Why your password is lousy

Passwords: everybody loves them and hates them

Few things in modern life are more irritating than creating a new password for a website you just joined. Perhaps you just signed up for the latest music streaming service and are itching to try it out, but there it is: the dreaded password box. It is the only thing that stands between you and the millions of songs waiting at your fingertips. With each attempt at creating a password you are told that yours is insufficient (not enough characters? not enough numbers? it doesn’t even say!), raising your ire. Out of desperation you start throwing random numbers and exclamation marks onto your “usual” password, and eventually it works! Sadly, the next time you log in you realize you have no idea what your password is.

The above situation is common to all of us, and is an integral part of modern life. The average person has dozens of passwords for everything from banking and email to blog subscriptions, and almost certainly those passwords are far too weak. Someday those passwords will be useless.

What is password strength, really?

The preceding hypothetical scenario is actually rather rare. In an effort to prevent new users from becoming discouraged as they attempt to sign up, a great number of websites bypass minimum security requirements for passwords, allowing for very weak passwords. This temporary convenience for the customer creates a very real security threat, as unauthorized access to a site can create a great deal of headaches for all involved.

Today’s more or less “standard” password security requirements are relics of the earliest days of the Internet, when a password was considered secure as long as it wasn’t obvious. At that time, there were no sophisticated, automated bots attempting every possible password combination in order to brute force their way into a site. Even a password like P@55w0rd! was considered quite clever.

Those innocent days are long gone. Today’s hackers have very sophisticated, high-powered tools at their disposal. Modern computing power makes it possible to test every feasible combination of keyboard characters rather rapidly, and dictionaries of known passwords have been created to make this process even more streamlined. For example, research has shown that P@55w0rd! is a very common password, so a brute force bot will try that password before it starts the more tedious task of random guessing. With computing power ever increasing, and the dictionary of known passwords growing with it (each data breach you hear about on the news means millions of additional known passwords make it onto the list), the odds of your favorite password being secure diminish by the day. This is even more pronounced if hackers are targeting you specifically. Since it is popular to use pet names and birth or graduation years in passwords, hackers who know that your dog is named Fred and you were born in 1976 will find that your favorite password Fred1956 is doomed to fail.

So what is a good password? In short, the longer the better and the more random the better. The longer the password, the less likely a brute force attack will compromise it, provided that it isn’t composed of well-used dictionary words. To ensure randomness, it is a good idea to have a program generate the password for you (such as https://passwordsgenerator.net/ or the native WordPress password creation method). By doing so you won’t let inherent biases creep in, nor will you subconsciously use keys next to each other on the keyboard, since keyboard patterns are also in the known dictionary of oft-used passwords.
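The three failure modes described above (a password that is on a breached-password list, a name-plus-year pattern like Fred1956, and an adjacent-key keyboard run) are exactly what a strength checker should catch before it bothers counting characters. The following is an added example written for this post, not code from the original article or from any password site or WordPress; the tiny COMMON_PASSWORDS list, the keyboard-row table, the 50-bit "too short" threshold and the helper names are all constructed assumptions standing in for the multi-million-entry lists real cracking tools use. It also shows the generator side of the advice, using Python's `secrets` module so no human bias creeps in.

```python
import math
import re
import secrets
import string

# Constructed stand-in for a breached-password dictionary (assumption: real
# lists contain millions of entries; these are just a few illustrative ones).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@55w0rd!"}

# Keyboard rows used to spot adjacent-key runs such as "qwer" or "asdf".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# A word followed by a 19xx/20xx year, the "pet name + birth year" pattern.
NAME_PLUS_YEAR = re.compile(r"[A-Za-z]+(19|20)\d\d")

# Assumed threshold: below this many bits of brute-force keyspace the
# password is treated as too short regardless of its characters.
WEAK_BITS = 50.0

# Alphabet for generated passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def charset_size(pw: str) -> int:
    """Size of the smallest character set an attacker must search to cover pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the number of guesses an exhaustive search over charset^length needs."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def has_keyboard_run(pw: str, min_len: int = 4) -> bool:
    """True if pw contains min_len adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            run = row[i:i + min_len]
            if run in low or run[::-1] in low:
                return True
    return False


def assess(pw: str) -> dict:
    """Classify a password the way a cracker would attack it: cheapest method first."""
    bits = brute_force_bits(pw)
    if pw.lower() in COMMON_PASSWORDS:
        verdict = "dictionary"        # found on a breach list: guessed immediately
    elif NAME_PLUS_YEAR.fullmatch(pw):
        verdict = "name_plus_year"    # targeted guess from personal details
    elif has_keyboard_run(pw):
        verdict = "keyboard_pattern"  # adjacent keys, also in cracking dictionaries
    elif bits < WEAK_BITS:
        verdict = "too_short"         # only now does raw keyspace matter
    else:
        verdict = "ok"
    return {"password": pw, "bits": round(bits, 1), "verdict": verdict}


def generate_password(length: int = 16) -> str:
    """Random password from a CSPRNG, re-drawn until every character class appears."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if charset_size(pw) == len(ALPHABET):
            return pw


if __name__ == "__main__":
    for candidate in ["P@55w0rd!", "Rover2001", "qwertyuiop1", "abc123", generate_password(20)]:
        print(assess(candidate))
```

Note what the first result shows: P@55w0rd! scores roughly 59 bits of raw keyspace, which would look respectable if length and character mix were all that mattered, yet it is rejected outright because it sits on the dictionary. The generated 20-character password clears every check and lands above 130 bits. In a real deployment the dictionary check would be run against a full breached-password corpus rather than five entries, and the bit thresholds tuned to the site's risk.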

What can help me remember all these hard passwords?

Naturally, the more difficult your password is to guess, the more difficult it is to remember. To make matters worse, it is a very bad idea to use the same password, no matter how good it is on its own, on all of your accounts. There are services such as LastPass that give you a one-stop shop for all your passwords, so that you remember only one master password and let the service do the rest. However, keeping all your security eggs in one basket is risky, and these sorts of services have been hacked in the past, exposing all customer passwords.

Increasingly, the best way to handle passwords is to take the radical step of pivoting towards biometric and two-factor authentication (2FA) systems. As mentioned previously on this blog, 2FA relies on the possession of a unique device (usually a smartphone) that holds the “key” to access a site. Biometrics (which use human-unique characteristics such as fingerprints) are becoming more common on standard consumer devices.

With the advent of ever-increasing computing power and sophisticated password-cracking algorithms and dictionaries, it is conceivable that the era of passwords may come to an end and a new era of device- or human-centric authentication will take its place. For all those frustrated with the seemingly never-ending process of creating and maintaining passwords, that day can’t come soon enough.

Work With Us

We've been building websites for over twenty years, and have learned a thing or two about how to make web projects go smoothly.