Many sites have developed ridiculously high standards for passwords in an attempt to get people to stop using common passwords such as “password” or “letmein”. However, many websites may be at risk of inadvertently making passwords worse. It is important to set restrictions; however, they should be set with consideration for the importance of the material being protected, and with guidelines that do not hurt the quality of the password.
What Websites Are Doing Wrong
Some websites restrict the number of months in which users are allowed to use each password. Arguably, this is one of the most harmful requirements. “Requiring frequent password changes often causes users to develop predictable patterns in their passwords”, says Mark Burnett. To further worsen matters, it is more difficult to keep track of frequently changed passwords. As a result, more people will write them down in a password book, which is one of the first items a thief will take.
Also among the most harmful of restrictions are assigned passwords. While these may prevent “password” from making an appearance, they also prevent those more adept at deciding on passwords from keeping their information as secure as they otherwise would have. They also assist in password cracking, since hackers can automatically eliminate passwords that don’t fit into the pattern.
Possibly the easiest way to figure out all of someone’s passwords is through “forgot password” links, which usually ask simple questions such as “What’s your mother’s maiden name?” or “What was the name of your first pet?”. These questions are particularly bad for those with accounts on social media sites, as their passwords can be stolen through a technique called “nabbing”, which involves using the information easily found on these sites to answer the questions.
What Websites Could Do Instead
Websites need to keep in mind the importance of the information they’re trying to protect. If you’re signing into an account that allows you to comment on funny cat videos, you likely don’t need the same level of security as a government official guarding top secret files. In fact, on websites like those you likely don’t need any password restrictions at all, as you’re more in danger of forgetting your password than the password is of being cracked.
Personally, I think passwords should be treated like usernames. If a password is already taken, then no one else should be allowed to use it. This would completely eliminate the issue of common passwords while still allowing people to use the password of their choice, provided that it’s original.
It doesn’t hurt for users to be required to change passwords occasionally on sites that guard important information, but not more than once every few months. While I don’t feel this is the best approach to solving the issue of password security, many believe in it strongly, and if you’re decent at remembering passwords, it isn’t a bad idea.
What You Can Do
So how exactly should you choose a password? I recommend using Correct Horse Battery Staple. This is a method that involves choosing a number of randomly generated words (usually four) and optionally adding capitals, spaces, and/or numbers if you so choose. You can find a word generator specifically for this purpose here.
Maybe you want to use your own system, but you’re not sure how secure it is. Checking is simple enough, but you need to watch out for sites that claim to check the strength of your password. Many of them are actually stealing it. If you’re looking for a safe one, I’d recommend going to this website.
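The two paragraphs above describe picking several random words and then wanting to check how strong the result is without handing it to a third-party site. The following Python script is an added example for this post, not the generator the author links to: it draws words with the operating system's cryptographic random source (the `secrets` module, not `random`) and computes the entropy of a word-selection passphrase offline as `k * log2(N)` for `k` words drawn from a list of `N`. The 32-entry word list is constructed for the example so that each word is worth exactly 5 bits; a real Diceware list has 7776 words, which is about 12.9 bits per word.

```python
import math
import secrets

# Constructed sample word list for this example (32 distinct entries, so each
# word contributes exactly log2(32) = 5 bits). A real list is far larger.
WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "marble", "pillow",
    "copper", "lantern", "meadow", "thunder", "velvet", "orchard", "saddle", "compass",
    "hollow", "glacier", "pepper", "turnip", "anchor", "blanket", "feather", "harbor",
    "kettle", "ladder", "mirror", "needle", "pocket", "quiver", "ribbon", "window",
]


def generate_passphrase(word_count=4, wordlist=WORDS, separator=" "):
    """Pick word_count words uniformly at random from wordlist.

    secrets.choice uses the OS CSPRNG; the random module is predictable and
    must not be used for anything password-related.
    """
    if word_count < 1:
        raise ValueError("a passphrase needs at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of word_count words drawn uniformly from wordlist_size words.

    There are N**k equally likely passphrases, so log2(N**k) = k * log2(N).
    """
    return word_count * math.log2(wordlist_size)


def estimate_bits(passphrase, wordlist=WORDS, separator=" "):
    """Offline strength check for a passphrase built with this scheme.

    Returns the entropy in bits if every word comes from wordlist, or None if
    the passphrase was not built from the list (this estimator only models
    random word selection, not added capitals or digits).
    """
    words = passphrase.split(separator)
    if any(w not in wordlist for w in words):
        return None
    return passphrase_entropy_bits(len(words), len(wordlist))


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Time to search half the space at a given offline guessing rate."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    bits = estimate_bits(phrase)
    print(f"passphrase: {phrase!r}")
    print(f"entropy: {bits:.1f} bits (32-word list)")
    print(f"with a 7776-word list: {passphrase_entropy_bits(4, 7776):.1f} bits")
    # Hypothetical rate of one billion guesses per second, for illustration.
    print(f"seconds at 1e9 guesses/s: {expected_crack_seconds(bits, 1e9):.1f}")
```

Run it as a script to generate a passphrase and see the numbers side by side: four words from the toy list give only 20 bits, while the same four words from a 7776-word list give about 51.7 bits. The entropy depends on the size of the list and the number of words, not on how unusual the chosen words look, which is why the word list and the randomness source matter more than any decoration added afterwards.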
Conclusion, updated March 6th, 2014
A few of you have commented on my idea of treating passwords like usernames, expressing disagreement. The issue you brought to my attention was the potential difficulty of choosing a password on larger sites that incorporate this system. While I feel this wouldn't be an issue, considering the Correct Horse Battery Staple system would work for choosing untaken usernames virtually every time, it did inspire me to search for further issues that could be caused by the idea. I came to the realization that hackers might be able to use this system to their advantage by keeping track of which passwords are taken, particularly on smaller websites. I'd like to thank those who commented for helping me to come to this conclusion.
One commenter (Holly Gerla) also mentioned a useful strategy I seem to have left out. One good method of keeping unique passwords for different websites is to insert your password between the initials of the site. Her examples include "F*insertpasswordhere*B". I'd like to add that I've seen different variations of this system, including using the first two letters, or the first and the last. I'd like to thank Ms. Gerla for her contribution.
It's been excellent hearing feedback from all of you. I'm very happy to hear so many of you found it helpful, and I'm grateful to have made a positive (hopefully) impact on your views regarding passwords. I wish you all good luck with passwords in the future, and I thank you again for taking the time to read and comment.