Are Weak Passwords Putting Your Business At Risk?

You've probably been told multiple times the little pearl of wisdom that your password should be complex.

It's true. A more complex password is harder for somebody to crack with a brute-force attack (guessing over and over and over), but what does that really mean in practice?

Conventional wisdom over the last few years has said that "complex" means a password that looks complex to you, the human who has to type it.

When you’re logging into your bank, for example, they probably have something similar to this: It has to be 8 characters, have an uppercase letter, a lowercase letter, a number, and a special character. And, hey, their heart’s in the right place.

They know that some people (probably not you, right?) would just use something like “password” if given the choice. What’s to stop you from using “Password!1” though?

This is the problem. Those password rules were written to force a bare minimum of complexity, and a bare minimum is exactly what people give them.

The deeper problem is that those rules push us into doing something unnatural for our brains. We are really good at remembering patterns. A phone number, for example, is 10 characters, and we can hold onto it without much trouble (maybe less than we used to, but you get the idea). But a weird format that we're not accustomed to using?

Yeah, we can only hold onto a handful of those in our heads. So what do you do? Maybe use the same password (or minor variations of it) across all the things that need passwords?

You know you're not supposed to, but there are just so many you have to remember. Well, hackers know that too, and if they get hold of one of your passwords, it's the first thing they'll try on your other accounts (this is called credential stuffing, and it is fully automated). But let's circle back to complexity and pattern recognition. Look at the image above (sorry folks, these aren't my real passwords).

Which one of these is easier for you to remember? The sentence, and it's not even close. To a person, that's only 6 things to remember, and pattern recognition does the rest: every one of those things is a word we already know.

The orange password is 8 things to remember, and there's no pattern to latch onto. But to a computer, the green password is 35 characters to the orange's 8, and the guessing work grows with every character the attacker has to get right.

If you're curious about the cracking times in the image, a billion is a 1 with 9 zeros behind it. A quattuordecillion is a 1 with 45 zeros (a span of years unimaginably longer than the age of the universe). One caveat: a passphrase gets its strength from how many words an attacker has to guess out of a list of possible words, not from the raw character count, so a famous quote or song lyric gets none of that benefit, while a handful of unrelated words gets most of it.
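The comparison above, worked through as an added example (this is not code from the original post): it implements the bank-style complexity rule, shows that "Password!1" sails through it, then estimates the guess space of a random 8-character password against a 6-word passphrase and how long exhaustive guessing takes at an assumed rate. The 94-character alphabet, the 7776-word Diceware list size and the 10 billion guesses per second are assumptions for the illustration, not figures from the article.

```python
import math
import string

# Alphabet for a "must contain upper, lower, digit, special" password:
# 26 + 26 + 10 + 32 printable ASCII punctuation marks = 94 symbols.
SPECIALS = string.punctuation
ALPHABET_SIZE = 26 + 26 + 10 + len(SPECIALS)

# Assumed for the illustration (not figures from the article): the 7776-word
# Diceware list, and 10 billion guesses per second for an attacker cracking
# a fast, unsalted hash offline.
WORDLIST_SIZE = 7776
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def meets_complexity_policy(password: str) -> bool:
    """The bank-style rule: 8+ characters with an uppercase letter, a lowercase
    letter, a digit and a special character. Note that it says nothing about
    whether the password is guessable."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SPECIALS for c in password)
    )


def random_chars_bits(length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Bits of entropy for `length` characters chosen uniformly at random from
    the alphabet. This is the best case for a rule-based password; a human-chosen
    one like 'Password!1' is far weaker because attackers try such patterns first."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Bits of entropy for `word_count` words chosen uniformly from a word list the
    attacker is assumed to know. Each word adds log2(wordlist_size) bits regardless
    of its length, so the character count (35 vs 8) is not what matters; the number
    of independent choices is."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate in a space of 2**bits at the given rate.
    On average the right one turns up halfway through."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(char_length: int = 8, word_count: int = 6) -> dict:
    """Side-by-side figures for the two styles shown in the image above."""
    c_bits = random_chars_bits(char_length)
    w_bits = passphrase_bits(word_count)
    return {
        "chars": {"bits": round(c_bits, 1), "years": years_to_exhaust(c_bits)},
        "words": {"bits": round(w_bits, 1), "years": years_to_exhaust(w_bits)},
    }


if __name__ == "__main__":
    for pw in ("password", "Password!1", "x7#Qm2!kL"):
        print(f"{pw!r}: passes policy = {meets_complexity_policy(pw)}")
    for style, figures in compare().items():
        print(f"{style}: {figures['bits']} bits, {figures['years']:.3g} years to exhaust")
```

Under these assumptions the 8-character password is exhausted in about a week (roughly 52 bits), while the 6-word passphrase takes on the order of hundreds of thousands of years (roughly 78 bits), even though the attacker is credited with knowing the word list. Swap in a slow, salted hash like bcrypt or Argon2 and both figures grow by several orders of magnitude, which is why how a site stores passwords matters as much as how you choose them.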

What can you do?

Here is a simple 3-step formula to follow:

STEP 1: Evaluate password hygiene within your business. See how your team uses passwords, evaluate their complexity and reuse, and find out whether any of them are already at risk of being exploited. One easy way to find out which passwords are at risk is to perform a cyber hygiene assessment.

STEP 2: Remind your team that passwords still matter. Get them to experience what they put at risk with reused or flimsy passwords.

STEP 3: Rinse and repeat. Unless you keep inspecting and getting your team to re-evaluate their password hygiene, you will repeat this history of bad passwords. It is human nature to underestimate risk, and unless you remind your team about password risks and show them why good passwords matter, they will drift back to bad habits.
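A minimal version of the Step 1 check, as an added example that is not from the article or from any particular assessment product: it flags passwords that appear in a breached-password set and passwords reused across accounts. The breach lookup uses the k-anonymity range scheme popularised by the Pwned Passwords service, where only the first five hex characters of a SHA-1 hash are sent to the lookup side and the "SUFFIX:COUNT" lines that come back are matched locally. The account list and breach counts are constructed sample data and the range index is built in memory, so nothing leaves the machine; in a real assessment you would query a live corpus and audit the directory's password hashes rather than plaintext.

```python
import hashlib
from collections import defaultdict

# Constructed sample data, not from the article: a handful of passwords with
# made-up breach counts standing in for a real breached-password corpus.
BREACHED_SAMPLE = {
    "password": 3_861_493,
    "Password!1": 1_042,
    "Summer2023!": 88,
}

# Constructed sample data: which password each account in the business uses.
# A real audit would work from the directory's password hashes, not plaintext.
ACCOUNTS = {
    "alice@bank": "Password!1",
    "alice@mail": "Password!1",
    "bob@crm": "Summer2023!",
    "carol@vpn": "purple otter stapler fog violin",
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the hash the range lookup is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Group breached hashes by their first 5 hex chars, each group rendered in the
    'SUFFIX:COUNT' line format that k-anonymity range lookups return. Here the
    data is local and constructed; no network request is made."""
    groups = defaultdict(list)
    for pw, count in breached.items():
        h = sha1_hex(pw)
        groups[h[:5]].append(f"{h[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in groups.items()}


def breach_count(password: str, range_index: dict) -> int:
    """How many times the password appears in the breached set. Only the 5-char
    prefix is used to select a range; the full hash never leaves this function."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_index.get(prefix, "").splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def find_reuse(accounts: dict) -> dict:
    """Map each password used by more than one account to the accounts sharing it."""
    by_password = defaultdict(list)
    for account, pw in accounts.items():
        by_password[pw].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def audit(accounts: dict, range_index: dict) -> list:
    """Return (account, finding) pairs for breached and reused passwords."""
    findings = []
    reused = find_reuse(accounts)
    for account, pw in accounts.items():
        n = breach_count(pw, range_index)
        if n:
            findings.append((account, f"seen {n} times in breach data"))
        if pw in reused:
            others = [a for a in reused[pw] if a != account]
            findings.append((account, f"reused on {', '.join(others)}"))
    return findings


if __name__ == "__main__":
    index = build_range_index(BREACHED_SAMPLE)
    for account, finding in audit(ACCOUNTS, index):
        print(f"{account}: {finding}")
```

The point of the prefix scheme is that the lookup side learns only that one of hundreds of hashes sharing a five-character prefix was of interest, never which one, so the check can be run against a third-party corpus without handing over the password or its full hash. Findings like "Password!1 seen 1042 times" are the concrete evidence Step 2 asks you to put in front of the team.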