Password Insights

As you all know, I believe a good password safe is essential and recommend KeePass. However, some passwords must be typed, for example, your password to get into your computer or password safe. So, you have to have some passwords that you can remember, but that will be difficult or impossible to crack.

The goal of any password you use is to make it unlike any other password that anyone else has ever used. You must let your weird loose. This is easier for some of us than for others. Over time millions of passwords have been analyzed and systems setup to guess passwords using dictionaries, and systems that are used by other people. For example, one system is to use a name (like mike) followed by two to four numerals. For example, mike3822.

Your job in creating a password is to make sure none of the hundreds of systems a hacker might try will work for your password. That will force the hacker to just try every combination. This is called the "brute force" method. If your password is sufficiently long and complex and you force the hacker to brute force it, then your password will be completely safe and invulnerable, assuming the people storing it stored it properly. Currently, just 13 characters are effectively uncrackable by brute force if you use upper and lower case, numerals and symbols. Without the symbols, you'll need at least 15 characters. However, please make your passwords significantly longer, because you probably want it to be safe in 5 or 10 years and the hackers are getting better and cracking computers faster.

So, by examining what patterns exist, we can determine what to avoid.

Patterns to avoid:

Length

Most passwords are less than 17 characters. Making your password at least 17 characters puts you way ahead of the game.

Character types

90% of passwords use only lower case letters and numerals.
Upper case letters appear in less than 1% of passwords
Both upper and lower case letters are 107 times less likely than all lower case.
All four character types (uppercase, lower case, numerals and symbols) are very rare.

Base plus is a common strategy

Having a base word and adding symbols or numerals after it is a very common strategy. Avoid it.
Having a base made up of a common keyboard group (like qwer) is also common. Avoid that too. So do not use a series of connected keys on your keyboard.
Love is a common base (1.4% of women and 0.7% of men), particularly if you were born in the 1980s or 1990s.
Names are often used as a base, as are animals, fruits, colors, superheroes and months or days.

Character Order

Normally the upper case letter is the first one. Put an upper case letter somewhere else.
When mixing character types almost everyone puts the numerals or special symbols after the words. Noodle* is 215 times more common than *Noodle. People commonly follow words with symbols and or numerals. Put your symbols inside the word.
It is very common to add a 1 at the end of a password. It is also common to put any 1 or 2 numerals at the end. Oddly enough, adding 12 is more common than adding 4.

Exchanges no longer work

Simple letter numeral exchanges (often called leetspeak) no longer work, so h3lp, h31p, and he1p will all be checked against the dictionary word help.

My recommendation is to have a clause and another word or two with a series of numerals and symbols inside the phrases. If you know two languages, use them. Also, intentionally misspelling a word in a way you will recognize can be useful. So something like avalanchesHurt999///Viveka should work pretty well. I like to increase length by repeating numerals and symbols a few times. Viveka is Sanskrit and has meaning for me and I suspect if an avalanche fell on me it would hurt. It is 26 characters long, but not really not that hard to type or remember. I've never seen or heard of the words Avalanches, Hurt, and Viveka being associated with each other.

And, of course, do not re-use any password in multiple locations.

Reference:

Github article (analysis of 32 million passwords)
WPengine analysis of 10 million passwords

Date: September 2017

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe Search All Articles Browse by Category Security Internet Mobile Business Hardware Fun		Password Insights As you all know, I believe a good password safe is essential and recommend KeePass. However, some passwords must be typed, for example, your password to get into your computer or password safe. So, you have to have some passwords that you can remember, but that will be difficult or impossible to crack. The goal of any password you use is to make it unlike any other password that anyone else has ever used. You must let your weird loose. This is easier for some of us than for others. Over time millions of passwords have been analyzed and systems setup to guess passwords using dictionaries, and systems that are used by other people. For example, one system is to use a name (like mike) followed by two to four numerals. For example, mike3822. Your job in creating a password is to make sure none of the hundreds of systems a hacker might try will work for your password. That will force the hacker to just try every combination. This is called the "brute force" method. If your password is sufficiently long and complex and you force the hacker to brute force it, then your password will be completely safe and invulnerable, assuming the people storing it stored it properly. Currently, just 13 characters are effectively uncrackable by brute force if you use upper and lower case, numerals and symbols. Without the symbols, you'll need at least 15 characters. However, please make your passwords significantly longer, because you probably want it to be safe in 5 or 10 years and the hackers are getting better and cracking computers faster. So, by examining what patterns exist, we can determine what to avoid. Patterns to avoid: Length Most passwords are less than 17 characters. Making your password at least 17 characters puts you way ahead of the game. Character types 90% of passwords use only lower case letters and numerals. Upper case letters appear in less than 1% of passwords Both upper and lower case letters are 107 times less likely than all lower case. All four character types (uppercase, lower case, numerals and symbols) are very rare. Base plus is a common strategy Having a base word and adding symbols or numerals after it is a very common strategy. Avoid it. Having a base made up of a common keyboard group (like qwer) is also common. Avoid that too. So do not use a series of connected keys on your keyboard. Love is a common base (1.4% of women and 0.7% of men), particularly if you were born in the 1980s or 1990s. Names are often used as a base, as are animals, fruits, colors, superheroes and months or days. Character Order Normally the upper case letter is the first one. Put an upper case letter somewhere else. When mixing character types almost everyone puts the numerals or special symbols after the words. Noodle* is 215 times more common than *Noodle. People commonly follow words with symbols and or numerals. Put your symbols inside the word. It is very common to add a 1 at the end of a password. It is also common to put any 1 or 2 numerals at the end. Oddly enough, adding 12 is more common than adding 4. Exchanges no longer work Simple letter numeral exchanges (often called leetspeak) no longer work, so h3lp, h31p, and he1p will all be checked against the dictionary word help. My recommendation is to have a clause and another word or two with a series of numerals and symbols inside the phrases. If you know two languages, use them. Also, intentionally misspelling a word in a way you will recognize can be useful. So something like avalanchesHurt999///Viveka should work pretty well. I like to increase length by repeating numerals and symbols a few times. Viveka is Sanskrit and has meaning for me and I suspect if an avalanche fell on me it would hurt. It is 26 characters long, but not really not that hard to type or remember. I've never seen or heard of the words Avalanches, Hurt, and Viveka being associated with each other. And, of course, do not re-use any password in multiple locations. Reference: Github article (analysis of 32 million passwords) WPengine analysis of 10 million passwords Date: September 2017 This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
		I attempt to provide reliable information, but make no warranty as to the accuracy or safety of these articles. I disclaim all legal responsibility for what following these instructions may do. Follow my advice at your own risk