If your organization provides any computer security training at all, then it should be no news to you that long, complex passwords are more difficult to crack than the simpler passwords most users choose today; however, nearly all the people I’ve talked to who work in banks don’t realize how fast their passwords can be cracked by modern computers.
Mike Halsey, a Microsoft MVP, posted the chart below on Ghacks.net. This chart shows how long it would take a modern computer to crack passwords of varying complexities, assuming the hacker knew the basic password requirements for the application.
[Chart: Length of time to crack passwords of varying complexity]
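The chart’s underlying arithmetic, as an added example that is not part of the original post: under the post’s assumption that the attacker knows which character classes the policy allows, the search space is (alphabet size)^(length), and the time to exhaust it is that divided by the guess rate. The guess rate of one billion per second and the sample passwords are assumptions I constructed for illustration, not figures from the chart.

```python
import string

# Character classes a cracker would enumerate; string.punctuation is the
# 32 ASCII special characters. Only classes actually present in the
# password are counted, matching the post's "attacker knows the policy" case.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": string.punctuation,
    "space": " ",
}

UNITS = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
         ("minutes", 60), ("seconds", 1)]


def charset_size(password: str) -> int:
    """Alphabet size the attacker must search, given the classes present."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of this length drawn from that alphabet."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every candidate. The default rate is an
    assumed round figure for an offline attack, not a measured value."""
    return keyspace(password) / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # Constructed samples: what an 8-character, no-specials banking policy
    # forces, versus a sentence that uses spaces and punctuation.
    for pw in ["Summer08", "Tr0ub4d0r", "My dog Rex eats 2 bones!"]:
        print(f"{pw!r:28} alphabet={charset_size(pw):3d} "
              f"worst case={describe(seconds_to_exhaust(pw))}")
```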
The passwords I use are all off the chart, which is a good start toward protecting my online data. But even a super long, complex password is still no defense against one very common practice – using the same password for all services. When sites such as LinkedIn get compromised and passwords are stolen, your super long, ultra complex password that you use on every site is now as useless as having no password at all.
In all likelihood, many of the users in that LinkedIn database use the same username + password combination on every application they access. Duplicating your credentials across all applications completely undermines the value of using a strong password.
Consider these principles when choosing your credentials for websites and applications that you use:
- Use long, complex passwords that use spaces, capital letters, lower case letters, numbers and special characters. To make them easier to remember, consider using a sentence that has meaning to you.
- Use a different username and password for online banking and similar sensitive systems than you use for forums, Facebook, e-commerce and other websites.
- Change your most frequently used passwords once a month.
- When offered challenge questions, avoid those with easily guessed answers, such as “What is your favorite color?”
- Limit what you post about yourself on social sites that would make challenge questions easy to answer, such as “What is your mother’s maiden name?”
Finally, if you work for a bank or credit union and you have any influence whatsoever over your online banking security processes, demand that your system allow strong, complex passwords. Banks have been slow to adopt strong password policies, with many online banking sites still prohibiting special characters in passwords and limiting passwords to 8 characters. Worse than not choosing a strong password is an online banking system that will not let you create a strong password.