We’ve already shared 5 concrete steps to improve your security, in light of recent events. With mobile privacy being in the spotlight, I want to build on that by discussing “What’s wrong with your pa$$word,” a TEDTalk given by security researcher Lorrie Faith Cranor in March.
“… A smart attacker, on the other hand, does something much more clever. They look at the passwords that are known to be popular from these stolen password sets, and they guess those first.”
Now, it might not be as surprising today as it was last week, but your password likely isn’t as good as you think it is. Don’t worry, this isn’t your fault. Cranor says that most password meters (the software that ranks how strong your password is when you’re setting up a new account online) today are too soft. The most effective password meters are the ones that make people work a little longer before giving approval. Here are a few things that would make your password stronger:
(Updated with some key points – see bottom of post)
1. Make it memorable, but not personal
Everyone understands the memorable part. Obviously, you need to remember the password or else you’re locked out like everyone else. What is also important to remember is that you can’t make it too personal. While this makes it easier to remember, it makes it easier to guess and no one needs that.
One tip we shared in our earlier blog was creating a password from the first letter of words in the title of a favorite song. In Matt Young’s case, that was Meatloaf’s song, “I Would Do Anything For Love (But I Won’t Do That).” You can even use the parentheses. It would look like this: IWDAFL(BIWDT). To add in numbers and an extra special character, substitute the number “1” for “I” and a “+” for “T” and you end up with 1WDAFL(B1WD+).
2. More is more
Short is sweet but, in this case, size matters. It might be easier to remember a shorter password but think of it as a numbers game: each character in your password could be one of 26 lowercase letters, 26 uppercase letters, 32 symbols, or 10 digits, totaling 94 possibilities.
Simply put, more characters are better. Each additional character multiplies the possible outcomes by 94. A 4-character password has over 78 million possibilities, while 6 characters have 689 billion different possible outcomes. Nowadays, 8 or 10 characters are recommended to ensure a password’s strength. Using 10 equals over 52 quintillion possibilities (that’s 52 followed by 18 zeroes).
3. Break the norm
Make sure to use your full arsenal of characters. Like the first point stated, you can interchange characters. Replace various letters with numbers or other characters. This adds variety to your password and decreases the chances of anyone guessing it. Even a long password is easy to guess if it sticks to plain dictionary words.
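To tie points 1 through 3 together, here is an added example (written for this post, not code from the talk or from BlackBerry) of a stricter password meter of the kind Cranor describes. It builds the song-title mnemonic from point 1, rejects anything on a list of known-popular passwords (a small constructed stand-in for real leaked lists), enforces a minimum length, and counts character classes. The minimum length of 10 and the requirement of 3 character classes are assumed policy values, not something the talk specifies.

```python
import string

# Constructed stand-in for the "known to be popular" passwords Cranor describes;
# a real meter would load a large leaked-password list instead.
POPULAR_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "meatloaf",
}

# The two swaps used in the post: "1" for "I" and "+" for "T".
POST_SUBSTITUTIONS = {"I": "1", "T": "+"}

# Assumed policy values (not from the post): minimum length and character classes.
MIN_LENGTH = 10
MIN_CLASSES = 3

CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def mnemonic(phrase, substitutions=None):
    """Take the first letter of each word in `phrase`, keep any surrounding
    parentheses, and apply optional single-character substitutions."""
    substitutions = substitutions or {}
    pieces = []
    for word in phrase.split():
        letters = [c for c in word if c.isalpha()]
        if not letters:
            continue
        first = substitutions.get(letters[0], letters[0])
        opening = "(" * (len(word) - len(word.lstrip("(")))
        closing = ")" * (len(word) - len(word.rstrip(")")))
        pieces.append(opening + first + closing)
    return "".join(pieces)


def classes_used(password):
    """Names of the character classes that appear in `password`."""
    return [name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)]


def rate_password(password):
    """Return a list of reasons the password is weak; an empty list means it passes."""
    problems = []
    if password.lower() in POPULAR_PASSWORDS:
        problems.append("appears in the popular-password list (guessed first)")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = classes_used(password)
    if len(used) < MIN_CLASSES:
        problems.append(f"uses only {len(used)} character class(es): {', '.join(used)}")
    return problems


if __name__ == "__main__":
    title = "I Would Do Anything For Love (But I Won't Do That)"
    plain = mnemonic(title)                       # IWDAFL(BIWDT)
    swapped = mnemonic(title, POST_SUBSTITUTIONS)  # 1WDAFL(B1WD+)
    for candidate in ("Meatloaf", plain, swapped):
        verdict = rate_password(candidate)
        print(f"{candidate:16} -> {'ok' if not verdict else '; '.join(verdict)}")
```

Run as a script, it shows why the band name alone fails on all three counts, why the plain acronym still fails the character-class check, and why the substituted version passes.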
4. Browser beware
Although it’s convenient, it isn’t a good idea to have your browser remember all your passwords for you. In the event you lose your laptop or your computer is stolen, all your info is open for the taking. View the hassle of constantly entering your password as reassurance that you’re keeping your data safe. Or consider using a password manager app that encrypts your passwords such as BlackBerry’s Password Keeper app, which protects them with 256-bit encryption.
5. Show some support
Your password can only do so much. It’s a depressing fact but it’s true in today’s tech world. Support your password by turning on two-step authentication wherever it’s offered. Here is a list containing all the sites that have enabled two-step/two-factor authentication.
6. Different strokes for different folks
Again, taking the inconvenient route could be the reason behind saving your data. Using a different password for each site or application you use prevents hackers from using your information from one site to access the rest of your accounts. It might sound crazy, but a password manager app could actually let you do that. And you’d only have to remember one password to get into your password manager!
Consider all the items that you’re likely to store on your smartphone. In the past decade or so, it’s gone from a simple list of contacts and numbers to photos, addresses, banking information, emails, and other passwords. As your mobile phone increasingly becomes the center of your computing world, it only stands to grow as your keeper-of-information. Getting into the habit of building stronger passwords matters today more than ever. If I’ve taken away one thing from this TEDTalk and the news cycle of late, it is that mobile security matters, and that’s not changing anytime soon.
Note: After writing this, I have learned from our resident security evangelist, Alex Manea, that the majority of my points refer to security systems that allow infinite password attempts. While my points are correct, with BlackBerry, the rules are completely different. BlackBerry will only allow 10 attempts. Because of this, a password doesn’t necessarily need to be long or strong. It just needs to be hard to guess.
Alex gave an example. If you had to guess a simple password (4 characters, all lowercase letters, no numbers or symbols) on a BlackBerry in 10 tries, your chances would be less than 0.003%. After that, the device would wipe and you wouldn’t have access to any of the data.
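The arithmetic behind point 2 and behind Alex’s lockout example is the same calculation seen from two sides, so here is an added example (not from the post or from BlackBerry) that does both: it computes the 94-to-the-power-of-length keyspace from point 2 and the chance that a capped number of guesses hits a randomly chosen password, which is what a 10-attempt wipe limit buys you. The alphabet sizes are the post’s own (26 + 26 + 10 + 32); the 10-attempt limit and the 4-lowercase-letter example are taken from the addendum; everything else is assumed for illustration.

```python
from fractions import Fraction

# Character classes as counted in the post: 26 lowercase + 26 uppercase
# + 10 digits + 32 symbols = 94 possibilities per character.
LOWERCASE, UPPERCASE, DIGITS, SYMBOLS = 26, 26, 10, 32
FULL_ALPHABET = LOWERCASE + UPPERCASE + DIGITS + SYMBOLS  # 94

# Lockout limit from the addendum (device wipes after this many attempts).
BLACKBERRY_ATTEMPTS = 10


def keyspace(length, alphabet_size=FULL_ALPHABET):
    """Number of distinct passwords of exactly `length` characters
    drawn from an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def guess_probability(length, alphabet_size, attempts):
    """Exact chance that `attempts` distinct guesses include one uniformly
    chosen password of the given length (capped at 1 when the keyspace
    is smaller than the attempt budget)."""
    space = keyspace(length, alphabet_size)
    return Fraction(min(attempts, space), space)


def expected_guesses(length, alphabet_size):
    """Average guesses needed with no lockout at all: sequential guessing
    finds a uniformly chosen password after (N + 1) / 2 tries on average."""
    return Fraction(keyspace(length, alphabet_size) + 1, 2)


def percent(fraction):
    """Render a Fraction as a percentage string for printing."""
    return f"{float(fraction) * 100:.6f}%"


if __name__ == "__main__":
    # Point 2: the keyspace grows by a factor of 94 per character.
    for length in (4, 6, 8, 10):
        print(f"{length:2} chars, full alphabet: {keyspace(length):,} possibilities")

    # Addendum: with a 10-attempt wipe, even 4 lowercase letters are a long shot.
    short_space = keyspace(4, LOWERCASE)
    p = guess_probability(4, LOWERCASE, BLACKBERRY_ATTEMPTS)
    print(f"4 lowercase letters: {short_space:,} possibilities, "
          f"{BLACKBERRY_ATTEMPTS} tries -> {percent(p)} chance of success")

    # Without a lockout the same password falls to unlimited guessing quickly,
    # which is why length and variety matter on systems that never lock.
    print(f"no lockout, 4 lowercase: {expected_guesses(4, LOWERCASE)} guesses on average")
    print(f"no lockout, 10 full-alphabet: {float(expected_guesses(10)):.3e} guesses on average")
```

The printed keyspaces match the post’s 78 million, 689 billion and 52-quintillion-plus figures, and the 4-lowercase-letter case comes out just under 0.0022%, consistent with Alex’s “less than 0.003%”. The last two lines show the other side of the coin: the lockout is what makes the short password safe, and a system without one is where the length and variety advice in points 2 and 3 does the work.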
So, to end this addendum, if this highlights anything, it’s the additional BlackBerry advantage that is its usable security. Alex made a great point, “What would you rather type every time you unlock your phone: ‘avkb’ or ‘1WDAFL(B1WD+)’?”