DEV Community

So you think your password is strong

spO0q on April 19, 2022

Let's talk about weak passwords. Obvious weaknesses The following passwords must be avoided: taylor21 qwerty abcdefgh iloveyou7 1234...
Conner Ow

One thing I find helpful is to use a few Latin or Greek characters in my passwords.
å é î ø ü, etc. Theoretically those shouldn't exist in brute-force engines usually. Nice article :)

spO0q

Thanks!

Theoretically, English speakers will likely use English passwords, non-English speakers will likely use non-English passwords.

While it seems logical, I don't have statistics to back up that assertion.

I guess it adds a significant level of randomness to the password if you mix them with other chars, which is great, but the total length is still the most critical element, to me, as there are wordlists for all alphabets and charsets.

Odysseas Papadimas • Edited

As a Greek person, personally I've never used a Greek character in a password, and I don't think anyone really does.

Jonas Petri • Edited

Great article! My passwords definitely aren’t very strong, but I try to use login with GitHub and login with Google and have a strong password for my GitHub and Google account. Something I think is a bit scary with using sites like ihavebeenpwned is that they could use it to steal actual passwords that are entered and sell them…
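
Added example (not part of the thread or the article): the Pwned Passwords range lookup behind Have I Been Pwned uses a k-anonymity scheme, so a client can check a password while sending only the first five hex characters of its SHA-1 hash. The network call is replaced here by a constructed offline stub (`make_offline_fetch`, a hypothetical helper), and the listed count is made up.

```python
import hashlib

# Real range endpoint, shown for reference only; this example never calls it.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, fetch_range):
    """Look up a password while handing only the hash prefix to fetch_range.

    fetch_range(prefix) returns the response body for that prefix, one
    "SUFFIX:COUNT" entry per line. The suffix comparison happens locally.
    """
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def make_offline_fetch(listed):
    """Constructed stand-in for the HTTP request; records what would be sent."""
    sent = []

    def fetch(prefix):
        sent.append(prefix)
        lines = ["0" * 35 + ":3", "F" * 35 + ":1"]  # constructed filler entries
        for pw, count in listed.items():
            p, s = split_sha1(pw)
            if p == prefix:
                lines.append(f"{s}:{count}")
        return "\r\n".join(lines)

    return fetch, sent


if __name__ == "__main__":
    fetch, sent = make_offline_fetch({"qwerty": 1000})  # constructed count
    print(breach_count("qwerty", fetch))                  # listed in the stub
    print(breach_count("AStitchInTimeSavesNine", fetch))  # not listed in the stub
    print(sent)  # only 5-character prefixes would have left the machine
```
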

spO0q

Interesting, you use your GitHub and Google as master account/password. It seems convenient, but it might have some caveats.

One of them could be the single point of failure: 1 account opens everything. Besides, Google can track you everywhere.

Jonas Petri

Just wondering, isn’t that a problem if you use password managers too? I’ve never used one, but isn’t it so that one password opens everything in that case?
Oh, and also, Microsoft (that owns GitHub) can probably also track me everywhere.

spO0q • Edited

Yes to all 😈. In my experience, password managers have very secure procedures, though. It's not exactly like hacking a simple login/passwd. You'll get devices/IP monitoring, key-based cryptography, etc.

Jonas Petri

Oh, didn’t know that! I should try one out!

Conner Ow

That's a good idea. I changed my master passwords for large platforms/sites to be almost thirty characters long.

Stephen N.

Good article!! There was an article I read some time ago that recommended using meaningful phrases instead of passwords as phrases are much harder to guess. For example, the phrase “AStitchInTimeSavesNine” is meaningful enough for me to remember but would be hard to crack. Throwing in a few special characters as well as using longer phrases will also help make it more secure.

spO0q • Edited

Seems a good practice. I would recommend using something very unpredictable, though, so maybe avoid famous Hollywood dialogs, song lyrics, quotes, proverbs/sayings.

Alternatively, you might use far-fetched concatenations like "AStitchInTimeSavesNineNowOrNever." Of course, as those two possible passwords are now disclosed, they can't be trusted/used 😀

official_dulin

I like the passwordless solution like microsoft.com/security/blog/2021/0...

spO0q

Nice. Decentralized authentication with features such as key-based cryptography may improve user experience and security at the same time. It's probably a better approach, but not available everywhere, unfortunately, and pretty challenging to set up correctly for websites and applications.

Joni de Carvalho

My passwords are always a concatenation of 8 to 12 chars of a sentence, and in the end it looks like random numbers, letters and special characters, but it makes sense to me, thus easy to remember.

spO0q

I would probably not disclose my approach, but I usually prefer more safety over convenience. 12 chars seems fine, though.

LarrocaX

just use áéíúüóñ

spO0q

oh crap, you just found my Bluetooth password 🫢

sean yan

I think dual authentication is also helpful, such as SMS or Email verification.

spO0q • Edited

yep, this is what I meant by 2FA and MFA

EDIT: sorry, I did not pay enough attention. I recommend using an app for 2FA or special devices for MFA rather than email and SMS. SMS is probably the worst.

Don't get me wrong. SMS is still better than 1FA, but it's the least secure way.
