How long should my password be?
There does not seem to be consensus on an appropriate minimum password length, but it’s a good approach to make your passwords at least 12-14 characters long. In general, the longer the password, the better your odds are against a brute force attack.
A brute force attack is an attack method often used by hackers where they do exactly what the name describes; they try and guess your password as many types as the system will allow. Often, hackers will use automation to do this quickly and efficiently. The longer your password, the longer this method will take and the greater likelihood that they will be locked out by the system.
A great way to get a long password that’s easy to remember is to use passphrases. At one time, the recommendation was to use complex passwords with random characters and numbers, but those can be hard to remember, confusing, and difficult to type. Passphrases are a series of random words or a sentence that are much easier to remember and type, but still hard for cyber attackers to hack.
Examples:
Springtime in Massachusetts is good 4 me
Three tricky turtles tango terribly
feeling-identity-owl-trade
*please remember, these are examples only. You should not use this as passwords since they are on a public webpage*
But, can they really hack into my accounts that quickly?
To give you some context, let’s look at the password ‘123456789’. Since this password contains a sequence, it would be one of the first combinations a hacker would try. It’s estimated that it would take a human about 15 minutes to crack this password. If we factor in the automation we talked about above, it’s estimated that a supercomputer could hack this password in 0.0085 seconds! If we take a slightly longer and randomized set of characters, such as ‘whithgildnqz’, our odds get exponentially better. It would likely take a hacker over a year to crack this more complex password.
What about special characters and numbers?
Special characters and numbers definitely add complexity and make it more challenging for hackers. Try swapping out letters for a number or special character. For example:
Three tricky turtles tango terribly
could become
Thr33 Tricky Turtl35 T@ng0 T3rribly
But remember, the longer the password the better.
That’s great that I can use passphrases, but I still have all these passwords! How am I supposed to remember them all?
Password managers can be a great resource. Many products offer free versions if you are able to accept some limitations. Paid versions are also available that often allow you to store and access all your passwords across multiple devices. With a password manager, you just need to remember the one master password (so it’s important that it’s your best password). They can help generate strong, long, random passwords automatically. Many of the tools out there will give you the ability to store other sensitive information such as credit card numbers, membership cards or private notes. There are lots of products on the market, all with their pros and cons, but some examples are LastPass, Dashlane and 1Password. A quick google search will give you more information on which on may be the best fit for you. If you would like to recommend a specific product, please email CommonwealthCISO@mass.gov.
Anything else I should consider?
Enable Two-Factor authentication whenever possible. While a great passphrase will help secure you and the Commonwealth’s data, a second factor makes it that much more difficult for hackers to gain access.
Do not reuse passwords across systems. Each account should have a unique password. This is when a password manager really comes in handy.
Avoid passwords with patterns such as 12345, QWERTY or ABCDE. These are often the first combinations that a hacker will guess.
Avoid using personal information in your passwords such as your name, address, birthday. It’s also important to avoid using information about you that’s publicly available, such as your favorite sports team that you’ve posted to Instagram countless times.
Never share your passwords with anyone. Remember, passwords are supposed to be a secret and are the key to all your accounts and information. If you do need to share a password to a critical account, such as sharing the password to your bank account with a family member in case of an emergency, consider using a password manager to do so. This will give you the ability to determine the level of access (e.g. read/write) and revoke access if necessary.
Consider occasionally checking sites such as “Have I Been Pwned” which tracks whether an account and the associated password have been involved in a data breach.
If you no longer need an account, remember to close, disable or delete it.
Always remember to review your organizations guidance and password policies to be sure you are in compliance with the local requirements. The suggestions highlighted above are meant to serve as general guidance.
If you’d like more information on password security, the Global Cyber Alliance (GCA) Cybersecurity Toolkit has helpful content on strong passwords and the various tools available. As always, if you have specific questions or comments, please reach out to CommonwealthCISO@mass.gov.