Why I stopped using passwords

Ten years ago I attended a conference session on security that convinced me to stop using passwords to protect data that I actually cared about. I made the change and haven’t looked back. The speaker at that conference was Steve Riley, who, at the time, was a Security Strategist for Microsoft[1].

And his basic argument was this: good passwords are hard to create and harder to remember. Couple that with security-theater “best practices” like changing your password every 90 days, and the average user comes up with some pretty poor passwords.

Steve’s advice: Instead of a password, use a passphrase.

It’s a simple change but an incredibly powerful one as well. Look at the following examples of a password versus a passphrase. If one were to use a simple brute-force attack (trying all possible combinations of letters and numbers), notice the substantial difference in the time required to crack them.[2]

P@ssword1: 6 years, 5 months
Thisismypassword: 32,365,987,337 years, 1 month

The real key to password security is complexity, and length is by far the most important complexity factor. Sure, it would be “better” if my passphrase used numbers or symbols. In fact, just substituting “0” for the “o” in my passphrase changed the time to brute-force crack it to 539,886,407,674 years, 11 months. But the reality is that brute-force cracking of passwords is pretty inefficient, and hackers use dictionaries and common substitutions (‘@’ for ‘a’, for example) before resorting to brute-force attacks on a password. Since most users rely on those same common substitutions to meet complexity requirements, the requirements for capital letters, symbols and numbers aren’t really as secure as they lead you to believe. In fact, my passphrase would probably be more secure if I misspelled “is” as “iz” or “word” as “wurd”.

How to choose a passphrase?

There’s really no wrong way if the passphrase is long enough. Even if you are the president of the American Knitters Association, the passphrase “ILoveKnittingSockz” is significantly more secure than the 1337 name of your cat, “M!tt3n5”. A quote from your favorite author or book works well. Here’s a link to 100 great opening lines in literature. “andalltheclockswerestriking13” is part of the opening line from George Orwell’s 1984. It is complex enough that it broke the “time to crack” calculator I was using for this article, so feel free to use that if you can’t find one you like.
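To make the brute-force-versus-dictionary point from the two paragraphs above concrete, here is an added Python estimator (my example, not the author’s “time to crack” calculator) that sizes the brute-force keyspace from length and character classes, then undoes the common substitutions to check whether the phrase is really just dictionary words, which an attacker’s wordlist run reaches far sooner. The guess rate, the 20,000-word attacker dictionary, the tiny embedded wordlist and the substitution table are assumptions.

```python
# Sizes of the character classes used to estimate the brute-force keyspace.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
# Assumed common "leet" substitutions, mapped back to the letter they replace.
LEET = {"@": "a", "0": "o", "3": "e", "1": "i", "!": "i", "5": "s", "$": "s"}
# Constructed mini wordlist; a real checker loads a full dictionary.
WORDS = {"password", "mittens", "love", "this", "is", "my", "word", "knitting", "socks"}
DICT_SIZE = 20_000            # assumed size of an attacker's wordlist
GUESSES_PER_SEC = 1e9         # assumed offline guessing rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def alphabet_size(pw: str) -> int:
    """Sum the sizes of the character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in pw): size += LOWER
    if any(c.isupper() for c in pw): size += UPPER
    if any(c.isdigit() for c in pw): size += DIGITS
    if any(not c.isalnum() for c in pw): size += SYMBOLS
    return size

def brute_force_years(pw: str) -> float:
    """Worst-case years to exhaust alphabet**length at the assumed guess rate."""
    return alphabet_size(pw) ** len(pw) / GUESSES_PER_SEC / SECONDS_PER_YEAR

def normalize(pw: str) -> str:
    """Lower-case and undo leet substitutions so dictionary words reappear."""
    return "".join(LEET.get(c, c) for c in pw.lower())

def segment(pw: str) -> tuple[list[str], str]:
    """Greedy longest-match split into known words; residue is what stays unexplained."""
    text, words, residue, i = normalize(pw), [], "", 0
    while i < len(text):
        for j in range(len(text), i, -1):
            if text[i:j] in WORDS:
                words.append(text[i:j]); i = j; break
        else:
            residue += text[i]; i += 1
    return words, residue

def estimate(pw: str) -> dict:
    """Compare the brute-force cost with a dictionary-plus-substitutions attack."""
    words, residue = segment(pw)
    dict_years = None                     # not a pure dictionary phrase: wordlist attack fails
    if not residue:
        # each capital or substituted character roughly doubles the attacker's variants
        variants = 2 ** sum(1 for c in pw if c in LEET or c.isupper())
        dict_years = DICT_SIZE ** len(words) * variants / GUESSES_PER_SEC / SECONDS_PER_YEAR
    return {"brute_force_years": brute_force_years(pw), "dictionary_years": dict_years,
            "words": words, "residue": residue}

if __name__ == "__main__":
    for pw in ["P@ssword1", "M!tt3n5", "Thisismypassword", "Thisismypassw0rd", "Thisizmypasswurd"]:
        print(pw, estimate(pw))
```

Adding “0” for “o” raises the brute-force estimate but barely moves the dictionary estimate, while the misspelled “Thisizmypasswurd” leaves residue the wordlist cannot explain, which is exactly the author’s point.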

Do you really expect me to type a different 42 character passphrase into every application I use?

Well, I don’t anymore. But you certainly could. “Thisismypasswordforgmail.com” and “Thisismypasswordforamazon.com” are easy enough to remember and differentiate. I’ll tell you how I was able to stop typing a different passphrase into every application in part 2 of my series on password best practices (coming soon).

Thanks for reading!

[1] All joking about Microsoft security aside, Steve is a brilliant thinker in the security space, and his talks have had a profound influence on my approach to security.

[2] Clearly an attempt at common passwords would obliterate the first example below in under a minute. :)
