Let's talk about weak passwords.
The following passwords must be avoided:
taylor21 qwerty abcdefgh iloveyou7 123456 123456789 buddy123
Many similar passwords are available in public Brute-force wordlists such as Rockyou.
E = log2(Rᴸ), where R is the size of the character pool and L is the password length.
The formula itself does not really matter. Focus on the length and the randomness.
Of course, it's best if you can mix uppercase and lowercase letters with special chars and numbers, but the longer, the better. This is precisely what the formula highlights.
8 chars, even with a complex combination, can still be discovered much faster than a long series of 22 lowercase letters.
The time needed to guess the password by brute force grows exponentially with length, so a longer password moves the estimate from minutes to years.
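The two cases compared above, worked through with the post's formula (an added example, not code from the original post; the 10^10 guesses/s rate is an assumption for illustration, not a figure from the post):

```python
import math

# Added example: E = log2(R^L), rewritten as L * log2(R), applied to the two
# cases the post compares. R is the size of the character pool, L the length.
# The formula assumes every character is picked uniformly at random.

POOLS = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+special": 95,  # all printable ASCII, space included
}


def entropy_bits(pool_size: int, length: int) -> float:
    """E = log2(R^L) = L * log2(R)."""
    return length * math.log2(pool_size)


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit a random password: half the keyspace, 2^(bits-1),
    divided by the guess rate. The rate is an assumed figure, not measured."""
    return 2 ** (bits - 1) / guesses_per_second


def compare(rate: float = 1e10) -> dict:
    """The post's two cases: 8 chars from the full pool vs 22 lowercase letters.
    Returns {case: (bits rounded to 0.1, expected seconds at the assumed rate)}."""
    cases = {
        "8 chars, full pool": entropy_bits(POOLS["lower+upper+digits+special"], 8),
        "22 chars, lowercase only": entropy_bits(POOLS["lowercase"], 22),
    }
    return {name: (round(bits, 1), expected_seconds(bits, rate))
            for name, bits in cases.items()}


if __name__ == "__main__":
    seconds_per_year = 31_557_600
    for name, (bits, secs) in compare().items():
        print(f"{name:26s} {bits:6.1f} bits  ~{secs / seconds_per_year:.3g} years")
```

At the assumed rate the 8-char case comes out around 52.6 bits (days), the 22-lowercase case around 103.4 bits (far beyond any practical time), which is the gap the paragraph describes.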
Some counterintuitive examples
You can find the following passwords in the rockyou.txt list:
o are often used in the hope of obfuscating characters, but brute-force software includes them.
People who are not cybersecurity-aware yet may have interesting but unsafe approaches. For example, they might use a weak password deliberately and think hackers won't try such trivial combinations.
It does not work like that. Hackers use dictionaries and wordlists that include the most basic passwords.
Even good security policies can be misleading
Many websites and apps have broken password policies. Some of them push their users towards very predictable strategies, for example by forbidding special chars or limiting the total length to 8.
However, even seemingly strong policies can lead to unexpected outcomes:
At least 1 lowercase
At least 1 uppercase
At least 1 number
At least 1 special char
At least 8 chars
While the above rules look legitimate, users can still set passwords that are easy to guess.
For example, my name is Julien. I can enter Julien$7, which complies with the policy but is terrible in terms of security.
The hacker only needs a short list that includes my first name, and free tools such as John the Ripper will do the rest.
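The policy above, implemented as written, beside the wordlist-style check the post says a password can still fail (an added example, not code from the original post; the small wordlist and the user's name list are constructed here, and rockyou.txt itself is not embedded):

```python
import re
import string

# Added example: the five composition rules quoted in the post, plus a check
# that looks past the composition at the word the password is built around.

COMPOSITION_RULES = {
    "at least 1 lowercase": lambda p: any(c.islower() for c in p),
    "at least 1 uppercase": lambda p: any(c.isupper() for c in p),
    "at least 1 number": lambda p: any(c.isdigit() for c in p),
    "at least 1 special char": lambda p: any(c in string.punctuation for c in p),
    "at least 8 chars": lambda p: len(p) >= 8,
}

# Constructed stand-in for a public wordlist (the post's examples, plus "password").
WORDLIST = {"123456", "qwerty", "iloveyou", "taylor", "buddy", "password"}


def failed_composition_rules(password: str) -> list:
    """Names of the policy rules the password violates (empty means it complies)."""
    return [name for name, ok in COMPOSITION_RULES.items() if not ok(password)]


def base_word(password: str) -> str:
    """Strip the digits/symbols users bolt onto a word, so the blocklist check
    sees the root: Julien$7 -> julien, taylor21 -> taylor, buddy123 -> buddy."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def is_guessable(password: str, user_names: set) -> bool:
    """True if the password, or its root word, is in the wordlist or is one of
    the user's own names. Independent of whether the composition rules pass."""
    known = WORDLIST | {n.lower() for n in user_names}
    return password.lower() in known or base_word(password) in known


def evaluate(password: str, user_names: set = frozenset()) -> dict:
    return {
        "policy_ok": not failed_composition_rules(password),
        "guessable": is_guessable(password, user_names),
    }


if __name__ == "__main__":
    # The post's case: complies with every rule, yet built on the user's name.
    print("Julien$7", evaluate("Julien$7", {"Julien"}))
    # A long lowercase string (constructed): fails the policy, not wordlist-derived.
    print("22 lowercase", evaluate("vxqzhtplmwrkbnsdfgjcyu", {"Julien"}))
```

The two printed results are the mismatch the post is pointing at: the policy accepts the name-based password and rejects the stronger long one.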
7 solutions that work
- set long passwords (more than 16* chars if possible)
- don't reuse passwords (1 login, 1 password)
- don't save passwords in the browser or ensure it's encrypted with something like a master password
- change passwords regularly
- use password managers
- use haveibeenpwned to determine whether your password has been leaked or not
- enable 2FA/MFA whenever you can
* 16 because most security policies set the minimum length to 8 chars. I'm not saying it's the magic number for bulletproof passwords. If you can set longer passwords, like 22, 23 or 24 chars, it's great.
The extremely rare cases where a weak password can be good
Some organizations use weak passwords and vulnerable applications to track and hunt cybercriminals.
This approach is called a honeypot. The idea is to lure hackers into thinking they're infiltrating a system when in reality, they're being trapped by the cybersecurity team.
Top comments (21)
One thing I find helpful is to use a few latin or greek characters in my passwords.
å é î ø ü, etc. Theoretically those shouldn't exist in brute-force engines usually. Nice article :)
Theoretically, English speakers will likely use English passwords, non-English speakers will likely use non-English passwords.
While it seems logical, I don't have statistics to back up that assertion.
I guess it adds a significant level of randomness to the password if you mix them with other chars, which is great, but the total length is still the most critical element, to me, as there are wordlists for all alphabets and charsets.
As a Greek person, personally I've never used a Greek character in a password and I don't think anyone really does.
Great article! My passwords definitely aren't very strong, but I try to use login with GitHub and login with Google and have a strong password for my GitHub and Google account. Something I think is a bit scary with using sites like haveibeenpwned is that they could use it to steal actual passwords that are entered and sell them…
Interesting, you use your GitHub and Google as master account/password. It seems convenient, but it might have some caveats.
One of them could be the single point of failure: 1 account opens everything. Besides, Google can track you everywhere.
Just wondering, isn’t that a problem if you use password managers too? I’ve never used one, but isn’t it so that one password opens everything in that case?
Oh, and also, Microsoft (that owns GitHub) can probably also track me everywhere.
Yes to all 😈. In my experience, password managers have very secure procedures, though. It's not exactly like hacking a simple login/passwd. You'll get devices/IP monitoring, key-based cryptography, etc.
Oh, didn’t know that! I should try one out!
That's a good idea. I changed my master passwords for large platforms/sites to be almost thirty characters long.
Good article!! There was an article I read some time ago that recommended using meaningful phrases instead of passwords as phrases are much harder to guess. For example, the phrase “AStitchInTimeSavesNine” is meaningful enough for me to remember but would be hard to crack. Throwing in a few special characters as well as using longer phrases will also help make it more secure.
Seems a good practice. I would recommend using something very unpredictable, though, so maybe avoid famous Hollywood dialogues, song lyrics, quotes, proverbs/sayings.
Alternatively, you might use far-fetched concatenations like "AStitchInTimeSavesNineNowOrNever." Of course, as those two possible passwords are now disclosed, they can't be trusted/used 😀
I like the passwordless solution like microsoft.com/security/blog/2021/0...
Nice. Decentralized authentication with features such as key-based cryptography may improve user experience and security at the same time. It's probably a better approach, but not available everywhere unfortunately and pretty challenging to set up correctly for websites and applications.
My passwords are always a concatenation of 8 to 12 chars of a sentence, and in the end it looks like random numbers, letters and special characters, but it makes sense to me, thus easy to remember.
I would probably not disclose my approach, but I usually prefer more safety over convenience. 12 chars seems fine, though.
just use áéíúüóñ
oh crap, you just found my Bluetooth password
I think dual authentication is also helpful, such as SMS or Email verification.
yep, this is what I meant by 2FA and MFA
EDIT: sorry, I did not pay enough attention. I recommend using an app for 2FA or special devices for MFA rather than email and SMS. SMS is probably the worst.
Don't get me wrong. SMS is still better than 1FA, but it's the least secure way.