Typically, when I speak to someone about passwords and how to improve them, the follow-up question to the instructional “do this” is inevitably “why?” So we’re going to start with “why certain passwords are bad” and then follow up in a few weeks with “what should we do about that?” This post will attempt to show you the pitfalls many passwords fall into, broken down into four main categories.
Easy to Guess
The first category, and possibly the most famous, consists of passwords that are easy to guess because of simplicity and common usage. Examples include “password,” “opensesame,” “12345678,” etc.
Also Included in this group are single words that can be found in the dictionary, even if they’re relatively uncommon words. These passwords are often cracked by “dictionary attacks,” which use wordlists that an attacker automates through scripts.
Analysis of passwords exposed in data breaches shows just how frequently these weak passwords are used. For example, almost half of the passwords in the 2009 RockYou data breach (more on that below) consisted of names, consecutive keyboard keys or digits, and dictionary or slang words.
A second group of passwords are easy to guess because they’re based on personal information that is publicly known or could be discovered through a targeted attack. That’s why using your name, birthday, home address, kids’ names, Social Security number (double yuck!) or pets’ names is a bad idea.
Many of our social media accounts haven’t been properly locked down, so we leak intimate data about ourselves to the searchable Internet (not just the ominous “Dark Web”). And while we often rely on our relative anonymity for protection, recent data breaches show just how accessible our personal information can be to anyone who knows how to use Google.
The third category of “bad passwords” are ones that are reused. The more you reuse a password, the more likely you will lose track of where it is. You also are trusting the websites/devices where the password is used to protect your security. That’s not smart.
The hack of social networking application developer RockYou Inc. exposed 32 million passwords that were stored in plain text. The 2015 hack of “dating” site Ashley Madison not only embarrassed cheating spouses – it revealed more than 11 million passwords. The 2013 Yahoo! data breach impacted 3 billion customer accounts, exposing names, email addresses and passwords.
Hackers generate lists of the passwords gleaned from these breaches for use in their next attack. That’s why it’s critical to use a distinct password for every account, particularly sensitive accounts such as online banking.
People often ask, “How long should my passwords be?” There are many different answers to this question, but I’ll put a stake in the ground at 14 characters for offline systems and 20 characters for services accessible via the Internet. Those numbers assume you are employing the full printable ASCII table (everything you can see on your U.S. English keyboard).
An eight-character (non-dictionary) password with at least one upper-case letter, one lower-case letter and one digit could be cracked by a desktop computer running free software in about 25 days or by a specialized password-cracking rig (that costs around $5,000) in 11 minutes. An eight-character password that includes special symbols would take 5.75 hours to crack with the same password-cracking rig. Further increasing complexity and length improves password strength on an exponential scale.
[Note that this calculation is based off of a truly randomized eight-character password. Human-generated passwords can be cracked more quickly using common patterns gleaned from large password breaches.]
XKCD’s famous “Password Strength” comic recommends that you adopt a simple but long password instead of a short and complex one that can be difficult to remember. The problem with XKCD’s approach is that there’s a clear pattern to the characters (dictionary words again!). Nonetheless, length in excess of 20 characters (and please, don’t let my minimum constrict your aspirations!) makes for a stronger password even if it’s not overly complex.
This list may be exhausting, but it is not exhaustive. There is much more that could be said about password pitfalls, but I’ve covered what I believe to be the most prevalent problems. If you’re a bit overwhelmed and maybe even a little scared — good. That was my intention. Fear precipitates action, hopefully to the point of changing bad habits.
We’ll discuss in a few weeks what can be done to fix the habits that produce bad passwords in an easy and approachable way. Until then, be secure!