Password Length vs. Complexity vs. Strength

What’s more important? Password length, complexity, or strength?

Neither.

None of those things is as important as uniqueness of your passwords.

Why Is Uniqueness The Most Important Factor?

The reality is that you’re more likely to have someone obtain your password from a previous breach than to have someone guess your password.

Attackers know a lot of people reuse passwords. So hacking that no-name website you used 10 years ago to get the passwords is worth it to them. The odds are in their favor that you still use that password for a bank or for many other accounts.

With a list of passwords from other breaches, the attackers can check thousands of other websites quickly to see if any of those passwords work.

They want accounts that make them money.

They want obvious ones like your bank but also simple accounts like Netflix or Reddit. Yes, a simple Reddit account is worth money to advertisers and anyone who wants to push an agenda. Getting on the first page of Reddit means you get millions of eyes on whatever you’re pushing – there’s money to be made in doing that, and you need real accounts to get around the filters.

Never Reuse Passwords

Once you’ve used a password, you can never use it again. Passwords need to be treated like they’re disposable.

Let me ask you a question… Who do you trust more? Yourself, or tens of websites you don’t control?

Most people say they trust themselves more, and yet they reuse passwords.

If you’re reusing the same password across 10 different websites, you’re trusting that one of the ten doesn’t screw up and leak your password.

All it takes is one website to screw over the other 9. You don’t have any say in how they handle your password and reusing the same password is putting way too much trust into something you don’t control.

If you’re using unique passwords for every account, you’re putting the trust back in your hands. One website getting breached won’t affect the others. Only you, the person you trust the most, have the notebook or password manager that holds all the keys.

And before I get the people saying, “what if the password manager gets hacked?!?!”, please read about peppering your important passwords. This will remove the fears you have.

What Is A Unique Password?

Even though I say to use unique passwords, I find some people don’t fully get what that means.

If you’re not randomly generating your passwords, they’re not as unique as you think.

When I say unique, I mean every single account has a password that is not related to any other passwords.

Using “Fluffy123Facebook” for one and “Fluffy123Reddit” for the other is not unique. There is a pattern here, and I go over why this is bad HERE and HERE.

Also, using “Fluffy123!” and “Fluffy1234!” is not unique enough either.

When I say unique, I mean you use passwords that look like…

  • x2Bc3><FB=gV!3i
  • fade sample retail unwilling
  • Crops51]show
  • mistybell54
  • QhLcHyo4ERKyG5Fc

None of those passwords relate to each other. Some are complex, and some are easy to type in. But all are truly unique.

To be unique, you will need to use a password generator. People are not good at being random. We often pick easy-to-guess words like pets or a child’s name. People are predictable!
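As an added example (not from the original post), here is a small audit that flags passwords in a vault that share a pattern like the “Fluffy123” ones above, plus a generator that draws from the OS CSPRNG. The vault contents are constructed sample data, and the 0.5 similarity threshold is an assumed cut-off.

```python
import secrets
import string
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample vault (account -> password). The first four follow the
# "Fluffy123" pattern from the post; the last three came from a generator.
SAMPLE_VAULT = {
    "facebook": "Fluffy123Facebook",
    "reddit": "Fluffy123Reddit",
    "bank": "Fluffy123!",
    "email": "Fluffy1234!",
    "netflix": "x2Bc3><FB=gV!3i",
    "forum": "fade sample retail unwilling",
    "shop": "Crops51]show",
}

def similarity(a: str, b: str) -> float:
    """0.0 (nothing in common) to 1.0 (identical), case-insensitive."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def find_related(vault: dict, threshold: float = 0.5) -> list:
    """Pairs of accounts whose passwords are identical or share a pattern.

    Identical passwords score 1.0, so plain reuse is caught as well."""
    related = []
    for (acc_a, pw_a), (acc_b, pw_b) in combinations(vault.items(), 2):
        score = similarity(pw_a, pw_b)
        if score >= threshold:
            related.append((acc_a, acc_b, round(score, 2)))
    return related

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS CSPRNG (secrets), never from random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for acc_a, acc_b, score in find_related(SAMPLE_VAULT):
        print(f"{acc_a} and {acc_b} share a password pattern (score {score})")
    print("replacement:", generate_password())
```

Running it flags every pair among the four “Fluffy” accounts and none of the generated ones.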

But I Won’t Be Able To Remember Those Unique Passwords!

Remembering passwords is the problem.

Passwords are meant to be stored, not remembered.

The average person has well over 100 passwords. That is 100 different passwords following 100 different password requirements. It’s not possible to remember them all, and that’s okay.

No one remembers phone numbers anymore; it’s all in an app on your phone.

So why are we treating passwords any different?

With the number of passwords everyone has, the only option left is to store them.

It’s such a relief to not have to worry about what password you used for what website. With a password manager it autofills the password so you can move on with your life.

The Second Most Important Factor

Behind uniqueness is the length.

The simple truth is that the longer you make your password, the longer it will take to guess.

The reason why it’s behind uniqueness is that if you use the same 100-character-long password for everything, then that password is only as strong as the weakest site you used it on.

If you used that 100-character-long password on a website that leaks it, it’s still nothing for a bot to check thousands of other websites to see where else you used it.

So uniqueness will always come first.

What About Complexity?

All the websites telling you to add a special character or swap an “E” with a “3” are just wrong.

They would have been better off telling you to make your password one character longer instead.

Here’s an example from my post on how long your password should be.

With a computer that can guess passwords at 1 trillion guesses per second, it would take…

  • 11 Characters long takes 229 days to guess all possibilities
  • 12 Characters long takes 16,020 days to guess all possibilities or about 44 years

As you can see, adding just one more character took you from days to years to guess all possibilities.

In other words, a password that looks like this:

v>!V8wN?s

is less secure than

stapleswizz93le

The second password lacks uppercase letters and special characters, but it would take vastly longer to guess than the shorter password with more character combinations.

At 1 billion guesses per second it would take 10 years to guess “v>!V8wN?s”. For the same 1 billion guesses per second, it would take 3,504,659 years to guess “stapleswizz93le”, assuming the attacker is guessing every combination of characters.
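The arithmetic behind that comparison, as an added example (not the post’s own code): it sizes the alphabet an attacker must enumerate from the character classes a password uses, raises it to the password’s length, and converts the average-case search (half the keyspace) into years. Counting the 95 printable characters (punctuation plus space) for the first password and 36 for the second reproduces the post’s 10-year and roughly 3.5-million-year figures.

```python
import math
import string

# Character classes an offline guesser would enumerate. The symbol class
# includes space so the full printable set counts as 95 characters.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}
SECONDS_PER_YEAR = 365 * 24 * 3600

def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover to include this password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def keyspace(password: str) -> int:
    """Number of candidates of this length drawn from that alphabet."""
    return charset_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """Keyspace expressed in bits; each extra character adds log2(charset)."""
    return math.log2(keyspace(password))

def years_to_guess(password: str, guesses_per_second: float,
                   average_case: bool = True) -> float:
    """Years to search the keyspace; average case finds it halfway through."""
    candidates = keyspace(password) / (2 if average_case else 1)
    return candidates / guesses_per_second / SECONDS_PER_YEAR

def compare(short_complex: str, long_simple: str, rate: float) -> dict:
    """Side-by-side numbers for two passwords at a given guess rate."""
    return {
        pw: {
            "length": len(pw),
            "charset": charset_size(pw),
            "bits": round(entropy_bits(pw), 1),
            "years": years_to_guess(pw, rate),
        }
        for pw in (short_complex, long_simple)
    }

if __name__ == "__main__":
    for pw, stats in compare("v>!V8wN?s", "stapleswizz93le", 1e9).items():
        print(f"{pw!r:20} len={stats['length']:2} charset={stats['charset']:2} "
              f"bits={stats['bits']:5} years={stats['years']:,.0f}")
```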

Not only is the second password harder to guess, but it’s easier to type too. This means it’s easy to transfer from a notebook to a computer. It’s also easy to enter on a TV remote if you had to.

What About 2FA?

Using 2FA (two-factor authentication) like an SMS sent to your phone or an app is not an excuse to keep reusing the same passwords.

If your first factor is already known because you reuse passwords, you have defeated the whole point of having TWO factors.

Then the only thing protecting your account is 6 easy-to-guess numbers.

Even though the 2FA code changes often, you still have a 6-digit code protecting your account. No one in their right mind would use a 6-digit password, so why is it okay with 2FA? These codes have been brute-forced and bypassed before. It’s only 6 numbers, yet people treat it as some magic cure to hacking?!

2FA is meant to be the cherry on top, not the whole cake. Another way to put it is your password is the dead bolt and 2FA is the door chain.

The last reason why 2FA is not our savior for this problem is that a lot of websites don’t support 2FA.

It might amaze you to learn that 90% of Google users don’t use any kind of 2FA.

No matter how much the savvy internet users want 2FA, the average person doesn’t care for it.

Why Don’t Websites Generate The Password For Us?

They should.

I have a whole article that goes over why they should.

You quickly solve the password reuse problem if you generate the password for the users.

And yet, companies are going the route of forcing 2FA instead. People will keep using the same password and thus defeating the whole point of having two factors.

If you’re going to force 2FA, you’ll be better off generating the passwords for the users instead. You not only solve the root of the problem, but it’s more privacy-focused.

The reason why so many companies go with 2FA is that it’s a way to get your phone number. A phone number is another data point for them to sell to advertisers.

The best part of generating passwords for users is that it’s something that can be done overnight, unlike installing a new 2FA system.

Forcing A Bad Habit

The other issue with forcing 2FA is that it’s reinforcing a bad habit of people reusing passwords.

For most people, it’s not apparent that you need to use unique passwords for every account.

Every account you sign up for has trained you by way of password requirements. You need an uppercase, lowercase, numbers, special characters, or it needs to be X long. This has taught us how to make complex passwords, not unique ones.

What websites should have done is trained people to store passwords and not how to make something they won’t or can’t remember.

Websites should have generated the password for the user and had them either print the password out or store it in their password manager or web browser. You can’t use the internet without a web browser, and every browser will offer to save your passwords.

But we don’t live in that fairy tale world. So you must generate your own passwords and store them somewhere. And if you use 2FA please don’t use it as an excuse to reuse passwords or you defeat the whole point of having two factors and the only thing left protecting your account is 6 numbers.
