Another year, another article in the media slamming the password habits of people. Evidently the advice of the past few decades hasn’t quite sunk in, with “123456” taking the award for the most obvious password for the 30th year in a row.
I’m sure we’ve all been guilty at some stage of using bad passwords. I remember being a young teenager, and inviting a friend over to my house in order to create a Hotmail account for MSN Messenger. “What do you want your password to be?” he asked. Being a child who possessed the three quintessential qualities of a teenager: naivety, stupidity and a general smart assary, I thought it would be hilarious to choose the password ihateyou. My reasoning was sound, “Well, if anyone hacks into it then they know I don’t like them”. Genius, really. Unsurprisingly, my Hotmail account was compromised a year later, and I lost my 2MB of e-mail space and my friends list of people who I saw at school every day.
Self-deprecating anecdotes aside, the largest reason for this blog post comes from a BBC article posted a couple of days ago.
It starts off with a fairly standard shock scoop of “The top 25 passwords people use based on 2 million compromised passwords has barely changed in decades. Stay tuned for next year to see the same thing happen again.” And that’s where the story usually ends. This time, however, there was something a little different about this article; they provided some advice on how to make a “good” password. It starts off brilliantly with “Pick something you know”. Great advice! People have terrible memories, which is why we’re in this password hell to begin with. In this example, they pick a song lyric from the Foo Fighters: “Give me the flammable life, I’m cold as a match”. Awesome choice. Great length, easy to remember, a mix of upper and lower case and special characters with all that’s ideally missing is a number. Based on this, it has an “alphabet” of 85 characters (26 lowercase, 26 uppercase and 33 possible special characters) and is 47 characters long! The search space (i.e., possible combinations) for this would be 4.87 x 1090 . Even if all the super computers in the world combined, it would take literally trillions upon trillions of years to guess it at one hundred trillion guesses per second. OK, so, we can stop there, right? We have the key to a great password that is 1) Easy to remember 2) Hard to guess.
No, we must carry on apparently. We’re advised we have to shorten it to GMTFLICAAM (the start of every word) and change some of the letters to symbols and numbers, so we then end up with 6mT411C@@M. Now, I don’t know about you, but is that easier to remember? Not only that, those guys with the hacks are smart enough to realise that people replace some letters with symbols or numbers… Replacing an “A” with a “@” is well known and will be checked by many password guessing tools. Worse still, and more importantly, our search space has been massively reduced to 6.05 x 1019 . Remember our “worse case” scenario of one hundred trillion guesses a second? It’ll take them 1 week to crack it.
Essentially, on the advice of the article, we’ve gone from an easy to remember and hard to guess password, to a hard to remember and easy to guess one. This is why passwords like “123456” are still common, the advice given to people is too complicated and it doesn’t benefit them in the slightest.
Gibson, S. (2012). How Big is Your Haystack?. Available: https://www.grc.com/haystack.htm. Last accessed 20th January 2016
About the author
Joseph Williams is a University Instructor within the section of Computing, Digital Forensics and Cybersecurity