yu6RutR-
Sta&afr4th
steSWE4=s!UCaVe
This is what you see if you have recently had a password generated for you. These are passwords that are considered strong — lengthy, not a word, and a mix of capital letters, numbers and symbols. There is just one problem: IT MAKES NO SENSE.
A password needs to be complex enough to be secure, but at the same time, if the password looks like a strange math formula, then it is not serving the user well.
There can be a balance: it’s very possible to have a secure password that we don’t have to write down on a post-it note to remember. First, however, we need to understand what a weak password is.
What is a weak password?
The first thing to look at is what makes a password weak. Here are 3 criteria for a weak password:
1. It’s Short
This comes down to combinations and permutations.
Each character in a password can be any one of 95 possibilities, as seen below:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()_+-=|\{}[]:;"'<>,.?/`~(space)
If your password is only 1 character long, then there are only 95 possibilities (95^1), meaning a hacker can guess it within 95 tries. Simply adding a 2nd character increases the number of possibilities exponentially, to 9,025 (95^2). And if you make your password 8 characters long (which is what most password generators recommend), there are 6,634,204,312,890,625 possibilities (95^8).
Let’s assume a hacker is using a strong hacking program to guess your password at a rate of 103,000 guesses/second. How long would it take to go through all combinations?
| password length | password possibilities | time to crack (rounded) |
|---|---|---|
| 1 | 95 | < 1 second |
| 2 | 9,025 | < 1 second |
| 3 | 857,375 | 8.3 seconds |
| 4 | 81,450,625 | 13.18 minutes |
| 5 | 7,737,809,375 | 20.9 hours |
| 6 | 735,091,890,625 | 82.6 days |
| 7 | 69,833,729,609,375 | 21.5 years |
| 8 | 6,634,204,312,890,625 | 442,882.6 years |
Lesson: don’t make your password too short.
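The arithmetic behind the table is easy to reproduce. The script below is an added example, not code from the original article: it builds the 95-character alphabet from Python's standard library, takes the article's assumed rate of 103,000 guesses per second as a parameter, and prints the worst-case time to try every combination for each length. The unit-picking in human_time and the rate parameter are my own choices; the alphabet and the guess rate are the article's.

```python
# Added example (not from the original article): recompute the brute-force
# table from the page's two parameters, a 95-character alphabet and an
# attacker speed of 103,000 guesses per second.
import string

# The 95 printable ASCII characters the article lists: letters, digits,
# punctuation and the space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "
ALPHABET_SIZE = len(ALPHABET)  # 95

GUESSES_PER_SECOND = 103_000   # the article's assumed attacker speed
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(length, rate=GUESSES_PER_SECOND, alphabet_size=ALPHABET_SIZE):
    """Worst case: the attacker has to try every combination before finding it."""
    return keyspace(length, alphabet_size) / rate


def human_time(seconds):
    """Express a duration in the largest unit that gives a value >= 1,
    the way the article's table does."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86_400), ("hours", 3_600),
             ("minutes", 60), ("seconds", 1)]
    if seconds < 1:
        return "< 1 second"
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "< 1 second"


def crack_table(max_length=8, rate=GUESSES_PER_SECOND):
    """Rows of (length, keyspace, human-readable worst-case time)."""
    return [(n, keyspace(n), human_time(seconds_to_exhaust(n, rate)))
            for n in range(1, max_length + 1)]


if __name__ == "__main__":
    print(f"alphabet size: {ALPHABET_SIZE}")
    print("length | possibilities | time to try them all")
    for n, space, t in crack_table():
        print(f"{n:>6} | {space:>25,} | {t}")
```

A useful sanity check on any such table is that each row must be 95 times the previous one, because one more character multiplies the keyspace by the alphabet size; at 103,000 guesses per second the length-7 row comes out at 21.5 years and the length-8 row at roughly 2,042 years (95 times as long). The guess rate is deliberately a parameter: it is the article's assumption, and the same code answers the question for any other rate you want to plug in.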
2. It’s easily guessed.
Even if your password is long, it is useless if it is easily guessed. Here are 10 of the most common passwords in 2013 (source):
- 123456
- password
- 12345678
- qwerty
- abc123
- 123456789
- 111111
- 1234567
- iloveyou
- adobe123
Anyone using one of the above passwords is probably using a device’s default password, or is probably not aware of how to make a secure password. Either way, if I were hacking someone’s password, even before running a program to guess every combination, I would go through a list of common passwords, like the one above, to save time.
Lesson: Ensure your password is not so generic that it’s easily guessed.
3. It can be found in a dictionary.
Much like the situation above, hackers aim to be efficient and save time. Instead of trying to guess every single password combination, which produces mostly nonsense guesses, they can go through a dictionary.
Why a dictionary?
It’s because people don’t like passwords like “yu6RutR-”: it’s secure, but it doesn’t make sense to them. Passwords need meaning in order to be remembered, which is why it is very common for people to use real words and names in their passwords. This is also why a lengthy password like “aardvark” or “apocalypse” is a bad password: it will be in a dictionary, and thus in a hacker’s dictionary as well (note: the Oxford 2nd edition has only 171,476 words).
Lesson: Don’t make your password a dictionary word.
How to make a strong password.
Now that we know why passwords are considered weak, we can look at strategies for making a strong password without making it so incoherently complex that you can’t remember it.
First, make sure your password is long enough: 8 characters minimum.
Second, consider using words that are personal to you, which people would have a hard time guessing.
The idea is we don’t want anything easily guessed, used, or generic.
For example, if I was born on January 1, 2000, I could make my password “01012000” or “jan12000”. Or if I am a New York Giants fan, I could use the password “nygiants2007”.
Although my mother may be able to guess these passwords, a hacker who does not know me at all will not, because they are personal.
Third, don’t use single words; rather, use strings of words, slang, mnemonics/acronyms, and foreign words, coupled with numbers or symbols.
We already talked about how passwords found in dictionaries are easily guessed. People use them anyway because words give a password meaning, which makes it easy to remember.
Here are some examples of passwords that aren’t words, but still have meaning: “showmedamoney$”, “kamsamnida313”, “hmimnwftroyd”
“Show”, “me”, “the”, “money” are all words that can be found in the dictionary, but combined, they become nonsense, especially when a misspelling is used (“da” instead of “the”). This password is memorable because it is from a popular movie, Jerry Maguire.
“Kamsamnida”, meanwhile, is a romanization of “thank you” in Korean, so it is not going to show up in a dictionary. Even a Korean dictionary may not list it, as it is one of many variant spellings. The 313, meanwhile, is the area code of Detroit. To remember this, all we have to do is think “thank you, Detroit.”
Finally, “imnwftroyd” looks like nonsense, doesn’t it? It does not look much better than “Sta&afr4th”. However, this password is actually an acronym for the song lyric “it means no worries, for the rest of your days.” These lyrics, of course, are from the unforgettable “Hakuna Matata” from the movie The Lion King.
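The three weaknesses from the first half of the article (too short, on a common-password list, a dictionary word) can be turned into a simple check, and the strategy examples above are a natural test set for it. The script below is an added example, not code from the original article. The common-password list is the article's ten entries; the dictionary is a tiny constructed stand-in for a real word list; and the base_word step, which strips digits and symbols from the ends before the dictionary lookup so that “aardvark1” is still caught, is my extension of the article's dictionary criterion rather than something the article describes.

```python
# Added example (not from the original article): flag the three weaknesses
# the article lists. The common-password list is the article's; the
# dictionary is a constructed sample, not a real word list.
import re

MIN_LENGTH = 8  # the article's recommended minimum length

# The ten common passwords quoted in the article.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "123456789", "111111", "1234567", "iloveyou", "adobe123",
}

# Constructed sample dictionary; a real check would load a full word list.
DICTIONARY = {"aardvark", "apocalypse", "password", "money", "show", "giants"}


def base_word(password):
    """Lower-case the password and strip digits/symbols from both ends, so
    'Aardvark99!' is still recognised as the dictionary word 'aardvark'.
    This goes slightly beyond the article's plain dictionary lookup."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def weaknesses(password, dictionary=DICTIONARY, common=COMMON_PASSWORDS):
    """Return the article's criteria that the password fails (empty = none)."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("too short")
    if password.lower() in common:
        found.append("common password")
    if base_word(password) in dictionary:
        found.append("dictionary word")
    return found


def is_weak(password):
    return bool(weaknesses(password))


if __name__ == "__main__":
    # The article's own weak and recommended examples.
    samples = ["123456", "aardvark", "apocalypse1", "yu6RutR-",
               "showmedamoney$", "kamsamnida313", "hmimnwftroyd", "nygiants2007"]
    for p in samples:
        w = weaknesses(p)
        verdict = "weak: " + ", ".join(w) if w else "passes all three checks"
        print(f"{p:16} {verdict}")
```

Passing these checks means only that a password avoids the three specific weaknesses the article names; the dictionary here has six words, so a real deployment would swap in a full word list (and the breached-password lists that crackers actually use) before trusting the result.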