Password Security Which Will Surprise You

For so long, we in the information technology field have been pressing upon our users to maintain “secure” passwords, which included upper- and lowercase letters, punctuation, numbers, and absolutely no dictionary words. This began back in the day when hackers actually had to manually try to gain access to user accounts, which was time-consuming. If a bad guy couldn’t guess your password after a few tries he or she might move on to another unlucky victim with a less-secure password. I am totally guilty of recommending ridiculous passwords to users, because it’s how most systems administrators were brought up. Imagine my chagrin when math got involved!

[Image: hacker]
Spoiler alert: There are exactly zero hackers who look like this.

These days, however, most hackers will use some kind of automated script to gain access to a server or account. These scripts (or “bots”) can rapid-fire login attempts at up to 100 per second! Black Chicken Host servers will shut these bots down after 5 failed login attempts, but it’s still an excellent idea to make sure you have a password that’s difficult for them to crack. We’ll do a post about our security metrics at another time, but suffice it to say, they’re pretty good!

These scripts often utilize a database of commonly-used passwords, dictionary words, and dictionary words with special characters like “p@ssw0rd” instead of “password.”

Here’s the kicker, though: If you make a password out of four unrelated dictionary words, you’ll have a password which would take thousands of years to crack, but which is far easier to remember than the standard gobbledygook we’re often forced to implement.

Did I just blow your mind?

Allow me to demonstrate with a comic from the renowned geek comic strip, xkcd:

[Image: password_strength (xkcd comic)]

By using the password “correcthorsebatterystaple,” the user has effectively created a password that would take a dedicated hacking script performing at 1000 attempts per second 550 years to crack. And? It’s dead simple to remember – yay!

Now, please don’t actually use “correcthorsebatterystaple” as your super-secure yet easy-to-remember password; it’s on the internet, and scripts are going to include it as one of their possible attempts. Come up with your own, such as elevatorbarnyardbackpackdonkey (please don’t actually use that one either, of course – it’s just an example).

The goal with complex passwords is to ensure (as much as possible) the character combination does not exist in a database anywhere. “z%^Mgt501?$$” is very unlikely to exist in a database, but who can remember that? Prior to xkcd coming out with the “correcthorsebatterystaple” comic, that combination was also incredibly unlikely to be in a database, and is so very much easier to remember.
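As an added example (not code from the original post), here is the arithmetic behind the comic’s 550-year figure, the same arithmetic for a twelve-character random string like the one above, and a generator that strings words together using the operating system’s secure random source. The 2048-word list size and 1000 guesses per second are the comic’s assumptions; the 95-symbol printable alphabet and the tiny word list below are constructed for the demonstration.

```python
import math
import secrets

# Constructed stand-in word list for demonstration only; a real generator
# needs a large list (the xkcd comic assumes one of about 2048 common words).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple",
    "elevator", "barnyard", "backpack", "donkey",
]

SECONDS_PER_YEAR = 365 * 24 * 3600


def passphrase_bits(list_size: int, word_count: int) -> float:
    """Entropy in bits of word_count words picked uniformly from list_size words."""
    return word_count * math.log2(list_size)


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a random string over an alphabet of alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every possibility at the given guess rate (worst case;
    an attacker finds the password after half that on average)."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words, word_count: int = 4) -> str:
    """Join word_count words chosen with the OS CSPRNG (never random.choice())."""
    return "".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    # Four words from a 2048-word list: 44 bits, roughly 550 years at 1000 guesses/s.
    bits = passphrase_bits(2048, 4)
    print(f"four words, 2048-word list: {bits:.0f} bits, "
          f"{years_to_exhaust(bits, 1000):.0f} years at 1000 guesses/s")
    # Twelve random printable-ASCII characters (assumed 95-symbol alphabet).
    bits = random_string_bits(95, 12)
    print(f"twelve random characters:   {bits:.0f} bits, "
          f"{years_to_exhaust(bits, 1000):.2e} years at 1000 guesses/s")
    # A passphrase from the tiny sample list (demonstrates the method only).
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Note that the random string still comes out well ahead on entropy, which is the post’s point: the four-word scheme is not the strongest possible, it is the strongest you can actually remember.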

This is not to say the random passwords aren’t still secure, or that they aren’t more secure – they are. The issue we’re trying to address here is ease of use. If you have to write down your password on a sticky note, that’s utterly defeating the password process. So, let’s use something you can remember!

Personally, I still use a mnemonic to generate my own passwords (take the first letter of each word of the chorus in a favorite song, and insert the punctuation from the pauses in the song, too); however, when we need to generate passwords for customers, we’ll be using this far simpler method of stringing four words together.


Some admins don’t want to tell their customers this is the case – they’ve been preaching the nonsense passwords for so long, they don’t want to admit simple dictionary words are better. To be perfectly honest, I almost didn’t share this because how embarrassing, right? In my view, though, it’s better to be upfront and share the information, because this can make our lives so much easier! Who needs added complexity when we have gardens to plant, livestock to tend, jobs to go to, kids to feed, et cetera? Bask in an easy-to-remember password, courtesy of Black Chicken Host. 😉

If you’re interested in the science behind why this four-word scheme works, you can read more here: The Usability of Passwords. This quote hits the nail on the head:

“In Hollywood, passwords are hacked one digit at a time. Meaning the system would return true or false information based on partial matches. This is not how the real world works. You cannot match a password based on partial matches. “This * *” is not the same as “this is fun”. It would return it as FALSE. You have to match all three words, all at once.”

In short, the real world of “computering” is far, far different from what film and television make it out to be. You can craft highly secure passwords by using a combination of plain old-fashioned dictionary words.
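To show the all-at-once check the quote describes, here is an added example (not from the original post) of how a server stores and verifies a password: it keeps a salted PBKDF2 hash and compares the whole derived key, so “this * *” fails exactly like any other wrong guess and the check reveals nothing about which words matched. The iteration count and salt length are assumed values.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware


def store_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, derived_key); this is what the server keeps, never the password."""
    salt = os.urandom(16)  # assumed 16-byte random salt, unique per user
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(candidate: str, salt: bytes, stored_key: bytes) -> bool:
    """True only if the entire candidate reproduces the stored key.

    The hash of "this * *" shares nothing with the hash of "this is fun", and
    compare_digest checks every byte in constant time, so a partially right
    guess neither succeeds nor takes a measurably different amount of time.
    """
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(key, stored_key)


if __name__ == "__main__":
    salt, key = store_password("this is fun")
    for guess in ["this is fun", "this * *", "this is fu", "correcthorsebatterystaple"]:
        print(f"{guess!r:30} -> {verify_password(guess, salt, key)}")
```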



3 thoughts on “Password Security Which Will Surprise You”

  • I’ve read about this before, and love the idea in theory. Here’s the rub: not a single bank, social network, or other computer system I regularly access will allow me to use such a password, even when I’ve given them the same mathematical evidence proving the security. The issue now with relaxing the crazy “one number, one capital, one symbol, 16 character minimum” type passwords is that so many users will go back to using ridiculously easy-to-crack ones like ‘password’, ‘god’, or ‘imwithstupid’.

  • I agree, Peter — the more we keep putting the word out about the number of characters being more important than the complexity of characters (after all, the server isn’t going to give a pass/fail for each character), we can move out of the archaic framework for security most places have implemented. They mean well, but are misguided.

    And Jill – you’re very welcome! 🙂
