
For Password Security, Longer Is Better

Remember when experts were advising us to create complex passwords that contained a mix of capital and lowercase letters, numbers, and special characters like dollar signs and question marks?

Well, a recent series of studies from Carnegie Mellon University shows that those nonsensical and nearly impossible to remember passwords are no safer than long “passphrases” of 16 to 64 characters. In other words, a long but straightforward password such as “passwordsaresuchabigpain!” is likely to be at least as secure as a shortened version like “pwsRpain!”

Now, you may not relish having to type in up to 64 characters, but at least you’re more likely to remember a long passphrase. And if you can remember your passwords, you’re less likely to reuse them or write them down on a piece of paper or in a file on your computer—actions that put you at further risk of identity theft.

Of course, there are some catches. You still need a unique password for each site you use, from your email and social media to online shopping accounts and especially your online banking and financial accounts. In addition, your passwords should not be easy for hackers to guess. Using downloadable libraries, hackers can quickly identify common phrases such as clichés and idioms, popular song lyrics, and well-known quotes from TV shows or movies. You can run an online search for your passphrase and see if the search engine auto-completes it. If so, it’s a popular phrase and you should avoid it.
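The two rules above (16 to 64 characters, and no well-known phrases) can be expressed as a signup-time check. The following is an added example, not code from the article or from IDX; the function names and the three-entry phrase list are constructed for illustration, and a real screen would load a much larger list.

```python
import math
import re
import string

MIN_LEN, MAX_LEN = 16, 64  # passphrase length range cited in the article

# Constructed sample entries. A real screen would load a large corpus of
# leaked passwords, idioms, lyrics and quotes (assumption, not from the page).
COMMON_PHRASES = [
    "may the force be with you",
    "a penny saved is a penny earned",
    "to be or not to be",
]


def normalize(text):
    """Lowercase and drop everything except letters and digits, so spacing,
    punctuation and capitalisation cannot hide a well-known phrase."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


BLOCKLIST = {normalize(p) for p in COMMON_PHRASES}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def brute_force_bits(password):
    """Upper bound on blind brute-force cost: length * log2(alphabet size),
    counting only the ASCII character classes the password actually uses.
    A phrase-list attack ignores this bound, hence the blocklist check."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_passphrase(password):
    """Return a list of policy problems; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    elif len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    squashed = normalize(password)
    if any(phrase in squashed for phrase in BLOCKLIST):
        problems.append("contains a well-known phrase")
    return problems


if __name__ == "__main__":
    for pw in ("pwsRpain!", "passwordsaresuchabigpain!",
               "May the Force be with you!!"):
        print(f"{pw!r}: {brute_force_bits(pw):.0f} bits, {check_passphrase(pw) or 'ok'}")
```

The bit figure is only a ceiling for blind guessing: the movie quote scores high on it and is still rejected, because phrase lists are tried first.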

Another hitch is that some sites still limit passwords to 16 characters or fewer and require you to include a mix of upper and lowercase letters, numbers, and special characters. That may change if research continues to show the security of long passphrases, but for now some sites may force you to continue using short, complex passwords.

If you’re not sure how strong your passwords are or want to compare the security of your shorter passwords with that of longer passphrases, you can test them here. A unique feature for IDX Identity members will also let you know if your current (or proposed) password has been exposed on the Internet or Dark Web, indicating that it’s not a safe bet.

And if all of this makes your head spin, and you’d prefer not to worry about remembering any passwords, there are password managers and other solutions available to ease your password pain.

—————
Originally published: November 13, 2016
