Sites Lie To You about What Makes a Good Password

Bad password advice from the 1990s continues to be repeated ad nauseam, even though it has been widely disproven and groups ranging from security firms to academic researchers to the National Institute of Standards and Technology (NIST) specifically advise against most of those principles. Below, I take this apart and offer you actual good advice. (My friend Joe Kissell covers this topic in depth in his excellent "Take Control of Your Passwords.")

You might also wonder why encrypted passwords stolen from breached sites can still be cracked and used against you. I can explain that, too.

Everything you’ve been told is wrong

P@ssw0rd1 could be cracked in a billionth the time it takes for you to recognize that the first P in this sentence is a letter.

P@ssw0rd1 could be cracked in a billionth the time it takes for you to recognize that the first P in this sentence is a letter.

You know the drill. You’re often told, when setting up an account or changing a password, that a good password should:

  • Be at least 8 characters long, but often no more than 12.
  • Contain at least one uppercase letter, one lowercase letter, one number, and one piece of punctuation (from an approved list).
  • Not contain any words found in a dictionary (in any language).
  • Change every few months.

If you follow that truly lousy advice — which may even be enforced by the server — you can wind up with dr0wssaP!, a password that passes all those rules with flying colors and can be cracked in seconds. Crackers also know the above rules and optimize their cracking routines to focus on variants of simple words combined with the obvious numbers and pieces of punctuation. This is what leads people to pick Apples1! for an eight-character password. 

Not really that strong, but it’s green! That’s good, right?

Not really that strong, but it’s green! That’s good, right?

As NIST’s 2017 standards report notes about memorized passwords, “Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed.”

All of that is bad advice. The best current recommendation is:

  • Use a password manager that creates and manages passwords for you. I rely on 1Password.
  • Use a different password on each site. A password manager makes that easy.
  • Make it longer, which I’ll discuss more below. Passwords are often 8 to 12 characters because they’re so complicated. A longer, easier to type password can be much stronger than a short impossible one.
  • For passwords you need to type regularly and can’t paste in, make up passwords from words you know, but use several of them, randomly selected; better, let your password manager do it for you.
  • Don’t change your passwords regularly. There is absolutely no reason to create and memorize or store a new password unless a breach has occurred. The only reason to avoid this rule is if you haven’t changed your password in a while and you know it’s short and weak.

You can consult my 2015 Fast Company article, “Everything You Know About Passwords Is Wrong” for more of the research background on why existing rules are bad.

You might be baffled, as I regularly am, as to why a password like Sluggy-Headache-Fedora-Man is much more more secure than KLJf@88!4=Pz9 — should a password made of words be simpler to test and match than one made of totally arbitrary characters? No, and that’s because of the brute force required. Even with crackers using techniques to walk down smarter paths for basic passwords, longer passwords just take vastly longer amounts of times through which to iterate. (I have to go and re-read the background to refresh myself on the details.)

Every character added to a password can increase the difficulty of cracking it by some factor from just a few to thousandsfold, depending on the overall set of characters chosen, repeated characters, whether words are in dictionaries, and more. Add several characters and through the power of exponents, a password could be billions or trillions of times more resistant to brute force. You can trade off a large set of characters used in a password — like mixed case, punctuation, and numbers — against a longer password that’s entirely lowercase or mixed case. (A nice variant is to use a rare punctuation character between words.)

Effectively, the choice is:

  • If you never need to type a password, and your password manager can fill it in, picking a super-complicated 20 characters long will probably survive the heat death of the universe.
  • If you ever need to type a password, especially on a mobile device, picking a longish one that's three or four words long in an unusual combination (which can be generated by 1Password and other software and algorithms) with a story that reminds you of the words gives you until the sun burns out. Or even with vastly improved computational, the rest of your life and far far beyond.

When passwords are stolen from a Web site, aren't they encrypted? Shouldn't that stop the bad guys?

Yes and no. Account databases almost always use "hashing," a one-way encryption process that transforms any input into something that can’t be reverse-engineered to discover the original information. (It performs a large number of mathematical operations that ensures that two similar pieces of starting text produce vastly different hashed outcomes. This prevents guessing and testing.)

When you log into nearly any Web site, you enter your username and password, and the password is sent through the same hashing algorithm and compared to the stored value in the site’s database. Good so far.

Since hashing is a one-way operation, the only way to crack a hashed entry is through brute force: passing a huge number of passwords through the same hashing algorithm until you find one that matches the stored value.

However, many sites long relied on an outdated hashing algorithm (SHA1) that has run afoul of Moore’s Law combined with flaws discovered later in how the algorithm was designed. Because computational power increases on exponential basis, any algorithm that has a flat level of difficulty, no matter how complex, will eventually fall to faster computers. Plus, GPUs (graphical processing units) in computers and graphics cards vastly speed up and reduce the cost of encryption and similar intensive computational tasks. As a result, criminal crackers can afford hardware that's able to perform tens of billions — maybe hundreds of billions — of passwords checks per second. Flaws in the algorithm further reduced the amount of operations required to crack passwords, providing an effective speed boost.

One simple technique could have protected even many weak passwords. Let's say your password is 123456. That's a terrible password, and could easily be broken by brute force checks that would test billions of possible password against the stored hash value. Even worse, that cracked password is now cracked across all accounts in all breaches because it's identical when passed through the hashing algorithm everywhere.

However, if you add unique random data called "salt" to the one-way hashing algorithm, as little as a couple characters of text, but which can be much longer, the hashed results of otherwise identical weak passwords end up different. Even if one salted password is cracked, others won't be, because the salt will (or at least should be) different for each one. Every password has to be cracked uniquely by combining the salt with the current guess, no matter how weak the password is.

In short, because computing power continues to both increase and drop in cost, crackers continue to break more passwords from older breaches and use them to compromise accounts whose passwords remain unchanged.

Nonetheless, we're still talking about relatively weak passwords. It also turns out that many sites had no rules for password security, and even those that did often gave bad advice for choosing passwords. As a result, a lot of people chose 135792468 or p@ssw0rd for what they thought would be a perfectly unguessable password. 

Pick a better password even as sites improve their encryption choices, and you can wind up well protected. Some sites and services that use robust protection have had major breaches and no reported cracked passwords.

I originally wrote this as part of a story where it wound up ballooning out of scale, and too tangential. I revised to share here!