Stop being creative and start using a password generator

TL;DR: Don’t bother with “creative” passwords. Make them long and random, don’t re-use them, and use a password manager to keep track of them instead of trying to remember.

There are lots of things we do to jeopardize our online and personal security without a second thought. Publishing vacation photos on social media while you’re still out of town, not fully covering the pin pad when making a purchase at the till, or always clicking “I agree” without actually reading the terms of use. These are all things that we know we shouldn’t do, but we do anyway out of convenience, complacency, or just habit. Using unsecured passwords is one of these things.

Now, we all know that password security is important, but we don’t always know why certain practices are important. Use a strong password. Uh, ok, sounds reasonable, but why? Don’t reuse the same password. Sure, sounds like a no brainer, but what if I just tweak my fave password a bit every time I use it? Can’t I just be creative?

Well, my friends, here are a couple of common “creative” password practices you should stop using today, and why.

Strong Passwords

A lot of folks I talk to tell me how they’ve gotten better about using strong passwords. We’ve all learned the guidelines at some point: use a mix of capital and lowercase letters, numbers, and symbols for the most secure password. This leads people to the idea that they can use a really bad password and “spice it up” with a sprinkling of variety and voila! They’ve got a good password! Common techniques are to use an alternative alphabet, substituting numbers and symbols for similar looking letters – @ instead of a, ! instead of i, 3 instead of e (looks like a backwards E, right?) and so on.

This technique is better than nothing – if you take a word or phrase and mix in some capital letters, numbers and symbols, you will definitely get a more secure password than if you didn’t. If I turn “gimlet” into “g1mL3t!” I have definitely improved it to some degree. However, it’s become common practice for hackers to run through alternate spellings in dictionary attacks (when a hacker uses a program to quickly test your secret password against every word in the dictionary, plus the usual substitutions). Substitution does increase the time to break a password by a couple of orders of magnitude, but unfortunately, if you’re basing it on a dictionary word, that only turns minutes into perhaps days.

Reusing Passwords

Further, the issue of password re-use is one I’ve covered before – sure, your password may be a secure one, but someone may get a hold of it by hacking a large service like Yahoo. That’s a pretty extreme situation, but illustrates the point very well: if an organization as big as Yahoo is vulnerable to having data stolen, just about anyone is. Now imagine that you’ve used your super awesome secure password across dozens of sites. Not that secure anymore, is it?

So instead of re-using that password, you make some changes: “g1mL3t!” becomes “g1mL3t@” on another site, and “g1mL3t#” on a third site. But nowadays, you’ve got a dozen or more sites that you access regularly – was your Netflix password g1mL3t! or g1mL3t^ or g1mL3t$? At that point you’ve defeated the purpose of using an easy to remember password in the first place. Why not go all in and generate a completely random password? Once you free yourself from the burden of remembering passwords, you can really crank up the security on them.

Don’t try to do this yourself – you won’t actually generate something even close to truly random. Instead, use a random password generator set to 16+ characters. Personally, I use 19 characters. Kitestrings offers a free tool to check the strength of your password and generate a random password.
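As an added example (not from the post and not the Kitestrings tool), here is what a generator that draws from the operating system’s cryptographic random source looks like in Python, alongside a rough estimate of how much search space the “g1mL3t!”-style substitution trick really buys. The lookalike table and the 100,000-word dictionary size are assumptions.

```python
import math
import secrets
import string

# 94 printable ASCII characters (letters, digits, punctuation; no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed lookalike table for the "alternative alphabet" trick: each base
# letter and the characters people commonly swap in for it.
LEET_SUBS = {"a": "@4", "e": "3", "i": "!1", "l": "1", "o": "0", "s": "$5", "t": "7"}

# Assumed size of the wordlist a dictionary attack starts from.
DICTIONARY_SIZE = 100_000


def generate_password(length: int = 19) -> str:
    """Draw every character from the OS CSPRNG (secrets), never random.random."""
    if length < 16:
        raise ValueError("use 16 or more characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def leet_entropy_bits(word: str) -> float:
    """Rough upper bound on the search space for a dictionary word dressed up
    with substitutions: any word in the list, each letter upper or lower case
    and either left alone or swapped for a lookalike, plus an optional
    trailing punctuation mark (as in "g1mL3t!")."""
    variants = 1.0
    for ch in word.lower():
        if ch.isalpha():
            variants *= 2                               # case choice
            variants *= 1 + len(LEET_SUBS.get(ch, ""))  # keep or substitute
    variants *= 1 + len(string.punctuation)             # optional trailing symbol
    return math.log2(DICTIONARY_SIZE * variants)


if __name__ == "__main__":
    print(generate_password())
    print(f"leet 'gimlet'   ~{leet_entropy_bits('gimlet'):.1f} bits")
    print(f"random 7 chars  ~{random_entropy_bits(7):.1f} bits")
    print(f"random 19 chars ~{random_entropy_bits(19):.1f} bits")
```

Under these assumptions a dressed-up “gimlet” sits around 32 bits, which a random password of only 7 characters already beats, and 19 random characters give roughly 124 bits.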

The Geek Corner

Now, I’m going to get somewhat technical for a minute. You can get the important takeaway from this blog post if you stop reading here. But if you’re interested in some deeper knowledge, I’m going to explain why it’s not just for your OWN security, but for EVERYONE’s security that you should do this.

When a hacker gets a hold of a database full of passwords, the first thing they’ll do is try to break the encryption on that database. How do they know when they’ve succeeded? When a large number of the passwords look like something readable. In a database of a million passwords, it’s almost guaranteed that a couple dozen of them will be “password” or “123456.” When the hacker’s program sees that a bunch of passwords are coming up as normal words or matching common patterns (e.g. password, passw0rd, p@ssword, p@ssw0rd, etc.), they know that they’ve cracked the database’s encryption.

On the other hand, if all of the passwords in the database are randomized, it becomes much more difficult for them to detect when they’ve correctly decrypted the database. It’s not impossible, but it takes more sophisticated pattern analysis, creating a bit more of a barrier to entry. The result of everyone using strong, random passwords is a bit of herd immunity. The more random, the less likely they are to be broken by pattern analysis.

(Note: I’m aware that this ignores the modern practice of salting passwords individually, but this isn’t universally implemented, and I’m hitting the limits of how technical I want to get in a blog post that’s not geared towards MS and PhD candidates.)
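As an added example (not from the post), here is the difference the note is pointing at, in Python on a constructed user table: without salts, every user who picked “password” stores the same digest, so the shared weak passwords cluster before anyone cracks anything; with a per-user random salt and PBKDF2, identical passwords no longer produce identical digests. The user names and passwords are made up; the iteration count is one commonly recommended value, not a setting from any real site.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for a leaked user table: three users chose "password",
# one used a lookalike variant, one used a generated password.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "p@ssw0rd",
    "carol": "password",
    "dave": "password",
    "erin": "Vq7%mR2#kLs9&pWz0!x",  # constructed; stands in for a generated value
}
PBKDF2_ROUNDS = 600_000  # a commonly recommended (OWASP) floor for PBKDF2-SHA256

def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always yields the same digest, so
    shared passwords cluster in the stored table before any cracking happens."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; returns (salt_hex, digest_hex)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex(), digest.hex()

def verify_salted(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, digest_hex)

def repeated_digests(digests) -> int:
    """Count digests that duplicate another: the clustering that makes
    shared weak passwords stand out (and that per-user salts remove)."""
    digests = list(digests)
    return len(digests) - len(set(digests))

def compare_stores(users: Dict[str, str]) -> Tuple[int, int]:
    """Return (repeats without salt, repeats with salt) for the same users."""
    plain = [unsalted_hash(pw) for pw in users.values()]
    salted = [salted_hash(pw)[1] for pw in users.values()]
    return repeated_digests(plain), repeated_digests(salted)

if __name__ == "__main__":
    print("repeated digests (unsalted, salted):", compare_stores(SAMPLE_USERS))
```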