DEV Community

jmau111 🦄

So you think your password is strong

Let's talk about weak passwords.

Obvious weaknesses

The following passwords must be avoided:

taylor21
qwerty
abcdefgh
iloveyou7
123456
123456789
buddy123

Many similar passwords appear in public brute-force wordlists such as rockyou.txt.

E = log2(Rᴸ) = L · log2(R), where R is the size of the character pool the password draws from and L is its length.

The exact formula does not really matter. Focus on the length and the randomness.

Of course, it's best if you can mix uppercase and lowercase letters with special chars and numbers, but the longer, the better. This is precisely what the formula highlights: length multiplies the exponent, while a richer character set only enlarges the base.

8 chars, even with a complex combination, can still be discovered far faster than a long series of 22 lowercase letters.

The time needed to guess a password by brute force grows exponentially with its length: minutes for short ones vs. years for long ones.
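To make the length-vs-complexity point concrete, here is an added Python example (not from the original post) that evaluates E = log2(Rᴸ) for the two cases just described: an 8-character mix of all four ASCII classes versus 22 lowercase letters. The pool sizes (26, 26, 10, 32), the sample passwords and the 10 billion guesses-per-second rate are assumptions constructed for illustration.

```python
import math
import string
from typing import List, Tuple

# Character classes used to estimate R, the pool size in E = log2(R^L).
# The sizes (26, 26, 10, 32) follow the ASCII classes; membership is
# inferred from the characters actually present in the password.
POOLS = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)


def pool_size(password: str) -> int:
    """Return R: the combined size of every ASCII class the password uses,
    plus one symbol for each distinct non-ASCII character (an assumption)."""
    size = sum(len(pool) for pool in POOLS if any(ch in pool for ch in password))
    extra = {ch for ch in password if not any(ch in pool for pool in POOLS)}
    return size + len(extra)


def entropy_bits(password: str) -> float:
    """E = log2(R^L) = L * log2(R); zero for an empty or single-symbol pool."""
    r = pool_size(password)
    return len(password) * math.log2(r) if r > 1 else 0.0


def crack_time_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password after searching half the keyspace.
    1e10 guesses/s is a constructed rate standing in for an offline attack
    on a fast, unsalted hash; online login attempts are many orders slower."""
    return 2 ** entropy_bits(password) / 2 / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare(passwords: List[str]) -> List[Tuple[str, int, float, str]]:
    """Return (password, R, bits, crack-time) for each candidate."""
    return [(p, pool_size(p), round(entropy_bits(p), 1), describe(crack_time_seconds(p)))
            for p in passwords]


if __name__ == "__main__":
    # Constructed samples: 8 chars from all four classes vs. 22 lowercase letters.
    for row in compare(["Xk7$pQ2!", "abcdefghijklmnopqrstuv"]):
        print(*row, sep="\t")
```

The 8-character sample scores about 52 bits (R = 94), the 22-letter one about 103 bits (R = 26), which at the constructed rate is the difference between days and billions of years. The estimate assumes uniformly random characters; a dictionary word or a name drawn from the same pool has far less real entropy than this formula reports.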

Some counterintuitive examples

You can find the following passwords in the rockyou.txt list:

!@#$%^
P@ssw0rd

@ for a and 0 for o are often used in the hope of obfuscating chars, but brute-force tools include these substitutions in their rules.

Nice try!

People who are not cybersecurity-aware yet may have interesting but unsafe approaches. For example, they might use a weak password deliberately and think hackers won't try such trivial combinations.

It does not work like that. Hackers use dictionaries and wordlists that include the most basic passwords.

Even good security policies can be misleading

Many websites and apps have broken password policies. Some of them push their users toward very predictable strategies, for example, by forbidding special chars or limiting the total length to 8.

However, even seemingly strong policies can lead to unexpected outcomes:

At least 1 lowercase
At least 1 uppercase
At least 1 number
At least 1 special chars
At least 8 chars

While the above rules look legitimate, users can still set passwords that are easy to guess.

For example, my name is Julien. I can enter Julien$7, which complies with the policies but is terrible in terms of security.

The hacker only needs a short list that includes my first name, and free tools such as John the Ripper will do the rest.
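An added Python example (not from the original post) showing both problems at once: the five-rule policy above accepts Julien$7 and P@ssw0rd, while a second check that undoes the @/0/$ substitutions and compares against a leaked-password list and the user's own name rejects them. The wordlist is a constructed stand-in for rockyou.txt, and the substitution table, the personal-info list and the sample passwords are assumptions for illustration.

```python
import re
from typing import List, Optional, Sequence

# The five rules quoted in the article, expressed as regexes.
POLICY = (
    (re.compile(r"[a-z]"), "at least 1 lowercase"),
    (re.compile(r"[A-Z]"), "at least 1 uppercase"),
    (re.compile(r"[0-9]"), "at least 1 number"),
    (re.compile(r"[^A-Za-z0-9]"), "at least 1 special char"),
    (re.compile(r"^.{8,}$"), "at least 8 chars"),
)

# Constructed stand-in for a leaked-password wordlist such as rockyou.txt;
# a real deployment would load the file (or query a breach API) instead.
LEAKED = {"123456", "123456789", "qwerty", "abcdefgh", "iloveyou", "iloveyou7",
          "taylor21", "buddy123", "password", "!@#$%^"}

# Common "obfuscation" substitutions (assumed set), undone before comparison
# so that P@ssw0rd is compared as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "4": "a",
                      "$": "s", "5": "s"})


def normalize(pw: str) -> str:
    """Lowercase and undo leet substitutions."""
    return pw.translate(LEET).lower()


def policy_failures(pw: str) -> List[str]:
    """Return the rules a password fails; an empty list means it complies."""
    return [name for rx, name in POLICY if not rx.search(pw)]


def guessable_reason(pw: str, personal: Sequence[str] = ()) -> Optional[str]:
    """Explain why a (possibly policy-compliant) password is still easy to guess."""
    base = re.sub(r"[^A-Za-z]+$", "", pw)          # "Julien$7" -> "Julien"
    candidates = {pw.lower(), normalize(pw), base.lower(), normalize(base)}
    known = {p.lower() for p in personal if len(p) >= 4}
    if candidates & LEAKED:
        return "appears in a leaked-password wordlist"
    if candidates & known:
        return "built from personal information"
    return None


def audit(pw: str, personal: Sequence[str] = ()) -> str:
    """Run the policy first, then the guessability check on compliant passwords."""
    failures = policy_failures(pw)
    if failures:
        return "rejected by policy: " + ", ".join(failures)
    reason = guessable_reason(pw, personal)
    return "compliant but guessable: " + reason if reason else "accepted"


if __name__ == "__main__":
    # Constructed samples; "Julien" stands in for the account holder's first name.
    for sample in ("Julien$7", "P@ssw0rd", "iloveyou7", "Xk7$pQ2!w9"):
        print(f"{sample:12} -> {audit(sample, ['Julien'])}")
```

Run stand-alone, the two policy-compliant passwords from the article come back as "compliant but guessable", which is the check a registration form should add on top of the character-class rules: compare the normalized password against a breach list and against the data the site already holds about the user.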

7 solutions that work

  • set long passwords (more than 16* chars if possible)
  • don't reuse passwords (1 login, 1 password)
  • don't save passwords in the browser, or make sure they are encrypted with something like a master password
  • change passwords regularly
  • use a password manager
  • use haveibeenpwned to determine whether your password has been leaked
  • enable 2FA/MFA whenever you can

* 16 because most security policies set the minimum length to 8 chars. I'm not saying it's the magic number for bulletproof passwords. If you can set longer passwords, like 22, 23 or 24 chars, that's great.

The extremely rare cases where a weak password can be good

[Image: meme. Source: Memcenter]

Some organizations use weak passwords and vulnerable applications to track and hunt cybercriminals.

This approach is called a honeypot. The idea is to lure hackers into thinking they're infiltrating a system when in reality, they're being trapped by the cybersecurity team.

Oldest comments (19)

Conner Ow

One thing I find helpful is to use a few Latin or Greek characters in my passwords.
å é î ø ü, etc. Theoretically those shouldn't exist in brute-force engines usually. Nice article :)

jmau111 🦄

Thanks!

Theoretically, English speakers will likely use English passwords, and non-English speakers will likely use non-English passwords.

While it seems logical, I don't have statistics to back up that assertion.

I guess it adds a significant level of randomness to the password if you mix them with other chars, which is great, but the total length is still the most critical element, to me, as there are wordlists for all alphabets and charsets.

Odysseas Papadimas • Edited

As a Greek person, personally I've never used a Greek character in a password, and I don't think anyone really does.

sean yan

I think dual authentication is also helpful, such as SMS or Email verification.

jmau111 🦄 • Edited

Yep, this is what I meant by 2FA and MFA.

EDIT: sorry, I did not pay enough attention. I recommend using an app for 2FA or special devices for MFA rather than email and SMS. SMS is probably the worst.

Don't get me wrong. SMS is still better than 1FA, but it's the least secure way.

Joni de Carvalho

My passwords are always a concatenation of 8 to 12 chars from a sentence, and in the end it looks like random numbers, letters and special characters, but it makes sense to me, thus easy to remember.

jmau111 🦄

I would probably not disclose my approach, but I usually prefer more safety over convenience. 12 chars seems fine, though.

Jonas Petri • Edited

Great article! My passwords definitely aren't very strong, but I try to use login with GitHub and login with Google and have a strong password for my GitHub and Google account. Something I think is a bit scary with using sites like haveibeenpwned is that they could use it to steal actual passwords that are entered and sell them…

jmau111 🦄

Interesting, you use your GitHub and Google as master account/password. It seems convenient, but it might have some caveats.

One of them could be the single point of failure: 1 account opens everything. Besides, Google can track you everywhere.

Jonas Petri

Just wondering, isn’t that a problem if you use password managers too? I’ve never used one, but isn’t it so that one password opens everything in that case?
Oh, and also, Microsoft (that owns GitHub) can probably also track me everywhere.

jmau111 🦄 • Edited

Yes to all 😈. In my experience, password managers have very secure procedures, though. It's not exactly like hacking a simple login/passwd. You'll get devices/IP monitoring, key-based cryptography, etc.

Jonas Petri

Oh, didn’t know that! I should try one out!

Conner Ow

That's a good idea. I changed my master passwords for large platforms/sites to be almost thirty characters long.

Stephen N.

Good article!! There was an article I read some time ago that recommended using meaningful phrases instead of passwords as phrases are much harder to guess. For example, the phrase “AStitchInTimeSavesNine” is meaningful enough for me to remember but would be hard to crack. Throwing in a few special characters as well as using longer phrases will also help make it more secure.

jmau111 🦄 • Edited

Seems a good practice. I would recommend using something very unpredictable, though, so maybe avoid famous Hollywood dialogues, song lyrics, quotes, proverbs/sayings.

Alternatively, you might use far-fetched concatenations like "AStitchInTimeSavesNineNowOrNever." Of course, as those two possible passwords are now disclosed, they can't be trusted/used 😀

official_dulin

I like the passwordless solution like microsoft.com/security/blog/2021/0...

jmau111 🦄

Nice. Decentralized authentication with features such as key-based cryptography may improve user experience and security at the same time. It's probably a better approach, but unfortunately not available everywhere, and pretty challenging to set up correctly for websites and applications.

LarrocaX

just use áéíúüóñ

jmau111 🦄

oh crap, you just found my Bluetooth password 🫢
