top of page

All About Passwords

Good news! The most commonly used password today is no longer the easy-to-guess "password". That's right! It's been replaced with "123456". Those of you using "password" can rest easy now (not).

Your password might not be either of those above, but there's a good chance it can be sussed-out nearly as fast. In this article, I'll discuss the state of password security today and how to stay safe.

Back in the day, an eight character password was considered reasonably safe. Not anymore. And just adding a couple of numbers to the end isn't going to cut it, either.

man at computer trying to remember his password

The following list are all recommended suggestions for maintaining high quality password security and integrity.

  • Never use the same password on multiple websites, especially those on which you've ever provided personal information, such as an online retailer, email, banking, brokerage, social media, etc.

  • Passwords should be at least 15 mixed characters and the more the better

  • Should not be stored in unprotected ways, such as the "Notes" section of your contacts. e.g. Storing your banking password in your contacts under the name of your bank is not good.

  • Avoid logging into sensitive accounts from any computer that isn't under your full time control. Never use computers in a hotel's guest business center; there's a fair chance it's been infected by a previous guest. Logging in using a friend's computer is safer but do so sparingly.

  • Connecting to an open and unlocked public wi-fi should be done sparingly. Better yet, if you can, connect your laptop to the internet using your smartphone's personal hotspot feature.

Password crackers are smart

When a password cracker is trying to figure out passwords, they never start with the "brute force" approach. Brute-force simply means trying every possible combination of characters until a hit is made. Yes, it's one approach they use, but it's slow compared to other approaches so they save it for last.

 

Instead, they try popular password lists, common word lists, and apply programming rules in order to crack passwords without trying every possible combination. By combining these advanced techniques and using a very powerful custom-built computer, a password cracker can make billions of guesses per second! The rig pictured here costs less than $10,000, making it affordable to any determined hacker.

You might say "But how can a hacker make several billion guesses per second? No one can type that fast, and besides, won't the website they're trying to break into limit the hacker to five or ten guesses?"

password cracking rig

Custom password-cracking rig

Yes, that's true enough, but that's not how password cracking works. Password cracking is performed offline against a stolen database containing millions of usernames and passwords. Such offline attacks aren't affected by web server security that may limit you to five or so login attempts.

It's beyond the scope of this article to go into the highly technical details of how, exactly, password crackers do their thing. Just please understand and accept that it's true. Or you can Google it for yourself -- be warned, that's a very deep rabbit hole.

So you'll want to create passwords that are hard for a password cracker to guess, even though they are making many billions of guesses a second. How to do that?

Passphrases

Passphrases are an easy way to beef-up your passwords. It's better than using single-word passwords even with a number or two stuck to the end. If you met your wife Sally in Memphis, how about something like "IMetSallyIn1990inMemphis". This password has twenty-four characters consisting of uppercase, lowercase, and numerals -- it's very strong and could likely never be brute-forced during the remaining time humans have on this planet -- certainly not within your children's lifetimes, anyway.

Nor is it likely to fall to a rules-based attack where the cracker applies sophisticated guessing rules.

There's a webcomic by Randall Munroe called XKCD that's a favorite among geeks. One of his comics explains how a simple passphrase made up of four common words is more secure than pretty much any password most people usually think up.

 

Yes, I know, the comic is pretty geeky requiring one to grok "bits" and "entropy", among other ideas. I did say it was a favorite among geeks.

xkcd password strength.png

Popular Quotes as Passphrases

Do not use popular sayings or quotes. They are likely already cataloged in the word and phrase lists that password crackers use. e.g. The passphrase "FourScoreAndSevenYearsAgo" would (probably) be cracked in seconds even though it's nice and long.

Don't use popular bible verses. The entire text of the Old and New Testament is (probably) already cataloged.

Don't use movie quotes. Pulp Fiction is full of excellent quotable lines which, in turn, makes them useless as passphrases. There's not a quote in the entire movie that would stand more than a few minutes in the hands of a password cracker.

If it's something you heard somewhere, especially if it's cool and memorable, then don't use it because the password crackers have likely heard and catalogued it all and they share with each other. The only passphrases worth using are ones that are personal to you that you make up yourself like the "Sally in Memphis" example. Of course, any version of "correct horse battery staple" is totally off-limits.

The key is to choose a passphrase that exceeds twenty characters. It'll probably be mostly lowercase and that's ok as long as you include at least one character from each of these types: Uppercase, Lowercase, Numeral, and Special Character (period, dollar, hyphen, etc.)  Adding characters from each of these types increases entropy, making the password that much harder to crack.

Password Management -- Remembering all those bloody passwords

Even though passphrases can be easier to remember than a deliberately mangled single-word password, you'll still need to remember a lot of them if you want follow good password hygiene. There's several approaches you can take here.

  • The best old school approach is to buy a spiral notebook and dedicate 2-3 inches of space to each web account. That way, you have plenty of room for notes and corrections associated with each website. Use a pencil so you can edit later. Jot down everything you'd ever need to know: Username, password, answers to security questions, account numbers, etc. A spiral notebook cannot be hacked so it's actually a very safe way to record passwords. Write neatly so you can read it later.

  • Save all your passwords in a password-protected Word file (Use a passphrase here, too). Then every time you edit and save the file, print it out as well so you'll have a hard copy, in case your computer dies.

  • Use a password manager program. These are database programs that store passwords, synchronize them between various devices, and auto-fill password boxes in your web browser. This approach requires some tech savvy and dedication to the task.


More on Password Managers

Password Managers are programs that, well, manage passwords. But they do it safely and offer additional features. They hold all your passwords in a secure database that is, itself, protected by a master password. Password managers can also auto-fill password boxes in your browsers and help you generate super-strong passwords for new online accounts that you create.

All the popular browsers (Chrome, Firefox, Edge, Safari, etc.) also have password managers built-in at no cost. They work well enough but are not compaticle with each other. If you use multiple browsers then you'd have to separately teach each one. A proper password manager like LastPass or 1Password can auto-fill your passwords into any browser once it's learned your passwords.

Password managers also help protect your from phishing emails that try to trick you into logging into fraudulent, look-alike, websites. While you, a silly human, may be fooled by a fake Bank of America login page, a password manager would never be tricked like that. Using a password manager, you'll know right away if a login page is fake because the password manager will refuse to auto-fill the username and password.

Another advantage to password managers is they free you from having to remember passwords at all. And since you no longer need to remember them, the password manager is free to create long and random passwords that are insanely secure. Personally, I don't recommend using random passwords due to the off chance that you may need to type it in manually. Typing in a passphrase is much easier than a bunch of random letters and symbols.


Passwords managers automatically sync between your devices so you should rarely have to manually type a password again.

Two Factor Authentication

Two Factor Authentication, or 2FA (also called Two-Step Verification), is a feature increasingly offered by websites these days. When a website account is protected with 2FA, then you must provide two different forms of identity in order to access the account. The first is your password as usual, and the second is generally a random six digit number displayed on your smartphone. This way, if a hacker managed to figure out your password, they would be unable to access your account because they would not have your smartphone and so could not get the six digit number. There are ways around this, but generally the attackers will just move on.

The website TwoFactorAuth.org lists hundreds of popular websites and whether or not they offer 2FA. Check to see if the websites that are important to you offer 2FA. If they do, then take advantage of it! If not, complain to the website owner.

Setting up 2FA is not entirely painless. It must be done correctly lest you lose access to your own accounts. e.g. Authorizing your phone to be the security token, creating emergency backup code keys, setting up alternate email address for account recovery, etc. This is where an I.T. pro like me comes in. I know how to set these up properly to keep you safe!

Insecurity Questions

Lots of websites ask you to give answers to one or more security questions as part of a new account signup process. Questions like "name of your first pet", "name of high school that you graduated from", "best childhood friend", etc... These questions are there to help you recover account access in case you forget your password. But it's insecure if you give truthful answers. Bad guys can figure all this out easily enough using social media and social engineering techniques.

Instead, provide false nonsense answers to these questions. I know a guy who answers them all with "beer". Just remember to jot down your false answers so you can enter the answers correctly later on if the need arises. But since you'll be following my advice by recording your passwords in a notebook or using a password manager, then you won't even forget your passwords in the first place. Right?

Brave New World

Security professionals everywhere constantly grapple with these opposing forces: Security vs. Convenience. TSA; metal detectors in government buildings, in sports venues, and concerts; and more. Same thing applies to computers and websites. Greater security means more hassles for legitimate users.

Imagine the ruin you could face if your bank or brokerage accounts are hacked into. If your business email or cloud accounts like Dropbox were hacked and your confidential info or your client's was ransacked and exposed, your liability could be limitless.

I know that all the things I've discussed and suggested above can be unnerving and even a PITA to follow. Who can possibly remember hundreds of passwords that all have to be different and complex? But this is the reality of living online today. Security is simply too important to neglect and as our lives and businesses are ever more conducted online, good security is critical. Disregard at your peril.

bottom of page