Secure Passwords
Posted March 07, 2012 by Luke Chambers
Our work at Experia Digital involves a LOT of creating, storing, securing and communicating passwords. We've got quite good at it, and because of our passion for this security, we are often asked about good passwords as well.
A common question we get is: "What is a good password?" Before moving forward, think about it for a second. What does a good password mean to you?
Password test
Let's try a simple password quiz. Out of the following passwords, which ones do you think are good?
- zbG3sw9r3P3t5uQVS4Bf2P8HqS
- abc123
- *^U*R$FJ##__!#O#Kytu
- I love my house!!
Based on common knowledge and what is often recommended online, most people would say that passwords #1 and #3 are very good and the others are weak.
Really good passwords
But is that really true? Most people only think about a password in terms of length and complexity, but that's only a part of what makes a good password. In our experience, we rate the real security of a password on how well it answers the following questions:
- How often is it used? Do you use this password on only one site? Or is it shared across multiple accounts? The more often it is used, the LESS secure it is (no matter how complex or long).
- Where is it used? Is it your bank password? Your email password? Your password for an online forum that you don't care about? Even "test123" is a good password if you don't care about where it is being used.
- How is it used? Is the password transmitted via HTTPS? Used in a bank terminal? Forwarded in clear text (like FTP, HTTP, etc.)?
- How easy is it to remember? You don't need an easy-to-remember password if you use a password manager. But it is important if you don't use one.
- How long and how complex is it?
Did you see our list? The last thing we worry about is the size and complexity of the password. Why is that? First, because a password is only as secure as the place it is used in, how it is stored, and how it is shared and transmitted. You could use the password J#n42a2U*b67rP@bH&Ta#Xb2 (theoretically secure) in your Gmail account and in an online forum, but if that online forum is compromised (which is not as uncommon as you think), it's only a short step to try logging into your Gmail account with the same details, especially if you've registered on the forum with your Gmail address.
A Better Solution
A better solution is to have just a couple of good passwords remembered in your head (yes, long, complex and only used in high-security locations). All the other passwords should be stored in a password manager for easy access and use.
For example, you could have only 3 high-security passwords: one for your email account, one for your password manager software (where you store all your other passwords) and one for your online banking. That's the perfect solution...
If you can't (or won't) use a password manager, we recommend that you create password groups. Still remember 3 high-security passwords (email, banking and other very important uses). For the other sites, classify them in terms of importance (important, medium, don't care about, don't trust, etc.) and reuse the passwords within those groups. But never share a password between different importance levels.
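One way to check your own password groups against the two rules above (no reuse across importance levels, and the memorised high-security passwords used on exactly one account each). This is an added example, not part of the original post; the tier names and the sample account list are assumptions, and it runs on a local list such as a password-manager export.

```python
import hashlib
from collections import defaultdict

# Importance tiers from the "password groups" advice. The names are
# assumptions: the three memorised passwords sit in "high", the rest
# follow the post's "important, medium, don't care about, don't trust".
TIERS = ("high", "important", "medium", "dont_care", "dont_trust")


def _fingerprint(password: str) -> str:
    # Compare passwords by digest so the report never contains plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def audit_password_groups(accounts):
    """Check (site, tier, password) records against two rules:
    1. a password must never be shared across different importance tiers;
    2. a "high" tier password must be unique to a single account.
    Returns a sorted list of (rule, fingerprint, sites) violations."""
    by_fingerprint = defaultdict(list)  # fingerprint -> [(site, tier), ...]
    for site, tier, password in accounts:
        if tier not in TIERS:
            raise ValueError(f"unknown tier {tier!r} for {site}")
        by_fingerprint[_fingerprint(password)].append((site, tier))

    violations = []
    for fp, uses in by_fingerprint.items():
        tiers = {tier for _, tier in uses}
        sites = sorted(site for site, _ in uses)
        if len(tiers) > 1:
            violations.append(("cross-tier reuse", fp, sites))
        elif "high" in tiers and len(uses) > 1:
            violations.append(("high-tier password reused", fp, sites))
    return sorted(violations)


# Constructed sample data (not real accounts or passwords).
SAMPLE_ACCOUNTS = [
    ("gmail", "high", "correct horse battery staple"),
    ("bank", "high", "correct horse battery staple"),  # memorised password reused
    ("forum", "dont_trust", "test123"),
    ("other-forum", "dont_trust", "test123"),          # fine: same tier
    ("shop", "important", "test123"),                  # forum password on an important site
]

if __name__ == "__main__":
    for rule, fp, sites in audit_password_groups(SAMPLE_ACCOUNTS):
        print(f"{rule}: {', '.join(sites)} (fingerprint {fp})")
```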
Last modified by Luke Chambers on Mar 7, 11:25 PM
Luke Chambers has been helping build the web since 1994, and has a background in visual theory and new-media culture (BCA, UniMelb). He is an active member of the Information Architecture Institute (IAI) and of the ‘Social Web’ Incubator Group at W3C, and currently oversees User Experience design at Experia.