
Eelco Verbrugge


Why your password is weak

Does your password policy require at least the following?

  • Must be a minimum of 8 characters
  • Must contain at least 1 number
  • Must contain at least one uppercase character
  • Must contain at least one lowercase character
  • Must contain at least one special character (!@#$%^&*)

Recent research showed that a password like this is cracked in 39 minutes! Yes... you risked brain damage coming up with a password like that, or let your password manager do the job, and still it can be cracked that fast.

In 2020 the same kind of password took 8 hours to crack. That is only 12 times slower than it is now; imagine how fast it will be two years from now.

Password on steroids

The best possible way to come up with a password is the Diceware method.

Experts use it to add real randomness to the words your password contains. You roll a die five times (or five dice at once); the five digits in a row form a number that maps to one word in the Diceware word list. Repeat this until you have at least 7 words and join them into a passphrase:
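As an added illustration (not code from the original post), the generator below simulates the dice rolls with a CSPRNG and compares the entropy of a 7-word Diceware passphrase with that of an 8-character "complex" password. The tiny word list is constructed for the demo; a real Diceware list has one word for every one of the 6^5 = 7776 roll outcomes.

```python
import math
import secrets

# Constructed sample entries; a complete Diceware list maps all 7776 keys.
SAMPLE_WORDS = {
    "11111": "abacus", "11112": "abdomen", "11113": "abide", "11114": "abode",
    "11115": "abort", "11116": "absurd", "11121": "accent", "11122": "acid",
}
FULL_LIST_SIZE = 6 ** 5  # 7776 words in a complete list
PRINTABLE_ASCII = 94     # letters, digits and symbols on a US keyboard


def roll_index() -> str:
    """Simulate five dice rolls with secrets (CSPRNG) and return the 5-digit key."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_passphrase(word_count: int, words: dict) -> str:
    """Roll until `word_count` keys hit the list and join the words with spaces."""
    chosen = []
    while len(chosen) < word_count:
        key = roll_index()
        if key in words:  # with a full list every roll is a hit
            chosen.append(words[key])
    return " ".join(chosen)


def passphrase_entropy_bits(word_count: int, list_size: int = FULL_LIST_SIZE) -> float:
    """Bits of entropy in `word_count` independent picks from `list_size` words."""
    return word_count * math.log2(list_size)


def password_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Bits of entropy in a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("sample passphrase:", diceware_passphrase(3, SAMPLE_WORDS))
    print("7 Diceware words: %.1f bits" % passphrase_entropy_bits(7))
    print("8 random chars:   %.1f bits" % password_entropy_bits(8))
    print("12 random chars:  %.1f bits" % password_entropy_bits(12))
```

The entropy figures assume the words and characters are chosen uniformly at random; a human-picked "complex" password has far less entropy than the 8-character figure suggests.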


Safety vs user-friendliness

One problem is that such a passphrase won't pass the minimum requirements listed at the beginning. Of course we can append a number and an exclamation mark or whatever, but that isn't the best solution.

It is also pretty harsh to ask everyone to do this for "just a password". How much effort is justified depends on the value of what you are trying to secure. But since people are lazy, let's come up with a solution that works for everyone.

What we can do is raise the minimum number of characters. If you go from 8 to 12, the password takes 3000 years(!) to crack in 2022. In 2020 that figure was 34000 years, so what will it be two years from now? Still, it takes far more time to crack, so hopefully the hackers decide to target an easier victim.

Top comments (1)

webbureaucrat

Unique randomly generated keys of the same length are a lot more secure, but the argument for diceware-style word generators is that they are more memorable.

The problem that I have with this argument is that the claim just doesn't pass the smell test. Proponents of this method really memorize all their more-memorable passwords without reuse? That's just not credible for the average Internet user. My own password manager has hundreds of accounts.

Some people try to split the difference and reuse a password for "unimportant" accounts while creating unique memorable passwords for important accounts, but I still find this pretty questionable. I still have probably a hundred user accounts that have access to my credit card information, for example, and for the ones that don't I may decide to enter that information later. And even if some users have a lot fewer "important" accounts than me and can memorize their important passwords, they're still making a big security compromise with accounts that probably have more social engineering value than the users realize.

So you have to either use a password manager or do a lot of password reuse, and one of those options is VERY insecure. So you use a password manager to collect all your correct horse battery staples. But at that point... just use long randomly generated keys for everything.

There are very few narrow use cases where I think the diceware approach makes sense. He gives the example of smart TVs with clunky screen keyboards and no password manager integration. (Personally I suck it up and spend 5 minutes entering my passwords before I can start using the service. It's a pain point, but a rare one, and I'd understand someone avoiding it.) And of course your password manager itself will need a memorable password.

But saying this is the "Best possible way to come up with a password" just doesn't hold any water.