Passwords - We all have them, but are they any good? anonymous

This article was originally published in September 2012 - and is still relevant in September 2015

Any self respecting hacker will pride themselves on being able to crack a "normal" password in a very short time.

So what would a hacker be looking for to crack a password, and how long would it take?

Unfortunately we use passwords that are readily guessed (or found); people use things such as their mother's maiden name, pet names, their own names, "abcde", "12345", "password", "mum", "jean", "rufus", "dockers", or even their own email address. Genealogists and family historians are no different.

To clarify: passwords are cracked, and machines are hacked. Some 80% of the information stored on computers worldwide is in English, and passwords are also in English (this is changing). There are approx. 290,000 word entries in the Oxford English Dictionary (with some 616,500 word forms); the average English speaker knows about 20,000 words and will use about 2,000 in speech in a week.

Assuming an English dictionary word, and say your cracking software can attempt 100 words a second: using the 290,000 dictionary words, it will take approx. 2,900 seconds to find a common password, about 48 minutes; less than an hour to work out the login to an online account, or the password on your PC.

Thankfully (most) online accounts have encryption on the passwords, but if the words are plain English, or the hacker has the encryption hashes, it still takes only a relatively short time to crack a simple password.

So the theory goes that we should therefore not use a dictionary word; using random letters would be safer, but still not all that secure. Say we use a 5 letter password of random letters, i.e. 26 characters in the alphabet, with 26 possibilities for each of the 5 letters: say "marys" = 26*26*26*26*26 = 11,881,376 combinations = 33 hours to crack with software making our 100 attempts per second.

How about using upper and lower case plus numeric characters: 62 keyboard characters. So our five character password "Mar6S" is now a bit tougher to crack, but will still be done in 106 days at the same rate of 100 attempts per second.

What if we also use the special characters available on the keyboard, i.e. the &*%$# etc. characters? We now have 93 characters to choose from, and our 5 character password "M*a6<" has 6.95 billion combinations, cracked in 805 days (2.2 years) at our 100 attempts per second. Not too bad, you might say.

Well, not really. The reality is that a modern desktop PC is capable of approx. 4 billion calculations per second, and with up to date cracking software to match, at that rate our 5 character passwords would at best take seconds to crack: "marys" = 0.00297 seconds, "Mar6S" = 0.2290 seconds, "M*a6<" = 2.0 seconds.

Increasing the number of random characters and character sets in your password will extend the protection by a factor of whatever character set you are using, e.g. just alpha characters = a factor of 26 for each additional character; or a factor of 93 for all keyboard characters, and more again if using the "alt" characters, e.g. " *&%$#@ " etc.

Is this good enough?

Well yes, probably, but a hard to crack 7 or 8 digit random character password is damned hard to remember: "6@#a&$" or "oeL*5)m_wz%" are both a nightmare to remember and to replicate each time you need to use them, and when you have to have multiple passwords the pain multiplies. They are still relatively insecure, too: a crack for these two takes about 20 days.

How about increasing the characters to, say, 16 random characters: "PL_56@*SG^DayXMt" is pretty secure at about 12 trillion years to crack, but a potential nightmare to remember and use.

What to do?

We can use password management or password storage software, and store them in there. They are generally pretty safe, and the passwords are encrypted, but if the password to get into the safe is cracked, well....

As mentioned, English speakers use some 2,000 words each week, so if we string some of those together in a random fashion, we have a reasonable chance of remembering them, and a robust password to boot.

For example - "doctorshoppingbeachmaniac" - has 4 common words, and 25 alpha characters - much easier to remember.

Still dictionary words, but to crack we are now looking at 2000*2000*2000*2000 words, or 26^25 letter combinations (albeit not random), and would theoretically take a quintillion years to crack. Good enough for now.

If you want to go further, throw in a couple of other random characters: using 2 capitals and inserting 2 extraneous characters plus 2 numbers, not individually isolating the words but splitting things up a bit, we might have "doc*4torShoppingbea#7chmaniaC", nigh on impossible to crack, and still pretty easy to remember.

So, where there is sufficient space in the password box, use multi-word passwords, where there isn't, use a good random combination of all character sets and the max characters available.

So are you a doctor shopping beach maniac - or still in the " Name4 " or " *%$# " herd?

Last words:

  • Don't tell your browser to remember the login and password for any site
  • Don't use the same password for more than one place or website
  • Don't keep it on a piece of paper on your desk
  • Don't share your password/s with anyone
  • Don't give it to anyone over the phone
  • Don't keep them all in one place
  • DO keep your passwords secure - encrypted is better than unencrypted
  • DO change your passwords regularly


This article draws on information from these sources and references, among others:

(1) Number of Words in the English Language: hypertextbook.com

(2) Article by Ben Everard in the Feb 2012 edition (154) of Linux Format magazine, which draws on a proposal by

(3) Randall Munroe on multiword password strength

(4) Article by Sarah Granger, 2002: The Simplest Security: A Guide to Better Password Practices

(5) Check your password at: howsecureismypassword.net