We all need passwords. They are by far the most used form of authentication, not only on the internet but also on the telephone, at the cash machine, for opening the safe, and even to take books out of the library.
Bad advice about passwords is easy to come by. Many institutions, especially banks and government departments, are notorious for arbitrarily restricting passwords. The reasons for doing so may be of varying nature.
- To educate the user: Some institutions want to raise awareness for more secure passwords by forcing you to use complex passwords, e.g., with a certain minimum length or special characters.
- A result of poor security practices: Many sites still store their passwords in plaintext, meaning they have to restrict the types of characters and lengths of passwords of their users.
- False impressions of security threats: One commonly used tactic to extract data from SQL databases is an SQL Injection. An attacker will parse a command to the web form, which is then executed as a program instead of entered like a password. Protections against such attacks are trivial, but many sites will instead exclude characters that could be used in an SQL injection from allowed passwords.
- Bad or outdated advice: Our understanding of passwords, as well as the systems we use to secure them has changed dramatically over the past twenty years. Sadly, not all live systems reflect this.
As a rule of thumb, it is probably a good idea to be suspicious of any site that places restrictions on your password other than a minimum length, as there are no good reasons to.
Major misconceptions we commonly read about
1. Passwords are secure
Passwords are not insecure compared to all of the other options such as phone numbers, government ID, or biometrics. But they are still the top authentication method, especially when enhanced with two-factor authentication. But be careful, not all two-factor techniques are the same!
Here is what we expect from a good password:
- It is strong, meaning it can’t be guessed through bruteforcing
- It is unique, meaning it hasn’t been used anywhere else
- It is transmitted over a secure channel, i.e., a proper HTTPS connection, by a user aware of phishing
2. Passwords don’t have a maximum length
When handled properly, passwords can be as long as they need to be. A service would usually hash and salt your password and only store the hash, meaning there’s no need to worry about the length. Although your password becomes exponentially more secure the longer it is, 17 characters or more is generally enough. But if you are encrypting highly sensitive data, for example, your personal files or Bitcoin wallet, you are better off with 23+ characters.
3. All that matters is the length
As the ExpressVPN password generator demonstrates, a password becomes much more secure with added length than it does with more diverse characters.
4. Passwords can include anything
While not all sites might accept them, your password can literally be anything. No matter if it’s non-Latin script, rarely used Unicode, or even emojis, if you can type it, it’s a valid password.
Use the ExpressVPN password generator to create unique and random passwords. You can also use it to get a feeling for how long or random a password should be, or how adding new characters changes the security of your password.
5. Passwords are not supposed to be memorable
There’s really no need to remember more than two or three passwords—because there’s an app for that.
Password managers are a great example of how security tools can make your life safer and more convenient and will generate and store secure and strong passwords without you having to worry about remembering them, ever. Some will even automatically fill your passwords into your websites, protecting you from phishing or accidentally typing them elsewhere, like your Facebook status, for instance.
The only passwords you should have to remember are the password to your computer and the one for your password manager.
6. Passwords are not on their way out
While there may be many attempts to replace the password with something else, we currently have no idea how to do that securely.
Biometrics like facial recognition or fingerprints hugely lack in security, and while they may be useful in identifying you, they are not useful for authentication. Asymmetric cryptographic keys could be part of a way of a new system, but they might still be susceptible to man-in-the-middle or phishing attacks.
Don’t worry, it’s easy to mitigate password hack risk
The internet might sometimes seem like a scary place, but with some caution, common sense, and some helpful tools, it is easy to avoid even the most serious of threats.
- Make sure your computer and phone are always up to date
- Use a password manager to store strong and unique passwords
- Exercise caution when clicking links in emails or sites. Save sites you commonly visit as a bookmark
