Currently, password requirements are at least eight characters, of upper and lower-case letters, numerals, and symbols such as – or _. The resultant typically is exactly eight characters, beginning with an upper-case character, and ending with a symbol or the numeral “1”. Invariably, it is a recognizable name easily associated with the user’s environment (child or pet). Worse yet, I know of a college that permits a max of nine characters of either numbers and lower-case letters, only.
Changing a password usually consists of the last character being changed, “1” is “7”, “!” is “.”, etc. The rules are known to criminals. Additionally, they know who enforces periodic password changes, such as the Social Security Administration (a change every six months).
Hackers have ga’gillions of stolen passwords and incorporate them in password-cracking software programs. They also have massive computing power that can try billions of possible passwords per hour. Most of which are cracked within small fractions of seconds.
Simply, more than twenty years of training taught us to create passwords that are difficult to remember, but easy for computers to crack.
Password generators produce longer, more random passwords. Password managers are often employed to keep track of them and associate the credentials to the site for which they apply.
Online Password Managers have been breached, proving that it remains a secret only if you keep it, yourself. In my day, that was the definition of a secret.
Password Safe is my personal choice for managing my 287 account credential recorded. I retain it on an encrypted portion of my hard disk and encrypted on my cloud account. Sometimes, I carry a link to the cloud account on a USB Flash drive.
Unfortunately, most websites thwart password managers from automatically entering the credentials with a two-screen entry method or blocking the auto-fill process. That is because the admins do not understand that they provide a service. Their job is to prevent access to accounts by unauthorized individuals. Their rules are pretentious, forcing users to be less secure; it is a shift away from service.
What I know is that “longer is stronger” and 38 characters total is the magic number for not cracking passwords with the current technology criminals use. That will change but, even so, the time required to hack even 20-character passwords will require more time than the system is willing to spend. My passwords go on for more than 18 characters.