The Problem With Passwords

Those of you that subscribe to the Lucidica newsletter may have noticed that in October we mentioned that mobile application developer SplashData released their annual list of the most common, and therefore worst, passwords on the internet. ‘password’ and ‘123456’ are obviously the most popular, but less obvious words, like ‘monkey’, are gaining increasing usage. The list, compiled from worryingly public databases of stolen account details, covers 25 passwords that are used so often that they provide essentially no security. They lack variety, capital letters, numbers, punctuation, even imagination! Worse still, most of these passwords are used to protect every online interest an individual has.

“But how…”, I hear you plead, “how am I supposed to remember all those different, complex passwords I’m told to think up?!” – and you have a fair complaint. It can be difficult to remember passwords, especially as many websites now demand a minimum of 8 characters, a capital and a lower case letter, a number, a piece of punctuation, no more than two consecutive identical characters, and a unique password not used on your account within the last year (I’m looking at you, Apple).

And even if we follow the advice and throw in all these random, nonsensical characters, computing has got to the point where any 8-year-old can use brute force to crack your account. Here’s an example: let’s think of a random password: W1dny35! It’s got 8 characters, upper and lower case, 3 punctuation marks and a number thrown in. It doesn’t mean anything. That has to be totally uncrackable, right? According to ‘How Secure Is My Password’ a desktop computer would take 3 days to crack that. Pretty good. But will you ever remember it? ‘password’, conversely, is incredibly memorable, but would be cracked instantly.

So perhaps what we need to do is rethink our strategy. How do we make passwords memorable, but still safe from brute-force attacks? The answer is simple: sentences. Sentences are as easy as words to remember, but their added length and possible variations make them far harder for a computer to crack.

‘passwordismypassword’ is as memorable as ‘password’, agreed? But instead of the microsecond a desktop PC would need to break the latter, the former would take 157 billion years to figure out. Stick a full stop on the end and you push that time to 413 quadrillion years. Capitalise the first ‘p’? 5 sextillion years. I didn’t know there were that many years.

Arguably this method does nothing to stop people working out your password. If you tell someone that you love hamsters and your password is ‘Ilovehamsters!’ you only have yourself to blame. But if you make it more complicated, for instance ‘Ilovehamstersmorethankittens!’, you’ll still be much more secure than using ‘123456’. In fact, if you can make the words in the phrase unrelated to one another, or skip words, you’ll be even safer: ‘Ihamstermorekittens!’.

If you’re looking for that extra level of security you could even follow the method discussed by webcomic xkcd and make up a story from a series of unconnected words:

You can’t argue with that illogic.
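The crack-time figures quoted above come from an online estimator; to show where such numbers come from, here is an added worked example (not code from the original post or from the tool it cites) that sizes the search space for the post's own passwords. It uses two models: the character-level brute force the post describes (alphabet size raised to the length), and a word-level guesser for phrases built from dictionary words, which is what makes ‘Ilovehamsters!’ weaker than its length suggests and what the xkcd scheme answers by picking words at random. The guess rate of 10^10 per second and the vocabulary sizes of 10,000 and 2,048 words are assumptions chosen for illustration, not figures from the post.

```python
import math

# Printable-ASCII character-class sizes used by the character-level model.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed offline guess rate (an illustrative assumption, not a figure from the post).
GUESSES_PER_SECOND = 10 ** 10


def alphabet_size(password: str) -> int:
    """Alphabet a brute-force attacker must cover, judged by which
    character classes actually appear in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def char_keyspace(password: str) -> int:
    """Candidates of the same length over the same alphabet (the model the post uses)."""
    return alphabet_size(password) ** len(password)


def word_keyspace(n_words: int, vocabulary: int) -> int:
    """Candidates when the phrase is n_words drawn from a vocabulary of that size."""
    return vocabulary ** n_words


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace / rate / SECONDS_PER_YEAR


def effective_keyspace(password: str, n_words: int = 0, vocabulary: int = 0) -> int:
    """Weakest applicable model: an attacker who knows the phrase is made of
    dictionary words needs only the word-level space, if that is smaller."""
    space = char_keyspace(password)
    if n_words and vocabulary:
        space = min(space, word_keyspace(n_words, vocabulary))
    return space


if __name__ == "__main__":
    # The post's examples, plus the two word-based phrases. Word counts and the
    # 10,000-word vocabulary are assumptions for the dictionary model.
    samples = [
        ("password", 1, 10_000),
        ("W1dny35!", 0, 0),
        ("passwordismypassword", 4, 10_000),
        ("passwordismypassword.", 0, 0),
        ("Passwordismypassword.", 0, 0),
        ("Ilovehamsters!", 3, 10_000),
    ]
    print(f"{'password':24} {'bits':>6} {'years (worst case)':>22}")
    for pw, n, vocab in samples:
        space = effective_keyspace(pw, n, vocab)
        print(f"{pw:24} {bits(space):6.1f} {years_to_exhaust(space):22.3e}")
    # Four words chosen at random from a 2,048-word list (the xkcd approach):
    xk = word_keyspace(4, 2048)
    print(f"{'four random words':24} {bits(xk):6.1f} {years_to_exhaust(xk):22.3e}")
```

Run as a script it prints one row per password. The table shows the post's point in numbers: length beats character mixing (26^20 dwarfs 94^8), but a phrase of common, related words collapses to the word-level space once the attacker guesses words instead of characters, which is why unrelated or randomly chosen words hold up better. The printed years are worst-case exhaustive-search times under the assumed rate, not the figures from the estimator the post used.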