I don’t know about you, but these days I’m getting really tired of crazy password requirements. I get that I can no longer use the same 11-letter password for everything because it puts me at all kinds of risks (click here to read more about the bad stuff that can happen), but it seems a bit nonsensical that almost every different system / tool I use that needs a password seems to have different standards for what constitutes “secure”.
General criteria tend to be:
1. Password length
2. Upper/lower case alphabet
3. Numbers
4. Special characters
On one end of the scale, I usually get away with using two of criteria 1-3 above, e.g. long + a mix of upper & lower case (“MyGreatPassword”), or long + a mix of letters and numbers (“mygreatpassword2017”). However, sometimes I have to jump through all the hoops and do something silly like “MyGre@tPassw0rd”. Yes, security is important, but at some point someone’s got to draw the line and say “hey, for the added difficulty remembering this, it’s not actually that much more secure”.
This sentiment is expressed really well by this cartoon by XKCD. XKCD and many others, including the MIT Tech Review have pointed out that “making a password longer […] is a better way to strengthen it than by adding uppercase characters or numbers. That’s because people tend to add uppercase characters at the start of passwords and numbers at the end, and password attacking methods can take advantage of that”.
What can we do about it? Not a heck of a lot, unfortunately – system admins define password requirements, so you may end up following someone else’s rules that make your life harder without giving you much additional security. However, knowledge is power: that XKCD comic came out in 2011 and is still being distributed around the world wide web. Either there will be a need to implement easy-to-remember but hard-to-guess passwords in the future due to the increasing efficiency of bots/hackers, or we’ll reach a critical mass of people in the know and it will simply become a best-practice approach. Fingers crossed it happens before we all run out of memory space for increasingly ridiculous, hard-to-remember passwords.