Did you know that for less than $20,000 you could build your very own password cracker that, under ideal conditions, could try out more than 100,000,000,000 passwords EVERY SECOND?
That means you could churn through every possible 8-letter password in just 2 seconds, and every 9-letter password in under a minute!
So here is a short and straight-talking video that not only shows you how to pick a proper password, but also explains why you should bother.
(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)
Once you’ve watched the video, you might find yourself thinking, “But they didn’t mention two-factor authentication or two-step verification!”
Two-factor authentication (2FA) is a way of making it harder still for cybercrooks to login to your accounts.
Generally speaking, it requires you to use a one-time code that’s different every time you login, usually sent by SMS or generated by a special app on your smartphone.
Indeed, we think you should turn on 2FA for every account that will let you, but because you don’t pick the 2FA codes yourself, we didn’t think it quite fitted into the video, which is about helping you to choose wisely for yourself.
However, we do have an informative podcast that tells you all about 2FA, if you’d like to learn more:
By the way, we’ve had some questions, over in the Sophos Spiceworks community, about the value of online password checkers, those web sites that claim to help you to decide whether you picked a proper password or not.
We’re ambivalent about them.
Password strength meters may help a little, notably that if they say a password is weak, it’s probably very weak.
But some of the ones we’ve seen tend to be influenced by the wrong sort of detail, like how many different sorts of character you’ve used, not how hard the password might actually be to crack.
We think that you’ll do well enough all by yourself if you follow the advice in the video…
22 comments on “How to pick a proper password [VIDEO]”
Fitted? Really? Try E-D-I-T-O-R next time.
I think that’s one of those words where American English and British English differ in how they write the past tense.
There are quite a few words where American English uses exactly the same form in the present and past tenses while British English either adds -ed or changes the vowel.
Sadly, I can think of only one example word right now and it isn’t entirely appropriate for a family-friendly website 🙂
Anyway, I ain’t gonna change it now. I think it’s well-fitted as it is.
Aint? I didn’t know Brits use that word.
How about this method?
Go to 1:18 of the video.
DOOOOOOOOH! I RETRACT. I SHOULD BE PUT IN THE SHAME CORNER OF THE INTERNET FOR THE REST OF THE WEEK.
Some people insist it’s better, but there are a few of problems with it.
Firstly, the assumption is that it’s always easier to remember a sequence of bizarre words using mental images than it is to remember a mnemonic sentence. But different people remember things differently.
Secondly, password “complexity” rules these days tend to insist on not using only a-z letters, even if you choose 48 of them. So you have to do the digits and punctuations anyway, and the plain mental images are no longer enough.
Thirdly, some apps and websites limit the length of your password. Android, for instance, seems to have an annoying limit of 17 (for digit-only PINs *and* all-character passwords); Microsoft’s cloud services don’t go longer than 16. So for those you need the mnemonic approach anyway.
Fourthly, I am not convinced that you really do get the entropy claimed in XKCD. Assume you use a 1000-word vocabulary for the XKCD-style passwords – that’s only 1000^4 passwords, or 10 x the magic 100 billion number mentioned above.
You can always use song lyrics as an inspiration like the one below:
Sure its long, obnoxious, and will take a little bit to type in, but it would take a pretty long time to crack that. I added in some coding too.
My laptop is essentially nothing more than a scratch pad which is accessible only to me. Therefore no password just the ever faithful power on/off button. Love it!
Most laptops have some risk of being lost or stolen, however. (That’s why we recommend full disk encryption, with a decent password. Also handy if you ever want to dispose of it, lend it, sell it or send it in for repair.)
If crooks *do* manage to crack that password, you would have at least some small consolation.
Because you could claim, even as they made off with your money or posted unlikely ads to your social media wall, to have Rickrolled them.
And you know what they say: “He who laughs last may be the only one left in the room.”
Oh I do like a bit of Rickrolling 😉
The two-factor authentication, though not a silver bullet, could be reliable when it comes with a reliable password. 2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.
Using a strong password does help a lot even against the attack of cracking the stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses.
At the root of the password problem is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
This might interest you:
There’s no way I’m going to be able to manage typing a ridiculously long and complicated password every time I want to do something with my password manager. You say 14 characters, but they’re only going to get longer as computing power gets cheaper. This is not sustainable. Our brains can’t handle it.
Try it. It’s nowhere near as hard as you think. You just have to get used to a bit of extra hassle.
Great info as usual! Thanks a lot for your continuous effort to do this very important educational work 🙂
I was wondering about the comment about password managers recognizing the websites and this being an additional aspect of security. It is true of course – but (at least for KeePass(XC)) it requires to use a browser plug-in, doesn’t it? And I have been advised to avoid these plugins giving access to the password database for security reasons. Then, what is left, is using auto-type – and having to check the website link oneself. One can’t win it seems.
What’s your take on these two aspects: risk of a plugin vs. benefit of website/link check?
You could always split your passwords between two databases, one of which your browser can access and the other of which it can’t.
Your browser will never need to know the verbal backup code for your bank, or the SSH password you use for console logins.
Personally, I don’t use a browser plugin – the cost is that it generally takes me about 10 seconds longer to login each time that most people. I’m good with that but I have had people express surprise that I am willing to “waste” so much time with passwords.
Oh, and even if you do have hard-random, 99-character passwords for every site plus a browser plugin that checks domain names scrupulously – check everything again yourself anyway!
Don’t add extra strength in one place only to take it away somewhere else you already had it. (In a similar vein, turning on 2FA doesn’t men you can revert to “rover” as your password!)
Thanks, Paul, for your thoughts and advice.
I’m with you on not using a plugin myself. It’s more for finding the right advice for people that are not that much into IT and security like we are.
Password managers are one of the rare cases that increase security AND comfort. Still there is the hurdle to get people to change their habit and actually use one 🙂
Maybe you guys can have a closer look one day at browser plugins in general in regard to security risks…
Keep up the great work!
Any idea why this video is now unavailable?
No idea how did that! But thanks for the notification – it’s public again now.
Thanks Paul. You are always thought provoking. Those of us with memory handicaps rely on password managers like the freebies with Safari or Firefox that come with browsers. But those can be broken by them that know how. Long passwords don’t help when you can’t remember a 4 digit telephone number. And password managers have an occasional glitch so I depend on an address book and a pencil. I dread losing that book and not being able to log into my bank, for cash on a vacation, who has cut me off for too many tries. The book saved me several times at home. I don’t carry it with me for obvious reasons. Why not use the cloud services that Apple, Microsoft, Google etc. offer for backups to get our browser passwords? Would you trust Apple, Microsoft, Google? How many times have their servers been broken into and we don’t know about it because secrecy is their middle name. I’m cynical, yes, because crooks are very smart; looking for ways to infiltrate. The “honest” people are more concerned with operations, selling or adding gimmicks to operating systems and programs. Rarely do they do what the crooks are doing to test their work thoroughly. If they did, Ransomware would never have appeared in the OED.