“p@$$w0rd” — The highly secure password myth!

Services ranging from Banking Websites to that of Social Networking Sites, secure password is a ‘thing’. Its quite unclear whether these password criterias are designed to secure our account from hackers, or secure the bank from users. Because not every tom dick and harry is good at being creative in setting up an amazing password. Oh wait! Your innovation doesn’t last for long, as most of banking sites mandate a 120 day password change! So, don’t think that your creative password would stay for long!

Before we go into the post, let's take things light, here is a standup performance by Naveen Richard,

Why so complicated?

I remember the early days of internet, you can basically write WHATEVER, and still get going with it. And, services started to ask for more, when our heads can’t go beyond Einstein. Google, gives an amazing explanation as in why there is such a combo mandate.

Using numbers, symbols and mix of upper and lower case letters in your password makes it harder for someone to guess your password. For example, an eight-character password with numbers, symbols and mixed-case letters is harder to guess because it has 30,000 times as many possible combinations than an eight-character password with only lower case letters. — Google

And, then Google drops the Mother-of-all-Bombs!

Create a unique password that’s unrelated to your personal information and uses a combination of letters, numbers, and symbols. For example, you can select a random word or phrase and insert letters and numbers into the beginning, middle, and end to make it extra difficult to guess (such as “sPo0kyh@ll0w3En”). Don’t use simple words or phrases like “password” or “letmein,” keyboard patterns such as “qwerty” or “qazwsx,” or sequential patterns such as “abcd1234” which make your password easier to guess. — Google.

Genius? Not!


With requirements for a strong password, which has a combination of Lowercase, Uppercase, numerics and symbols. Our genius minds thing we are unique and things take a bad turn.

However, asking users to remember a password consisting of a “mix of uppercase and lowercase characters” is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalises one of the letters). Asking users to use “both letters and digits” will often lead to easy-to-guess substitutions such as ‘E’ → ‘3’ and ‘I’ → ‘1’, substitutions which are well known to attackers. Similarly typing the password one keyboard row higher is a common trick known to attackers. — Dave Lewis, Author of Ctrl-Alt-Delete.

I recently put up a status that I need to change my password, some of the suggestions were mind boggling! Sharing few herein!


Cognitive Password

A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. Questions such as “What is your mother’s maiden name?”, “Where was your mother born?”, “Your favorite teacher in highschool”, “Your favourite childhood hero”. Memorability vs. guessability aspect is a key

Although Cognitive Passwords cannot become a primary password mode, it can always be a secondary level of security to complement OTP Entry.


Popularly known as SSO, coined by Microsoft, where you could use a hotmail / msn address to login, and sites that have SSO enabled will use the same credentials, or you’ll not virtually need to enter your credentials. This was 2005 way of Social Login.

Social Login

Default Welcome Page of Quora.com

Alike Twitter’s OAuth using authentication systems like OpenID or SAML, Social logins provide 3rd party applications a session token to make API calls on the user’s behalf. Thereby, limiting the need for individual credentials for a site, just Facebook login or Continue with Google. Quite after sometime, many sites started removing social logins, as their Social Graph was not indexable.

Biometric Password

Last week, Citibank N.A in India, came up with a voice based biometric authentication for telebanking services, what this means is you don’t have to answer security questions, just call from your registered mobile number and without saying the account number or your TPIN, you are just good to go with the IVR redirecting you to the customer care executive within seconds (Airtel, che!)

On a hardware perspective, OEMs like Samsung and Apple, already have hardwares such as iris scanner and fingerprint sensors equipped to serve as an alternative for passwords for device use. It's a long way before Apple and Samsung comes up with a Common Standard of API to allow websites, apps to use the biometric data for individual access (as opposed to device owner access in PayTM using device’s biometric as an authentication.

OTP Entry

One Time Passwords arrive into your inbox that’s valid for 15 minutes, and could be used only once. With auto-detect in Android & Apple, it is complete ease, you just let your phone verify itself. Apps such as RedBus, Cafe Coffee Day already have a OTP login, this reduces the stress on user to remember a password. Thereby, making it easy for users to be password-free!

But there is a downside, Sibidharan, a fellow Cyber Security Researcher, says that OTP logins are the worst and is easily hackable!

Developing post! More alternatives for passwords to be keyed! Follow the blog for more updates!