This is a now-famous comic about password strength. Cryptographers the world over have agreed, disagreed and debated over it ever since it was released, but in the end NIST admitted it was wrong – Tr0ub4dor&3 is a stupid password.
First, a direct answer: using a password calculator, it’s clear that length is more important than content:
Current minimum standard: eight characters, upper/lowercase letters, special characters and numbers: 6,634,204,312,890,625 combinations.
Just 12 characters, anything you want. “makeapasswdk”: 95,428,956,661,682,180 combinations.
That’s 6 quadrillion versus 95 quadrillion potential combinations, all from adding four more characters to your password. It’s now WAY easier to remember too, because it can be anything you want it to be.
Additionally, with the password databases compromised the world over during the last six years, a study on how people come up with passwords has been completed. In fact, we’ve learned that humans are really lousy at making up passwords: people are really consistent. Cracking software such as John the Ripper now runs permutations based on common patterns first, so in all likelihood any 8-10 character password is going to fall in just a few hours given the opportunity. When it comes to passPHRASES, how we come up with these passwords changes; it’s not the same as 8-10 random/junk characters, making it trickier to guess systematically.
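The gap between the nominal keyspace figures above and what a pattern-first guesser actually has to search can be shown in a few lines. This is an added example, not code from the original post; the word list, the 100,000-word dictionary size and the guess-count formula are assumptions made for illustration.

```python
import string

# Constructed sample list; a real check would load a large dictionary or breach corpus.
WORDLIST = {"troubador", "password", "dragon", "monkey"}
ASSUMED_DICT_SIZE = 100_000   # assumption: size of the word list a guesser tries first
LEET = str.maketrans("0134@5$7", "oieaasst")   # common substitutions, undone
DECOR = string.digits + string.punctuation     # 42 characters people append

def nominal_keyspace(pw: str) -> int:
    """Brute-force keyspace: (size of the character classes used) ** length."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33
    return size ** len(pw)   # exact integer, no floating-point rounding

def base_word(pw: str) -> str:
    """Strip trailing digits/symbols, undo leet substitutions, lowercase."""
    return pw.rstrip(DECOR).translate(LEET).lower()

def pattern_guesses(pw: str, wordlist=WORDLIST, dict_size=ASSUMED_DICT_SIZE):
    """Rough guess count if the password is 'dictionary word + decorations';
    None when it does not reduce to a listed word."""
    word = base_word(pw)
    if word not in wordlist:
        return None
    suffix_len = len(pw) - len(pw.rstrip(DECOR))
    leetable = sum(c in "oieast" for c in word)
    # words x (capitalised or not) x (each swappable letter swapped or not) x suffix
    return dict_size * 2 * 2 ** leetable * len(DECOR) ** suffix_len

def report(pw: str) -> str:
    hit = pattern_guesses(pw)
    eff = f"{hit:,} pattern guesses" if hit else "no dictionary pattern found"
    return f"{pw!r}: nominal {nominal_keyspace(pw):,}; {eff}"

if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "makeapasswdk"):
        print(report(candidate))
```

A site-side password check built this way rewards length and rejects decorated dictionary words instead of demanding character classes.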
In the end though, passwords need to be abolished in favor of math-based tokens. Consider the ways your password can be compromised:
- It can be cracked via brute force / raw computing time
- It can be guessed based on what someone knows about you
- It can be stolen from a compromised website and applied to another site (never re-use passwords across sites)
- It can simply be reset based on foolish questions only you are supposed to know the answer to, like “What’s your mother’s maiden name?” (About that, by the way: lie. The answer is “blueberry”, “fiftyeight”, “fluffyquilt” or something; make it up. Type that in instead, it’ll work great.)
- It can be surrendered via site compromise
- It can be found under your keyboard on a sticky note (please let that not be true…)
- It can be uncovered by a spouse / significant other who knows, or who knows the PIN to get into your password database
- Your typing the password once created a security token that can be hacked and replayed into the site, fooling it into thinking you have an active session.
- It can be stolen in a phishing attack where someone sends you an email and tricks you into logging into a fake site
- “Shoulder surfing” – watching you type it in
How many of the above have anything to do with the password being “strong”? One. 1. Uno. Ichi. ONE, for Pete’s sake: cracking via brute force / raw computing time. This means “Is your password A? No? How about a? Is it B? b? ab? AB? abc? Abc? aBc……..?” until the keyspace is exhausted. If you have a 40 character password with all the junk in it, that will help you in exactly one of the 10 scenarios listed above, and that attack is impractical and rarely leveraged anymore.
Modern computers are fast enough to discover common passwords regardless; it’s just a matter of time and money. You can select better passwords, but we need to move towards password-less identification.
Some sites are still in the stone ages and insist that your password isn’t strong unless it has a whole mess of stuff in it, but some will let you create longer passwords with anything you want, so use that to your advantage:
- Come up with passPHRASES that you can remember; longer is better regardless of content.
- Use a password manager such as 1Password or Dashlane to reduce password re-use across sites
- Multifactor and antivirus (Whisper recommends ESET) are far more valuable ways to protect your logins than putting a bunch of junk characters into your password – install AV and use multifactor anywhere you can, as those measures are far more effective.