
Tuesday 16 April 2013

My musings on the 'perfect' password. #security #passwords

A quick search on the internet for "password security" and a few clicks will get you the following conflicting advice...
Helpful website 1: “Think of a song title or memorable phrase, take the first letter of each word and combine that with the first three letters of the website. For instance ‘I want you back’ becomes ‘iwyb’, you’re logging into GMail, so add ‘gma’ and you’ve got ‘iwybgma’. Perfect.”
Helpful website 2: “Never use a song title or memorable phrase, first lettered or not in your password. There are password crackers that can detect this.”
Helpful website 1: “Ok, well replace letters with symbols or numbers, for instance @ for a, 3 for E, etc. so you can’t tell. ‘1wybgm@’ Wow, look at that! Best password ever, eh?”
Helpful website 2: “Symbol replacement is useless nowadays as those same password crackers will take this into account.” 
Helpful website 1: “Ah ha! Well, instead of typing those keys, type one key to the right instead. So now it’s... hang on... I can get this... ‘2eunh,£’ is that right? I think so, yeah. Beat that!”
Helpful website 2: “Shifting keys up, down, left or right, can totally be accounted for too. Also, looks like you’re starting to forget how to translate that password. How many different logins do you have again?”
I'm sure you'll agree, this is pretty unhelpful. So I decided to break down my advice into the two facts I know to be correct...

  1. The best password for you is the one you’ll remember
  2. The only secure password is the one you don’t even know

These facts aren't mutually exclusive; in fact they are complementary and easy to implement. Let’s take a look at them one at a time.

1. The best password for you is the one you’ll remember

I’m certain at this point that we’ve all seen the following XKCD webcomic...



And it’s undeniable: a phrase of unrelated words has more entropy, even when it is made up of common dictionary words. Allow me to demonstrate; according to howsecureismypassword.net our seemingly secure password from earlier ‘2eunh,£’ would take a mere 9 days to crack. Whereas a four unrelated word phrase ‘weird winter mass publicity’ would take 3 octillion years to crack by brute force, and is far more memorable.
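To put numbers on why the "first letters plus leet plus key shift" trick loses to four random words, here is an added example (mine, not code from the post and not what howsecureismypassword.net runs). It measures a password by the size of the space an attacker actually has to search, which for a derived password is (number of plausible base phrases) times (number of rewrites the cracker tries). The figures it assumes are constructed: 95 printable ASCII characters, a 7776-word Diceware-style list, roughly 10,000 well-known song titles, 50 leet/key-shift rewrites, and an offline cracking rate of 10 billion guesses per second, so its crack-time estimates will not match the site's.

```python
import math

# Constructed assumptions for the illustration (not figures from the post):
# - 95 printable ASCII characters for a "random character" password
# - a 7776-word Diceware-style list for a passphrase
# - an attacker guessing 10 billion hashes per second (fast offline cracking)
PRINTABLE_ASCII = 95
DICEWARE_WORDS = 7776
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols chosen uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def derived_password_bits(base_choices: int, transforms: int) -> float:
    """Effective entropy of a password the attacker can model as
    (one of `base_choices` base phrases) x (one of `transforms` rewrites).
    Leet substitution or key shifting only multiplies the search space by
    the number of rewrites the cracker enumerates, not by the alphabet size."""
    return math.log2(base_choices * transforms)


def expected_crack_years(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average the attacker searches half the keyspace."""
    guesses = (2.0 ** bits) / 2.0
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def compare_schemes() -> dict:
    """The schemes discussed in the post, measured as the attacker sees them."""
    return {
        # 'iwybgma' -> '2eunh,£' style: first letters of one of ~10,000 well-known
        # song titles (assumed) plus a predictable 3-letter site tag, with up to
        # 50 leet / key-shift rewrites (assumed) that the cracker simply tries.
        "song-title trick (attacker-modelled)": derived_password_bits(10_000, 50),
        # the same 7 characters if they had instead been chosen uniformly at random
        "7 random printable characters": entropy_bits(PRINTABLE_ASCII, 7),
        # four words drawn uniformly from a Diceware-style list
        "4 random Diceware words": entropy_bits(DICEWARE_WORDS, 4),
        # a 20-character password generated by a password manager
        "20 random printable characters": entropy_bits(PRINTABLE_ASCII, 20),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:40s} {bits:6.1f} bits  ~{expected_crack_years(bits):.3g} years")
```

The point the numbers make is the one the post makes: the substitution and key-shift steps add a few bits at most (the cracker just tries each rewrite), while every extra random word adds the full log2 of the dictionary size.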

But you don’t want to have to remember a random four word phrase for every password you use, and didn’t I say that...

2. The only secure password is the one you don’t even know

Password managers are a godsend. I personally use 1Password, but I’ve heard great things about LastPass and KeePass too. With a few clicks I can generate the following password, ‘78/e^6HY2B+}V3nCEt&n’, for 2 nonillion years of brute force protection, save it in an encrypted file store, have it automatically submitted next time I browse to the associated web page, and even sync these details securely across my devices. And all without having to remember a thing, other than the one master password that decrypts the rest of my unknown saved passwords in the file store. That’s where we loop back to point one (I told you they were complementary, didn’t I?): a simple to remember, four unrelated word passphrase.

TL;DR

No, the perfect password doesn’t exist. But we can get pretty close by:

1. Installing a password manager
2. Making the master password a four unrelated word passphrase
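The two-step recipe above, as an added example of my own (not code from the post, nor from 1Password, LastPass or KeePass): a manager-style random password and a four-word master passphrase, both drawn with Python's `secrets` module, which reads from the operating system's cryptographic random source. The 32-word list is constructed so the example runs offline; a real Diceware list has 7776 words, which is why a real four-word passphrase is worth about 52 bits rather than the 20 bits this toy list gives.

```python
import math
import secrets
import string

# Constructed 32-word sample list so the example runs offline. A real Diceware
# list has 7776 words (~12.9 bits per word instead of the 5 bits per word here).
WORDLIST = [
    "weird", "winter", "mass", "publicity", "anchor", "basket", "copper", "daisy",
    "engine", "fabric", "garden", "harbor", "island", "jacket", "kettle", "lantern",
    "marble", "needle", "orbit", "pepper", "quartz", "river", "saddle", "timber",
    "umbrella", "velvet", "walnut", "yogurt", "zipper", "canyon", "meadow", "pillow",
]
# 52 letters + 10 digits + 32 punctuation characters = 94 symbols
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, count: int) -> float:
    """Bits of entropy in `count` symbols chosen uniformly from `choices` options."""
    return count * math.log2(choices)


def generate_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Manager-style random password. `secrets.choice` uses the OS CSPRNG;
    the `random` module is deterministic once seeded and is not suitable here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 4, wordlist=WORDLIST, separator: str = " ") -> str:
    """Master-password style passphrase: `words` words drawn uniformly (with
    replacement) from the list. The separator adds no entropy; the words do."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def password_entropy(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> float:
    """Entropy of generate_password() output for the given length and alphabet."""
    return entropy_bits(len(alphabet), length)


def passphrase_entropy(words: int = 4, wordlist=WORDLIST) -> float:
    """Entropy of generate_passphrase() output for the given word count and list."""
    return entropy_bits(len(wordlist), words)


if __name__ == "__main__":
    print("site password :", generate_password(), f"({password_entropy():.1f} bits)")
    print("master phrase :", generate_passphrase(), f"({passphrase_entropy():.1f} bits)")
```

Only the master passphrase ever needs to be memorised; the site password goes straight into the manager's encrypted store, exactly as the post describes.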

And finally, let us not forget that no matter how entropic our passwords are, this will always be true…


