Think about your various organization-wide and personal accounts. Do you use the same password or a slight variation for each account? Is your password something fairly obvious, like your founder's name or the street your office is located on? Or is your password a phrase from a famous piece of writing, like the Bible or the Constitution? Password hackers are using some new tactics to break into your online accounts. Ars Technica reports that hackers are expanding their password-cracking frontiers into Wikipedia, YouTube, song lyrics, and other works of literature or
Passphrases have become a popular way to strengthen a password. With many characters, mixed capitalization, and spaces, phrases from your favorite books or movies seem like the perfect hacker-proof solution. But your efforts to use a quote from Mrs. Dalloway might be fruitless.
Security researcher Yiannis Chrysanthou had no trouble cracking the passphrase "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1." How did he crack such a strange phrase? It's a quote in a fictional language from the H.P. Lovecraft story "The Call of Cthulhu," and it appears in a Wikipedia entry. Besides books, whitehats (good hackers) and blackhats (bad hackers) are tapping into news websites, movie scripts, song lyrics, and social networking sites to pull potential passphrases. Even if your quote is slightly varied, like "123it_wasthebest_of_times321," a hacker can still probably uncover it.
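The defensive counterpart of the attack described above is a policy check that refuses a passphrase when it is a known quote, even after the cheap variations the article mentions (digits wrapped around the phrase, look-alike digit substitutions, changed case and separators). The following is an added example written for this post; it is not code from the article, from Ars Technica, or from any password-grading tool. The quote corpus, the substitution table and the minimum match length are constructed assumptions; a real deployment would load a large phrase list in place of `KNOWN_PHRASES`.

```python
"""Reject passphrases that are known quotes, even after light mangling.

Added example, not from the article. The idea: a phrase an attacker can pull
from Wikipedia, lyrics or literature is only as strong as the attacker's
phrase list, and wrapping it in digits or swapping letters for look-alike
digits does not change that. So normalize both the candidate and the known
phrases the same way and compare the results.
"""
import re

# Constructed corpus of phrases this post mentions. Assumption: a real check
# would load a large list of quotes, lyrics and titles here.
KNOWN_PHRASES = [
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
    "It was the best of times, it was the worst of times",
    "correct horse battery staple",
]

# Common look-alike substitutions, undone before comparison (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Fragments shorter than this match too easily to mean anything (assumption).
MIN_MATCH = 8


def normalize(text: str) -> str:
    """Canonical form: strip leading/trailing digits, undo look-alike digits,
    lowercase, and keep letters only (so spaces, underscores and
    punctuation no longer matter)."""
    text = re.sub(r"^\d+|\d+$", "", text)   # "123it_was...321" -> "it_was..."
    text = text.translate(LEET)              # "c00l" -> "cool"
    return re.sub(r"[^a-z]", "", text.lower())


_NORMALIZED_KNOWN = [normalize(p) for p in KNOWN_PHRASES]


def is_known_phrase(candidate: str) -> bool:
    """True if the candidate is a known quote, or a fragment of one, once
    both sides are normalized. Very short fragments are never flagged."""
    c = normalize(candidate)
    if len(c) < MIN_MATCH:
        return False
    return any(c in known or known in c for known in _NORMALIZED_KNOWN)


if __name__ == "__main__":
    for sample in ["Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1",
                   "123it_wasthebest_of_times321",
                   "c0rrect_h0rse_battery_staple",
                   "g1nny_is_c00l"]:
        verdict = "known quote, reject" if is_known_phrase(sample) else "not in phrase list"
        print(f"{sample!r}: {verdict}")
```

The check treats a fragment of a quote the same as the whole quote, because an attacker's phrase list is usually tried both ways. It says nothing about whether a passphrase that passes is actually strong; it only removes the cases the article shows being cracked from a list.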
end of Ars Technica's three-page report, it appears there's an arms race between hackers and everyday users and the security experts trying to protect them. It's a fascinating read, but it almost seems like the hackers are
you can still build a strong, uncrackable password. But here's the catch: you won't (or shouldn't) be able to remember it easily. You should have lots of upper- and lowercase letters, numbers, symbols, and more. Interestingly, in an article published in May, security writer Rick Broida of recommends using long passphrases. But as this Ars Technica report points out, hackers are figuring this strategy out.
using Intel's Password Grader to test your password's vulnerability (while it promises not to store your password, it still recommends not using your actual one). The passphrase "g1nny_is_c00l" got a score of 710 years to crack, while "ginnyiscool" got a score of 32.3 seconds to crack. Yikes! (Neither of those is my password, don't even try it.) I'd go even further, however, and not use my name at all, nor would I use proper English syntax.
Ginny Mies is a Content Curator at TechSoup Global.
There are alternatives to passwords with random gibberish that are still virtually uncrackable but very easy to remember: Pick a nonsensical "passphrase" of 4-5 words or so. XKCD (a webcomic) explains it pretty eloquently at: http://xkcd.com/936/
The short version is -- as long as your nonsensical phrase (e.g. "correct horse battery staple") doesn't exist as a common saying anywhere (e.g. don't use the one I just provided, it's pretty common) -- it's going to be a lot harder for a computer to guess it. Even if the computer was trying words in a dictionary instead of individual combinations of letters, there are a LOT of words in the dictionary, and it has to get the right combination.
The drawback is most websites won't let you supply a password that only has letters in it -- a few even impose length limits on your password. (Though I have seen one site that allowed either a minimum of ~8 characters of gibberish or 20 characters of just letters).
Also, if you're using the same username and password everywhere, it only takes one site to be compromised to potentially leak your password to other sites. If your TechSoup password is the same as your email password and a hacker gets hold of it somehow, they now have access to your email. And how many sites have you used where you could get a password reset email sent to your email? The hacker might now have access to them as well.
This is one of the most compelling reasons to use a password manager. If you use the above-mentioned LastPass or similar (I use KeePass personally), you can use a good passphrase to protect your password database, and then use truly random passwords on every site you visit. Thus, if something happens at one site, the damage is limited only to that site. I make a few exceptions -- I rely on a memorized Google password (but I have 2-factor authentication on the account), as well as a small handful of things where I can't always rely on having my password manager available.
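The comment above rests on a counting argument: a passphrase built from randomly chosen words is strong because of how many combinations the word list allows, while a quote that exists somewhere is weak because the attacker only has to walk a phrase list. The block below is an added example written for this thread, not code from the commenter, from XKCD, or from Intel's Password Grader. It puts the three password styles discussed here (random characters, random words, known quote with mangling) on the same entropy scale and converts bits to expected guessing time; the guess rate and the list sizes are assumed inputs chosen only to make the styles comparable (the 2048-word list and its 44 bits are the figures XKCD 936 itself uses).

```python
"""Compare the guessing effort behind the password styles discussed in this thread.

Added example, not from the post. Model: a secret drawn uniformly from a
space of S possibilities carries log2(S) bits, and an attacker who knows
the scheme needs S/2 guesses on average. Guess rates and list sizes below
are assumptions; real rates depend on how the site hashes passwords.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_random_chars(length: int, alphabet_size: int) -> float:
    """Bits for `length` characters each chosen uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def entropy_word_passphrase(words: int, dictionary_size: int) -> float:
    """Bits for `words` words chosen uniformly (with replacement) from a word list.
    This is the XKCD case: 4 words from 2048 gives 44 bits."""
    return words * math.log2(dictionary_size)


def entropy_known_quote(phrase_list_size: int, mangling_variants: int = 1) -> float:
    """Bits when the phrase comes from a list the attacker also has. Cheap
    variants (digits at either end, look-alike swaps) only multiply the list,
    so they add log2(variants) bits, not bits per character."""
    return math.log2(phrase_list_size * mangling_variants)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: half the space at the given guess rate."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def summarize(guesses_per_second: float = 1e9) -> list:
    """Return (label, bits, years) for the styles this thread compares.
    All sizes are constructed assumptions for illustration."""
    cases = [
        ("8 random printable characters", entropy_random_chars(8, 95)),
        ("4 random words, 2048-word list (XKCD)", entropy_word_passphrase(4, 2048)),
        ("5 random words, 7776-word list", entropy_word_passphrase(5, 7776)),
        ("known quote, 10M-phrase list x 1000 variants", entropy_known_quote(10_000_000, 1000)),
    ]
    return [(label, bits, expected_crack_years(bits, guesses_per_second)) for label, bits in cases]


if __name__ == "__main__":
    # Assumed rate for a fast, unsalted hash; slow hashes cut this by orders of magnitude.
    for label, bits, years in summarize(1e9):
        print(f"{label:45s} {bits:6.1f} bits  ~{years:.2e} years at 1e9 guesses/s")
```

The point the numbers make is the one the comment makes in words: a quote with digits wrapped around it sits at roughly the entropy of the phrase list, however long the quote is, while four words drawn at random from even a small list are stronger than most eight-character passwords. Changing the guess rate scales every row equally, so the ordering of the styles does not depend on it.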
Thanks so much for your comment, Dewin! Some really great advice here. Also, I love XKCD -- going to share that comic with our community on Twitter.