Passwords need to be complex. “Complex” in this case means:

  • Be at least 8 characters long; preferably 10 at a minimum
  • Not be a word in the English dictionary
  • Have at least one upper-case (capital) letter
  • Have at least one lower-case letter
  • Have at least one special character (!#$%^&)
  • Have at least one numeral (0-9)
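Here is an added example (my code, not from the original post) that turns the six rules above into a checker you can run. The tiny word list standing in for "the English dictionary" is constructed for the example; a real check would load a full word list. It goes one step beyond the rules as written: it also rejects a dictionary word with digits tacked on the end, which catches the "peanut63" style of password the post warns about later.

```python
import re

# Constructed stand-in for an English dictionary; a real check loads a full word list.
DICTIONARY_WORDS = {"hello", "peanut", "password", "welcome", "letmein"}

# The special characters the post lists.
SPECIAL_CHARS = set("!#$%^&")


def password_problems(password, min_length=8, dictionary=DICTIONARY_WORDS):
    """Return the list of rules that `password` breaks; an empty list means it is complex."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character (!#$%^&)")
    # Dictionary rule: reject the password if it *is* a word, or a word with digits
    # appended (the "peanut63" case); case is ignored for the lookup.
    core = re.sub(r"\d+$", "", password).lower()
    if core in dictionary:
        problems.append("based on a dictionary word")
    return problems


def is_complex(password, **kwargs):
    """True when the password satisfies every rule in the post."""
    return not password_problems(password, **kwargs)


if __name__ == "__main__":
    for candidate in ("hello123", "peanut63", "6^1froGb#!!", "4a!#BcD"):
        print(candidate, "->", password_problems(candidate) or "complex")
```

Running it shows "hello123" failing three rules (no capital, no special character, dictionary word), "peanut63" failing the same three, the post's "6^1froGb#!!" passing, and the seven-character "4a!#BcD" failing only the length rule.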

I have heard a lot of questions and complaints about these new requirements, and the first question is usually “WHY?”

I’ll make this as simple as I can: Well-programmed websites (Amazon, Netflix, etc.) have no idea WHAT your password is.

To be specific, they don’t know what you typed when you created your account password ‘lo those many years ago.

What happens is that when you create your password, the web page does some weird-ass one-way math on it and scrambles it all up into something we propeller-heads call a “hash.” So, you may type “hello123” as your password, but after the one-way math on it, that becomes $%xpp6& and that hash value is what the website stores as “your” password.

The next time you log in, it does the math again on whatever password you provide, and then compares that to the stored value. If they match, you typed the same password, and are allowed in. If they don’t match, you didn’t type the right password, and you’re denied access.

I said ‘one-way math’ because it’s impossible to take the stored hash value, do some reverse-fancy-math on it and get your original password. That’s the entire point of using one-way-math.

However, those nefarious folks what want to steal your identity (and money!) have powerful computers at their disposal. What they learned to do a long time ago is pre-compute the hash values of every word in the English dictionary. So if your password is, say, “peanut63”, then they probably already have a hash value for that.
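The following is an added example, not the post's code, showing the two ideas just described side by side: the "one-way math" that turns a password into a stored hash and is re-run at login, and a precomputed table of dictionary-word hashes that lets an unsalted hash of "peanut63" be looked up instantly. It goes a step beyond the post in the second half: a well-programmed site mixes a random per-user salt into a slow key-derivation function (PBKDF2 here, my choice) so that no table computed in advance matches its stored values. The precomputed table and the password values are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- "One-way math" exactly as the post describes it: hash the password, store the hash ---
def plain_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed stand-in for an attacker's precomputed table (hash -> word), built once,
# ahead of time, from dictionary-style passwords.
PRECOMPUTED = {plain_hash(w): w for w in ("hello123", "peanut63", "password1", "letmein")}

def lookup_in_precomputed(stored_hash: str) -> Optional[str]:
    """Return the password if the precomputed table already holds this unsalted hash."""
    return PRECOMPUTED.get(stored_hash)

# --- What a well-programmed site does instead: salted, deliberately slow derivation ---
ITERATIONS = 200_000  # assumed work factor; tune upward as hardware gets faster

def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Create the record the site stores; the password itself is never kept."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def verify(password: str, record: dict) -> bool:
    """Re-run the same math on the typed password and compare against the stored value."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # Constant-time comparison so the check itself leaks nothing about the stored hash.
    return hmac.compare_digest(candidate.hex(), record["hash"])


if __name__ == "__main__":
    # Unsalted: the table already contains the answer.
    print("unsalted lookup:", lookup_in_precomputed(plain_hash("peanut63")))
    # Salted: the same password yields a different stored value for every user,
    # none of which appears in any table computed in advance.
    rec_a, rec_b = make_record("peanut63"), make_record("peanut63")
    print("same hash for two users?", rec_a["hash"] == rec_b["hash"])
    print("in precomputed table?", lookup_in_precomputed(rec_a["hash"]))
    print("login with right password:", verify("peanut63", rec_a))
    print("login with wrong password:", verify("peanut64", rec_a))
```

Note that salting only defeats the precomputed table; a weak password can still be guessed one user at a time, which is why the complexity rules at the top still matter.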

By using a “complex” password, you thwart an attempt to figure out your password through brute force.

“6^1froGb#!!” isn’t in anyone’s dictionary.

And the raw computer power required to compute every possible hash value for a 10-character password that uses the rules above will take, literally, billions of years. We’ll all be loooong gone before someone cracks THAT code.

Some password questions I get:

Q: Can I use the same complex password for all my accounts, (mail, Amazon, brokerage account, bank, retirement account, etc.)?

A: You CAN, obviously, if it fits all those different websites’ password rules. SHOULD you? I say no, because on the off chance someone manages to obtain the password (you wrote it down on a Post-It and then lost the Post-It, for example) your entire online life is now open to that person. You should use a different complex password for every important account.

Q: But how can I remember all those different passwords?
A: No problem. Here’s what you do:

1. Create a six to eight character complex password, say 4a!#BcD.
2. That is your “base” password. You can use the BASE to create other passwords.
3. Then, you use prefixes or suffixes to indicate which site or account uses that password:

AM4a!#BcD    – Bank of America
AZ4a!#BcD    – Amazon
SH4a!#BcD    – Charles Schwab
KS4a!#BcD    – Kaiser Medical

…and so on. So you only have to remember the one complex password BASE that you create, then modify the first characters as needed, and that gives you a unique yet complex password tailored to each website.
