Pages

Wednesday 22 December 2010

How secure is your password? (updated August 2017)

---THIS IS NO LONGER CONSIDERED BEST PRACTICE---

Do not follow this advice!

A cartoon image showing an action described as...Image via Wikipedia
Online security blah blah blah

Or so I thought until I started reading an article from Life Hacker about it, following the well-documented Gawker password imbroglio.

How secure do you think your password is? Want to try? How secure is my password? shows you just how difficult it would be to crack yours. Suppose your password just happens to be "secure"...

...it would take a desktop PC about only 30 seconds to crack your password. You might as well not bother having a password.

---Why are you still reading?---


Four basic rules for strong passwords

The first rule for creating a strong password is to make it longer: "securitisation" might take 204,000 years to crack.

Mixing upper and lower case letters helps enormously: "Securitisation", with an upper case S, might take 3 billion years to unravel. That's more than 10,000 times longer, just by switching one letter to upper case.

Throwing in a number, "Securitisati0n", pushes things out to 39 billion years. While changing a letter to a special character, "Securitisati0#" takes us to 564 billion years.

Use different passwords

Part of the problem with the Gawker situation was that members were using the same password for Gawker as for other sites, like Twitter. The problem is, with so many site registrations, how can you recall all your different passwords?

Life Hacker recommends using a password manager, specifically LastPass, which is free and, they say, "remarkable secure". Another option is to select your standard password and then add something to it which makes it unique, while easy to remember. You could add, for example "AG!" to the end of "Securitisati0#" when you register at alexguest.me (if that were possible). This would be your password strength now...


238 quadrillion years is a long time: the universe is reckoned to be 13.7 billion years old... but just as important, your password would be unique to every site you use. So if, for whatever reason, your password is compromised, it would be difficult to break your email/password combination at another site.

Except...

Don't use real words

"Securitisati0#:AG!" might be easy to decipher because it looks like a real word that has been modified.

An acronym formed from a memorable phrase is much better: "Tqbfj0tldAG!" looks like absolute nonsense. But it comes from "The quick brown fox jumps over the lazy dog", which typists will recognise as a sentence containing all the letters of the alphabet.

So I've updated my passwords now. It should take hundreds of billions of years for a PC to crack them.