Your passwords suck at security…

Kaspersky Blog, “Passwords are like underwear”

Your passwords suck at security because no one taught you how to choose a password. Here’s what you need to teach your kids about passwords.

If you are not a cryptographic nerd, you have two types of passwords:

(a) Memorable passwords. This is usually just one password that you can easily remember. And you use it on 53 websites and 17 apps. It is something simple like “qwerty” or “password” or “123456”.

Check if you are using a common password here.

(b) Complicated passwords that you think are safe. You chose this because the website or app said that your password must have:

  • a number
  • a special character
  • an upper case letter
  • at least 8 characters.

Like this one: Tr0ub4dor&3

And you think that is safe.

Wrong! This is an easy password to hack.

“Password Strength” by Randall Munroe.

So if these aren’t safe, whose bright idea was this?

In 2003, Bill Burr at the National Institute of Standards and Technology wrote an 8-pager telling people to

select passwords that include lower case letters, upper case letters, and non-alphabetic symbols (e.g.;:"~!@#$%^&*()_-+={}[]|\:;'<,>.?/1234567890")

Funnily enough, Bill also predicted what you would do with your complicated passwords:

Users will then write the passwords down and keep them in a convenient (that is insecure) place, such as pasted on their monitor.

But Bill has now repented his ways and said this:

“Much of what I did I now regret,” said Mr. Burr, 72 years old, who is now retired.

Okaaay… so now what?

  • Don’t pick a common password. Check for common passwords here.
  • Longer is better. It takes a computer more time, much-much-more-time, to crack a longer password.
  • Phrase beats word. Randall Munroe calculated that a computer would need 550 years to crack the passphrase “correct horse battery staple”.
  • Don’t bother with uppercase, special characters and numbers. No point making a hard-to-remember password that you need to write down somewhere.
  • Computers are getting faster each year. In 2000, it would have taken 1 month, 1 week and 2 days to crack “pas5w0rd”. In 2020, just 1 day and 22 hours. So this isn’t a fill-it-shut-it-forget-it thing. [Check the cracking time for your favourite password here.] The machines are coming. Keep up.
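To see where numbers like “550 years” come from, here is an added worked example (not code from the original post or from Randall Munroe) that reproduces the entropy accounting behind the comic and turns it into cracking time. It assumes a 2048-word dictionary for the passphrase (11 bits per word), a guess rate of 1,000 guesses per second, and a small constructed list of common passwords in place of a real breach-derived list; the per-component bit counts in munged_word_entropy_bits are the comic’s assumptions, not measured values.

```python
import math

# Constructed sample of frequently used passwords; a real check would use a
# breach-derived list with millions of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "letmein"}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def is_common(password):
    """True if the password appears in the common-password list (case-insensitive)."""
    return password.lower() in COMMON_PASSWORDS


def passphrase_entropy_bits(word_count, dictionary_size=2048):
    """Entropy of a passphrase built from word_count words picked uniformly at
    random from a dictionary of dictionary_size words (2048 words = 11 bits each)."""
    return word_count * math.log2(dictionary_size)


def naive_entropy_bits(password):
    """Upper-bound entropy, assuming every character is uniformly random over the
    character classes present. Human-chosen passwords are far below this bound,
    which is why 'complexity rules' overstate strength."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


def munged_word_entropy_bits(base_word_bits=16, capitalised=True,
                             substitutions=3, trailing_symbol=True,
                             trailing_digit=True):
    """Entropy of a 'word + substitutions + suffix' password, following the
    accounting in Munroe's comic (assumed values): the attacker guesses a
    dictionary word and a few cheap variations, not every possible string."""
    bits = base_word_bits                 # e.g. "troubador": an uncommon word, ~16 bits
    bits += 1 if capitalised else 0       # first letter upper-case or not
    bits += substitutions                 # a handful of o->0, a->4 style swaps
    if trailing_symbol and trailing_digit:
        bits += 4 + 3 + 1                 # which symbol, which digit, which order
    elif trailing_symbol:
        bits += 4
    elif trailing_digit:
        bits += 3
    return bits


def crack_time_years(entropy_bits, guesses_per_second):
    """Years needed to try every candidate at the given guess rate (worst case)."""
    return 2 ** entropy_bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1000  # guesses per second, the comic's assumption for an online attack
    for label, bits in [
        ("Tr0ub4dor&3 (naive upper bound)", naive_entropy_bits("Tr0ub4dor&3")),
        ("Tr0ub4dor&3 (pattern-aware)", munged_word_entropy_bits()),
        ("correct horse battery staple", passphrase_entropy_bits(4)),
    ]:
        print(f"{label:34s} {bits:5.1f} bits  ~{crack_time_years(bits, rate):.4g} years")
    print("is 'Password' common?", is_common("Password"))
```

The pattern-aware estimate gives Tr0ub4dor&3 about 28 bits (roughly three days at 1,000 guesses per second) while the four-word passphrase gets 44 bits (about 557 years at the same rate), which is the gap the comic draws. Raising guesses_per_second models the “machines are getting faster” point: every tenfold increase in guess rate cuts the time by the same factor, which is why a margin that looked safe in 2000 does not in 2020.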