In a recent study, Deloitte reported that over 90 percent of passwords created by individual users are "vulnerable to hacking in a matter of seconds." This includes stupid passwords like "password" and "123456," but also includes "those considered strong by IT departments." The researchers determined that a dictionary of the 10,000 most common passwords would match over 98 percent of all secured accounts. How can you improve your passwords? Sophos suggests you just need to be smart.

Well, actually, they suggest you need to be S.M.A.R.T. That's a reminder to use five specific best practices when creating passwords: Strong, Multi-character, Avoid associations, Random, and Tools.

Sophos created an infographic to illustrate these points.

What's S.M.A.R.T.?

A long password is a strong password. Brute force attacks get exponentially tougher with each character you add. Many sites require that your password be at least eight characters long. Sophos suggests you go longer, much longer; "20-25 characters is a good goal." Think you couldn't remember such a long password? Try creating a passphrase instead.

Most password policies require multi-character passwords that include capital and small letters, digits, and punctuation. However, most people tend to stick with the most common punctuation marks. The Deloitte study notes that "although a keyboard has 32 different symbols, humans generally only use half-a-dozen in passwords." When permitted, use less common punctuation marks. And whatever you do, don't play leet-speak games substituting 3 for E, 5 for S, and so on, as those variations are already well known.

I ran across a cartoon recently that showed a boy holding his new puppy while his father reminded him that he'll be using the puppy's name as a security question answer for the rest of his life. That's a terrible idea, of course. If a hacker is actively trying to crack one of your accounts, he'll glean all the personal information possible from social channels. Your birthday, your pet's name, your child's name—these are all terrible passwords. Avoid associations!

Any common word is likely to be in a hacker's dictionary of common passwords, so you need to avoid those. Make your passwords as random as you can. Above all, don't use the same password on multiple sites. According to the Deloitte report, "the average user has 26 password-protected accounts, but only five different passwords across those accounts." A security breach on a seemingly unimportant entertainment site could expose your bank account if you re-used the same password.

Last and Best, Tools

How do you make a password easy to remember? Well, using some name or activity from your life might help. And yet, Sophos tells you to avoid associations. A short password would be easier, but they say you must go long. What to do? The answer, of course, is to install a password manager tool and then actually use it.

Choose a password manager that makes it easy to rate the strength of your existing passwords. Both LastPass and Dashlane will report on the strength of every password and will also flag passwords that you've re-used. Now act on the results of this report, eliminating duplicates and swapping weak passwords for strong ones.

If you'll always be logging in with the help of the password manager, you focus on long, random passwords generated by the utility. If you sometimes need to enter the password manually, perhaps on a non-PC device, at least keep the password long and varied. Staying S.M.A.R.T. will keep you safe.
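To make the length, dictionary, leet-speak and reuse points concrete, here is an added Python example (written for this page, not code from Sophos, Deloitte or any password manager) that audits a constructed set of accounts the way the strength report described above would. The six-entry common-password list, the account names and the 20-character "short" threshold are assumptions standing in for a real 10,000-word dictionary and a manager's own policy.

```python
import math

# Constructed stand-in for the "10,000 most common passwords" dictionary.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dragon", "monkey"}

# Leet-speak substitutions the article says attackers already know (3 for E, 5 for S, ...).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

CHARSETS = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10))
SYMBOLS = 32  # the article's count of keyboard symbols

def search_space_bits(password):
    """Brute-force search space in bits: length * log2(alphabet actually used).
    Shows why each extra character helps more than an extra symbol class."""
    alphabet = sum(size for test, size in CHARSETS if any(test(c) for c in password))
    if any(not c.isalnum() for c in password):
        alphabet += SYMBOLS
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def in_dictionary(password, common=COMMON_PASSWORDS):
    """True if the password, after undoing case and leet-speak, is a common word."""
    lowered = password.lower()
    return lowered in common or lowered.translate(LEET) in common

def audit(accounts, common=COMMON_PASSWORDS, min_length=20):
    """Return {account: [findings]} flagging dictionary, short and reused passwords,
    mirroring the per-password strength and duplicate report described above."""
    users_of = {}  # password -> accounts that share it (assumed plaintext input)
    for account, pw in accounts.items():
        users_of.setdefault(pw, []).append(account)
    report = {}
    for account, pw in accounts.items():
        findings = []
        if in_dictionary(pw, common):
            findings.append("dictionary")
        if len(pw) < min_length:
            findings.append("short")
        if len(users_of[pw]) > 1:
            findings.append("reused")
        report[account] = findings
    return report

if __name__ == "__main__":
    # Constructed sample accounts: one leet-speak dictionary word reused twice, one passphrase.
    sample = {"bank": "P@ssw0rd", "forum": "P@ssw0rd", "mail": "correct horse battery staple"}
    for pw in set(sample.values()):
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits")
    print(audit(sample))
```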
