Most people are rubbish at picking secure passwords – “pr0gn0s1s”, for instance, is a crap password. Taking an English word or a name and then changing a few of the letters just doesn’t cut it. Why? Well, the complex explanation is given in the XKCD comic, but if “bits of entropy” means nothing to you, it works like this.
Most hacking attempts aren’t done by a smart but misguided geek; they’re done by other computers and they’re dictionary based. That doesn’t always mean an English dictionary, rather a list of words that are commonly used in passwords. A computer program works through the dictionary trying each phrase in turn. Unsurprisingly, hackers are well aware that people change O to zero, etc., so all those combinations are tried too. Using the password “pr0gn0s1s” will take maybe a millisecond more to crack than simply “prognosis”. Changing letters to numbers is almost no help in making a password more secure.
So how do we avoid this?
1. Use Multiple Unrelated Words
XKCD makes a good point, you can just use multiple unrelated words, spelt entirely normally. By unrelated I mean that “DavidBeckham” is 2 words but would be a monumentally terrible password. “hollowpoolbutton” is much better and much easier to remember. “The Hollow Crown” is a series of Shakespeare plays on BBC TV, “Crown Pools” is a swimming pool in Ipswich, “Poole” is the town where Jenson Button (a racing driver) wasn’t born (but I thought he was until I just Googled him). So this is an easy password for me to remember.
This might not sound like it’s better than “pr0gn0s1s” but it is, massively so. There are more than 200,000 words that could follow “hollow” and another 200,000 that could follow “pool”. That’s more than 40 billion possibilities. A bit better than the handful of different substitutions that can be made in “prognosis”.
Adding some capital letters, a number or a special character may make it slightly better still, but the main strength of the password comes from it being made up of three unconnected sequences.
2. Insert Something Foreign Into a Word
Another way that sounds rather counter-intuitive but is surprisingly effective is to add something into the middle of a word. Instead of “pr0gn0s1s” you could use “progn9osis”. Now it’s not an English word any more and it’s not an obvious change. Personally I’m not happy with a single insertion: there aren’t that many characters on the keyboard or positions in “prognosis” to insert them at. Dump an entire other word in, however, and it makes a big difference. It is very improbable that “prognmintosis” would ever be tried by a hacker.
Although, point of order, now I’ve written that exact phrase on a web page about choosing a strong password, you probably shouldn’t use “prognosis” and “mint” in the same password any more.
3. Use The First Letters of a Passage of Text
The last simple method I’ll mention is to find a phrase, a bit of poetry, prose or song fragment and take the first letter of each word. So if you’re a big Samuel Taylor Coleridge fan you might select:
“The naked hulk alongside came,
And the twain were casting dice;”
from the most excellent (but rather scary) Rime of the Ancient Mariner. This would make a password of “tnhacattwcd” which scores well on all levels. It feels like a secure password, it actually is a secure password and it’s easy to remember.
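To put numbers on sections 1 and 3, here is a small added example (my code, not from the original post) that counts the candidates a dictionary attack has to try for a leet-substituted word against the multi-word approach, and builds the acronym password from the Coleridge lines. The substitution table is a constructed sample; real attacker rule sets are larger, which only widens the gap.

```python
import math

# Constructed sample of the letter substitutions a dictionary attack tries.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}


def substitution_variants(word):
    """Number of strings reachable by applying any subset of the LEET
    substitutions to `word` (the unmodified word counts as one)."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(LEET.get(ch, ""))
    return count


def multiword_space(list_size, word_count):
    """Candidate space for `word_count` words each drawn from a list of
    `list_size` words, e.g. the two words that follow "hollow"."""
    return list_size ** word_count


def first_letters(passage):
    """Acronym password: first letter of each word, lower-cased."""
    return "".join(w[0] for w in passage.split() if w[0].isalpha()).lower()


def bits(search_space):
    """Bits of entropy: log2 of the number of equally likely candidates."""
    return math.log2(search_space)


if __name__ == "__main__":
    n = substitution_variants("prognosis")
    print(f"prognosis and its leet variants: {n} guesses (~{bits(n):.1f} bits)")
    m = multiword_space(200_000, 2)
    print(f"two more words from 200,000: {m:,} guesses (~{bits(m):.1f} bits)")
    print(first_letters("The naked hulk alongside came, And the twain were casting dice;"))
```

The whole “prognosis” family is a hundred-odd guesses; the two extra words are the 40 billion the post mentions, and the difference is roughly 28 bits.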
Why Do Systems Insist On Password Rules?
We’ve all been there: “Sorry, you can’t use this password because it doesn’t contain a capital letter, a lowercase letter, a special character, a number and a fractal equation.”
XKCD clearly demonstrates that this is a bag of arse. You can do all those things (except maybe the fractal equation) and still have a rubbish password, or you can do none of those things and have a really strong one.
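As an added example (mine, not from the post), this checker implements the rule set from that error message beside a policy based on length and a dictionary check, and shows which of the post’s passwords each one accepts. The word list and the leet reversal table are constructed stand-ins for the lists a real attack uses.

```python
import re

# Constructed stand-in for a real dictionary-attack word list.
COMMON_WORDS = {"password", "prognosis", "david", "beckham", "welcome", "letmein"}
# Undo the usual letter-to-symbol substitutions before looking a word up.
LEET_BACK = str.maketrans("0134$@!57", "oieasaits")


def meets_complexity_rules(pw):
    """The classic rules: 8+ chars with upper, lower, digit and special."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def is_dictionary_based(pw):
    """True if, after stripping leading/trailing digits and punctuation and
    undoing leet substitutions, the password is one common word or two
    common words glued together ("DavidBeckham")."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    core = core.translate(LEET_BACK)
    if core in COMMON_WORDS:
        return True
    return any(core[:i] in COMMON_WORDS and core[i:] in COMMON_WORDS
               for i in range(1, len(core)))


def meets_length_policy(pw, min_len=12):
    """A policy aimed at what actually resists dictionary attacks."""
    return len(pw) >= min_len and not is_dictionary_based(pw)


if __name__ == "__main__":
    for pw in ("Pr0gn0s1s!", "DavidBeckham1!", "hollowpoolbutton", "tnhacattwcd"):
        print(f"{pw:18} complexity={meets_complexity_rules(pw)!s:5} "
              f"length+dictionary={meets_length_policy(pw)}")
```

“Pr0gn0s1s!” sails through the complexity rules and is a single dictionary word; “hollowpoolbutton” fails them and is the strongest of the lot.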
One reason is that some people really are unbelievably crap at passwords. They’ll use their own names, pet names or other information that a lot of people would know and could easily guess. At least if they’ve got a number or some punctuation in the password they stand some chance of their new credit card not being immediately hacked by their 5-year-old kid.
A second reason is that, although the world of computers contains some of the cleverest people on the planet, it also contains a lot of people who aren’t. Some people who really should know better actually believe that these things are required for a strong password.
Then there are managers who just want to feel safe. Despite having the situation explained to them multiple times, they still feel that a password needs to have these elements to be strong. At an emotional level we can have some sympathy: it does feel like “pr0gn0s1s” is a stronger password than “PencilDaquiri”, but it isn’t. Unfortunately, when a manager has those emotions, the wrong password rules tend to propagate into systems.
The last thing I want to mention is user expectation. There are situations where everyone involved in producing the system is fully aware of the facts, but they’re producing a system that the users need to trust. We’ve established already that people have an emotional connection: if they feel a password is complicated, they also feel it is secure.
People might feel that a web site must be really secure because they had to try 3 times to meet the password strength requirements and because there are fancy traffic lights telling them how “strong” their password is. Behind that, the password might be written in plain text into a database that itself has poor security and is directly exposed to the entire Internet.
It doesn’t matter if a rival site has a much better password policy and a much better and more secure way of storing those passwords; if the user doesn’t feel that the site is secure, they’ll use the one that is actually less secure.
Sadly, I think that all adds up to us being stuck with these rather silly password rules. Fortunately if you’re in the habit of setting secure passwords then it doesn’t actually make them much more difficult to remember. It’s just irritating.