A simple guide to ensuring your passwords are strong, secure, and easy to manage
Our daily lives take place increasingly online. That brings a need to create and maintain dozens, if not hundreds of online accounts, each requiring a new set of usernames and passwords.
At the same time, we hear about data breaches routinely, and unfortunately, they show few signs of slowing down.
So how do you know if your password is secure?
Guidance for Password Security
The National Institute of Standards and Technology (NIST), founded in 1901, is now part of the U.S. Department of Commerce. NIST provides a range of recommendations and frameworks across industries, but in particular, they have excellent resources for cybersecurity.
In recent years, NIST released this Digital Identity Guidelines publication which details online security and identity authentication best practices. In Appendix A, there is a section called “Strength of Memorized Secrets” which outlines three simple yet effective password security techniques. We’ll walk through these recommendations and incorporate key steps to ensure your passwords, PINs, or passphrases are always secure.
The Three Pillars of a Secure Password from NIST
To address evolving security threats online, service providers are introducing new login requirements in an effort to increase password complexity and make them more difficult for hackers to crack.
While there are different methods for introducing password requirements, the most common form is known as composition rules, which require users to include character types or symbols in their password. However, according to NIST, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.”
Since composition rules alone lack the effectiveness needed to guarantee your password is secure, NIST instead recommends these three pillars for password security: length, complexity, and randomness.
1. Your Passwords Should Be Long
Here’s the simple equation: longer passwords are more secure. NITS describes password length as the most critical element to strengthening your passwords and protecting your private data.
Short passwords are far more susceptible to a brute force attack, where a computer or malicious software program goes through every 8-digit combination (or more) of characters until it finds a match. Hacker programs often attempt the most commonly used passwords as well, such as 123456 or Password. Bottom line––the shorter and more common your password is the faster and easier it will be for hackers to guess it.
According to NIST, “Users should be encouraged to make their passwords as lengthy as they want, within reason.” At just 14 characters, random strings are extremely secure. Take this one for example:
A truly random password at this length would likely take a computer or hacker program centuries to guess. Sounds pretty good, right?
On the other hand, increasing the length also makes passwords more difficult to maintain and harder to remember. Fortunately, there are secure ways to store and manage your passwords so you don’t have to rely on memory or unsafe methods (we’ll cover this later in the article).
A newer method to lengthen your password and make it easier to remember is the use of a “passphrase” instead. A passphrase is a random combination of words often separated by dashes to form one random phrase, for example checkers-sailboat-lollipop is considered a passphrase.
The following three-word combination passphrase with 8-digits per word would take a computer program centuries to guess, but is far more user friendly and easier to remember.
We recommend the use of passphrases to make memorizing your logins easier and your online data more secure.
2. Your Passwords Should Be Complex and Secure
Websites and online service providers often require certain levels of password complexity at the time of registration. Password complexity will typically include a combination of different letter cases, numbers, and symbols.
The challenge is that our human brains are wired for efficiency and complex passwords are not easy to remember or efficient to manage through memorization alone. Too often the resultant is the use (and reuse) of passwords that meet the complexity requirements, but are also simple in nature. Unfortunately, this only guarantees a false sense of security.
As an example, here is a side-by-side comparison of two passwords that both meet the same complexity requirements but achieve very different results:
Meeting the complexity requirements defined in a website’s registration process does not necessarily mean it is truly complex, and therefore, password vulnerabilities will only diminish once we’ve removed the human element from the process.
Security-conscious sites might offer a recommended complex password, and in that case, what should you do? We recommend using a strong password generator from a reputable source to ensure the tool is safe to use. Bitwarden, for instance, offers a free password generator available to everyone that is both strong and safe to use. (Existing Bitwarden customers can leverage the same feature within your Vault.) When using these free tools, we ensure your password is never transmitted to our servers and is processed locally in your device's web browser window. Here’s a screenshot of what a password generator might look like, using the Bitwarden free tool as an example:
Now that we’ve covered the steps to generate secure passwords, the challenge then becomes storing and accessing your complex credentials whenever you need them. Fortunately there are easy and secure ways to enable this with the help of a password manager. (We cover more about password managers and how to get started later in this article––click here to skip ahead.)
3. Your Passwords Should Be Random and Unique for Every Account
According to NIST, “secrets that are randomly chosen... will be more difficult to guess or brute-force attack than user-chosen secrets meeting the same length and complexity requirements.”
Most online users today are aware of the significant risks associated with reusing passwords for multiple online subscriptions. Even so, the results of a survey Google conducted in 2019 revealed 65% of people use the same password for multiple or all online accounts. This suggests people are more willing to accept the risks associated with reusing a password than they are willing to endure the pain of forgetting one’s password. On the other hand, accepting these risks could also be the difference between happy internet surfing and identity theft.
So, why does reusing a password for multiple online accounts pose such a threat?
A data breach on one website, where millions of user data and login credentials are stolen, means your credentials are now in the hands of people with malicious intent. As a result, any other account that uses the same stolen password is also compromised, and the private data you’ve stored in each of those accounts is at risk of being stolen as well.
All of these requirements would, of course, be impossible to manage by memory alone. Fortunately, there are easy and secure ways to optimize this process––we’ll cover that next.
How to Manage Your Long, Complex, Random Passwords
Passwords, still ubiquitous across websites and applications, deliver a powerful first line of defense for internet users. This is especially true when users create secure passwords for each website.
In summary, the passwords we use for every online subscription should be unique to every account, at least 14 characters long, complex, and random. Great! Now, how do you manage it all? The easiest and safest way to do this is with the help of a password management solution.
What is a password manager?
A password manager is a software solution that enables you to safely generate, store, and manage personal or business subscription login credentials. With this technology, the process of generating and maintaining long, complex, and random passwords is easier and far more secure than generating complex passwords manually.
How does a password manager work?
The goal of a password manager is to strengthen the security of your private data online and completely remove the need to memorize or reuse complex passwords. With a password manager in place, users can create unique passwords that are long, complex, and random for every online subscription. Users can also synchronize passwords across multiple devices and if desired, share information securely with family, friends or colleagues.
Bitwarden, for example, is an open source password manager that stores your secrets with end-to-end, zero-knowledge encryption before it ever leaves your device. Upon creating a new Bitwarden account, you will first generate a master password (this should be long, complex, and random) which is then used to encrypt and store your passwords and other private data.
When selecting a password management solution for you or your business, it’s important to ensure the provider never stores your actual passwords. Secure password managers only store encrypted versions of your private data which can then only be decrypted by the user themselves.
For more information about password managers and security best practices, see our help section on security.
Get Started with Your Password Manager
- Bitwarden Password Generator
- Password Strength Testing Tool
- NIST Special Publication 800-63B - Digital Identity Guidelines - Authentication and Lifecycle Management
- NIST Special Publication 800-63B - Appendix A - Strength of Memorized Secrets
- Forbes, How Many Streaming Video Services Does The Average Person Subscribe To?