Passwords are a pain to create, reset and maintain, especially for those security-conscious enough to use unique passwords for every login. For everyone else, who uses the same or similar passwords across platforms, passwords are a headache that don’t make us significantly more secure. When password reuse run rampant, attackers use a tactic called credential stuffing to take known credentials, perhaps acquired after a major 3rd party security breach such as Sony, Home Depot or LinkedIn, and try them across the target’s other accounts. This is especially easy for attackers when they use programmatic tools which can test thousands of passwords every minute, a tactic called brute forcing. Slight variations in the password can be ascertained programmatically, when 90% or more of the password has already been acquired; this occurs when users only add a different number or bit of punctuation to an otherwise largely reused password, often to satisfy some platform’s password requirements or mandatory reset.
Attackers can readily hack a password if it’s in the most common several thousand passwords, meaning the vast majority of passwords can be guessed without much work on behalf of the hacker. Even if you think that you’ve used a unique term, such as your street address or dog’s name, a simple search on social media often equips an attacker with enough keywords to feed into their algorithm. Password management company Keeper reports that a heartbreaking 17% of people protect their accounts with “123456” and the top 25 most used passwords make up over 50% of all hacked passwords. It’s no wonder algorithms are so good at cracking passwords.
To Build a Password
So what makes a secure password? Passwords get more secure — usually referred to as the password’s strength — as they become more complex, and there’s two main ways to make a password more complex (strength is generally measured by the number of guesses it would take to crack the password). First is entropy, which is basically a measure of randomness between characters (eg, “aaa111” is less entropic than “e9&1oA”). The second is length. Common wisdom, until recently, has been that increasing entropy is the best way to increase complexity. That’s why so many websites force you to use special characters, numbers and capital letters when building a password.
However, more recent literature has shown that it’s actually length that makes passwords stronger than entropy.It takes a machine much longer to guess “itwasthebestoftimesitwastheworstoftimes” than “w0rStoFt!m3s,” even if the former is a much more recognizable phrase to a human. To be clear, we don’t recommend using passwords that are also the first lines of famous novels, but the point remains: every additional character increases the computational burden of a brute forcing algorithm.
We highly recommend making passwords both more entropic and longer. However, focusing on length, makes strong passwords more memorable (and thus fundamentally more secure from a behavioral perspective). As a quick aside, those password strength meters that you see when you’re setting a new password are all over the place when it comes to judging password strength; some value length, some value entropy, some look for common words, some look for consecutive characters, some look for dates. Take their ratings with a grain of salt.
Power to the People
One thing that security people often forget is that they are securing systems meant to be used by humans. The ideal secured system is not one that is simply unhackable, it’s one that is both unhackable and functional. As such, security must be as non-intrusive as possible. Most people know that they should use unique passwords and probably even understand intuitively how to make a password more secure, but they don’t question how to make a password more secure, but rather, why bother?
Unless you regularly access critical systems or have a security clearance, most people believe that they are not significant enough targets for hackers and thus would rather take the risk with reused, but infinitely easier to manage, passwords. Thus, our goal should be not just to make passwords more complex, but complex without sacrificing functionality. Good passwords must achieve both, otherwise they suffer from huge behavioral risk.
Luckily for users and security teams alike, making passwords longer is less cumbersome than making them more entropic from a mnemonic perspective. Here’s a few ways to make passwords both longer and more memorable:
My favorite trick is building passwords that make shapes on the keyboard. I create triangles, X’s, diagonals, trapezoids and more. Remembering a sequences of shapes is far easier than remembering each individual letter, and allows for much longer passwords.
For better or worse, this actually means that I don’t know my passwords. I recognize them by shape and feel alone, which makes them hard to share. This makes them secure in the extreme, again, for better or worse.
This is not a new concept — this type of password creation received a good deal of interest when the first glide types keyboard for smart phones hit the mainstream.
I grew up playing the piano and drums, so I have a special appreciation for how percussive a keyboard can be. Most people have experienced this as well — after a while your password can be recognized simply by its sound. For any of the musically inclined, this is a great tool in making a memorable password. Drum out a tune or create some “chords” on your keyboard. Play a little tune you remember from piano lessons. If you’re feeling fancy, treat the shift key like the sustain pedal on a piano, allowing you to capitalize a few groups of letters here and there as you play.
Mary Had A Little Lamb, which is admittedly only 4 different keys, played across the middle of keyboard, would take 188 quadrillion years to crack according to the dubious tool, if not a brilliant piece of branding, howsecureismypassword.net, created by Dashlane. Add some shift key sustain and you have a very strong password.
Our earlier example of “itwasthebestoftimesitwastheworstoftimes” may have tipped my hand for the last method. Find a line from a book or movie or song that you love and can remember, ideally one that is not well known, and use that as the foundation for a password. Sprinkle in some entropic elements and you have yourself a strong password. The Dickensian password mentioned above would take 315*10^36 (AKA 315 undecillion) years to crack. My password would far outlive the sun, and thus the earth itself, which will die in roughly 10 billion years. Take that, hackers.
It doesn’t need to be literary, in fact it would probably even stronger if not. Indeed, quotes, even not well-known ones, can be found online and thus fed into an algorithms by an unbelievably dedicated attacker, although this would be insanely unlikely. To be extra safe, maybe there’s a quote from a home movie or something nonsensical your dad used to say or an absurd inside joke you have with your significant other.
As sadistic as it sounds, I enjoy the challenge of creating passwords. They’re tiny musical or literary puzzles that get my brain moving, even a little bit, whenever I log into my computer or open an application. I enjoy tying certain mnemonics to various websites that help me remember which password is which. Maybe Facebook reminds you of Moonlight Sonata or Dropbox should be an Octagon, and certainly Twitter calls to remind you of the most eloquent and thoughtful of novelists.
In an age when privacy seems to be eroded by the day, passwords are one of the few things in the digital age that are still purely personal. So why not have fun with them?