Strong Passwords

Monday, 23 September 2019

Short or overly simple passwords are insecure. If you are using a short, memorized password then you need to change it often; if you are using a password manager, use a long, complex password and you don’t need to change it as often. For short passwords, do not make the first character your one required capital letter and an exclamation mark at the end of the string your one required non-alphanumeric character – that pattern is predictable, and cracking tools check for it.

One further comment about password length, aside from what was mentioned earlier (length is more important than complexity), is that there is no good excuse for a website to not allow very long passwords. Passwords should never be stored by a site; it should always store a salted hash – which is a fixed length, regardless of the password length. Be suspicious of websites that do not allow fairly long passwords!

How difficult should your password be? If the site allows a password of decent length, use a phrase built from common words. A group of random words is more secure and much easier to remember and type than a long, random string of characters. Remember, password complexity is strongly correlated with length.

To illustrate the point, consider an oversimplified scenario where you choose 4 words from a dictionary of a thousand words – just to keep the numbers easy. There are one thousand choices for the first word, one thousand more choices for the second word, and so on, giving you a total of one trillion (1000^4) possible passphrases. So do yourself a favor and use at least 8 words – i.e. 1,000,000,000,000,000,000,000,000 possible passphrases, assuming the dictionary is only 1000 words (which is underestimating the count in almost every case). Also be creative – for example you can use other things besides spaces to separate words in a passphrase.
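The arithmetic above, carried through as an added example (not part of the original post): the keyspace is dictionary size raised to the word count, so its log2 gives the bits of guessing entropy, and dividing by an assumed guess rate gives the time an attacker would need to exhaust it. The word list and the 10^9 guesses-per-second rate are constructed assumptions, not figures from the post.

```python
import math
import secrets

# Constructed sample dictionary; a real passphrase list is far larger.
SAMPLE_WORDS = ["anchor", "basket", "candle", "dragon", "ember", "falcon",
                "garden", "harbor", "island", "jigsaw", "kettle", "lantern"]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols, each drawn uniformly
    and independently from `alphabet_size` symbols. For a passphrase the
    symbols are dictionary words, for a character password they are
    characters. Repeats are allowed, so this is alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Guessing entropy in bits: log2 of the keyspace."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate; on average
    the correct guess is found after about half of this."""
    return space / guesses_per_second


def generate_passphrase(words, word_count: int, separator: str = " ") -> str:
    """Pick word_count words with the CSPRNG-backed `secrets` module.
    The separator is free choice; the strength comes from the word picks."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    rate = 1e9  # assumed attacker rate: one billion guesses per second
    year = 365.25 * 24 * 3600
    for label, size, length in [("4 words, 1000-word list", 1000, 4),
                                ("8 words, 1000-word list", 1000, 8),
                                ("8 chars, 94 printable ASCII", 94, 8)]:
        space = keyspace(size, length)
        print(f"{label}: {space:.3g} candidates, "
              f"{entropy_bits(space):.1f} bits, "
              f"{seconds_to_exhaust(space, rate) / year:.3g} years to exhaust")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 8, "-"))
```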

Avoid using names of people, pets, or places you’re associated with as the basis for your password. Never use memorable dates like birthdays, anniversaries, year of birth, graduation, or any life event. All of these can often be found with little effort, and password cracking programs are often set up to check these types of passwords first.

Computers are extremely good at guessing such passwords – so just don’t give in to temptation! The complexity of a password, assuming you’ve avoided using something insecure like your pet’s name, is determined by the number of possible permutations an attacker would have to search. A common password cracking strategy is to look for easy passwords first, like those we mentioned above. After the low hanging fruit is gone, an attacker would need to brute force the password. That is not as difficult as you might imagine for short passwords, since off-the-shelf hardware allows an attacker to quickly try billions of potential passwords.

Speaking of which, perhaps the next topic to cover related to passwords and password security should be password cracking. In the previous post we covered password managers, so go back and read that if you haven’t already or you can start with the initial post about the basics of password security.