Passwords suck. Plain and simple. They’re a pain to create, reset and maintain, especially for those who are security-conscious enough to use unique ones across all of their personal accounts. For everyone else, who reuse the same or similar passwords across platforms, they’re a headache that, in all honesty, doesn’t make us much more secure.
When password reuse runs rampant, malicious actors use tactics like credential stuffing and brute forcing to hack accounts with relative ease. The former takes known credentials, perhaps acquired after a major third-party security breach such as those at Sony or Home Depot, and tries them across the target’s other accounts. This is especially easy for attackers when they use programmatic tools, which can test thousands of passwords every minute via brute forcing.
Slight variations in the password can be ascertained programmatically, when 90 per cent or more of the password has already been acquired. This occurs when users only add a different number or bit of punctuation to an otherwise largely reused password, often to simply satisfy a platform’s password requirements or mandatory reset.
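The two tactics above leave different fingerprints in authentication logs: credential stuffing shows one source failing against many different accounts, brute forcing shows one source failing many times against a single account. The following is an added example (not code from the original article) that flags both patterns over a constructed sample log; the log format, the five-minute window and the thresholds are assumptions chosen for illustration.

```python
"""Flag credential-stuffing and brute-force patterns in authentication logs.

Added example, not from the original article. The log format, the
thresholds and the sample lines are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). One line per login attempt.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=success
2024-05-01T10:00:04Z ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:05Z ip=203.0.113.7 user=frank result=fail
2024-05-01T10:00:10Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:11Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:12Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:13Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:14Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:15Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:09:00Z ip=192.0.2.9 user=alice result=fail
2024-05-01T10:09:30Z ip=192.0.2.9 user=alice result=success
"""

WINDOW = timedelta(minutes=5)         # assumed detection window
STUFFING_MIN_DISTINCT_USERS = 5       # one source failing against many accounts
BRUTE_MIN_FAILS_PER_USER = 5          # one source hammering a single account


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, user, result)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"]


def classify_sources(log_text):
    """Return {ip: label} for sources whose failures within WINDOW look like
    credential stuffing or brute forcing; sources that trip neither rule are omitted."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    labels = {}
    for ip, attempts in by_ip.items():
        # Slide a window over this source's attempts in time order.
        for start in range(len(attempts)):
            t0 = attempts[start][0]
            window = [a for a in attempts[start:] if a[0] - t0 <= WINDOW]
            failed_users = defaultdict(int)
            for _, user, result in window:
                if result == "fail":
                    failed_users[user] += 1
            # Many different accounts from one source: a leaked list being replayed.
            if len(failed_users) >= STUFFING_MIN_DISTINCT_USERS:
                labels[ip] = "credential_stuffing"
                break
            # Many failures against one account from one source: password guessing.
            if failed_users and max(failed_users.values()) >= BRUTE_MIN_FAILS_PER_USER:
                labels[ip] = "brute_force"
                break
    return labels


if __name__ == "__main__":
    for ip, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {label}")
```

Successful logins are deliberately left out of the counts, so a legitimate user who mistypes once and then gets in (192.0.2.9 above) is not flagged; the thresholds should be tuned to the real login volume of the service before this is used as an alert.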
Attackers can readily hack a password if it’s among the most common several thousand passwords, meaning the vast majority can be guessed with little work on the attacker’s part. And even if users think they’ve created a unique term, such as their street address or dog’s name with a few numbers sprinkled in, a simple search on social media often equips attackers with enough keywords to feed into their cracking algorithms.
So, what makes a secure password? Ultimately, it boils down to complexity – passwords get more secure as they become more complex, and there are two main ways to achieve this: entropy and length. The former is essentially a measure of the randomness of the characters (e.g. aaa111 vs. e9&1oA). The latter is exactly what it sounds like – the longer the password, the more difficult it is for man or machine to guess.
Recent reports have shown that it’s actually length that makes passwords stronger, as opposed to entropy. It takes a machine much longer to guess “itwasthebestoftimesitwastheworstoftimes” than “w0rStoFt!m3s,” even if the former is a much more recognisable phrase to a human. To be clear, we don’t recommend using passwords that are also the first lines of famous novels, but the point remains: every additional character increases the computational burden of a brute forcing algorithm.
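The length-versus-entropy point above, and the earlier point that a password on a common list is guessed without any search at all, can be put in numbers. The following is an added example (not code from the original article) that estimates the brute-force search space of a password from its length and the character classes it uses, then rejects anything on a known-bad list regardless of that estimate. The guess rate, the 60-bit threshold and the blocklist contents are assumptions chosen for illustration.

```python
"""Estimate a password's brute-force search space and reject known phrases.

Added example, not code from the original article. The guess rate, the
"weak" threshold and the blocklist entries are assumed illustrative values.
"""
import math
import string

# Character classes and the alphabet size each one adds to the search.
CLASS_SIZES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 printable ASCII symbols
)

# Constructed blocklist standing in for a real common-password / famous-quote list.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein",
    "itwasthebestoftimesitwastheworstoftimes",
}

ASSUMED_GUESSES_PER_SECOND = 1e10   # assumption: an offline cracking rig
WEAK_BELOW_BITS = 60                # assumption: policy threshold


def charset_size(password):
    """Alphabet size an attacker must search, inferred from the classes present."""
    size = sum(n for chars, n in CLASS_SIZES if any(c in chars for c in password))
    return max(size, 1)


def search_space_bits(password):
    """log2 of the number of strings of this length over the inferred alphabet.

    Each extra character adds log2(charset) bits, so length multiplies the
    exponent while extra character variety only nudges the per-character term.
    """
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every string in the search space at the assumed rate."""
    return 2 ** search_space_bits(password) / rate


def assess(password):
    """Return (verdict, bits).

    A blocklisted password is rejected before any estimate is made: a known
    phrase costs the attacker one dictionary lookup, not an exhaustive search,
    so its computed size is meaningless.
    """
    if password.lower() in BLOCKLIST:
        return "reject: known password or phrase", 0.0
    bits = search_space_bits(password)
    return ("weak" if bits < WEAK_BELOW_BITS else "ok"), bits


if __name__ == "__main__":
    for pw in ("aaa111", "e9&1oA", "w0rStoFt!m3s",
               "itwasthebestoftimesitwastheworstoftimes"):
        verdict, bits = assess(pw)
        print(f"{pw!r}: {verdict}, {bits:.1f} bits, "
              f"{seconds_to_exhaust(pw):.3g} s to exhaust at the assumed rate")
```

Running it shows the article’s two comparisons side by side: the six-character examples land around 31 and 39 bits, the 12-character “w0rStoFt!m3s” around 79 bits, while the 39-character lowercase phrase would score over 180 bits on length alone and is still rejected, because it is on the list. The estimate is an upper bound on attacker effort, not a guarantee; the blocklist is what keeps a memorable-but-famous phrase from being scored as strong.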
For users and security teams alike, making passwords longer is less cumbersome than making them more entropic. Below are a few ways to make passwords both longer and more memorable.
One of my favourite tricks is building passwords that make shapes on the keyboard (triangles, Xs, diagonals, trapezoids and more). An example could be something along the lines of “yguhijok”, which creates two side-by-side trapezoids when looking at your standard QWERTY keyboard.
Remembering a sequence of shapes is far easier than a bunch of random letters, symbols and numbers. For better or worse, this actually means that I don’t know my passwords. I recognise them by shape and feel, which makes them much harder to share (which is a good thing).
This is not an entirely new concept: this style of password creation attracted a good deal of interest when the first glide-type keyboard for smartphones went mainstream. However, it seems to have lost relevance over the past few years.
After a while, your password can be recognised simply by its sound. It might seem odd, but next time you’re typing your password, see if you can recognise the percussive pattern.
For anyone who’s musically inclined, or just likes music in general, this is a great tool for making a memorable password. Drum out a tune or create some “chords” on your keyboard. Play a little tune you remember from previous music lessons. If you’re feeling fancy, treat the shift key like the sustain pedal on a piano, allowing you to capitalise a few groups of letters here and there.
From Uptown Funk by Bruno Mars to the newest Bieber hit, take your pick and get “playing.”
Find a line from a book, movie or song that you love and can remember, ideally one that is not well known (looking at you again, “itwasthebestoftimesitwastheworstoftimes”), and use that as the foundation for a password. Add in some entropic elements, and you have yourself an extremely strong password.
It doesn’t have to be literary – in fact, it would probably be even stronger if it’s not. Quotes, even less well-known ones, can be found online and fed into cracking algorithms by an unusually dedicated attacker, although this is highly unlikely. To be extra safe, a quote from a home movie or something nonsensical your dad used to say makes a great option.
As sadistic as it sounds, creating passwords can be an enjoyable challenge. They can serve as tiny musical or literary puzzles that get the brain moving, even a little bit, whenever users log into computers or open an application. Additionally, in an age when privacy seems to be eroded by the day, passwords are one of the few things left in the digital age that are still purely personal.
So, why not have fun with them?
Diana Parks, Security Research Writer, ZeroFOX