By Andrew Somers
So... We've been taught now for years to make our passwords more secure by D0!n97h!n95L!k37h!5 ("doing things like this", i.e. substituting characters with numbers and so forth).
The theory was that by increasing the character set size, password entropy would improve — at the expense of being much harder to read, harder to remember, and harder to type into the hidden void that is the password field. This has long been accepted as "the way".
But does this actually improve password safety? The short answer is "not really".
The improvement gained by a "fist-smash" password is smaller today than you might think. Here's a link to a great article that covers practical password entropy and includes code that gives a realistic appraisal of how long it could take to break your password.
https://dropbox.tech/security/zxcvbn-realistic-password-strength-estimation
And here are two live calculators that follow this methodology:
https://bitwarden.com/password-strength/
https://www.bennish.net/password-strength-checker/
Look at this string as a password:
24D@R0ckyR0@d
Strong? It's okay, but in fact the password above is much weaker than:
2ForTheRockyRoad
The second is a set of simple words, and while this may seem counter intuitive, it calculates as substantially stronger than the first password that uses character substitution.
And 2ForTheRockyRoad is arguably easier to remember and easier to type than 24D@R0ckyR0@d. 2ForTheRockyRoad is a scant three characters longer, but as it is composed of a simple string of words in PascalCase, and a single digit, it is much easier to type and much easier to remember.
The fist-smash version:
Rumkin Entropy Calculator:
Length: 13 Entropy: 61.7 bits Charset Size: 72 characters
Strength: Strong - This password is typically good enough to safely guard sensitive information like financial records.
zxcvbn Calculator:
This password's score: good
Time it would take for an attacker to crack this password: 7 months
The plain words version:
Rumkin Entropy Calculator:
Length: 16 Entropy: 77.6 bits Charset Size: 62 characters
Strength: Strong - good enough for sensitive information like financial records.
zxcvbn Calculator:
This password's score: strong
Time it would take for an attacker to crack this password: 17 years
And adding a single special character, like an exclamation point, to the simple version improves things further:
zxcvbn Calculator:
Time it would take for an attacker to crack this password: Centuries
That's a major improvement simply by adding an exclamation point.
From the point of view of these entropy calculations, adding characters to lengthen the string is more valuable than scrambling a shorter string. And this last example is still only 17 characters total, small enough to fit most password limitations (20 characters seems to be a common limit).
And if it's easy to type and easy to remember, adding a couple of characters does not really impact the usability: a string of four or five words in camelCase is decidedly easier to type out and easier to remember than some crazy collection of characters.
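The reason the two estimators above disagree is the model of the attacker. The naive "charset size × length" figure rewards every extra symbol class, so 24D@R0ckyR0@d scores well; a dictionary-and-rules model, which is what the linked calculators approximate, reverses the l33t substitutions and charges a few bits per word instead of per character. The Python below is an added illustration, not code from this article, from Dropbox's zxcvbn, or from the linked calculators. It scores a password both ways: a naive brute-force figure, and the cheapest segmentation into digit runs, (un-l33ted) dictionary words and brute-forced leftover characters, found by dynamic programming over split points. The 30,000-word dictionary size, the tiny embedded word list, the one-bit-per-substitution rule, the 95-symbol brute-force alphabet and the 10 billion guesses per second rate are all assumptions constructed for the example.

```python
import math

# Constructed assumptions for this added example (not figures from the article's
# calculators): the attacker's word list has ~30,000 entries, and guesses run at
# the 10 billion per second rate the article quotes for its crack-time figures.
ASSUMED_DICTIONARY_SIZE = 30_000
GUESSES_PER_SECOND = 10_000_000_000

# Constructed mini word list so the example runs offline. A real estimator such
# as zxcvbn ships ranked dictionaries of tens of thousands of words and names.
WORDS = {"for", "the", "rocky", "road", "to", "be", "or", "not",
         "my", "long", "pass", "thing", "bit", "eat", "cookies", "every", "day"}

# The l33t substitutions an attacker's rule file reverses on the way in.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}

PRINTABLE = 95                      # printable ASCII: 26 + 26 + 10 + 33 symbols
CHARSET_CLASSES = (                 # (membership test, class size) for the naive model
    (str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
    (lambda c: not c.isalnum(), 33))


def brute_force_bits(pw: str) -> float:
    """The naive figure most checkers show: length * log2(charset size),
    where the charset is the union of the character classes present."""
    size = sum(n for test, n in CHARSET_CLASSES if any(test(c) for c in pw))
    return len(pw) * math.log2(size)


def segment_bits(seg: str):
    """Bits to guess one segment, or None if no known pattern covers it whole.
    Costs follow the spirit of zxcvbn's scoring, heavily simplified."""
    if seg.isdigit():                                    # digit run: 10^len guesses
        return len(seg) * math.log2(10)
    unleeted = "".join(LEET.get(c, c) for c in seg)
    if unleeted.lower() in WORDS:                        # dictionary word, maybe l33ted
        bits = math.log2(ASSUMED_DICTIONARY_SIZE)
        bits += 1 if seg[0].isupper() else 0             # Capitalised-or-not: 2 variants
        bits += sum(1 for c in seg if c in LEET)         # assumption: ~1 bit per substituted char
        return bits
    if len(seg) == 1:                                    # no pattern: brute-force this char
        return math.log2(PRINTABLE)
    return None


def pattern_bits(pw: str) -> float:
    """Cheapest segmentation of pw into digit runs, (l33t-)words and
    brute-forced characters, by dynamic programming over split points.
    Taking the minimum models an attacker who tries the cheapest pattern first."""
    best = [math.inf] * (len(pw) + 1)
    best[0] = 0.0
    for i in range(len(pw)):
        if best[i] == math.inf:
            continue
        for j in range(i + 1, len(pw) + 1):
            cost = segment_bits(pw[i:j])
            if cost is not None:
                best[j] = min(best[j], best[i] + cost)
    return best[len(pw)]


def crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time: on average half the space is searched before a hit."""
    return 2 ** (bits - 1) / rate


def human_time(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.0f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    for pw in ("24D@R0ckyR0@d", "24DaRockyRoad", "2ForTheRockyRoad", "2ForTheRockyRoad!"):
        naive, aware = brute_force_bits(pw), pattern_bits(pw)
        print(f"{pw:18} naive {naive:5.1f} bits   pattern-aware {aware:5.1f} bits"
              f" -> {human_time(crack_seconds(aware))} at {GUESSES_PER_SECOND:,} guesses/s")
```

Under the naive model the substituted password earns more bits per character (about 6.6 versus 6.0), yet the pattern-aware score puts it roughly twelve bits below 2ForTheRockyRoad, and comparing it with its un-substituted form 24DaRockyRoad shows the three substitutions bought only about three bits, i.e. eight times more guesses, while each extra dictionary word adds around sixteen under these assumptions.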
- Avoid common phrases; at the very least make a significant change to the phrase.
  - BAD: ToBeOrNotToBe
  - OKAY: ToBeOrNotTabbie
  - GOOD: ToBeOurKnottyTree
  - BETTER: 2BeesAreNaughtyBees
  - BEST: TooBusy&Not2Bizzies
- You'll still need at least a digit and/or a special character like the ! in order to get past many password checkers.
- Don't use digits or special characters to replace alphabetical characters:
  - l33t or 5ubstituti0n does NOT make a significant improvement in security
  - in some cases it reduces security
  - and makes the password harder to remember and harder to type.
- But do use digits for numbers instead of spelling the numbers out,
  - Or using the numeral 4 to replace "for" is certainly okay.
- And do use special characters for their normal purpose!
  - E.g.: Eat7CookiesEveryDay! or Cookies&CremeGives14Dreams
  - These two are high security at 98-bit and 127-bit entropy
- Common patterns like 123456 or AsDfGh are still bad practice
- Choose PascalCase or camelCase or kabob-case, but do not use alllowercase or ALLUPPERCASE
  - being consistent in the case style you use will help maintain your sanity, LOL.
- Adding characters to the total string length improves the security of a password MORE THAN doing things like exchanging the E with a 3 and the L with a 7, for instance.
  - MyLongPassThing! is stronger, yet only 2 characters longer, than My70n6P@$$Bit!
  - And MyLongPassThing! is easier to type and to remember than My70n6P@$$Bit!
- It is still important to avoid re-using passwords on different sites/logins.
  - If you do want to have a reusable password for less secure sites, then make sure it is a very strong password so that it can survive a data breach.
  - I.e. for a shared passcode, something like: UseThisCodeOnMoreThan1Site! which has 130 bits of entropy and is predicted to take centuries to crack even at 10 billion guesses per second.
  - (Only don't use UseThisCodeOnMoreThan1Site! as written here for reasons that...uh...should be obvious. LOL.)
A principal object here is to make passwords that are easy to remember and easy to type even when hidden by •••••••, while at the same time making them very resistant to AI, machine learning, and brute-force attacks etc. Make it completely impractical to guess or crack, even when a would-be hacker gains the password hashes from some data breach (which is in fact a far too common occurrence).
Password managers are great. If you are using an implementation like Apple's iCloud, the effect is seamless. The security issue is that if someone gains access to any one of your devices, they could potentially gain all of your passcodes. Thus, the password you use to access your password manager should be particularly robust. But on Apple, it's just the device's passcode! At the very least, the password associated with the iCloud/AppleID should be very strong. Also, make it a point to log out devices regularly to minimize the devices logged into the cloud.
Be safe,
Andy
Andrew Somers
I Obsess About Math
So You Don't Have To
Mostly Plain Word Comparisons, using PascalCaseWords. And while it should be obvious, do not use these example passwords anywhere!
Five words and some special characters:
Strength: Ultra Strong - More often than not, this level of security is overkill.
Length: 29 Entropy: 139.5 bits Charset Size: 62 characters
Time it would take for an attacker to crack this password: centuries
Four words and one special character:
Strength: Very Strong - good for master accounts and password managers.
Length: 24 Entropy: 114.4 bits Charset Size: 62 characters
Time it would take for an attacker to crack this password: centuries
Auto created random:
Strength: Very Strong - good for master accounts and password managers.
Length: 20 Entropy: 108.1 bits Charset Size: 84 characters
Time it would take for an attacker to crack this password: centuries
A few-word phrase with an o/0 substitution and a !, 20 characters total
Strength: Very Strong - good for master accounts and password managers.
Length: 20 Entropy: 98.8 bits Charset Size: 72 characters
Time it would take for an attacker to crack this password: centuries
A few-word phrase with NO substitutions, 20 characters total
Strength: Very Strong - good for master accounts and password managers.
Length: 20 Entropy: 96 bits Charset Size: 62 characters
Time it would take for an attacker to crack this password: centuries
Note: substituting a zero for the o made little difference.
A few-word phrase with NO substitutions and no !, 19 characters total
Strength: Strong - Should good enough to safely guard sensitive information like financial records.
Length: 19 Entropy: 87.9 bits Charset Size: 52 characters
Time it would take for an attacker to crack this password: centuries
Firefox Random (fistsmash):
Strength: Strong - Should good enough to safely guard sensitive information like financial records.
Length: 15 Entropy: 72 bits Charset Size: 62 characters
Time it would take for an attacker to crack this password: centuries
Five short word phrase, 17 characters:
Strength: Strong - Should good enough to safely guard sensitive information like financial records.
Length: 17 Entropy: 76.9 bits Charset Size: 52 characters
Time it would take for an attacker to crack this password: 15 years
Note: this has just two fewer characters than the 19-character examples above, yet there was a significant drop in the estimated crack time; nevertheless this is still a fairly secure password.
Three words, number, char... 17 characters total:
Strength: Strong - Should good enough to safely guard sensitive information like financial records.
Length: 17 Entropy: 78.4 bits Charset Size: 72 characters
Time it would take for an attacker to crack this password: 9 years
Note: also 17 characters, and making two of them a digit or special char has no significant effect on the password security.
Four words only, totaling 23 characters:
Strength: Strong - This password is typically good enough to safely guard sensitive information like financial records.
Length: 23 Entropy: 106 bits Charset Size: 52 characters
Time it would take for an attacker to crack this password: 6 years
Note: a lot of repeated letters in this one seems to cause the calculation to indicate it is more crackable despite being 23 characters. Also it uses a common name which lowers security.
Four words all lower case, total 23 char:
Strength: Strong - This password is typically good enough to safely guard sensitive information like financial records.
Length: 23 Entropy: 87.4 bits Charset Size: 26 characters
Time it would take for an attacker to crack this password: 3 years
Three words, 16 characters:
Strength: Strong - Should good enough to safely guard sensitive information like financial records.
Length: 16 Entropy: 70.3 bits Charset Size: 52 characters
Time it would take for an attacker to crack this password: 4 months
NOTE: simply adding an exclamation mark brings crack-time to 19 years:
Character substitutions, 13 characters
Strength: Reasonable - This password is fairly secure cryptographically
Length: 13 Entropy: 61.5 bits Charset Size: 72 characters
Time it would take for an attacker to crack this password: 11 days
Same as above, but no substituting the 0
Strength: Reasonable - This password is fairly secure cryptographically
Length: 13 Entropy: 60 bits Charset Size: 62 characters
Time it would take for an attacker to crack this password: 11 days.
In other words, no appreciable improvement by substituting 0 for o.
Three words only, 15 characters:
Strength: Reasonable - This password is fairly secure cryptographically
Length: 15 Entropy: 65.5 bits Charset Size: 52 characters
Time it would take for an attacker to crack this password: 6 days
Three words only, 16 characters:
Strength: Reasonable - This password is fairly secure cryptographically
Length: 16 Entropy: 73.7 bits Charset Size: 52 characters
Time it would take for an attacker to crack this password: 5 days
Character substitutions, 10 characters
Strength: Reasonable - This password is fairly secure cryptographically
Length: 10 Entropy: 43 bits Charset Size: 72 characters
Time it would take for an attacker to crack this password: 3 days
As the previous "ThePlaceToBe" but removing the !
Strength: Reasonable - This password is fairly secure cryptographically
Length: 12 Entropy: 53.4 bits Charset Size: 52 characters
Time it would take for an attacker to crack this password: 1 day
two words and a digit
Strength: Reasonable - This password is fairly secure cryptographically
Length: 11 Entropy: 50.6 bits Charset Size: 62 characters
Time it would take for an attacker to crack this password: 8 hours
Character substitutions, 11 characters
Strength: Weak - Usually good enough for computer login passwords and to keep out the average person.
Length: 11 Entropy: 43.1 bits Charset Size: 94 characters
This password's score: okay
Time it would take for an attacker to crack this password: 7 hours
Weak 9 characters
Strength: Weak - Usually good enough for computer login passwords and to keep out the average person.
Length: 9 Entropy: 36.5 bits Charset Size: 72 characters
This password's score: weak
Time it would take for an attacker to crack this password: 1 hour
WEAK 8 characters
Strength: Weak - Usually good enough for computer login passwords and to keep out the average person.
Length: 8 Entropy: 31.8 bits Charset Size: 62 characters
This password's score: weak
Time it would take for an attacker to crack this password: 2 minutes
Note: Repeats like "abcabcabc" are only slightly harder to guess than "abc"
VERY WEAK **** 6 lower case letters (Keyboard Sequential)
Strength: Very Weak - Try making your password longer, including CAPITALS, or adding symbols.
WARNING: Short password! WARNING: Common password!
Length: 6 Entropy: 27.2 bits Charset Size: 52 characters
This password's score: very weak
Time it would take for an attacker to crack this password: less than a second
Warning This is a top-100 common password
VERY WEAK **** 4 lower case letters
Strength: Very Weak - Try making password longer, including CAPITALS, or adding symbols.
WARNING: Very short password!
Length: 4 Entropy: 12.4 bits Charset Size: 26 characters
Time it would take for an attacker to crack this password: less than a second