What constitutes a good password?

Password Best Practice
Password Best Practice

I’ve had a few rants (mostly in private at my workplace) recently about what a good password is and how forcing people to change their passwords every 30 / 60 / 90 days actually negatively impacts security. The theory here is that no-one can remember a new good complex password every 30 / 60 / 90 days. This will lead to people being lazy and simply start adding and incrementing digits to the password. I’ve recently posted an article about password policies which you can read here.

So what actually constitutes a good password?

A good password is a complex one. It should be:

  1. Unique – a password should never be shared with other sites. What happens if that site is compromised and all your passwords are the same? It means all your accounts are compromised and you now need to change every password across every service you use.
  2. 15 Or more characters long (more is better). Recent estimates were that an 8 digit generated password would take under 25 days to crack assuming it complies with all of the rules below. In contrast, a 15 digit generated password would take just under 4476650254128 years to crack.
  3. Include a combination of uppercase and lowercase letters
  4. Include numbers
  5. Include special characters
  6. Doesn’t contain any patterns / sequences
  7. Is NOT a pet, friend or relatives name. These can often be found quite easily through basic social engineering thanks to sources like Facebook, Instagram, twitter, etc.

I’d personally recommend using a password manager to take care of all of this automatically. I use 1Password and have been doing so for some time now. It’s the very first applications I install on any new device. That being said, any password manager is going to be better than not using one.