There are many ways to make good passwords.
How do you make a password that barely protects you at all?
1) Use something really identifying
Using a password like “dadof4” or “kayaking” when you regularly tell people that you have four kids or that you kayak is a good way to let your acquaintances know that you might be easy to Facebook-hack. The same goes for any interest, really! If your password is a political slogan or something to do with something you own and regularly post about – like a classic car, or #vanlife – you’re in for a bad time.
2) Use a Sequence
This goes beyond something like “12345” or “2468”. Don’t try the Fibonacci sequence, don’t try whatever the DaVinci Code had going on with that codex thing – don’t try pop-math as a password. Most brute-forcing AI is designed to try these numbers first. Trying a single instance of an eight character password in a dictionary attack takes less than a tenth of a millisecond on a reasonably powerful home-desktop computer, of course a cyber-criminal is going to put all the memorable sequences at the front of the queue.
3) Use Pop Culture
In fact, stay away from pop password references in general. Ramses2? Someone who knows you like Watchmen could guess this. EequalsMCSquared? If your buddies know you like Big Bang Theory, the password’s not good enough. There are plenty of nonsensical pop-culture references that make good passwords – so you don’t need to be using the passwords that are super obviously passwords, the passwords the characters use in the show. Just stick to the sayings or catchphrases that are somewhat obscure, and make sure it’s A) long enough and B) mixes in enough special characters to thwart brute-force AI. Don’t let your hint (if the website lets you set one) become a trivia game.
4) Make it too short
Most websites won’t even let you get away with anything less than eight characters, but in case you find a really ancient one that doesn’t have these requirements, a surefire way to get yourself in trouble is to make your password very, very short. I’m linking a better description that goes over the equation in more detail here.
The equation they use assumes it will take 0.0017 milliseconds to compute a hash, or (1.7*10^-6) seconds. Multiply that by the available character libraries: 26 (all lower- or all upper-case only), 52 (upper and lower cases), 62 (upper and lower cases and also numbers), or 80 (all of the above + special characters allowed in the password field). You multiply the character library by the number of characters in the password, and then divide all of that by two. For an eight character password written with upper and lower case libraries, the equation is this: ((1.7*10^-6)*52^8)/2 (seconds).
This is the time it takes to compute one hash multiplied by the number of characters that could be in any one spot, times the number of spots, on a regular computer. Botnets and super computers, which hackers may have access to if they’re well-funded, take a thousandth of that time. When it’s very crucial to keep bad actors out, limiting login attempts and 2FA can help hold back even the most powerful of computers – but most people aren’t going to be targeted by someone with a botnet.
Basically, what you should glean from this is that a ten-character password using all available character libraries (26 upper case plus 26 lower case plus numbers 0-9 plus special characters) takes about three years to crack on a bot-net or a supercomputer and may as well be impossible on a single desktop.
An eight-character password with the same libraries takes approximately 4 years on a desktop, minutes on that botnet/supercomputer. Still powerful, not as powerful as a ten-digit one though. An eight-character password with only lowercase or only uppercase (26 total possible characters) will take two days on a desktop, seconds on the botnet.
A four-character password with all the full character libraries takes 34 seconds on a desktop, using the equation provided. On the botnet, it’s broken in less than a blink. The number is even worse if you’re sticking to upper or lowercase letters only. If you want a bad password, shorter ones are the best way to make problems for yourself! Vice versa, the longer a password is, the harder it is to crack. Every character adds exponential amounts of time to the botnet’s attempts.
5) Make it a Sequence with numbers
Using “Password – Password1 – Password2…” can turn into a security problem, even though an AI might not be able to guess what you’re doing right off the bat. Using “ILovePuppies2” should, in theory, not be any less secure than “ILovePuppies1” or “ILovePuppies3”. Mathematically, they’re the same number of guessable characters to an AI. However, if your coworkers know that you use a base password with numbers behind it, they could brute force your account with knowledge the AI doesn’t have, and get in.
6) Use special characters in places you won’t remember them.
Doing the bare minimum eight to ten characters with an @ or a & sign thrown in there makes you more secure. However, it also makes the password more difficult to remember. If you were online in the 2000s, you might remember LeetSpeek, wh353 3W3 T&P3 L1%3 7H12. It was awful. Entire paragraphs were unreadable because the writers didn’t have solid rules for letter replacement, and would mix in homophones for words just to up the difficulty even more.
If you don’t remember your own rules for replacement (is 2 an S, or a Z? Do you always use % for K, or can it sometimes also be X? etc.) when writing a LeetSpeek password, you’re just making an easy-to-forget password with more steps. The same goes for using special characters in general – if you know you’re not going to remember replacing A with @ or 4, you’re going to give yourself a lot of trouble by trying to force these special characters in when you could use others, like punctuation characters, in easier-to-remember spots.
LeetSpeek makes great passwords – if you’re used to it, and if you know that your word or phrase will always come out with the same replacements. If SPEAKFRIEND is always 5P34KFR!3ND and never SP34%5R13|\|D, you’ve got a good code going on. Otherwise, you may as well be keysmashing.
7) Keysmashing
Don’t do this unless you have a password manager. You’re not going to remember the keys you hit. Your browser might, but then what do you do when you’re not on your native browser? You’re stuck resetting the password. Don’t keysmash. Just…don’t. It’s a bad way to make passwords. If you’re truly obsessed with randomness in your password, a solid password manager is a great way to make sure you a) always have your password with you and b) always pick a password with peak randomness. After all, keysmashing usually makes all the characters lowercase and keeps special characters out – it’s not actually fully randomized.
8) Make it something you won’t remember at all
Having to regularly reset your password is definitely annoying – and it can lead to security gaps when users get fed up with having to hit the reset password link, go to their email, hit that link, go back to the website, pick a new password, type it in twice, wait for the two-factor authentication message to come in, yada yada. CIS recommends no more than once a year because this is so common. The frustration of having to do this song and dance every couple of weeks can lead users to write their password down – which is significantly worse than just leaving the old, strong password that they remember as it is. Regularly resetting passwords won’t improve the security of the system if the user got it right the first time, and there’s solid 2FA in place – even the FTC agrees!
9) Use a master password for everything
It’s good to have a strong password. It is not good to use that same strong password everywhere! Let’s say you subscribe to an online game website. The game website is free, and the account is purely for age verification, so there’s no payment details. Only your email and password. (This applies to online forums, too!) They don’t invest in top-notch security because there’s no real reason to, no payment details, no SSNs stored somewhere, so a hack wouldn’t destroy their users – it would just be annoying to lose save progress for games. Unless…
Unless those users use a master password that’s tied to their email for every account they have. And if a hack were to get both off some little website that doesn’t even store payment data, like they frequently do, suddenly a hacker has access to everywhere you’ve used that master password. They’ll try everywhere. Every bank, every shipping company, every streaming service. That’s why the gaming website is even a target in the first place. It’s tempting – don’t do it.
10) Don’t use Two-Factor
If you really want an unpleasant online experience, don’t use two-factor anywhere. That way, even good passwords can act like bad passwords! Consider bullet number 4 here to imagine the power of a very determined hacker. Ultimately, if something’s really, really determined – it will spend all the resources it can to get in. Using two-factor can only help you! An eight-character password with no attempt limit is not nearly as much protection as it used to be, so Two-factor is essential unless you’re looking to have a bad time.
Sources: https://thycotic.force.com/support/s/article/Calculating-Password-Complexity
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
