In the UK at the moment there is a lot of media focus on secure passwords coming from a Government campaign around the general area of online protection (https://www.cyberstreetwise.com/) – whilst in London last week passing through the Underground I saw a number of billboard posters which gave examples of weak and secure passwords and they offered some great advice which I wanted to share but also look at some of the reasoning behind this.
The general advice around passwords is:
- Use upper and lowercase letters
- Include numbers
- Include “symbols” (things like !, @, # etc)
- Make it at least three words long
This is the first time I have seen the 4th point in any government campaigns. Historically the advice has always been making your password at least 8 letters long. The bit I would add to point four is to make it at least three medium length words long (i.e. not something like inthecar) and I would also like to add a fifth vitally important one to this list:
5. Do not use the same password on multiple sites
So why is this important? Well let’s look at some examples analysing the reasoning behind the first four points using one of the many online password strength tools
Let’s take a standard word of 8 characters long – examples. For the purposes of this, we are going to assume a “hacker” knows nothing about you and therefore does not have any starting point to work from like your cat’s name or your first car etc and is simply relying on brute force to guess your password.
So how long would it take to brute force guess the password “examples”? 52 SECONDS!
OK so let’s add in some of the above advice – let’s change one letter to a capital
How long would it take to brute force guess the password “Examples”? 3 hours!
Just by adding one capital letter the time to crack has increased over 200 times.
So let’s add in a number – for the purposes of what we are showing let’s change one of the characters to a number.
How long would it take to brute force guess the password “Exampl3s”? 15 hours. Getting better 🙂
Now let’s add in a symbol again replacing a character.
How long would it take to brute force guess the password “Ex@mpl3s”? 3 days.
So just by making a few simple changes, we have increased the “security” nearly 5000 times!
Now why is number four so relevant? Firstly trying to remember Ex@mpl3s can be quite tough especially if you are then forced to change it frequently and so on. So lets go back to our original word – examples. Brute forced in 52 seconds.
Without adding any different cases, numbers or symbols – can we make it more secure than Ex@mpl3s?
Let’s change our password now from examples to good examples – simply adding a word but, critically, we are increasing the length from 8 characters to 12.
So how long would it take to brute force guess the password “goodexamples”? 276 DAYS! Wow! So two simple words all lower case is 92 times “more secure than Ex@mpl3s
Take it further and change the password to verygoodexamples and what does it change to? Wait for it – 345 THOUSAND YEARS. Yes – 345,000,000 YEARS. Just by making the password longer.
Obviously, if you want to use all four together then it gets even better – something like v3ryGo0dEx@mpl3s allegedly would take 12 TRILLION years to crack but it isn’t exactly easy to remember but verygoodexamples is pretty darned easy for most.
CAUTION 1: COMMON WORDS
There is always a BUT! If you use the first 3 pieces of advice above against a random word you increase the security by up to 5000 times. Great! But you do need to be quite careful about the word you choose to do this with. Why? Well the second most common password used (found out from some of the huge data leaks of recent times like Adobe) is password. So if you use password you are in trouble but even if you apply the above advice to password such as making it into P@44word, for example, you are still going to be in trouble as everyone does the same thing so that combination and most others using the word password will be in a dictionary or word list used by a hacker. Basically it doesn’t matter how you try and secure the word password – it is a bad idea!
CAUTION 2: DO NOT REUSE PASSWORDS
Second but – reusing passwords. When you set a password you are relying on the site which stores your password looking after it. That means basically that they never store in clear (i.e. that can be read by a human) and that they use a strong hashing algorithm. If they don’t then your 345,000,000 year password is now in the wild most likely along with your email address as that is what most systems ask for so all someone now needs to do is to go to Facebook, for example, and enter your email address and your clear password and they are in – no hacking needed, just simple data entry.
If you want to do just ONE thing to make your passwords more secure – make them longer. Everything else is good and sound advice but the one thing which makes the biggest difference is length – look around your desk now and pick three random items and make your password from those. You will remember them as you can see them and no hacker has 345,000,000 years to spend trying to work through all those combinations!
(For the purposes of the numbers used above we used an online password strength checker at https://howsecureismypassword.net/. The numbers shown are not meant to be taken literally as there are many more things which impact security than just password strength and just because you choose an “ultra secure” password does not mean you are never going to be impacted. The numbers are purely for comparison and should be treated as such).