Yes, I said “longphrasesarethenewpasswords”. You’re probably thinking “huh, what is this language?” I meant, long phrases are the new passwords. Make more sense now? If not, I’m here to explain how (and why) password best practice has evolved in recent times, and what you should do now to ensure password security and protect yourself from losing access to your accounts.


The evolution of password attacks

For many years (decades for some), we’ve been told that our password needs to contain lots of random characters, numbers and even the odd special symbol ($%&”) to be secure. Yet, if you speak to anybody who works in IT, this has all changed – but why?

Previously, the easiest tool that hackers (and other curious people) used to “break” passwords was a dictionary attack (going through literally every word in the dictionary, one at a time). So the good guys said to use special characters in your passwords, like %$£”$, so that these dictionary attackers would be stopped in their tracks. This worked – for a short period, until the bad guys got new tools…


The other main way of breaking passwords is a brute force attack, which tries every combination of letters, starting at a and ending with zzzzzzz, etc. Years ago this approach wasn’t very widely used, mainly because of the speed of computers: if the password was over about 8 characters, it would take years to crack on a standard desktop computer.

However, that all changed with the advent of graphics cards. Instead of using a desktop computer – which originally just had 1 thread of “power”, and now has 8 (or even more) – graphics cards can have upwards of 4,000 power threads. Suddenly, what previously might have taken 16 years on a single threaded computer could take only 1.4 days. Those passwords with special characters don’t look anywhere near as safe now, do they?


This is before we even talk about cloud computing, which offers the ability to pay on demand for the resources you want, and which can be used by hackers for their own ends. Want 500x GFX cards just for an hour (or equivalent)? Cloud services allow you to hire this with no upfront cost, from as little as $24 an hour. Faced with this scenario, short passwords (those under around 12 characters) don’t seem such a good idea, whatever they contain.

So, if passwords with special characters are no longer good practice – what is?

How to increase your password security

Using these three techniques will make your cyber security better than 99% of people:

1. Use a long string of words as a password

Take the title of this post: it’s 29 characters long but actually really easy to remember – much easier than a combination of random letters, numbers and characters. Alternatively, use a password manager service such as LastPass or OnePass to generate and store long (20+ character) passwords. (At an organisation level, at Box UK we use Passwordstate to manage passwords across teams and departments, in line with our ISO 27001-accredited Information Security Management System.)
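To put numbers on the brute-force scaling described above and on the passphrase advice in this tip, here is an added example (not code from the original post) that estimates how long an exhaustive search would take for a candidate password at a single-thread rate and at a ~4,000-thread graphics-card rate. The guess rates and the sample passwords are constructed for illustration; real cracking speed depends on how the site hashes its passwords.

```python
# Added example, not from the original post: estimate brute-force effort for a
# password at single-thread vs. ~4,000-thread (graphics card) guess rates.
import math
import string

# Constructed guess rates (guesses per second), for illustration only.
SINGLE_THREAD_RATE = 1_000_000
GPU_RATE = SINGLE_THREAD_RATE * 4_000        # ~4,000 threads, as in the post
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60
MIN_LENGTH = 12                              # the post's rough length threshold


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set covering the password.
    An attacker who knows only which classes were used must try every
    combination drawn from those classes."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)      # 32 symbols
    return size


def brute_force_years(password: str, rate: float) -> float:
    """Years to exhaust every password of this length over the same classes."""
    return alphabet_size(password) ** len(password) / rate / SECONDS_PER_YEAR


def assess(password: str) -> dict:
    """Summarise length, character set, entropy in bits and crack time."""
    size = max(alphabet_size(password), 1)   # avoid log2(0) for an empty string
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(len(password) * math.log2(size), 1),
        "cpu_years": brute_force_years(password, SINGLE_THREAD_RATE),
        "gpu_years": brute_force_years(password, GPU_RATE),
        "long_enough": len(password) >= MIN_LENGTH,
    }


if __name__ == "__main__":
    # Constructed samples: a short "complex" password vs. the post's title.
    for pw in ("P@ssw0rd!", "longphrasesarethenewpasswords"):
        print(pw, assess(pw))
```

The 29-character all-lowercase title comes out at roughly 136 bits against about 59 bits for a 9-character mix of all four classes, so the GPU rate shrinks the short password's search far more than it matters for the long one.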


2. Do not use the same password on multiple sites

If one of the sites gets hacked, unless the site owner practised good security (which is unlikely, if they got hacked), the attacker might be able to work out the password you used and access more of your accounts with it. It’s therefore important to have a different password for each online account you have, and, as above, a password manager can store these securely to save you having to remember them.

3. Use two-factor authentication where possible

Two-factor authentication (2FA) means you won’t just need your password to get into your account, but also another “token” of some description – usually a code sent by email/text message, or a specially generated number that changes within an application on your phone. With two-factor authentication, even if an attacker steals your password, they still cannot access your account without this second factor.


Security on the internet is a constantly-changing landscape, and as hackers continue to find and use more tools, users need to adapt accordingly in order to stay ahead. You can do this by following the tips above, listening to industry leaders, and always following the current best practices, to help keep your online accounts safe and secure.

About the Author

Alistair Gibbs

Head of IT

Alistair has been working in the industry for the past decade both in the UK and Europe, supporting internal and external clients in various roles. Operating within a fast-paced environment, Alistair is experienced in numerous technologies such as Amazon Web Services, Windows Servers, Switching, Firewalls, Desktops, and everything in between.