
Your Passwords Suck


The only person you can rely on to keep your password secure is yourself. And let me tell you, you're probably not doing enough to keep number one safe. The reason: Your special lump of letters, numbers, and symbols are likely spread over too many sites, are not long enough, and are probably too personal. Most of our passwords suck. And it's kind of a big problem.


The thing to understand is that the biggest threat to your security isn't some creep sitting in front of your email login screen, randomly brute-forcing his way into your account. Nope, you're up against computers that can run thousands of encrypted passwords against dictionaries of several languages, everything in the World Factbook, and Wikipedia in a matter of minutes.

And the setup that makes cracking weak passwords a cinch is seriously nothing special. A journalist at the Tech Herald named Steve Ragan was able to crack over 80,000 encrypted passwords the AntiSec movement published on the Internet in just five hours with a $300 off-the-shelf computer and free downloadable software. One of the most surprising things he found from his password-cracking experiment: "Someone used a period. It just blew my mind."


Oh, and note: Leetspeak will not keep your password safe. "Numbers substituted for letters is really, really bad. Most password applications will try that before they do plain English," says Chester Wisniewski, a senior security advisor at Sophos. Patterns on a keyboard are bad news, too. "You think you're being clever, but you have to remember: The criminal's a part of us." It doesn't require much to fell some 6-character entry made from your dog's name with some digits tacked on. "People will use their birth year. If there are four digits at the end, it's not a remarkable coincidence that most start with 19," says Wisniewski.

Once your password has been compromised, it isn't just bad news for your Zappos account. If you've used the same login for other services, you've given a hacker access to more than just your shoe size and sneaker preference: you've opened yourself up to breaches of your Facebook, Twitter or email. Details gleaned from one can open up the next account.

Ok, so all of this sucks. What can you do about it? The most important thing you can do to a single password is to make it long. "Adding one more character makes it exponentially more difficult to break, even if you don't use silly characters," says Wisniewski. "The password, Apple, is bad. But focusing on length, Appppppppppple, with 11 P's, is actually really good. So size does matter." Experts suggest a password 12-14 characters long.
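The cracking tricks the article lists (dictionary words, leetspeak substitutions, keyboard patterns, a birth year tacked on the end, and short length) are exactly what a defender's password checker should look for before a password is accepted. The following is an added example, not code from the article or from any of the quoted experts: a small audit function that undoes common leetspeak, strips a trailing 19xx/20xx year, checks the remaining core against a tiny constructed word list, spots keyboard walks, and reports how large a brute-force search space the password's length and character classes imply. The word list, the substitution table and the keyboard rows are constructed assumptions; a real cracker works from lists with millions of entries.

```python
import math
import re
import string

# Constructed stand-in for the multi-language dictionaries, World Factbook and
# Wikipedia dumps the article describes. Real lists run to millions of words.
SAMPLE_DICTIONARY = {"apple", "password", "welcome", "summer", "rex", "letmein"}

# Common leetspeak substitutions (assumption). Crackers try these before plain
# English, so the checker must undo them before the dictionary lookup.
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
            "7": "t", "@": "a", "$": "s", "!": "i"}

# Rows of a US keyboard, used to spot "keyboard walks" such as qwerty or 1234.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# A trailing four-digit year: "People will use their birth year ... most start with 19".
YEAR_SUFFIX = re.compile(r"^(.*?)((19|20)\d{2})$")


def undo_leet(password: str) -> str:
    """Map leetspeak back to plain lowercase letters for the dictionary check."""
    return "".join(LEET_MAP.get(ch, ch) for ch in password.lower())


def strip_year_suffix(password: str):
    """Return (core, year) where year is a trailing 19xx/20xx, or None."""
    m = YEAR_SUFFIX.match(password)
    if m:
        return m.group(1), m.group(2)
    return password, None


def is_keyboard_walk(password: str, min_run: int = 4) -> bool:
    """True if the password contains a run of min_run adjacent keys (either direction)."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            run = row[i:i + min_run]
            if run in p or run[::-1] in p:
                return True
    return False


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must assume, from the classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols on a US keyboard
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the search space: each extra character multiplies it by the alphabet size."""
    return len(password) * math.log2(charset_size(password))


def audit(password: str) -> dict:
    """Report the weaknesses the article warns about plus the brute-force search space."""
    core, year = strip_year_suffix(password)
    plain = undo_leet(core)
    findings = []
    if plain in SAMPLE_DICTIONARY:
        note = " after undoing leetspeak" if plain != core.lower() else ""
        findings.append("dictionary word" + note)
    if year:
        findings.append(f"trailing year {year}")
    if is_keyboard_walk(password):
        findings.append("keyboard pattern")
    if len(password) < 12:
        findings.append(f"only {len(password)} characters")
    return {"bits": round(brute_force_bits(password), 1), "findings": findings}


if __name__ == "__main__":
    for candidate in ["Apple", "Appppppppppple", "P@55w0rd1984", "qwerty123"]:
        print(candidate, audit(candidate))
```

Running it on the article's own pair shows the length effect: "Apple" sits at roughly 28.5 bits of brute-force search space and is flagged as a dictionary word, while "Appppppppppple" sits near 79.8 bits with nothing flagged, because every added character multiplies the space by the alphabet size. A leetspeak variant with a year on the end is caught by normalising before the lookup rather than by the raw string.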

The problem, of course, is remembering that many characters. (Storing your passwords in a spreadsheet or email, by the way, is very much frowned upon. One breach means access to your whole life.)


"I'm a big fan of pass phrases," says Ragan. "It's something that's personal—that's easy to remember. The longer and more random, the less chance of a dictionary crack being successful."

Wisniewski's personal trick is to start with a line from a favorite song. He'll pull the first letter of each word in the line and stick them together for something that's easy to recall but very difficult to crack. The trick gives him length—which stifles brute force attempts—and randomness—keeping him clear of anything that would pop up in a dictionary. (Actually, when many words are glommed together, the password becomes incredibly hard for computers to crack, but a long string of seemingly random characters is even more secure.) Et voilà, a password that is easy enough to remember and secure enough to use.
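To make the two passphrase ideas above concrete, here is an added example (not code from the article or from the people it quotes) that implements the song-line mnemonic, builds a passphrase by glomming words chosen with a cryptographic random source, and works the parenthetical comparison through as arithmetic: n words drawn uniformly from a list of D words give log2(D^n) bits, while L characters drawn uniformly from an alphabet of C symbols give log2(C^L) bits. The word list, the 7,776-word list size, the 94-symbol alphabet and the guess rate are assumptions made for the comparison; the entropy figures assume uniform random choice, which a memorised lyric is not, so they are an upper bound for the mnemonic.

```python
import math
import secrets

# Constructed miniature word list; a diceware-style list has 7,776 words (assumption).
SAMPLE_WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glacier", "harbor",
                "iris", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pebble"]
DICEWARE_SIZE = 7776
PRINTABLE_CHARSET = 94  # letters, digits and punctuation on a US keyboard (assumption)


def mnemonic_from_line(line: str) -> str:
    """Wisniewski's trick: keep the first character of each word, case included."""
    return "".join(word[0] for word in line.split())


def random_passphrase(word_count: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Glom several words together; secrets (not random) so the choice is unpredictable."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def passphrase_bits(word_count: int, wordlist_size: int = DICEWARE_SIZE) -> float:
    """Entropy of n words drawn uniformly from a list of size D: n * log2(D)."""
    return word_count * math.log2(wordlist_size)


def random_string_bits(length: int, charset_size: int = PRINTABLE_CHARSET) -> float:
    """Entropy of L characters drawn uniformly from an alphabet of size C: L * log2(C)."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(word_count: int, char_length: int) -> dict:
    """Side-by-side figures for a word passphrase and a random string of the given sizes."""
    words = passphrase_bits(word_count)
    chars = random_string_bits(char_length)
    return {
        "words_bits": round(words, 1),
        "chars_bits": round(chars, 1),
        "words_years": years_to_exhaust(words),
        "chars_years": years_to_exhaust(chars),
    }


if __name__ == "__main__":
    # Constructed sample line; pick your own and never publish it.
    print(mnemonic_from_line("Is this the real life? Is this just fantasy?"))
    print(random_passphrase(4))
    print(compare(word_count=4, char_length=14))
```

With the assumed list size, four glommed words come to about 51.7 bits, whereas the 14 random printable characters the article's experts recommend come to about 91.8 bits, which is the parenthetical's point in numbers: the word passphrase is already far out of reach of a dictionary run, and the random string is further still.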


Stephen Bono, a principal security analyst at Security Evaluators, also suggests using every tool you can on your keyboard. "Most people don't know you can use parentheses in your password," he says. Letters, numbers, special characters, and upper case—if you're allowed to, you should use them all.

Even with mnemonic devices and personal tricks, keeping track of the dozens of passwords we're required to remember is pretty taxing. There are just so many other things we have to keep straight. (Rent, btw. It's now past due.) The best thing to do? Get yourself a password manager service. These will allow you to create crazy-secure 14-character, dictionary-search proof, symbol-using passwords for every site you visit, without relying on your brain to remember all the gibberish. Here's a rundown of a few.


And if you haven't already done what Mat suggested (ahem, change your passwords!), now's a really good time to do it.


Image: CC licensed, Guillaume/Flickr

Change Your Password Day is February 1 and we hope you'll join us in the most boring (but safest!) celebration ever.


Rachel Swaby is a freelance writer living in San Francisco. You can keep up with her on Twitter.




My problem with all of these password tips is that many services do not allow things like more than 12 characters, or special characters like @$?! .... so now I have my really great secure password base and then I tack on something service specific but OOPS this one doesn't accept special characters... ok well then I'll just take that out, but now which ones did I have to leave that out of and which ones require it.....

Until there's some recognized standard of what counts as secure all these tips are practically useless. Is the fact that one of my banks uses no special characters but an image with a special phrase I pick vs. a bank that just allows special characters more secure? Who knows.