The Worst Password Tips
Because I have always been so fascinated with passwords, I always like to hear different tips people have for creating strong passwords. However, I have to admit that most of the tips I run across are actually kind of lame and really are not very secure. Unfortunately, some of these tips are quite popular and get passed around way too much. In fact, I rarely see any advice besides these I have listed.
Simple Substitution
Tip: Take a word and replace certain letters with numbers symbols. For example, change apple to @ppl3.
While this tip was once great advice, CPU power has made it mostly irrelevant. You cannot make a poor password stronger by simple substitution. Most password cracking tools will try hundreds of common substitutions for all dictionary words in just a matter of minutes, greatly reducing the effectiveness of this tip. At one time this was a way to turn short passwords into stronger passwords, but nowadays a short password is no longer strong no matter what you do to it.
Better advice: Add a whole word to the end of your password to make it longer.
First Letters from a Phrase
Tip: Take a phrase, poem, or line from a song and use the first letter from each word. Then, add a few punctuation marks, capitals, and numbers to make it stronger. For example, the phrase “To be or not to be” could be turned into the password 2BorN2b!.
This is perhaps the most commonly recommended tip I have ever seen when it comes to creating strong passwords, and it kind of aggravates me that it is spread around so much. Again this is a tip that worked fine in the past but it is no longer valid. The problem with this tip is that it tends to create shorter passwords and short passwords are never stronger than longer passwords.
Historically, passwords on systems were limited to a maximum of eight characters so this was a good way to turn eight characters into something very random. Now, however, most systems do not significantly limit the password length so instead of taking the first letter of each word, why not type in the words themselves?
We normally type in terms of whole words (we don’t think about each letter) so typing in whole words shouldn’t be that big of a deal for us. Stopping to think of each letter certainly wouldn’t be much faster than just typing in a few words.
Better advice: Take the 3-4 words from a common phrase, add some punctuation (such as hyphens or plusses between words) and use that as your password.
Random Password Generators
Tip: Use a software program to generate a truly random string of characters.
There is a large group of people who think that a random password is always the strongest password. While this is true when it comes to short passwords, short passwords are no longer strong and with long passwords the randomness isn’t as important.
If someone is trying to crack your password and it doesn’t appear on a wordlist, even after applying common substitution rules, and the hash doesn’t appear in a rainbow table, the only alternative is to perform a brute force attack. With a brute force attack they are going to have to try every single combination of possible characters one at a time until they find the right one.
So consider the following two passwords: ngdh$82K and 3333333333333333333. Which of these two passwords will be cracked last? The answer is the longer one, despite the fact that it has almost no entropy.
See, when it comes to a brute force attack, entropy makes no difference at all, because a brute force attack is a sequential attempt at every possible password, starting with the shortest first. Of course, entropy is not bad and randomness is always a good practice, but it will not slow down a brute force attack.
Better advice: Use a long password rather than a random password.
Using Personal Algorithms
Tip: Take the name of the web site you are using, add a prefix that you use on every site and append a few random letters at the end. For example, to set a password at Google, use Th3google-t5; on eBay it would be Th3ebay-8w.
The problem with this tip is that if someone were to discover your algorithm by seeing a few of your passwords they could easily compromise every account you own. If you have trouble memorizing passwords, you should use a password manager such as KeePass or Roboform.
However, personal algorithms generally aren’t all bad. For example, if you just added the same word to all of your passwords, they would be significantly stronger, as long at the first part is also sufficiently strong.
Better advice: If you haven’t already figured it out that there is a common theme here, the better advice is to simply make your passwords longer.
Tags: advice, Brute-force attack, cracking, dictionary words, Password cracking, password cracking tools, password length, password manager, Passwords, tips
You can leave a response, or trackback from your own site.
I would propose that your Random Password Generators tip is a bit out of date; modern GPGPU powered rules based cracking allows, trivially, repetitive padding algorithms (i.e. 3333333333333333333), and also allows for combinatory dictionary cracking (i.e. long word combinations).
Further, while any tips about “Don’t do that, as of now it’s bad” are fundamentally different than “That’s good, but probably too good… well, until someone comes up with a new method or an old idea becomes practical.” The former are good to know; the latter can decrease security.
You missed the point. The password 3333333333333333333 is an exaggerated example and surely is not a password I would recommend. I used that to demonstrate that entropy is not as important once your password is long enough. Certainly you could write up some patterns to try passwords consisting of all the same character up to 19 characters, and crack this particular password relatively fast.
But what happens if I change just two characters so the password becomes 333333×33333333@3333? The chances of coming up with a pattern to match something like that are extremely slim. So while a password like 333333×33333333@3333 has very poor entropy, when it is that long entropy is not as much of an issue. Now when we get to a point where even 19-character passwords can be brute-forced reasonably fast (whereas now even 12-character passwords will hold up very well) then yes this advice may be obsolete and entropy will may very well again be important. But that is a large leap from where we are today and once that becomes the case the whole concept of relying solely on passwords will be obsolete.
Nevertheless, there’s nothing at all wrong with overkill when it comes to your own password security and there’s certainly nothing wrong with having a password that would be considered strong even fifty years from now especially if you are responsible for the privacy or security of others. But for the average user, a longer password that is easy to remember can be much more effective than a shorter password that is impossible to remember. Many security professionals would argue that, for the average user, a totally random password can in fact decrease security. Furthermore, so many policies focus way too much on entropy and neglect the fact that password length is far more important.
Although the password 3333333333333333333 may soon be obsolete, the concept that entropy is not as important as a password increases in length will always be valid.
I seems to me that a 4 character pin is secure if there are a maximum number of tries that a potential system under attack allows in conjunction with a specific user. In fact that would seem to make system breaches nearly impossible. Certainly a Brute-force attack would be repulsed.
A 4-letter pin may be secure enough in some cases, but the real risk is if the database was ever compromised and an attacker were able to perform an offline attack.