This post will give you a fundamental understanding of why your password is a big deal, the current problem, and a way forward.
TL;DR (Too Long, Didn’t Read):
- Reusing passwords = bad.
- P@$sw0rds L!k£ tH!$ = bad.
- Passwords like Crocodile eating my ice-cream! = Good-er.
Understanding
A password is simply a form of authentication. It’s meant to prove that you are who you say you are. Surely, you’re the only one in the world who knows that password - so if it’s typed in, it MUST be you, right? Let’s take a journey through your digital life:
You want an email address. So you head over to Gmail, and create an account.
username: hikingfan@gmail.com
password: Super$e¢ure1303
Wow, good thinking; you substituted letters with symbols. Surely, that is super secure…
Fast forward a bit. You’re setting up accounts for Zoom, Amazon, and more. You need to register to continue. All they want is your email and a password. Let’s get this over with:
username: hikingfan@gmail.com
password: Super$e¢ure1303
7 weeks go by; you yearn for the Nimbus BackScratch 3000. Diamond tipped auto-scratching mechanism. And it toasts bread! You need a higher paying job. So you register on numerous job sites using that super $e¢ure secret p@s$wOrd. It’s just a job site anyway.
username: hikingfan@gmail.com
password: Super$e¢ure1303
1 year, 3 months and 5 days have passed. You are now in your dream job. Good on you! While perusing the news during your lunch break, you notice this:
Wait a minute! That’s the job portal that your company used. The advice is for all users to change their passwords. So you do.
username: hikingfan@gmail.com
password: WiLLiAM@0417
Awww, you soft-hearted, proud parent! Baby William was born in April 2017 indeed! This password is secure, and much easier to remember…right?
What about all those other sites that use the same username and password? Eh, this was one site. You’ll be OK.
A few months later, you see this:
The problem staring at us
We reuse the same passwords on multiple websites. The same username and password for a very secure site like Google, a job portal, social media, online shopping, and a site that hosts funny cat videos. If even 1 of these gets hacked, assume that all your other accounts are compromised.
When you use the Forgot Password option on any website, where does the password reset link go? That’s right - your email address. If your email account gets hacked, the attacker could reset every other account connected to that email address, just by clicking Forgot Password.
Why do we use P@$swords liK£ Thi$?
This popular xkcd comic illustrates a crucial point about password strength. It might seem counterintuitive, but here’s why a passphrase like “correct horse battery staple” is more secure:
- Length matters more than complexity: Longer passwords take exponentially longer to crack, even if they’re just lowercase letters.
- Entropy: The randomness of the words increases the number of possible combinations.
- Memorability: You’re more likely to remember a funny phrase than a jumble of characters, reducing the temptation to reuse passwords.
Yet we often see password requirements like these, from a major authentication provider:
- Passwords that are 13 characters or longer only require lower case letters.
- Passwords must contain at least 8 characters.
- Passwords between 8 and 13 characters require at least 3 of the following 4 categories of characters:
  - Uppercase letters.
  - Lowercase letters.
  - Numbers.
  - Symbols.
- Your new password can’t be one of the last 24 passwords you have used.
- Passwords must not contain your username or any part of your name.
- All passwords are checked against a database of over 1 billion stolen passwords. If you try to use a password that is found in this database, it will be rejected.
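Here is what that policy looks like when written down as code. This is an added example for this post, not the provider’s own implementation: the stolen-password set is a tiny constructed stand-in for the real database, and reading “between 8 and 13 characters” as 8 to 12 (with 13 or longer falling under the lowercase-only rule) is my assumption.

```python
from __future__ import annotations

import re

# Constructed stand-in for the provider's "database of over 1 billion stolen
# passwords". A real deployment would query a breach corpus, not this set.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}

# The four character categories the policy counts.
CATEGORY_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def categories_present(password: str) -> set[str]:
    """Return the names of the character categories that appear in the password."""
    return {name for name, pat in CATEGORY_PATTERNS.items() if pat.search(password)}


def check_password(password: str, username: str, full_name: str,
                   history: list[str], breached: set[str] = BREACHED_PASSWORDS) -> list[str]:
    """Evaluate a candidate password against the policy and return the list of
    violated rules; an empty list means the password is accepted."""
    problems: list[str] = []

    if len(password) < 8:
        problems.append("must contain at least 8 characters")
    # 8 to 12 characters: at least 3 of the 4 categories. 13 or longer: lowercase
    # alone is enough, so no category check (assumed reading of the "13 or longer" rule).
    elif len(password) < 13 and len(categories_present(password)) < 3:
        problems.append("8-12 characters need at least 3 of the 4 character categories")

    if password in history[-24:]:
        problems.append("cannot be one of your last 24 passwords")

    # "Must not contain your username or any part of your name": compared
    # case-insensitively against the username's local part and each name word.
    lowered = password.lower()
    for part in [username.split("@")[0], *full_name.split()]:
        if part and part.lower() in lowered:
            problems.append(f"contains part of your name or username ({part!r})")

    if password in breached:
        problems.append("appears in the stolen-password database")

    return problems


if __name__ == "__main__":
    for candidate in ["WiLLiAM@0417", "Crocodile eating my ice-cream!", "crocodile", "password"]:
        print(f"{candidate!r}: {check_password(candidate, 'hikingfan@gmail.com', 'Jane Doe', []) or 'accepted'}")
```

Notice what the rules actually reward: WiLLiAM@0417 sails through because it ticks all four category boxes, and Crocodile eating my ice-cream! is accepted purely on length. A lowercase single word like crocodile is the only one of the memorable options the checker turns away.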
These requirements, while well-intentioned, often lead us to create passwords that are hard for humans to remember but relatively easy for computers to crack. When we see this, we might think something like WiLLiAM@0417 is secure. But your brain pays a heavy tax to remember that password. Additionally, even in 2012, it wouldn’t have taken that long to crack it with good ol’ fashioned brute force.
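To put numbers on both the “length matters more than complexity” point and the brute-force claim just above, here is an added estimator; it is not from the original post or from the xkcd comic. The guess rate of 10^9 per second, the 32-symbol alphabet, the list of 10,000 first names, and the month-plus-two-digit-year date format are all assumptions chosen for illustration.

```python
from __future__ import annotations

import math
import string

# Alphabet sizes per character class (assumption: the 32 ASCII punctuation
# characters in string.punctuation stand in for "symbols").
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_bits(password: str) -> float:
    """Bits an attacker must search if they know only the length and which
    character classes are used. This is the view the complexity rules assume."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        alphabet += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        alphabet += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        alphabet += CLASS_SIZES["symbol"]
    return len(password) * math.log2(alphabet)


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of words drawn uniformly at random from a public wordlist; the
    attacker is assumed to know the list and the word count (the xkcd view)."""
    return num_words * math.log2(wordlist_size)


def name_date_pattern_bits(name: str, first_names: int = 10_000,
                           separators: int = 32, date_forms: int = 12 * 100) -> float:
    """Search space for the pattern <Name><symbol><MMYY> against an attacker who
    tries every upper/lower-case variant of each name in an assumed list of 10,000
    first names, every symbol separator and every month/two-digit-year pair."""
    case_variants = 2 ** len(name)  # each letter may be upper or lower case
    return math.log2(first_names * case_variants * separators * date_forms)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole search space at a given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(rate: float = 1e9) -> dict[str, float]:
    """Years to exhaust each estimate at `rate` guesses/s (1e9 is an assumed
    offline-cracking rate against a fast, unsalted hash)."""
    return {
        "WiLLiAM@0417 as seen by the policy": years_to_exhaust(brute_force_bits("WiLLiAM@0417"), rate),
        "WiLLiAM@0417 as a name+date pattern": years_to_exhaust(name_date_pattern_bits("William"), rate),
        "4 random words from 2048 (xkcd)": years_to_exhaust(passphrase_bits(4, 2048), rate),
        "5 random words from 7776 (diceware)": years_to_exhaust(passphrase_bits(5, 7776), rate),
    }


if __name__ == "__main__":
    for label, years in compare().items():
        print(f"{label:40s} {years:>14.2e} years")
```

The gap between the first two lines is the whole story: counted the way the policy counts, WiLLiAM@0417 is a 78-bit password; counted the way a cracker actually guesses (a common first name, a separator, a date), it is closer to 35 bits and falls in under a minute at the assumed rate. The passphrase estimator only applies to words drawn at random from a list, so it says nothing about a hand-made sentence like Crocodile eating my ice-cream!, which is why the xkcd example uses random words.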
Next Steps
Switch to an easier-to-remember “passphrase” on an important account - maybe your main email.
Think of something easy to remember - random words, or a nonsensical sentence.
- Random words: Silly-dance kangaroo party
- What you saw last weekend: Crocodile eating my ice-cream.
- Something that happened to you: I fell up the stairs.
Invest 5 minutes more, and secure your email or social media account with an easy-to-remember passphrase. Don’t worry too much about the strength for now. Crocodile eating my ice-cream! is unbelievably more secure than WiLLiAM@0417.
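For the first of those three options, “random words”, the trustworthy way to pick them is to let the operating system’s random generator do it rather than your own head. This is an added example, not part of the original post; the demo wordlist is constructed and far too small for real use (a published list of several thousand words is the norm), which the entropy report makes visible.

```python
from __future__ import annotations

import math
import secrets

# Constructed demo wordlist. For real use, substitute a published list of several
# thousand words; the entropy report below shows why 16 words is not enough.
DEMO_WORDS = ["crocodile", "kangaroo", "silly", "dance", "party", "staircase",
              "ice", "cream", "nimbus", "toast", "diamond", "backscratch",
              "correct", "horse", "battery", "staple"]


def generate_passphrase(num_words: int = 4, wordlist: list[str] | None = None,
                        separator: str = " ") -> str:
    """Draw num_words uniformly at random from the wordlist, with replacement.

    secrets.choice uses the OS CSPRNG; random.choice is seeded from a small state
    and is predictable, which is why it must not be used for this."""
    words = wordlist if wordlist is not None else DEMO_WORDS
    return separator.join(secrets.choice(words) for _ in range(num_words))


def entropy_bits(num_words: int, wordlist: list[str] | None = None) -> float:
    """Entropy of the result, assuming the attacker knows the list and the count."""
    words = wordlist if wordlist is not None else DEMO_WORDS
    return num_words * math.log2(len(words))


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print(f"{phrase!r}: {entropy_bits(4):.1f} bits from a {len(DEMO_WORDS)}-word list")
```

Four draws from the 16-word demo list give only 16 bits, so it exists to show the mechanics, not to be used. The other two options in the list above, a memory or a nonsensical sentence, come from you and are not something a generator produces.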
I hope this gave you a better understanding of why your password is so important, and an immediate next step.