Another Perspective on Passwords

The standard advice for creating passwords has long been this: use a long string of completely random letters (upper- and lowercase), numbers and special symbols. Make it so long and complex that nobody is able to guess (or remember) it, and it would take a computer billions of years to crack.

But recently a different perspective has emerged: what if a password were still long enough to hold off a brute-force, script-based attack for long enough that the attempt isn’t worthwhile, but was made of words you could actually recall without opening your password manager app or plugin? What if you used something like a string of four random words?

Let’s look into a few options. I’ll be using the website How Secure Is My Password? to compare. Results on the site are given in the form of “It would take a computer about [length of time] to crack your password” (or “Your password would be cracked INSTANTLY” if you put in a real clunker like “abc123” or “password”). The results from this site are simply an estimate (not a guarantee), but the site is useful for determining whether a password is lousy, decent, or excellent.

First, an example of the old random-string-of-characters method:

84xNMat88xy4TkVTE^5!UQty: 1 OCTILLION YEARS

Yeah. That is an unfathomably long time. Written out, that’s 1,000,000,000,000,000,000 years. If the universe is 13.82 billion years old, it would take a computer almost 72.5 million TIMES that long to crack your password.

In other words, that’s a very strong password. But now try to memorize it.

Now let’s try a string of four random words (“wheel,” “grout,” “oyster” and “button”), no spaces, all lowercase:

wheelgroutoysterbutton: 11 TRILLION YEARS

Now, technically, that’s not as secure as 1 octillion years. But on a practical level, we’re still in “might as well be forever” territory. You’re going to be pretty well-protected against a script-based hacking attempt.

What if we add a number, or a number and a symbol, capitalize the words, or put dashes or spaces (not all online accounts allow these) between the words?

wheelgroutoysterbutton7: 494 QUADRILLION YEARS
wheelgroutoysterbutton7%: 76 SEXTILLION YEARS
WheelGroutOysterButton: 45 QUINTILLION YEARS
wheel-grout-oyster-button: 17 SEXTILLION YEARS
wheel grout oyster button: 169 SEXTILLION YEARS

They’re all fine options. You’ve actually got a fighting chance of remembering them if needed, and an even better chance of typing them correctly when your password manager app/plugin isn’t available (or isn’t playing nice with a website, which does happen).

So it’s really a matter of what you’re comfortable with and what the website you’re using requires (some force you to use at least one uppercase letter, number and symbol).
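To make the comparison above concrete, here is an added Python example (not from the original post or from the How Secure Is My Password? site) that sizes the search space under two attacker models: character-level brute force, which is what such estimators assume, and a word-level search by an attacker who knows the words came from a list. The guess rate and word-list size are assumed values.

```python
import math

# Assumptions (constructed for this example, not from the page or the site):
GUESSES_PER_SECOND = 1e10     # offline attack against a fast unsalted hash
WORDLIST_SIZE = 7776          # diceware-sized list the words were drawn from
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def char_space(password: str) -> int:
    """Alphabet size a character-level estimator infers from the classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33   # the remaining printable ASCII characters, space included
    return size


def brute_force_bits(password: str) -> float:
    """Bits credited by character-level brute force: log2(alphabet ** length)."""
    return len(password) * math.log2(char_space(password))


def wordlist_bits(num_words: int, extra_bits: float = 0.0) -> float:
    """Bits a word-level search must cover: log2(WORDLIST_SIZE ** num_words).

    extra_bits covers genuinely random additions only: a random trailing digit
    is worth log2(10); a fixed separator or predictable capitalisation adds nothing.
    """
    return num_words * math.log2(WORDLIST_SIZE) + extra_bits


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try the whole search space at the assumed guess rate."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed comparison using the page's own candidates.
    print("random string:", round(brute_force_bits("84xNMat88xy4TkVTE^5!UQty")), "bits")
    for pw, extra in [("wheelgroutoysterbutton", 0.0),
                      ("wheelgroutoysterbutton7", math.log2(10)),
                      ("wheel-grout-oyster-button", 0.0)]:
        bf, wl = brute_force_bits(pw), wordlist_bits(4, extra)
        print(f"{pw}: char-level {bf:.0f} bits ({years_to_exhaust(bf):.2e} years), "
              f"word-level {wl:.0f} bits ({years_to_exhaust(wl):.2e} years)")
```

Under the word-level model the four-word passphrase falls from trillions of years to a matter of days at the assumed rate, which is why the words must be chosen at random and why adding a fifth word strengthens it far more than a trailing digit does.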

However, bear in mind that this type of brute-force attack is probably not even remotely the biggest threat to your online accounts. It doesn’t matter HOW many octillion years it would take a computer to guess your password if you fall for a phishing email and type it into a compromised website, or if the company that owns the website keeps its list of logins and passwords in a plain-text file and experiences a data breach.

Your best practice, regardless of the type of passwords you use, is to change them regularly, avoid reusing them across different sites, and know how to recognize a phishing attempt.