Your Password Sucks!

Maybe your password doesn’t really matter.  A determined hacker with enough computing power can guess your password fairly quickly.  But please!  For Pete’s sake, please try to make your password difficult for others to guess!

My early career was in IT and I’ve seen many stupid passwords.  The problem spans the entire organization.  The CEO at one company I worked for had the password “getrich”.  The CFO at another company had “123money”.  These are smart people.  Why did they pick such incredibly stupid passwords?

Most people choose poor passwords.  Need proof?  Three popular sites were hacked and passwords were captured and subsequently disclosed.  You can find a summary of the most popular passwords over on Jimmy Ruska’s blog.  There’s another list over on boingboing.  Any of them look familiar?

Here’s an incredibly simple way to make your password stronger.  Stop thinking of words and start thinking of phrases.  Let me give you an example.

My favorite band is The Who.  As a password, “thewho” belongs on the Incredibly Stupid list.  Let’s think of a phrase from one of the band’s most popular songs, “Baba O’Riley”. We’ll use the phrase “They’re all wasted!”   That’s 19 characters, and uses punctuation and spaces.  In short, it’s a really good password.

What if you can’t use spaces?  Take them out!  17 characters – still good!

What if they insist that at least 1 character be a number?  You could stick a 1 at the beginning or end but it doesn’t make the password much better.  How about this?  Substitute the number “4” for the letter “A”, “3” for “E”, “1” for “I”, “0” for “O”. You don’t need to use these exact letter/number pairs; just make sure you can remember the ones you use.  Now, your password is “Th3y’r3 4ll w4st3d!”  That’s an incredibly good password and it’s easy for you to remember.

Don’t limit yourself to songs.  Favorite poem?  “Whose woods these are I think I know.” is a far better password than “123money”.  Quote?  “A foolish consistency is the hobgoblin of small minds.”  Get it?

In short, forget passwords and think passphrases.  Your data will thank you.

- Paul -

[Aug 23: Be sure and read Marc's post on how easy it is to crack passwords these days]

11 comments to Your Password Sucks!

  • You Rock!

    The other extreme is to have passwords that are so draconian and difficult that people end up putting them on sticky notes on their displays….

  • anonymous

    Well, with my two-finger typing, typing a 20 char pass phrase takes a very long time.

  • Paul

    Some people just feel better writing their password down. In that case, I suggest that they keep the written password in their wallet. Far from perfect, but beats having it displayed on a sticky in their cube.

    - Paul -

  • paul

    @anonymous: Practice makes perfect! :)

    I am not a touch typist either. You will find that since you enter your password frequently, you will be able to type it much faster than you type other words. At least that’s how it works for me.

    And you don’t have to make it 20 characters long. Just make it robust.

    - Paul -

  • Who is working to solve the inherent problem of passwords? We have not one password to remember, we have many, & those passwords unlock access of varying criticality.

    I use a “strong” password along the lines you suggest for my everyday log-in. I can remember this OK. But I need dozens of other passwords.

    – Should people use the same password, where they can, for different domains?
    – How does one remember a password they use maybe 4 times a year?
    – How does one remember literally dozens of passwords?

    If one has dozens of passwords and revises them every 90 days or so, the passwords are a data management problem in and of itself, and not one easily managed in one’s head, nor safely managed outside it.

    There’s a lot of pain (opportunity) here…

    Have you heard of a Mac utility called “1Password” from Agile Web Solutions? It has hooks for the Mac OS X keychain and can populate web passwords for you. I’m sure the same kinda thing exists for Windows.

    Of course, if the haxxors get that single password and get into your system, the castle is theirs…

  • paul

    Random Eric,

    Sadly, most people use the same, single password everywhere because it is nearly impossible to remember many tens of passwords, even easy ones. And you are right that there is a lot of pain (opportunity) here. Most likely, the reason that nobody has already solved this is that creating an easy to use password management system is a complex problem.

    For my own use, I store all of my passwords using KeepassX. It’s a highly encrypted password vault (256 bit AES or Twofish) that allows me to store many unique passwords which are all very long and random. Passwords like ‘]^jfl^{Hp{E:.}yf.Z-;IQ and 6qYOltwn2iHR would be impossible to remember (unless you also happen to know exactly how many more minutes until Wapner :) )

    KeepassX has some limitations:
    - If you guess my master password, then you have access all my passwords. My master password is 25 characters and uses the techniques described in the article, so good luck! :)
    - It is awkward to try and keep the password file synchronized across multiple machines.
    - There’s a bit of inconvenience in having to open the password vault every time you need a password for another place.

    I am currently looking at another application called Passpack which may address limitations #2 & #3. More on that after I’ve had a chance to spend more time with it.
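The "very long and random" vault entries described in this comment are best produced by a cryptographic random source rather than typed by hand. The example below is added here and is not KeepassX code or anything from the commenter; it uses only the Python standard library, draws from the 94 printable ASCII characters (an assumption about the alphabet), and makes the resulting entropy explicit so the two password lengths mentioned in the comment can be compared.

```python
import math
import secrets
import string

# 94 printable ASCII characters, excluding space (assumed alphabet).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Character classes a site policy typically insists on.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random string of this length over the alphabet."""
    return length * math.log2(len(alphabet))


def generate_password(length=22, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG via `secrets`.

    `random.choice` is seeded from a small, guessable state and must not be
    used for secrets; `secrets.choice` is the correct call.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_with_all_classes(length=22, alphabet=ALPHABET, classes=CLASSES):
    """Like generate_password, but rejects draws missing any required class.

    Rejection sampling keeps the output uniform over the accepted strings;
    patching a missing class into a fixed position would bias the result.
    """
    if length < len(classes):
        raise ValueError("length too short to contain every class")
    while True:
        candidate = generate_password(length, alphabet)
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


if __name__ == "__main__":
    for n in (12, 22):
        print(f"{n:2} chars: {generate_with_all_classes(n)}  "
              f"({entropy_bits(n):.1f} bits)")
```

The 12-character string from the comment carries roughly 79 bits over this alphabet and the 22-character one roughly 144 bits, which is why a vault entry need never be memorable; the master password that protects them is the one that must be.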

  • paul

    In the news again today. Somebody stole 10,000 Hotmail usernames/passwords and was offering them up on a web site. Researcher Bogdan Calin from Acunetix published this analysis. While you can dive into all the gory details in his report, let’s look at the Top 20 passwords used. It’s very discouraging.

    Top 20 most common passwords:

    1. 123456 - 64
    2. 123456789 - 18
    3. alejandra - 11
    4. 111111 - 10
    5. alberto - 9
    6. tequiero - 9
    7. alejandro - 9
    8. 12345678 - 9
    9. 1234567 - 8
    10. estrella - 7
    11. iloveyou - 7
    12. daniel - 7
    13. 000000 - 7
    14. roberto - 7
    15. 654321 - 6
    16. bonita - 6
    17. sebastian - 6
    18. beatriz - 6
    19. mariposa - 5
    20. america - 5

  • [...] Uses a strict personal password policy – at least 8 characters containing at least one of: upper & lower case alpha characters, numbers and special characters, must not be “guessable,” is not reused in numerous instances, and is changed regularly, checkout the July blog post Your Password Sucks! [...]

  • When I was one of 3 engineers managing an enterprise level network, we had different passwords depending on the class or level of the equipment and sometimes the larger routers had their own passwords. Common password construction for us was to make an acronym from a phrase or sentence and then replace letters with numbers. Very random. Passwords were changed at regular intervals and committed to memory.

    I’ve seen other passwords constructed by taking a book, picking a page number and taking the first character from next 9 even (or odd) numbered pages. Random? Yes. Easy to remember? Not for me…
