Writing Good and Memorable Passwords aka the “Your Password Sucks” Post (Blog Post #7)

Any series on personal computer security is incomplete without the obligatory “write good passwords” part. I’m sure you’ve heard it all. Pick some long word you can remember like “bookkeeper”, substitute a 3 for an ‘e’ (bookke3per) and some 0s for the ‘o’s (b00kke3per), then add a random special character at the end (b00kke3per^). That’s secure, right? Wrong! If you were still under the impression that that’s a good way to write a password, you’ve got some learning to do.

In reality, everyone knows dictionary words are a big no-no, but common substitutions don’t help you much either. Under the right conditions (an offline attack on a stolen database of fast, unsalted hashes, run on a rig of GPUs) attackers can try trillions of guesses every second, and cracking tools apply substitution rules such as 3 for ‘E’ or # for ‘H’ to every dictionary word automatically, so each such tweak adds only a handful of candidates per word. Password strength checkers like Kaspersky’s and My1Login’s estimate that this password could be broken by a consumer computer in under 10 minutes and in under one second on the right machine. If you’re using memorable substitutions for letters, your password is bad and you should feel bad.

So what then? An alternative is to create a random string of all types of characters: lower case, upper case, special characters, numbers, all of them in no predictable order. There are even websites that will do this for you. That is also a bad idea, for a couple of reasons. Who knows what that site does with your brand new password? The site that just generated it could keep a copy for malicious ends. Secondly, any password you generate this way is a major pain to remember. Take, for instance, this site. It generated the password “ur-YqR9PQa46BjZg”. Sure, sixteen random characters would take until the heat death of the universe to crack, but I can’t see anyone but a genius remembering them.

But wait! It has a helpful hint to remember the password: “usa rope – YELP queen ROPE 9 PARK QUEEN apple 4 6 BESTBUY jack ZIP golf.” Nope, that doesn’t help at all. You could write the password down, but then you have to secure the note that holds it. If that note is seen, whatever you’re trying to protect is exposed. No sticky note should ever be worth as much as your bank account. There are better ways.

This comic from XKCD (number 936, “Password Strength”) explains it perfectly. Stop thinking in terms of a single password. Instead, use a passphrase. By stringing together several words picked at random from a wordlist, you get so much entropy from the number of words alone that you no longer have to worry about mixing in digits or special characters: a list of a few thousand words gives 11 to 13 bits per word, so four words come to roughly 44 to 52 bits and each extra word adds another 11 to 13. The catch is that the words must actually be chosen at random, not a song lyric or a famous quote, because those sit in every cracker’s wordlist. “usa rope – YELP queen ROPE 9 PARK QUEEN apple 4 6 BESTBUY jack ZIP golf” is hard to remember but “usa rope – YELP queen” is not.
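To put numbers on the two claims above (that substitutions buy almost nothing, and that a handful of random words buys a lot), here is an added example that is not part of the original post. It models the attacker’s side: it enumerates a small, constructed set of leet-substitution and suffix rules of the kind cracking tools apply to every dictionary word, confirms that b00kke3per^ falls out of them, and compares the size of that search space with a random 16-character string and with a Diceware-style passphrase, drawing one with Python’s `secrets` module. The dictionary size (100,000 words), the 64-character alphabet, the two guess rates and the eight-word toy list are assumptions for illustration; a real Diceware list has 7776 words.

```python
import math
import secrets

# Constructed mangling rules of the kind a cracking tool applies to every
# dictionary word. Real rule sets (hashcat, John the Ripper) are far larger.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7", "h": "#"}
SUFFIXES = ["", "!", "@", "#", "$", "%", "^", "&", "*", "1", "12", "123"]

# Assumed sizes for the entropy arithmetic below.
DICTIONARY_SIZE = 100_000   # an English wordlist of this size
DICEWARE_SIZE = 7776        # a standard Diceware list has 6**5 words
RANDOM_ALPHABET = 64        # letters, digits and a couple of symbols

# Constructed stand-in for a real Diceware list, reusing the post's example words.
TOY_WORDLIST = ["usa", "rope", "yelp", "queen", "park", "apple", "jack", "golf"]


def mangle(word):
    """Yield every variant of `word` under the rules: each substitutable letter
    is either replaced or left alone (2**k combinations for k such letters),
    and each result gets each suffix appended."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in range(1 << len(positions)):
        chars = list(word)
        for bit, i in enumerate(positions):
            if mask >> bit & 1:
                chars[i] = LEET[chars[i]]
        base = "".join(chars)
        for suffix in SUFFIXES:
            yield base + suffix


def is_mangled_dictionary_word(candidate, dictionary):
    """True if the attacker reaches `candidate` from some word by the rules above."""
    return any(candidate in mangle(word) for word in dictionary)


def bits(candidates):
    """Entropy in bits of a search space of `candidates` equally likely values."""
    return math.log2(candidates)


def seconds_to_exhaust(entropy_bits, guesses_per_second):
    """Worst-case time to try every candidate in a space of the given size."""
    return 2.0 ** entropy_bits / guesses_per_second


def search_space_bits():
    """Bits of entropy for the three kinds of password the post discusses."""
    # "bookkeeper" has five substitutable letters: 2**5 * len(SUFFIXES) variants.
    variants_per_word = len(list(mangle("bookkeeper")))
    return {
        "mangled dictionary word": bits(DICTIONARY_SIZE * variants_per_word),
        "random 16-char string": bits(RANDOM_ALPHABET ** 16),
        "4 random Diceware words": bits(DICEWARE_SIZE ** 4),
        "6 random Diceware words": bits(DICEWARE_SIZE ** 6),
    }


def passphrase(n_words, wordlist):
    """Draw n_words uniformly with a CSPRNG. The entropy is n_words * log2(len(wordlist))
    only when the words are drawn this way, not picked by a human."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print("b00kke3per^ reachable by the rules:",
          is_mangled_dictionary_word("b00kke3per^", ["bookkeeper"]))
    for name, b in search_space_bits().items():
        fast = seconds_to_exhaust(b, 1e12)  # offline attack on a fast unsalted hash, GPU rig
        slow = seconds_to_exhaust(b, 1e4)   # slow hash (bcrypt/Argon2) or rate-limited login
        print(f"{name:26s} {b:5.1f} bits   fast: {fast:9.3g} s   slow: {slow:9.3g} s")
    print("example passphrase (toy list, so not secure):", passphrase(4, TOY_WORDLIST))
```

Run it and the mangled dictionary word comes in around 25 bits, which at a trillion guesses per second is exhausted in microseconds; four random Diceware words are about 52 bits, which lasts roughly an hour against the same rig but thousands of years against a slow hash or a rate-limited login. That second column is why six words rather than four is the usual advice for anything protected only by a fast hash, and why the assumed guess rate matters as much as the password itself.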

While there are plenty of other solutions to the problem of password storage, hopefully I’ve dispelled some misconceptions. Common substitutions help no one and random strings are a pain to remember. It is a lot easier to create and remember a secure password if, instead of a word, you use a passphrase.

