years |
| 14 characters | 200 million years |
| 15 characters | 15 billion years |
| 16 characters | 1 trillion years |

Times provided by security.org

As you can see, as a password becomes longer, it takes more time for cybercriminals to hack through it.

Have a go on the password-checking tool available at security.org to see how strong your password is.

We should always use a password that is at least 12 characters long.

Complexity

Is using a long password enough? Unfortunately, we can’t rely on just having a long password to keep us safe. Our passwords need to be complex too – we need to have a mix of different things in our passwords. These things are:

  1. Uppercase letters (for example, A B C D)
  2. Lowercase letters (for example, a b c d)
  3. Numbers (for example, 1 2 3 4)
  4. Special characters (for example, £ % & #)

Using a blend of all four of these means that our password is stronger than if we just use one type of character. Let’s look at two examples:

Password 1: AppleShed33Lamp!

Password 2: aaaaabbbbbbccccc

Which do you think is a better password, password 1 or password 2?

Password 1 is the better password, because it is more complex. In fact, according to security.org, it is nearly three million times better!

Many places make you use at least three of the above categories. We should always aim to use at least three, but if we’re asked to use four, we’ll need to use four.

Randomness

We now know we need to use a long, complex password. Do we need to do anything else?

Let’s think about these next two passwords:

Password 1: InvernessCaledonianThistle1

Password 2: SquashMobileEmbargo3

Which do you think is better?

You might think that password 1 is better – it is longer. But what if you are a big Inverness Caledonian Thistle FC fan? What if there were photos of you on your social media wearing their kit, or at the stadium? Or maybe you follow them on social media? Cybercriminals can look for this information and use it to target their password-cracking efforts, making it easier for them to crack your password. This means that password 2 is the better password.

When we make a password, we should make sure we don’t include anything personal. Everything needs to be random. This means we shouldn’t include the following things:

  • Special names, like partners, parents, children, or pets
  • Special dates, or parts of special dates
  • Special places, like where we’ve been on holiday
  • Our addresses, both our current address and any old addresses, or parts of these
  • The place we live, whether it’s the town, county, or country
  • Our favourite teams, bands, and other hobbies
  • Anything else that people might know about us.

When we make a password, we should always use random things. This means we only use things that are not otherwise meaningful.
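
The first three rules (at least 12 characters, at least three of the four character types, nothing personal) can be checked automatically. The Python sketch below is an added example, not part of the original lesson; the function names, the look-alike character map and the list of personal terms are assumptions made for illustration.

```python
# Added example: checks the lesson's first three rules (memorability is a human judgement).
MIN_LENGTH = 12   # "at least 12 characters long"
MIN_TYPES = 3     # "at least three" of the four character types

# Assumption: a small map of common look-alike swaps, so "1nv3rn3ss" is
# still recognised as "inverness".
LOOKALIKES = str.maketrans("013457$@!", "oieastsai")

def character_types(password):
    """Return which of the lesson's four character types are present."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("uppercase")
        elif ch.islower():
            found.add("lowercase")
        elif ch.isdigit():
            found.add("number")
        else:
            found.add("special")
    return found

def personal_terms_found(password, personal_terms):
    """List the personal terms (names, teams, places) hidden in the password."""
    haystack = password.lower().translate(LOOKALIKES)
    return [t for t in personal_terms
            if len(t) >= 3 and t.lower().translate(LOOKALIKES) in haystack]

def check_password(password, personal_terms=()):
    """Return a list of problems; an empty list means all three rules pass."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} characters, need {MIN_LENGTH}")
    types = character_types(password)
    if len(types) < MIN_TYPES:
        problems.append(f"only {len(types)} character type(s): {sorted(types)}")
    hits = personal_terms_found(password, personal_terms)
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    return problems

# Constructed input: what a fan's public social media might reveal.
FAN_TERMS = ["Inverness", "Caledonian", "Thistle"]

if __name__ == "__main__":
    for pw in ["AppleShed33Lamp!", "aaaaabbbbbbccccc",
               "InvernessCaledonianThistle1", "SquashMobileEmbargo3"]:
        print(pw, "->", check_password(pw, FAN_TERMS) or "passes")
```

Passing these checks does not prove a password is random; it only rules out the specific failures this lesson describes.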

Memorability

Is creating a long, complex, random password enough? Nearly – there’s one more thing to think about. Here are two passwords:

Password 1: MangoChaffinchSwings2%

Password 2: M8uY^t4@0jU*9jd67^G$dD

Which do you think is better?

They’re both the same length, they’re both complex, and they’re both random. But one password is better. Try reading each password and then looking away and seeing if you can remember. Is one easier to remember than the other?

Password 1 is easier to remember, and this makes it more secure.

Having a password that we can easily remember is important for security because it means we’re more able to use it. Passwords are important for keeping other people out, but they are also important for letting us in. Although we don’t need to remember every password we use – we’ll look more at this in the next two lessons – we probably will need to remember at least some passwords, such as the login details when we turn on a device, our email passwords, or the verification codes for approving a transaction through a banking app.

The final thing we need to do is to ensure that we create a password that is memorable. So how can we create a memorable password?
