We are continually working to strike a balance between usability of district technology to support our educational mission on one hand, and the need to protect our systems, network, data, and ultimately the students, staff, and families whom we serve on the other. In the case of passwords, we may be able to accomplish both at the same time.
For many years, there was a belief that complex, difficult-to-remember passwords using combinations of characters, symbols, and numbers were ideal for password security. While there is absolutely some truth to this – @pP1E! is harder to guess than apple, for example – passwords became so complex that most people turned to repeating them across multiple sites, writing them down, or using other insecure tactics to manage these complicated passwords.
While I’ll follow up with a post regarding the tremendous value of Password Manager applications, here I want to focus on the passwords themselves. Rather than double down on complexity, there is an easier solution:
Passphrases
Think of a passphrase as a short sentence used as a password, like: ireallylikecandy
Passphrases have two key benefits. The biggest is length. Per the National Institute of Standards and Technology (NIST), password length is critically important in protecting passwords from hacking attempts. The second benefit is ease of memorization. Remembering a phrase is likely to be easier than remembering the intricacies of a shorter password with greater complexity.
Demonstrating Strength
In order to show the relative ease of cracking different passwords, I’ve utilized the “How Secure is my Password?” tool at security.org to find out how long it would take a computer to crack each of the passwords in the table below (please don’t set any of these as your password after reading this).
Password or Passphrase | Character Length | How long to crack? |
apple | 5 | instantly |
password | 8 | instantly |
052650 | 6 | 25 microseconds |
@pP1E! | 6 | 5 seconds |
m973E@ | 7 | 5 seconds |
monster! | 8 | 3 minutes |
M0n$tEr! | 8 | 8 hours |
Pq#6Q4Pfs | 9 | 3 weeks |
ilovethesnow | 12 | 3 weeks |
taconightrules | 14 | 51 years |
ireallylikecandy | 16 | 34 thousand years |
mydogbarksattrucks | 17 | 23 million years |
thebearsbeattheniners | 21 | 400 billion years |
As you can see, avoiding common passwords (like password or apple) matters, as does complexity (making monster! more complex adds hours to the time it would take to crack), but nothing can compete with length. The time to crack the listed passwords increases exponentially as you add character length beyond 8, and passwords of 14 characters or greater cannot be easily cracked with modern password cracking algorithms and processing power.
While a very long, very complex password would be very secure, it would also be very difficult to remember. This isn’t a problem if you’re using a password manager (which I’ll discuss in a later post), but for passwords used to log in to your computer, for example, you need something you can remember and type. I’d argue that taconightrules, which would take 51 years to crack, is far easier to remember than the shorter Pq#6Q4Pfs, which would only take 3 weeks.
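The length-versus-complexity comparison above can be reproduced with a short calculation. This is an added example, not the method used by the tool cited in this post: the guess rate and the small common-password list are assumptions, so the times will not match the table, but the ordering does.

```python
import math
import string

# Assumption: offline attacker speed. Pick your own figure; only the ratios matter.
GUESSES_PER_SECOND = 1e10
# Constructed sample; real checks use large lists of breached passwords.
COMMON = {"password", "apple", "123456", "qwerty", "letmein"}
# Character classes an exhaustive search has to cover (printable ASCII only).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")
UNITS = [("years", 31_557_600), ("days", 86_400), ("hours", 3_600),
         ("minutes", 60), ("seconds", 1)]

def pool_size(pw):
    """Alphabet size implied by the character classes the password uses."""
    if any(all(ch not in c for c in CLASSES) for ch in pw):
        raise ValueError("only printable ASCII is modelled here")
    return sum(len(c) for c in CLASSES if any(ch in c for ch in pw))

def entropy_bits(pw):
    """Upper bound on strength: length * log2(alphabet size)."""
    return len(pw) * math.log2(pool_size(pw)) if pw else 0.0

def seconds_to_exhaust(pw):
    """Worst-case time to try every candidate of this length and alphabet."""
    if pw.lower() in COMMON:
        return 0.0  # a wordlist finds these before any exhaustive search starts
    try:
        return pool_size(pw) ** len(pw) / GUESSES_PER_SECOND
    except OverflowError:
        return math.inf

def humanize(seconds):
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return "under a second"

if __name__ == "__main__":
    # Passwords taken from the table above.
    for pw in ["apple", "052650", "monster!", "M0n$tEr!", "Pq#6Q4Pfs",
               "ilovethesnow", "taconightrules", "ireallylikecandy"]:
        print(f"{pw:18} len={len(pw):2} pool={pool_size(pw):2} "
              f"bits={entropy_bits(pw):5.1f} {humanize(seconds_to_exhaust(pw))}")
```

Treat the result as an upper bound: it assumes characters are chosen at random, which a phrase built from ordinary words is not.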
Changing Your Password
I’d encourage you to test your own password security using a tool like How Secure is my Password, and to check whether your email address has been included in any data breaches (this is fairly common) with a site like Have I Been Pwned. ICCSD students and staff members who are interested in changing their district login password after reading this can do so on Windows devices by pressing ctrl+alt+delete and then clicking “Change Password”, or on any other device by navigating to https://password.iowacityschools.org, logging in, and clicking “Change Password”.
Keep an eye on the ICCSD Technology & Innovation for other cybersecurity tips!