From The Urbach Letter – February 2012


The Password Game

It's a high-stakes game we play. Win and you get to keep your money, your privacy, and your sanity. Lose, and you can lose big. But the deck is stacked against you. Coming up with good passwords and remembering them is hard. That's why so many folks take the easy way. Kid and pet names, birth dates, nicknames, "password," and other easily guessable choices leave you open to easy hacking, followed by potentially grave consequences. And remember, it's not only your choice of password that puts you at risk, it's also the way you manage your "secret."

Here are the biggest password mistakes most people make:

1. Use the same password for multiple accounts/logins (this is the BIG one).

2. Include any personal publicly known information (names, birth dates, etc.).

3. Any single word that can be found in a dictionary (it will be cracked in seconds).

4. Keyboard patterns (e.g. qwerty, asdfgh, qazwsx).

5. Sequential letters or numbers or patterns (1234, 4321, zyxw, abc123, etc.)

6. All lowercase, all uppercase, or all numbers.

7. Same password as login name (very common and dumb).
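The seven mistakes above are all mechanically checkable, which is how site-side password validators catch them before a weak password is ever accepted. The following is an added example (not from the original article) that encodes each rule as a small test and reports which ones a candidate password trips. The word list and keyboard layouts are constructed stand-ins; a real checker would load a full dictionary and a "worst passwords" list, and the sequence check is deliberately aggressive (three characters) so that abc123 and 1234 are both caught.

```python
import string

# Constructed mini wordlist for the demo; a real checker would load a full
# dictionary (plus the published "worst passwords" lists) instead.
COMMON_WORDS = {"password", "monkey", "dragon", "baseball", "sunshine",
                "football", "shadow", "master", "superman", "letmein"}

# Keyboard rows, the digit row, and the q-a-z / w-s-x column walk; any 4-key
# stretch of these (forwards or backwards) counts as a keyboard pattern.
KEYBOARD_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "qazwsxedcrfvtgbyhnujmikolp")


def _contains_keyboard_run(password, minimum=4):
    p = password.lower()
    for run in KEYBOARD_RUNS:
        for seq in (run, run[::-1]):
            for i in range(len(seq) - minimum + 1):
                if seq[i:i + minimum] in p:
                    return True
    return False


def _contains_sequence(password, minimum=3):
    """True if some window of `minimum` chars steps +1 or -1 each time (1234, zyxw, abc)."""
    p = password.lower()
    for i in range(len(p) - minimum + 1):
        window = p[i:i + minimum]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def _character_classes(password):
    """Which of lower / upper / digit / symbol the password draws from."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def find_password_mistakes(password, login="", personal_info=(), passwords_in_use=()):
    """Return the list of the article's seven mistakes that `password` commits.

    `personal_info` is an iterable of strings the user is publicly tied to
    (names, birth year); `passwords_in_use` holds passwords already used elsewhere.
    """
    mistakes = []
    p = password.lower()
    if password in passwords_in_use:                                 # 1. reused across accounts
        mistakes.append("reused")
    if any(item and item.lower() in p for item in personal_info):    # 2. personal, public info
        mistakes.append("personal_info")
    if p.rstrip(string.digits) in COMMON_WORDS:                      # 3. dictionary word (even with digits tacked on)
        mistakes.append("dictionary_word")
    if _contains_keyboard_run(password):                             # 4. keyboard pattern
        mistakes.append("keyboard_pattern")
    if _contains_sequence(password):                                 # 5. sequential letters or numbers
        mistakes.append("sequential")
    if len(_character_classes(password)) < 2:                        # 6. all lower, all upper, or all digits
        mistakes.append("single_character_class")
    if login and p == login.lower():                                 # 7. same as the login name
        mistakes.append("same_as_login")
    return mistakes


if __name__ == "__main__":
    for candidate in ("qwerty", "abc123", "Monkey1", "jsmith", "T3h-Qu!ck#Br0wn"):
        print(f"{candidate:18} -> {find_password_mistakes(candidate, login='jsmith', personal_info=('Smith',))}")
```

A password that returns an empty list has merely avoided the listed blunders; it can still be short, and length is the subject of the "Size Matters" section below.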

If you are guilty of any of the above password infractions (and I KNOW YOU ARE), then it's time to up your game. This ain't 1995 anymore. You didn't bank online back then, enter your credit card and personal info in dozens/hundreds of places, or in general, have this much of your life accessible to legions of evildoers worldwide. The bad guys have easy access to very sophisticated password cracking software and desktop computers fast enough to run through millions of tests and trials. Your weak password will likely not withstand a determined attack, exposing you to all kinds of potential nastiness. (Believe me, you don't want to find out how nasty.)

The Worst Passwords of 2011

Splashdata, as developer of a password app, was able to compile a list of the 25 most commonly used passwords of 2011. This automatically makes them terrible. If yours is here, change it immediately:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football

Half are only six characters long and none are longer than eight. It's interesting to note that men frequently use their hobbies or favorite sports/teams as passwords, while women are more likely to use personal names. Hi Ashley, Bailey, and Michael! (I have no explanation for monkey, shadow, or superman.)

Now, at least you know which passwords are particularly bad. C'mon, you're better than this. Fortunately, it's not that difficult to win the password game.

Here's what you need to do:

1. "Harden" ALL your passwords. (There is a definite "weakest link in the chain" risk, especially if you ignore the next recommendation in this list.)

2. Make up a unique password for every site that requires one.

3. Use one or more of the following strategies:

a. Mix upper and lower case characters throughout (don't only start the password with a single cap).

b. Include punctuation marks (;":!-, etc.) when allowed.

c. Include symbols (#@%/}]&) when allowed.

d. Substitute "look alike" numbers and symbols for certain letters:

3 = E, 6 = g, 0 = o, $ = S, @ = a, % = K, # = H, + = t
(Don't be limited to this list. Get creative).

e. Create a passphrase: severalwordsruntogether. More on this technique in a moment.

f. Use an acronym (that's rather long and not in any dictionary or commonly found online). Think of a song lyric or memorable saying and take the first letter from each word.

4. Don't just capitalize the first letter of your password. That's too common. Likewise, don't just add a 1 or 2 at the end of your password. Everybody does that when they find out their password "must include at least one number..."

Next, test your password by entering it in a strength checker:

https://www.microsoft.com/security/pc-security/password-checker.aspx

There are other checkers available but I trust this one from Microsoft (it doesn't store or transmit any information).

Size Matters

In passwords, as in certain other things, longer is better. A six letter password, no matter how random and cryptic, is essentially defenseless against a "brute force" attack. In his excellent 2007 article How I'd Hack Your Weak Passwords, security expert John Pozadzides goes into a lot of detail on why all this matters and presents an interesting table that's worth a quick review:

Password Length Versus Time to Crack

Password Length   Only Lowercase      All Characters
3 characters      0.02 seconds        0.86 seconds
4 characters      .046 seconds        1.36 minutes
5 characters      11.9 seconds        2.15 hours
6 characters      5.15 minutes        8.51 days
7 characters      2.23 hours          2.21 years
8 characters      2.42 days           2.10 centuries
9 characters      2.07 months         20 millennia
10 characters     4.48 years          1,899 millennia
11 characters     1.16 centuries      180,365 millennia
12 characters     3.03 millennia      17,184,705 millennia
13 characters     78.7 millennia      2,627,797,068 millennia
14 characters     2,046 millennia     154,640,721,434 millennia

If your six letter password was all lowercase, it would take just over five minutes to try every possible combination of those 26 characters and crack it. However, if you expand your repertoire of characters to include uppercase and upper row keyboard symbols ($%#^& etc.), you'll make life much harder for the bad guys. For the same six-long password that's now made up of all available characters, the crack time jumps from 5 minutes to over eight and a half days. Add one more character and you're good for 2.2 years. One more and you're up to 2 centuries.

Feeling safe with your eight character mixed case password now? Well you shouldn't.

That table was based on a single desktop computer, circa 2007. Five years later, the average computer is more than twice as fast, so cut all these numbers at least in half. Worse, computational "farms" can be cheaply rented and give almost anybody access to 1000X supercomputer power. Also, the above table excludes ANY word found in the dictionary. If you're using one of those, the cracking is almost instantaneous, no matter the length.
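The whole table follows from one formula: the number of candidates is (alphabet size) raised to (password length), and the worst-case crack time is that count divided by the attacker's guess rate. The added example below (not from the article or from Pozadzides) rebuilds the table from that formula and applies the two adjustments just described, the faster 2012 desktop and the rented 1000X farm. The alphabet sizes (26 lowercase letters, 95 printable characters) and the guess rate of roughly one million per second are my inference from back-solving the table's own numbers; the 170,000-word dictionary size in the demo is a constructed figure.

```python
MINUTE, HOUR, DAY = 60, 3600, 86_400
YEAR = 365.25 * DAY
CENTURY, MILLENNIUM = 100 * YEAR, 1000 * YEAR

LOWERCASE = 26        # a-z: the table's "Only Lowercase" column
ALL_PRINTABLE = 95    # printable ASCII, space included: reproduces the "All Characters" column


def keyspace(charset_size, length):
    """Number of candidate passwords a brute-force attack must try in the worst case."""
    return charset_size ** length


def crack_seconds(charset_size, length, guesses_per_second):
    """Worst-case time to exhaust the whole keyspace at a given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def implied_rate(charset_size, length, seconds):
    """Back out the guess rate a published crack time implies (used to calibrate against the table)."""
    return keyspace(charset_size, length) / seconds


def dictionary_attack_seconds(wordlist_size, guesses_per_second):
    """A dictionary word's keyspace is the wordlist, however long the word is."""
    return wordlist_size / guesses_per_second


def humanize(seconds):
    """Render seconds in the table's units (no 'months' row: days roll straight into years)."""
    for unit, name in ((MILLENNIUM, "millennia"), (CENTURY, "centuries"),
                       (YEAR, "years"), (DAY, "days"), (HOUR, "hours"),
                       (MINUTE, "minutes")):
        if seconds >= unit:
            return f"{seconds / unit:.2f} {name}"
    return f"{seconds:.2f} seconds"


def crack_time_table(guesses_per_second, lengths=range(3, 15)):
    """Rebuild the article's table for an arbitrary guess rate: (length, lowercase, all)."""
    return [(n,
             humanize(crack_seconds(LOWERCASE, n, guesses_per_second)),
             humanize(crack_seconds(ALL_PRINTABLE, n, guesses_per_second)))
            for n in lengths]


if __name__ == "__main__":
    base_rate = 1_000_000          # the rate the 2007 table implies (inferred, see implied_rate)
    print("2007 desktop, about one million guesses per second:")
    for n, lower, every in crack_time_table(base_rate):
        print(f"{n:3d} chars  {lower:>20}  {every:>26}")
    # The article's two adjustments: desktops twice as fast, and rented 1000X farms.
    farm_rate = base_rate * 2 * 1000
    print("\n8 characters, all printable, on a rented farm:",
          humanize(crack_seconds(ALL_PRINTABLE, 8, farm_rate)))
    # Constructed wordlist size: any dictionary word falls in well under a second.
    print("One dictionary word (170,000-word list) at the 2007 rate:",
          humanize(dictionary_attack_seconds(170_000, base_rate)))
```

Running it shows why the eight-character figure is cold comfort: the "2.10 centuries" entry shrinks to about 38 days once the guess rate is multiplied by 2,000, and any single dictionary word is gone in a fraction of a second regardless of length.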

Now I'll share with you my personal password strategy (but not my passwords).

I personally find random passwords with lots of symbols and oddly positioned caps very difficult to remember and type quickly. #9P1pyRDf$%4 will keep me safe for a long, long time, but is downright painful to memorize. That's why I use a commercial password manager called RoboForm. Other people prefer similar managers like LastPass or KeePass. They all work similarly. When you need a password, RoboForm will generate one for you.

You can make the password as long and gnarly as you want, without wondering how you'll ever remember it. That's because RoboForm will remember it for you. Unlike the very insecure method your "helpful" Firefox browser uses when it offers to remember your passwords (turn that off!), RoboForm encodes everything with "military-grade AES 256 encryption." You can unlock all your highly secure, distinct logins and passwords at once with one master password. RoboForm will also store your credit card information, secret notes, bookmarks and personal identity profile(s) with the same "uncrackable" level of security protection. If you do any amount of online shopping or form-filling, it's wonderful to have all your info filled in with one click of the mouse. It does even more but you can read the rest of the details here: Roboform Features.

There's one gotcha to this strategy:

How do you create and remember your master password?

Well, I've got some good solutions for that too. Actually, I had them back in November, 2005 when I prepared a video article called "The Unbreakable Lock." That info is still valid and a link to it is right here:

The Unbreakable Lock (10:29).

I highly recommend the Diceware Method explained in the video (fast forward to 6:10 if you're an impatient type of person).
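The passphrase strategy from item 3e and the Diceware method recommended here are the same idea, with Diceware adding a rule for picking the words: each word is selected by rolling dice and looking the result up in a numbered word list, so the phrase is both memorable and provably random. The following is an added example (not the article's or the video's code) that implements the selection step with the operating system's cryptographic random source and computes the resulting entropy. The 36-entry list keyed by two dice is constructed for the demo; the real Diceware list is keyed by five dice and holds 6^5 = 7776 words, and the same function works with it unchanged.

```python
import math
import secrets

# Constructed demo list keyed by TWO dice (6 * 6 = 36 entries). The real
# Diceware list is keyed by five dice (7776 words); the algorithm is identical.
_DEMO_WORDS = (
    "acorn", "badge", "cabin", "daisy", "eagle", "fable",
    "gable", "habit", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "oasis", "panda", "quilt", "radar",
    "salad", "tulip", "umbra", "vivid", "wagon", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "delta",
    "ember", "flint", "gecko", "heron", "ivory", "jumbo",
)
DEMO_WORDLIST = {
    f"{a}{b}": word
    for (a, b), word in zip(((a, b) for a in range(1, 7) for b in range(1, 7)), _DEMO_WORDS)
}


def roll_dice(count):
    """Roll `count` fair dice using the OS CSPRNG; returns a lookup key such as '3152'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def diceware_passphrase(wordlist, word_count=6, separator=" "):
    """Pick `word_count` words by dice roll from a list with one entry per dice outcome."""
    dice_per_word = len(next(iter(wordlist)))
    if len(wordlist) != 6 ** dice_per_word:
        raise ValueError("wordlist must have exactly one entry per possible dice outcome")
    return separator.join(wordlist[roll_dice(dice_per_word)] for _ in range(word_count))


def passphrase_entropy_bits(list_size, word_count):
    """Each word is one of list_size equally likely choices, so entropy adds up per word."""
    return word_count * math.log2(list_size)


if __name__ == "__main__":
    print("demo phrase (36-word list):", diceware_passphrase(DEMO_WORDLIST, word_count=4))
    print("entropy, 6 words from the real 7776-word list: "
          f"{passphrase_entropy_bits(7776, 6):.1f} bits")
```

The entropy figure is the point of the method: six words drawn from the full list give about 77.5 bits, which is more than the "all characters" column above credits to a 12-character random string, yet the result is a sentence-like phrase a person can actually memorize and type.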

After the spate of highly publicized security breaches recently (Zappos for one), I'm sure you've come across other articles exhorting you to toughen up your online security by using better passwords. Maybe you've seen some similar tips about hardening your passwords and thought to yourself, "Yeah, I ought to stop using my dog's name," but never actually carried through because it's just such a pain. The info in this article will enable you to create and remember strong passwords that'll keep you safe.

-V-


(c) Copyright 2002-2012 Victor Urbach. This article may be reprinted with permission and attribution.