Computer Security: Passwords

This is the first post in a multi-part series on computer security essentials. I am not a computer security expert, but there are some basic computer security essentials that a surprising number of people don’t understand. The aim of this series is to raise awareness of these. I will be covering password vaults, two factor authentication, devices and local encryption.

Let’s start with the basics of passwords with a quiz.

Which password do you think is more secure? What do your passwords look more like?

a) Tr0ub4dor&3
b) correct-horse-battery-staple

If you take a look at howsecureismypassword.net and put in these two passwords:

a) It would take a computer about 4 HUNDRED YEARS to crack your password
b) It would take a computer about 1 OCTILLION YEARS to crack your password

This is because b) has a higher level of entropy, even though it is far easier to remember!

This cartoon explains this really well (and shows where I got the passwords!), including how we’ve trained everyone to use the wrong passwords.

[Image: “Password Strength” cartoon]

There’s a few things to remember about passwords:

  1. Never give your passwords to anyone else – no matter how nicely they ask
  2. No two passwords should ever be the same – even if they are “throw away” passwords
  3. You should use pass-phrases like example b) above for passwords you need to remember. All other passwords should be randomly generated, be at least 24 characters long, contain numbers, mixed case letters and symbols, and be stored in a password manager – I’ll cover password managers in my next post.
  4. Passwords and passphrases should not be constructed from known phrases. Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1. is a bad password; it was cracked in minutes as it contains a known phrase from a short story called The Call of Cthulhu.
  5. Don’t store passwords in a Google Doc or other online document service even if it has two factor authentication – use a password manager (which I will cover next post)
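To make the entropy comparison from the quiz and rule 3 concrete, here is an added example (my own code, not from the post or from any of the tools it mentions). It applies the naive length × log2(alphabet) estimate that brute-force strength meters use to the two quiz passwords, shows how a word-list passphrase is scored by its number of words, and generates rule-3 passwords and passphrases with a CSPRNG. The symbol pool, the word list and the guess rate are assumptions, so the year figures will not match the site quoted above.

```python
import math
import secrets
import string

SYMBOLS = string.punctuation  # assumed 32-symbol pool; real meters vary
POOL = string.ascii_letters + string.digits + SYMBOLS
# Constructed stand-in for a real Diceware/EFF list (the EFF long list has 7776 words).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet", "canyon", "lantern"]

def charset_size(password: str) -> int:
    """Alphabet size a brute-force meter assumes, from the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size

def brute_force_bits(password: str) -> float:
    """Naive meter estimate: length x log2(alphabet). Ignores dictionary structure."""
    return len(password) * math.log2(charset_size(password))

def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase drawn uniformly from a word list, whatever the word lengths."""
    return words * math.log2(wordlist_size)

def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to search half the keyspace at an assumed guess rate."""
    return (2.0 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)

def meets_policy(password: str, min_length: int = 24) -> bool:
    """Rule 3 from the post: at least 24 chars with digits, mixed case and symbols."""
    return (len(password) >= min_length
            and any(c.isdigit() for c in password)
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c in SYMBOLS for c in password))

def generate_password(length: int = 24) -> str:
    """Random password from the full pool, resampled until every class is present."""
    while True:
        candidate = "".join(secrets.choice(POOL) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate

def generate_passphrase(wordlist, words: int = 4, sep: str = "-") -> str:
    """Diceware-style passphrase: words picked by a CSPRNG, not taken from a known quote."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))
```

Run `brute_force_bits` on both quiz passwords: a) scores about 72 bits and b) about 164 bits, so length beats character gymnastics even before an attacker's dictionary rules are considered.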

Thanks to my employer Automattic for educating me on the importance of personal computer security.

Author: Alister Scott

Alister is an Excellence Wrangler for Automattic.

4 thoughts on “Computer Security: Passwords”

  1. Thanks for this. Making passwords secure has been a puzzle to me. Those password strength meters – are they using the same algorithms that you show for calculating how long it takes to decipher a password? Another question – I don’t understand why, if example b is better, I should still use random auto generated passwords? Shouldn’t I always use something like b?


    1. Thanks for your comment Lisa.

      Those password strength meters – are they using the same algorithms that you show for calculating how long it takes to decipher a password?

      They mostly are, although the tools that hackers use to crack passwords are more sophisticated in their use of look-up phrases like the example Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1, which would be rated strongly by most/all password strength meters.

      Another question – I don’t understand why, if example b is better, I should still use random auto generated passwords? Shouldn’t I always use something like b?

      Good question. There are two types of passwords: ones you need to remember, which really should only be for your password manager and your device(s) that you log onto to access your password manager, and ones that are generated for everything else. Ones you need to remember should look like b). Ones that you generate should be a bit like a) but should be longer, and be completely random (not based off of a phrase). So an example would be {(nKe>ca3fzoxJ7&XCk8yauBrUs8xQ which I just generated with 1Password, as this is stronger than both a) AND b) (but is very hard to remember).
