I Hate Passwords

123456I honestly hate passwords. It seems like every site that I register with has some slightly different rules for what constitutes an acceptable password. Having different passwords drives me crazy because my brain can remember things like phone numbers, but passwords seem to elude my memory.

And now I have been reading that the rules on the various sites having to do with password safety are largely in vain anyway since it’s now pretty easy to crack the kinds of passwords that most sites require you to create. I suspect that these sites all know this, but they put you through the effort to come up with an acceptable password to give you a false sense of security.

We all know what good passwords are supposed to be. They must be eight or more characters, with a mix of upper and lower case letters, numbers, and symbols. They should not include any word used in a dictionary including silly substitutions like using ‘!’ instead of the letter L. And you are not supposed to repeat passwords on multiple sites.

And so we sit at each new web site (and it seems that everybody wants you to create a password these days) and we cook up some dumb new combination that we are never ever going to remember just so we can shop for tea or read a news article. We try combinations until the site takes it and also shows us a nice green bar to prove that our new password is a safe one.

But this is more or less a waste of time. The bad guys who crack passwords also know all of these rules and the rules actually make it easier for them to crack your password. It doesn’t seem like somebody ought to be able to crack a password like aN34%6!bJ, but they can, and fairly easily. (Have I mentioned yet that I also hate sites that make me pick stupid passwords?)

Of course, it’s even easier to crack the really stupid passwords. For yet another year ‘123456’ is still the most commonly found password followed closely by ‘password’. But let’s face it, anybody using those is not really caring too much if they get hacked or if somebody deletes their Pinterest page or sees the news articles they have saved.

So how do hackers crack our passwords so easily? They get a surprisingly large number of them directly from people through phishing. People type their passwords into fake websites all of the time and then are dumb enough to also type in credit card numbers or bank account numbers when asked. There is not much more advice about that other than – don’t do it! You are much better off if you are like me and you don’t even know your bank account number! (But luckily my wife does).

But hackers also get millions of passwords by breaking into commercial sites and stealing their password and account files. This lets hackers get access to huge numbers of passwords at the same time. Almost all websites save passwords using an encryption algorithm. A simple password like dog might be saved as a 30-digit mix of letters and numbers called a ‘hash’. When web sites are hacked and the bad guys make off with millions of passwords, they don’t get your actual passwords, but a file of these encrypted hashes.

Hackers then attack the pile of hashes with computers that can look at billions of cracking attempts per second as they try to reverse engineer the algorithm used to create the hashes. They start with all of the easy-to-crack passwords like ‘123456’ which will turn up multiple times in the pile. Eventually they figure out the algorithm and then they can figure out many of the passwords in the file they have stolen.

I say many passwords, because it turns out that there is one set of passwords that is harder to crack than most. It comes from stringing together long chains of nonsense words that you can remember but that are not commonly used together. For instance if your password is ‘frogflatchevydog’ to memorialize the day you ran over a frog and then your dog sniffed it, then such a password is much harder to crack than a normal one. No password is impossible to crack, but the amount of effort required to crack the above password might take somebody a hundred hours more effort than cracking easier passwords, and it’s likely that nobody will put in the effort unless they really want you specifically.

Keep in mind that you can’t string together any common phrases that can be tested easily. For example, allmimsyweretheborogoves’ is relatively easy to crack because it’s all over the Internet since many people love Lewis Carroll books. Cracking programs search for billions of common phrases that they find on the Internet, meaning you probably can’t now use my great password suggestion about the flat frog.

Hopefully we are soon moving to a day when we won’t need any passwords. There has to be something better, which would be a combination of multiple biometric readings from your own body. Hackers have already shown that they can crack a one-layer biometric password like a fingerprint. But it gets mathematically nearly impossible to crack a system that uses multiple biometric readings simultaneously. So the ultimate password is eventually going to be you. That is a password I can finally like.

One thought on “I Hate Passwords

  1. Submitted March 5…
    ” Dear Doug:
    Another warm snowy day in beautiful Washington DC… See? The U.S. Congress isn’t the only thing here that’s frigid!!
    Son and his girlfriend were here on “Spring Break” from college (Spring… yeah, right!) and when their flight today back to Boston got cancelled yesterday morning, they decided to hop on a 10PM Amtrak last night — pulled out of Union Station in time to get to Beantown early this morning. Smart thinking, kiddo!!
    Now to your topic — I have a few “unique” protocols that I use to develop my passwords, and I do not use any of the easy, most frequently used ones. Over the past three to five years, I was substitute teaching in a few different school systems, and every school system had its unique system security requirements, and they all drove me crazy.
    Eventually, I just decided to keep track of my passwords in my cell phone…
    I could tell you the details of my protocol, but then anyone that knows me could figure them out. So, let’s just keep it at that…

Leave a Reply