As far as made-up holidays go, “World Password Day” doesn’t quite have the same cachet as, say, Father’s Day, or even National Pancake Day (March 8th). Still, it’s as good an excuse as any to fix your bad passwords. Or better yet, to finally realize that the password you thought was good still needs some work.
By now you know the basics of password security. Don’t write them down, get a password manager, use two-factor authentication whenever possible, and don’t use anything that’s easily guessable. (Looking at you, “111111” crowd).
All of that advice still stands, and you should keep it up. Nice work! But now it’s time for an advanced beginner course. WIRED asked a field of password security experts for their favorite unexpected advice, the best practices that might save you the most headache in the long run. Here are seven tips and tricks to keep your digital locks secure.
1. Think Length, Not Complexity
“A longer password is usually better than a more random password,” says Mark Burnett, author of Perfect Passwords, “as long as the password is at least 12-15 characters long.”
In fact, a long password that comprises only lower-case letters can be more beneficial than crafting just the right combination of alphanumeric gibberish. “Usually all it takes is a password just two characters longer to make up for a lack of other types of characters such as upper-case, numbers, or symbols,” says Burnett.
In other words, the time spent making your password look like Popeye cursing would be better applied toward typing two more (easier to remember) plain ol’ letters.
2. Keep It Weird
That’s not to say you should be content with “111111111111111.” Longer is always better, but that length yields diminishing returns if you’re not still mixing it up.
“We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you at just as much risk of having your identity stolen by hackers,” says Morgan Slain, CEO of SplashData, a password management company that puts out an annual list of that year’s worst passwords.
Slain also suggests avoiding common sports and pop culture terms—Star Wars phrases were especially popular last year—regardless of length. The more common a password is, the less secure it will be, so go with something no one else would (ideally, a random string).
3. Don’t Bunch Up Your Special Characters
Many password input fields now require you to use a combination of upper case and lower case letters, numbers, and symbols. That’s fine! Just keep them separated.
“Put your digits, symbols, and capital letters spread throughout the middle of your password, not at the beginning or end,” says Lorrie Faith Cranor, FTC Chief Technologist and Carnegie Mellon computer science professor. “Most people put capital letters at the beginning and digits and symbols at the end. If you do that, you get very little benefit from adding these special characters.”
It’s that “most people” part that gets you in trouble. “It’s about predictability based on how many people do it,” says Cranor. Avoiding front- or backloading your passwords with special characters also gives you a lot more real estate to work with, which creates a bigger bottleneck for anyone trying to break in.
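Tips 1 through 3 can be turned into a quick self-check. The script below is an added example written for this article, not code from WIRED or any of the quoted experts. It computes the naive search-space estimate log2(alphabet size ^ length), which is an upper bound that only holds for a randomly chosen password, and then flags the predictable shapes the experts describe: repetition and sequential runs (tip 2), and capitals only at the front or digits and symbols only at the end (tip 3). The function names and the warning thresholds (runs of four, repeats of three) are my own choices.

```python
import math
import re
import string

# Character classes for the naive search-space estimate.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def naive_entropy_bits(password):
    """log2(alphabet ** length), the alphabet being the union of the classes
    the password actually uses. This is an upper bound that only holds for
    randomly chosen passwords; it says nothing about patterned ones."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def _has_run(s, run):
    """True if `run` consecutive characters step by +1 or -1 (1234, dcba)."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def structural_warnings(password):
    """Flag the predictable shapes from tips 2 and 3; each one shrinks the
    real search space far below the naive estimate."""
    warnings = []
    # Tip 2: length bought with repetition or runs is not length at all.
    if len(password) >= 6 and len(set(password)) <= 2:
        warnings.append("repeated characters")
    if re.search(r"(.+?)\1{2,}", password):
        warnings.append("repeating pattern")
    if _has_run(password, 4):
        warnings.append("sequential run")
    # Tip 3: a capital only at the front, and digits/symbols only at the
    # back, are exactly the positions guessing tools try first.
    if password[:1].isupper() and not any(c.isupper() for c in password[1:]):
        warnings.append("only capital is the first character")
    specials = [i for i, c in enumerate(password) if not c.isalpha()]
    tail = list(range(len(password) - len(specials), len(password)))
    if specials and len(specials) < len(password) and specials == tail:
        warnings.append("digits/symbols only at the end")
    return warnings


def evaluate(password):
    return {
        "length": len(password),
        "naive_bits": round(naive_entropy_bits(password), 1),
        "warnings": structural_warnings(password),
    }


if __name__ == "__main__":
    # Constructed sample passwords, including the article's "111111..." case.
    for pw in ["Password1!", "111111111111111", "Tr0ub4dor&3", "a" * 16, "Pa5sw0rd&Tree"]:
        print(pw, evaluate(pw))
```

Sixteen random lowercase letters score about 75 bits on the naive estimate, against about 72 for an eleven-character password that uses all four classes, which is the direction of Burnett's point; the warnings are what separate a genuinely long password from fifteen ones.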
4. Never Double Dip
You’ve followed every password recommendation, down to the last &$@. It would take years for someone to crack. Your password is so good, in fact, and took so long to memorize, that you’ve decided to use it on a couple of accounts.
This is bad!
“Even if you have an ‘unimportant’ password and an ‘important’ password tier, it’s very unsafe,” says Joe Siegrist, VP and GM of popular password manager LastPass. “It makes it way too easy for a hacker to attack one site and get your password to all the others.”
The main point here, really, is that your passwords are only as secure as the sites to which you entrust them. If you don’t want to pay dearly for someone else’s mistake, limit the potential fallout by using a unique password everywhere. Or, you know, skip the whole thing and use a password manager.
5. Don’t Change Them So Dang Often
We’ve touched on this before, but it’s counterintuitive enough that it bears repeating: Don’t change passwords every month. And if you’re an IT admin, don’t force your employees to.
“Admins who set password policies are better off requiring longer passwords and letting users keep them for longer, rather than requiring them to change passwords every one or two months,” says Burnett. “This encourages users to have stronger passwords and avoids simple schemes like incrementing a number at the end of the password each time they have to reset it.”
Passwords are hard. They should be! But it’s better to go through the trouble of making one good one, and sticking with it, than to expect to be able to turn over that many special characters more often than you do the pages on a wall calendar.
“Frequent password changes are largely a waste of time,” says Microsoft Research security expert Cormac Herley. “There’s no evidence that password changes improve outcomes.”
6. Take the Panic Down a Notch
You’re right to do everything you can to make your password as safe as possible. But it might also help to remember that most people don’t need a digital Fort Knox. A digital combination lock should do just fine.
“Ignore the stories about attackers doing billions of guesses and saying that the average password can be guessed in under a second: your bank is not going to allow an attacker to try 100 billion guesses,” says Herley. “For your web passwords you mostly have to worry about withstanding a few thousand guesses.”
Yes, that’s still a lot of guesses. But if anything, it’s a reminder that if you do commit to password best practices, the bad guys are probably going to move right along.
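Herley's point rests on the difference between an attacker running guesses against a stolen hash database offline, where the only limit is hardware, and guessing through a live login form, where the site sets the budget. The following is an added example of the server-side budget, written for this article rather than taken from it or from Herley: a per-account sliding-window throttle on failed logins, plus a function that computes the guess budget such a policy leaves. The class and function names and the policy numbers (five failures per fifteen minutes) are assumptions, not anything a particular bank uses.

```python
import time
from collections import defaultdict, deque

# Assumed policy: at most MAX_ATTEMPTS failed logins per account inside any
# WINDOW_SECONDS span; further attempts are refused until the oldest failure
# ages out of the window.
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 15 * 60


class LoginThrottle:
    """Per-account sliding-window limiter on failed password attempts."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allowed(self, account, now=None):
        """May this account attempt a login right now?"""
        now = time.time() if now is None else now
        self._prune(account, now)
        return len(self._failures[account]) < self.max_attempts

    def record_failure(self, account, now=None):
        now = time.time() if now is None else now
        self._failures[account].append(now)

    def record_success(self, account):
        # A correct login clears the counter so a legitimate user is not
        # locked out by their own earlier typos.
        self._failures.pop(account, None)


def max_guesses(max_attempts, window, period):
    """Upper bound on guesses anyone gets against one account over `period`
    seconds when each window of `window` seconds allows `max_attempts` failures."""
    return max_attempts * (period // window)


if __name__ == "__main__":
    t = LoginThrottle()
    for i in range(6):   # constructed burst of six wrong guesses in a row
        if t.allowed("alice", now=1000 + i):
            t.record_failure("alice", now=1000 + i)
            print("attempt", i + 1, "checked")
        else:
            print("attempt", i + 1, "refused")
    print("guesses per day:", max_guesses(MAX_ATTEMPTS, WINDOW_SECONDS, 86400))
```

With these numbers one account can absorb 480 wrong guesses a day, which is the "few thousand" scale Herley describes over a week, not the billions quoted for offline cracking; the same throttle is also the signal to alert on, since legitimate users rarely hit it.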
7. Layer Up
When deployed properly, passwords are pretty good. They’re much better, though, as part of an overall plan of attack. This goes double for those on the admin side of the aisle.
“Don’t rely on passwords alone!” says Neil Wynn, a senior research analyst at Gartner who focuses on business security. “Passwords should not be considered sufficient for anything other than the lowest-risk applications.”
Instead, Wynn suggests adding a layer of more robust authentication, like cryptographic credentials, or a biometric identifier (think fingerprint scanner).
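One concrete form of the extra layer Wynn describes is a time-based one-time code from an authenticator app. The block below is an added example for this article, not code from Gartner or any vendor named in it: it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library and a login check that requires both the password and the current code, so that a leaked password alone is not enough. The record format, the PBKDF2 iteration count, and the function names are my own assumptions; the test secret is the one published in the RFCs.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: the counter is the number of `step`-second intervals
    since the Unix epoch at time `at`."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=30, digits=6, skew=1):
    """Accept the code for the current step and `skew` steps either side to
    tolerate clock drift; compare in constant time."""
    counter = at // step
    matched = False
    for d in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, counter + d, digits), code):
            matched = True
    return matched


def make_user_record(password, totp_secret):
    """Store a salted PBKDF2 hash of the password alongside the TOTP secret.
    (The secret is what the user's authenticator app was enrolled with.)"""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "hash": digest, "totp_secret": totp_secret}


def login(record, password, code, now):
    """Both factors are always evaluated; success requires both."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], 200_000)
    pw_ok = hmac.compare_digest(candidate, record["hash"])
    code_ok = verify_totp(record["totp_secret"], code, now)
    return pw_ok and code_ok


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    rec = make_user_record("correct horse battery staple", secret)
    print("code at T=59:", totp(secret, 59))          # 287082 per RFC 6238
    print("password + code:", login(rec, "correct horse battery staple", totp(secret, 59), 59))
    print("password only:", login(rec, "correct horse battery staple", "000000", 59))
```

The skew window is the usual trade-off: one step either side keeps phones with slightly wrong clocks working, while a wider window hands a guesser more valid codes per attempt, so pair it with the same failed-attempt throttling used for passwords.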
Adding a layer of protection makes sense, but it also has potential ancillary benefits that aren’t quite so obvious.
“By adding [extra authentication], a company could have a less strict password policy, like fewer characters or requiring password changes less frequently,” says Jackson Shaw, Senior Director of Product Management for Dell Security.
Which, hey! As great as an airtight password is, anything that makes them a little easier to achieve is more than welcome.