Passwords: Long is Strong

As a founder of PassPack, I try and keep up on all conversations about passwords on the internet. In my virtual travels, I’ve realized that the number one reason people don’t feel they need a password manager is because they “have a system.”

One of the more ingenious ideas I’ve come across is David Bradley’s Passwords for Scientists where he proposes using the molecular formula for various pharmaceuticals.

However, most of these home-grown formulas are variants on the same theme: take the first letter of every word in a song title, quote or sentence, mix up the upper- and lower-case letters, throw in some numbers and perhaps add a prefix representing the website name.

… folks, this is not as safe as you would think. Really, it’s just not.

The Proof is in the Password Pudding

Roger A Grimes launched this password hacking contest a few months ago. Here’s Roger’s theory:

I proposed that shorter, so-called “complex” passwords were easier to break than less complex, longer passwords. I know this to be true because I frequently password crack for a living, and I know that most people’s “complex” passwords aren’t really that complex. When told to pick complex passwords, 80% of all end-users will use the same complexity tricks. [my emphasis]

Yup. I didn’t run the contest, but I can surely say this is true in my experience from reading blog posts and comments.

The contest gave out three passwords hashes, and guess which one was cracked first?

“S10wDr1v3r” was cracked six months before “myengagingwives”.

Does S10wDr1v3r look like any of your passwords? If so, it might be time to change to something longer.

But why do all that work?

I know everyone hates passwords. I do too. We all do. Passwords are so hated that “password fatigue” is now considered a syndrome!

So, if you hate passwords – why spend so much time making them up? Why apply so much of your creative energy inventing a password that will be no more complex than the ones that 80% of all end-users will use?

Think of all the time and energy you could save by just forgetting about your passwords. Yes, I said forget them. Free up your memory. Take all those passwords and stick them… ehem… in a password manager.

Choose, and use, a Password Manager

Once you have a password manager, you can pack your passwords away in there, forget them, and look them up whenever you need them.

See? Isn’t that much easier?

Of course, you’ll need a master Pass (and Packing Key) and you’ll want to pick something nice and strong. I know, I know… but consider it the last and final necessary password evil.

Here’s a tip: pick a sentence and use that. This is called a pass phrase. It’s just a sentence. A plain and simple sentence with spaces and punctuation. As Roger’s password hacking contest has shown, the longer the better.

Hippity Hop, the rabbit ate the carrot.

That’s a pass phrase. It’s easy to remember and 39 characters long (and strong). Some more examples here.
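To see why the longer, “less complex” password outlasts the shorter, “complex” one, it helps to count the candidates a brute-force search has to cover. The following is an added example (not code from this post or from PassPack): it sizes the character alphabet a password draws from, raises it to the password’s length, and converts that into years at an assumed guess rate. The guess rate (10 billion per second) and the dictionary size (20,000 words) are assumptions chosen for illustration, not measured figures; the three passwords are the ones named in this post.

```python
import string

# Character classes and their sizes. Together they cover the 95 printable
# ASCII characters; space and punctuation are grouped as "symbol" (95 - 62 = 33).
CHAR_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet size an attacker must assume, given which classes the password uses.

    A password with only lowercase letters gives 26; mixing lower, upper and
    digits gives 62; adding a space or punctuation mark adds another 33.
    """
    size = 0
    for chars, class_size in CHAR_CLASSES.values():
        if any(c in chars for c in password):
            size += class_size
    return size


def search_space(password: str) -> int:
    """Candidates a character-level brute force must cover: charset ** length."""
    return charset_size(password) ** len(password)


def word_search_space(passphrase: str, dictionary_size: int = 20_000) -> int:
    """Pessimistic estimate for a passphrase built from ordinary words.

    If the attacker knows the phrase is made of dictionary words, the search
    is over word choices, not characters: dictionary_size ** word_count.
    The 20,000-word dictionary is an assumed size for illustration.
    """
    return dictionary_size ** len(passphrase.split())


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(passwords, guesses_per_second: float = 1e10):
    """Return one summary dict per password, sorted weakest first."""
    rows = []
    for pw in passwords:
        space = search_space(pw)
        rows.append({
            "password": pw,
            "length": len(pw),
            "charset": charset_size(pw),
            "search_space": space,
            "years": years_to_exhaust(space, guesses_per_second),
        })
    return sorted(rows, key=lambda r: r["search_space"])


if __name__ == "__main__":
    # The three passwords named in the post; the guess rate is an assumed figure.
    for row in compare(["S10wDr1v3r", "myengagingwives",
                        "Hippity Hop, the rabbit ate the carrot."]):
        print(f'{row["password"]!r}: {row["length"]} chars, alphabet {row["charset"]}, '
              f'{row["search_space"]:.3e} candidates, ~{row["years"]:.2e} years')
    phrase = "Hippity Hop, the rabbit ate the carrot."
    print(f"word-level estimate for the passphrase: {word_search_space(phrase):.3e}")
```

Even with the handicap of a lowercase-only alphabet, “myengagingwives” (26^15) has roughly two thousand times the search space of “S10wDr1v3r” (62^10), because length is an exponent while alphabet size is only the base. The `word_search_space` figure is the caveat a practitioner would add: a passphrase of common words is weaker than its character count suggests, since a cracker can guess whole words at a time, yet seven words from a 20,000-word list still dwarf both single-word passwords. The one thing this arithmetic does not capture is the point Roger makes in the quote above: real crackers try the popular “complexity tricks” first, so a short password built by a well-known recipe falls long before its nominal search space is exhausted.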

So Get Packing

If you’re ready to start packing up those passwords, follow the instructions for Getting Started with PassPack.

If you have any problems whatsoever, just drop me an email. I’ll do what I can to help.


3 responses to “Passwords: Long is Strong”

  1. Passwords are very important for your digital tools. What Telli said about long passwords being strong is true. But make sure that you remember it and don’t share it with anyone.

  2. Pingback: Password Meter Mania « Passpack Blog

  3. Pingback: Email Security: Not Limited to Sarah Palin « Passpack Blog
