Hacker defense: “strong” passwords

Written By Allen Shaw

Based on responses to yesterday's email, I want to drill down a little on "strong passwords".

If you Google a little bit, you'll find lots of advice about what constitutes a strong password.

You'll see assertions like, "A strong password is at least 16 characters long and contains a random mix of upper and lower case, numbers, and punctuation."

Obviously, that is simplistic.

Strength is relative.

My coffee table is strong enough to hold a few books and a glass or two of iced tea. It probably would not hold up under seven dancing teenagers, however cool they think it might be to try.

So you could ask, how strong is "strong enough" for your staff website logins? You could get into a long and tedious debate about that with your security geek friends, if you wanted.

Fortunately, you don't have to do that. Consider:

  • If it's easy to remember in your head, it's probably easy for the bad guys to guess it.

  • So, admit that it should be complex enough that you can't remember it.

  • So, it might as well be at least 16 characters long and contain a random mix of upper and lower case, numbers, and punctuation.

  • Use a password safe to store it, and you get most of the convenience of an easily remembered password, without the liabilities of an easily guessed one.

If you need help generating those passwords, there are lots of tools to help you:

  • Your password safe probably has a feature to do that.

  • WordPress will always offer you such a password as a starting point when you attempt to change your password.

  • There are many free tools online, like this one, that will generate random strings just like this.

Here's the thing:

The criminals who want to abuse your site have been refining their tools for decades.

You are surely far behind them, and weak passwords are very likely the weakest link in your defense.

Remember that security and convenience are trade-offs.

If you want to keep the bad guys from abusing your site —and your constituents’ personal information — the smart choice is to trade off a little bit of inconvenience for a significant increase in security.

All the best,
A.

Allen Shaw
Previous

“Why” is more valuable than “how”
Next

Another hacked site