Remember when experts were advising us to create complex passwords that contained a mix of capital and lowercase letters, numbers, and special characters like dollar signs and question marks?
Well, a recent series of studies from Carnegie Mellon University shows that those nonsensical, nearly impossible-to-remember passwords are no safer than long “passphrases” of 16 to 64 characters. In other words, a long but straightforward password such as “passwordsaresuchabigpain!” is likely to be at least as secure as a shortened, complex version like “pwsRpain!”
Now, you may not relish having to type in up to 64 characters, but at least you’re more likely to remember a long passphrase. And if you can remember your passwords, you’re less likely to reuse them or write them down on a piece of paper or in a file on your computer—actions that put you at further risk of identity theft.
Of course there are a few catches. One is that you still have to come up with unique passphrases for each site you use, from your email to social media, work, and online banking.
In addition, your passphrases should not be easy for hackers to guess. Using downloadable lists, hackers can quickly test common phrases such as clichés and idioms, popular song lyrics, and well-known quotes from TV shows or movies. Run an online search for your passphrase and see if the search engine auto-completes it. If so, it’s a popular phrase you should avoid.
Another hitch is that some sites still limit passwords to 16 characters or fewer. That may change if research continues to show the security of long passphrases, but for now some sites may force you to continue using short, complex passwords.
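To see why the two examples above compare the way they do, here is an added illustration (not from the article or the Carnegie Mellon studies) that estimates how many guesses an attacker needs under two models: guessing character by character, and guessing whole phrases from a word list. It also applies the two checks the text recommends, the 16-character floor and a blocklist of well-known phrases; the blocklist, the 20,000-word dictionary size and the helper names are assumptions made for the example.

```python
import math
import string

# Constructed stand-in for the downloadable phrase lists the text mentions;
# a real check would load a large list of quotes, lyrics and idioms.
COMMON_PHRASES = {
    "tobeornottobe",
    "maytheforcebewithyou",
    "correcthorsebatterystaple",
}

MIN_LENGTH = 16  # the lower bound the text gives for a passphrase


def _normalize(passphrase):
    """Lowercase and drop spaces/punctuation so 'May the Force...' still matches."""
    return "".join(ch.lower() for ch in passphrase if ch.isalnum())


def charset_size(passphrase):
    """Size of the alphabet an attacker must assume from the classes present."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_bits(passphrase):
    """log2 of the keyspace for character-by-character guessing: length dominates."""
    return len(passphrase) * math.log2(charset_size(passphrase))


def word_bits(n_words, dictionary_size=20000):
    """log2 of the keyspace if the attacker guesses n_words from a word list."""
    return n_words * math.log2(dictionary_size)


def check_passphrase(passphrase, n_words=None):
    """Return the weaker of the two estimates plus the problems the text warns about."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("shorter than 16 characters")
    if _normalize(passphrase) in COMMON_PHRASES:
        problems.append("matches a well-known phrase")
    bits = brute_force_bits(passphrase)
    if n_words:  # a readable phrase is only as strong as its word-list model
        bits = min(bits, word_bits(n_words))
    return {"bits": bits, "problems": problems}
```

For “pwsRpain!” the estimate is about 57 bits, while “passwordsaresuchabigpain!” scores about 146 bits against character guessing and still about 86 bits when treated as six dictionary words, which is the article's point in numbers.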
If you’re not sure how strong your passwords are, or want to compare the security of your shorter passwords with that of longer passphrases, you can test them here.
And if all of this makes your head spin, and you’d prefer not to worry about remembering any passwords, there are password managers and other solutions available to ease your password pain.