Love them or hate them, have one or have hundreds of them; you’ll need to use passwords for a while to come yet, despite people trying to move on from them. And while the thought of all the accounts you have, with all their hopefully varied passwords, might make your head spin, they provide an essential service to us: keeping out prying eyes and preventing unauthorised actions.

Every so often someone will divulge their password pattern or characteristics to me. I’m not usually shocked, because I’ve seen and heard worse, but I wonder just how long it would take to break into something with a password of that length, made up only of the character types they’ve mentioned.
So I did some digging and found wildly varying results for any one particular password. Presumably the websites giving those estimates have been up for a while, and the march of progress has left their assumptions about cracking speed behind.

For this example we’ll use: L3tm31n!
This password rates at 8 hours on How Secure Is My Password?, while on Gibson Research Corporation’s page it ranges from just over 1 minute upwards (depending on the scenario). Regardless of that, there are two primary ways to break through a password wall: brute force and dictionary attack.
Brute force tries every possible combination until it gets through.
Dictionary attack basically throws words and variants thereof at it until one of them fits. This idea has been extended to include classic phrases, verses from religious texts, movie titles, etc, etc, as well as all their misspellings, obvious character replacements, and real passwords found in data breaches. (That’s right, L3tm31n! isn’t the secure password you might think it is.)
A creative hacker might just mush the two techniques together as well, creating a third option which will no doubt get to password2020 just as fast as it gets to password2024.
The key to holding out until the next password change is to go for length.
As the Gibson Research Corporation page implies, a simple-looking but long password is more secure than a shorter, complex one. This is why you should move your focus from passWORDS to passPHRASES. (This is also the reason the dictionary attack has been extended to cover phrases.)
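To put numbers on the two attacks and on the length-beats-complexity point, here is an added example (mine, not code from the post or from either estimator site). The guess rates, the two-word wordlist and the suffix list are constructed assumptions; real wordlists run to millions of entries. It shows how few guesses a hybrid dictionary attack needs to reach password2020, password2024 and L3tm31n! itself, and how the brute-force keyspace of the 8-character password compares with a long, plain passphrase.

```python
from typing import Iterable, Iterator, Optional

# Assumed guess rates (constructed assumptions, not figures from the post).
# A throttled online login form and an offline run against leaked fast hashes
# differ by many orders of magnitude, which is one reason estimator sites disagree.
GUESSES_PER_SECOND = {
    "online, throttled login form": 100.0,
    "offline, fast hash on a GPU rig": 1e11,
}

# Character-class sizes; the 33 printable-ASCII symbols include the space.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force run must cover to reach this password."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def brute_force_keyspace(password: str) -> int:
    """Number of candidates of this length over this alphabet (the attacker's worst case)."""
    return charset_size(password) ** len(password)


def hours_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Wall-clock hours to try every candidate at the given rate."""
    return keyspace / guesses_per_second / 3600


# Obvious character replacements a dictionary attack applies to every word.
LEET = str.maketrans("aeios", "43105")


def mangles(word: str) -> Iterator[str]:
    """A few of the rewrites a dictionary attack tries for each base word."""
    yield word
    yield word.capitalize()
    yield word.translate(LEET)
    yield word.capitalize().translate(LEET)


def hybrid_candidates(words: Iterable[str], suffixes: Iterable[str]) -> Iterator[str]:
    """Mangled dictionary words with suffixes appended: the two attacks 'mushed together'."""
    suffixes = list(suffixes)
    for word in words:
        for variant in mangles(word):
            for suffix in suffixes:
                yield variant + suffix


def guesses_until_found(target: str, candidates: Iterable[str]) -> Optional[int]:
    """How many candidates are tried before the target comes up (None if never)."""
    for n, candidate in enumerate(candidates, start=1):
        if candidate == target:
            return n
    return None


if __name__ == "__main__":
    # Constructed sample wordlist and suffix list.
    WORDS = ["password", "letmein"]
    SUFFIXES = ["", "!", "2020", "2024"]
    for target in ["password2020", "password2024", "L3tm31n!"]:
        n = guesses_until_found(target, hybrid_candidates(WORDS, SUFFIXES))
        print(f"{target}: found at guess #{n}")

    for pw in ["L3tm31n!", "What would you like to eat? A hotdog..."]:
        space = brute_force_keyspace(pw)
        print(f"\n{pw!r}: {len(pw)} chars, alphabet {charset_size(pw)}, keyspace {space:.3g}")
        for scenario, rate in GUESSES_PER_SECOND.items():
            print(f"  {scenario}: {hours_to_exhaust(space, rate):.3g} hours")
```

Note that the brute-force figure is an upper bound for the attacker: a dictionary run finds L3tm31n! as the 30th guess in this toy setup, long before any brute-force estimate matters, because "letmein" with leet substitutions and a "!" on the end is exactly the kind of rewrite such attacks try first.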
Since we’re using these examples, let’s plug them into have i been pwned’s Pwned Passwords. At the time of writing:
- L3tm31n! has been seen in data breaches almost 4,650 times,
- password2020 has been seen over 2,410 times,
- password2024 has been seen over 40 times.
If you haven’t heard of have i been pwned, it’s a collection of all the known data breaches and lists that have come to light, curated and pulled into a nifty website by fellow Australian Troy Hunt, so that anyone can check whether their email address or passwords are known in the land of hackers.
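The Pwned Passwords check can be done without ever sending your password to anyone: the service’s range API takes only the first five hex characters of the password’s SHA-1 hash and returns every known suffix under that prefix, so the match happens on your own machine. The example below is added here and is not code from the post or from have i been pwned; it makes no network call, replacing the HTTP fetch (in reality a GET to https://api.pwnedpasswords.com/range/<prefix>) with a constructed stand-in whose passwords and counts are made up for the demonstration.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Scan a range response (one 'SUFFIX:COUNT' per line) for our suffix."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        found, _, count = line.partition(":")
        if found.upper() == suffix.upper():
            return int(count)
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the breach corpus, looked up by hash prefix only."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def make_fake_fetch(breached: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the HTTP call: answers with the suffixes of the
    breached passwords whose hash starts with the requested prefix, plus filler."""
    def fetch(prefix: str) -> str:
        # Unrelated filler suffix, so the lookup has to match rather than read line one.
        lines = ["0" * 34 + "A:1"]
        for pw, count in breached.items():
            pre, suf = sha1_prefix_suffix(pw)
            if pre == prefix:
                lines.append(f"{suf}:{count}")
        return "\r\n".join(lines)
    return fetch


# Constructed sample corpus; the counts are made up for this example.
SAMPLE_BREACHED = {"L3tm31n!": 4650, "password2020": 2410}

if __name__ == "__main__":
    fetch = make_fake_fetch(SAMPLE_BREACHED)
    for pw in ["L3tm31n!", "password2020", "What would you like 2 eat? A godtoh..."]:
        prefix, _ = sha1_prefix_suffix(pw)
        print(f"{pw!r}: prefix {prefix} sent, seen {pwned_count(pw, fetch)} times")
```

Swapping `make_fake_fetch` for a real HTTP GET of the range URL is the only change needed to query the live service; the parsing and matching stay the same.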
Passphrases, not Passwords
Having a passphrase helps your brain! It means that you can remember fewer things, but have a longer password. With a password, you might be given a generated one that looks like someone has rolled their face on the keyboard; once you get to an acceptable length, you have to remember each character individually. With a passphrase, you remember the elements of it instead.
The below example is almost 40 characters long. However, it’s easy for me to remember, as it’s from a skit by Rowan Atkinson. So really, I’m remembering one thing.
What would you like to eat? A hotdog...
You can see there are spaces, a question mark and full stops. All special characters. You have capitals and lowercase letters. There are two notable points about this, however: the obvious lack of numerals, and the fact that it is essentially verbatim from the skit. You should avoid using unaltered text from popular and widely available texts. That includes the Bible, the Qur’ān, Shakespeare, quotes from Buddha, etc, etc. Misquote them, misspell them, mix your metaphors, remove letters, add numbers or write some parts backwards. It’s not rocket surgery*, but you need to apply some step beyond choosing the source. (* See? Mixed metaphor.)
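The two points above, no numerals and verbatim use of a well-known line, are both easy to check automatically, and a dictionary attack that has been fed quotes does exactly the kind of normalisation shown here (drop case, spacing and punctuation) before comparing. This is an added example, not code from the post; the two-entry quote list is a constructed stand-in for a real corpus, and the 12-character minimum is an assumption to keep tiny fragments from matching by accident.

```python
import re
import unicodedata
from typing import Dict, Iterable, Union

# Constructed stand-in for a real corpus of popular quotes, verses and titles.
KNOWN_TEXT = [
    "What would you like to eat? A hotdog...",
    "To be, or not to be, that is the question",
]

MIN_MATCH_CHARS = 12  # assumed floor; shorter normalised fragments are not flagged


def normalise(text: str) -> str:
    """Strip case, accents, spaces and punctuation so 'Hot-Dog!' and 'hotdog' compare equal."""
    text = unicodedata.normalize("NFKD", text)
    return re.sub(r"[^a-z0-9]+", "", text.lower())


def is_verbatim(candidate: str, corpus: Iterable[str] = KNOWN_TEXT) -> bool:
    """True if the candidate is a known text, or a long enough slice of one, with only
    case, spacing and punctuation changed. Misspellings, added digits or reversed
    words break the match, which is the alteration the post asks for."""
    n = normalise(candidate)
    if len(n) < MIN_MATCH_CHARS:
        return False
    for known in corpus:
        k = normalise(known)
        if n == k or n in k:
            return True
    return False


def passphrase_checks(candidate: str) -> Dict[str, Union[int, bool]]:
    """The two observations made about the hotdog passphrase, as a small report."""
    return {
        "length": len(candidate),
        "has_digit": any(c.isdigit() for c in candidate),
        "verbatim_known_text": is_verbatim(candidate),
    }


if __name__ == "__main__":
    for phrase in [
        "What would you like to eat? A hotdog...",
        "What would you like 2 eat? A godtoh...",  # misspelt, digit added, word reversed
    ]:
        print(f"{phrase!r}: {passphrase_checks(phrase)}")
```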
Ok! I’ve got an awesome PassPhrase. I can use it everywhere, right?
That’s half right. You do have an awesome passphrase (I hope), but you shouldn’t use it everywhere. In fact, don’t do that at all. You should use different phrases for important things where you actually need to enter it manually, and for everything else use rubbish passwords.
Rubbish Passwords
There is still a place for passwords that look like you’ve dropped a live fish on your keyboard. Provided they are long, they still meet the bad-guy-thwarting criteria. For accounts where you’ll never have to type in the password, these are the chaff that fill breached lists full of useless, meaningless strings.
But how do you keep track of the very thing I’ve encouraged you to leave behind? A password safe. If you haven’t heard of these before, they’re a secure & structured place to store your passwords. They provide the ability to put your username and password in the login form for you so you never have to type the live-fish-password ever again.
Check back soon and I’ll put up some further information about password safes.
NB. The above noted password attack techniques assume that there is an online system which they’re trying to get into. If they happen to have access to the database then there are other options as well, like rainbow tables, but this is outside of what I’m writing about here. Also out of scope here is MFA / 2FA: having an additional factor or step to ensure that, should someone get your password, they still need access to something else to successfully log in. These days, this is a must.