Reducing the pain of passwords


The IT world is moving slowly towards biometric identification. HSBC have just announced that you’ll be able to log in to their banking service using voice recognition, and the newer iPhone models read your fingerprint so you can get through the passcode quickly. But until this technology becomes ubiquitous, passwords are probably here to stay.

You can’t win either way. Either you use the same password for multiple accounts and never change it; at the back of your mind you know it’s not particularly secure, but at least you can remember it and get on with your online life. Or you’re more diligent: you use a different password for each account, each a mixture of cases, numbers and special characters, which makes them far more secure but almost impossible to manage.

Passwords are just one part of the overall security picture, and they are the focus of this article. But like a chain, the security of your IT is only as strong as its weakest link, and if your passwords are poor then you’re making it really easy for hackers to get in.

How passwords can be cracked

  • Social engineering. I won’t go into details here, but in summary it’s a non-technical way of getting you to inadvertently reveal your password.
  • “Brute force”. This is where all the possible combinations of characters are tried. The time needed to guarantee cracking a password becomes a simple equation – the number of possible combinations divided by the number of guesses that can be tried per second.
  • Cracker programs. These are automated computer programs that are run remotely by hackers, often autonomously. They try combinations of characters like a brute force attack, and often use “dictionaries” of real words and commonly used passwords (such as “12345678”) to increase the likelihood that one of their early guesses will be correct.

The problems

What are the common problems?

  • We have too many passwords to manage – on average we have more than 100 online accounts, and it’s impossible to remember a different password for each one, so we use the same password in lots of places.
  • It’s far too much effort to change passwords for 100 accounts on a regular basis. So if a hacker gets hold of a password, it’s likely they’ll have continuous access for a long time, because that password will remain valid.
  • Cracker programs used by hackers can test many, many common passwords and combinations of words quickly, and this rate will only go up with increased computing power. Right at the top of their list of candidate passwords are the most common ones, which a scary number of people use. Avoid these.

What makes a good password?

An 8 character password is generally weak and can be cracked quickly with today’s computing power and techniques. A password of 8 random lower case characters can be cracked in less than a minute. Increase that to 12 random lower case characters and the time rises dramatically, to the best part of a year. Change to a mix of lower and upper case and it becomes 3000 years, and longer still if you introduce punctuation characters. This website is a fun way of demonstrating the difference. My simple advice is to use 12 character passwords.

There’s a trade-off between picking a memorable password involving real words (remember, they can be cracked easily) and having a strong but difficult to remember password. However, this is only true if you have to commit the password to memory. If you use a password management tool, it can not only store your passwords for you, it can also generate a good (i.e. difficult to crack) password for you to use.
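To put numbers on the “combinations divided by rate” equation above and on the length and character-set comparison, here is an added worked example (my own code, not anything from the article or the website it mentions). The guess rate of 10 billion per second is an assumed, hypothetical figure chosen for illustration, not a measurement, so the absolute times will differ from the article’s; what the example shows is how the keyspace, and hence the time, scales with length and alphabet size. It also generates a random 12 character password the way a password manager would, and checks a candidate against a small constructed list of common passwords of the kind cracker dictionaries lead with.

```python
"""Brute-force cost and password generation: added illustration, not the article's code."""
import math
import secrets
import string

# Character sets used in the article's comparison.
LOWER = string.ascii_lowercase                                           # 26 characters
MIXED_CASE = string.ascii_letters                                        # 52 characters
MIXED_PUNCT = string.ascii_letters + string.digits + string.punctuation  # 94 characters

# Assumed (hypothetical) offline cracking rate, guesses per second.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Constructed sample of the common passwords a cracker's dictionary tries first.
SAMPLE_COMMON_PASSWORDS = ["12345678", "password", "qwerty", "letmein", "iloveyou"]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every combination: combinations divided by rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds as the largest convenient unit, one decimal place."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def generate_password(length: int = 12, alphabet: str = MIXED_PUNCT) -> str:
    """Random password from a CSPRNG (the `secrets` module), as a manager would make."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def dictionary_hit(password: str, wordlist) -> bool:
    """True if the password is one of the common candidates tried before brute force."""
    return password.lower() in {w.lower() for w in wordlist}


if __name__ == "__main__":
    cases = [("8 lower case", LOWER, 8), ("12 lower case", LOWER, 12),
             ("12 mixed case", MIXED_CASE, 12), ("12 mixed + punctuation", MIXED_PUNCT, 12)]
    for label, alphabet, length in cases:
        secs = seconds_to_exhaust(len(alphabet), length)
        print(f"{label:24} keyspace 2^{math.log2(keyspace(len(alphabet), length)):.1f}"
              f"  worst case {human_duration(secs)}")
    pw = generate_password()
    print("generated:", pw, "| in common list:", dictionary_hit(pw, SAMPLE_COMMON_PASSWORDS))
    print("'Password' in common list:", dictionary_hit("Password", SAMPLE_COMMON_PASSWORDS))
```

Running the script prints one line per case; going from 8 to 12 lower case characters multiplies the keyspace by 26 to the power 4, and moving to mixed case multiplies it again by 2 to the power 12, which is why each step in the article’s comparison jumps by orders of magnitude.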

Some simple solutions

Here are my thoughts on some simple, practical things you can do to strike the right balance between being as secure as possible, but also making things as convenient as possible. This advice may not be security “best practice”, but I believe it’s practical and hence has a chance of being implemented.

I suggest focusing your password management effort on critical services – your computer login, banking, email, cloud services which store your photos, as an example list. Decide which accounts are critical (think about what would happen if you lost access to them, or the data in them was hacked).

By definition, everything else is non-critical and can be treated with less diligence.

For the critical accounts:

  • Use strong passwords (see above).
  • Store these strong passwords in a password management tool, so you don’t have to remember them.
  • Use unique passwords – don’t reuse a password across multiple accounts.
  • Try to change the passwords on these accounts every 90 days. For personal passwords, I’d recommend setting a recurring reminder in your calendar or task list. Businesses can enforce password changes with policies.

Best practice would say that you do this for all your online accounts, but I don’t think that’s practical. So I suggest having a couple of passwords which you use for all non-critical accounts. As an example, I would class my account with my local cinema as non-critical. It’s convenient that they remember my details when I’m booking a film, but if I lose access to it then it’s not the end of my world.

Be mindful about what you do, and don’t do, with each service. Continuing the cinema example, I don’t allow them to store my credit card details, even though it is slightly more inconvenient to re-type them every time I book. This is because I’ve mentally categorised this account as non-critical, and hence insecure. That’s no reflection on my cinema’s website; it’s just that I can’t be bothered to carefully manage my password for my account with them.


We generally have a large number of online accounts, and managing the passwords for them is very difficult.

Everyone’s different. People have different levels of risk that they’re prepared to tolerate, and some are happy to trade security for convenience. Hopefully the tips in this article will let you find the right balance between the two. By concentrating on a small number of key accounts, and applying some simple approaches to managing these accounts, I feel like I’ve struck the right balance between convenience and being secure.