Stop Your Password From Opening The Door To Hackers
👆 Watch the full video. Read the annotated transcript 👇
Passwords suck. They’re annoying to remember. You need way too many of them. And it seems like we can never quite make them strong enough.
Why can’t we solve this problem?
Well, we can…sort of.
In this video, we’re going to change how you think about passwords and walk through the simple steps you need to take to keep your passwords safe and sound.
Everything important about passwords boils down to one simple equation:
This equation tells us the number of permutations or possibilities for a password.
n is the number of things to choose from for r positions in our password.
The bigger either number gets, the harder it is for someone—like a hacker—to guess our password.
You’ve probably memorize these rules for making a “strong” password:
- It’s at least 8 characters long
- Has at least capital letter, one number, and one symbol
- Change it every 90 days
This excellent bit from Michael McIntyre really sums it up well.
The goal of those rules was to increase the value of n in our equation. Make sure that everyone was using more characters on the keyboard than just small a-z.
The problem is that those rules actually accomplish the opposite thing. They make passwords weaker!
Those common password rules make your password weaker because they don’t account for the most important factor in any password; your ability to remember it!
If you can’t remember a password, it’s useless. Making matters worse, you don’t just have to remember one password but dozens and dozens of them…more on that in a bit.
For short term memory, it turns out that humans can typically only remember about 7 random things.
So while our equation of n^r tells us the number of all possible passwords, that makes a big assumption that we will choose one randomly.
Especially when those common password rules are in place.
You know it. I know it. So let’s just call it out. We all have passwords that looks something like…
See, it’s super clever by I have more than one capital letter in addition to my symbol and number. I can remember it and at 14 characters, it’s crazy long!
Except that now we’re actually breaking our formula.
“MyCoolP@sswor4” breaks our formula because while it accounts for my shoddy memory and meets those common password rules, it doesn’t factor in how hackers and cybercriminals actually try to guess our passwords
Let’s do a little thought experiment.
If I pick a number between 1 and 10 and ask you to guess it, how would you order your guesses?
Would you randomly pick a number until you got to mine? If you approached the problem logically, you might start a 1 and work your way to 10. Or maybe you’d be clever and start at 10 working your way down.
All of these methods have the same probability of guessing the right answer. This is the reason that we think “MyCoolP@sswor4” is a good password.
But these methods don’t take into account how we think.
It turns out if you’re trying to guess my number, you’d probably have better luck starting with 7, then 3, then 8, 4, 5, 9, 6, 2, 1, and then finally, 10.
That is the order of our favourite numbers according to a 2015 global survey. While not science that I would bank on, it does highlight the key point; people have preferences and biases that you can bet on.
This applies directly to passwords.
As a hacker, I know that people can’t remember random jumbles. So instead of guessing every possible combination of letters, numbers, and symbols, I’m going to use what’s called a dictionary attack.
That’s when the hacker tries to guess your password using actual words and common misspellings—like adding a number. This is much faster as there’s a strong chance they will guess your password well before they work their way through all of the possible combinations.
Learn more about [dictionary attacks]
That why these common password rules make your password weaker. Due to how our minds work, they guide us to choose easier to guess passwords!
Using Our Advantage
Knowing what we know about how our mind works, we can create a better password quite easily.
Up to know, we’ve been thinking about the n in our equation as all of the possible letters, numbers, and symbols.
What if, instead of those characters, we though at about n as the number of actual words in our passPHRASE.
This holds true for all languages but we’ll use English as our example. There are approximately 171,000 English words in common use today.
Our brains are wired to remember words as one “thing” which means stringing a bunch of them together can give us a long password that’s easy to remember. But will it be strong enough?
Our friend, n^r will tell us.
When using the old rules, the total number of possible passwords—after accounting for our bad memories and habits—ends up being around 53 trillion.
While there are a lot of possible characters to type on a keyboard. People being people, we tend to stick to what’s visible and familiar.
To estimate that, we’ll crunch those 93 baseline characters down to 52 (10 numbers, 1 symbol, and about 41 letters covering upper and lower case). That gives us an “n” of 52 and an “r” of 8.
52 ^ 8 = 53 trillion
That is a ridiculously massive number and it feels like it’s be impossible to guess but it’s actually not that hard. Before we explore why that holds true, let’s calculate our passphrase possibilities.
If we select four random English words, there are about 855 quintillion permutations.
n = 171,000 r = 4
171,00 ^ 4 = 855 quintillion
If 53 trillion was ridiculous. 855 quintillion is absurd…and that’s good news for our password.
Especially when hackers can use readily available computers to try hundreds of millions of guesses per second!
Holding Us Back
If passphrases are super strong, why aren’t we using them everywhere?
The answer is as obvious as it is frustrating.
Complex technology takes time to change and if a problem isn’t seen as absolutely critical, it’s pushed aside for a “later” that never comes.
Passwords can be made stronger by simple picking a more complicated password. We know that because of our friend n^r.
That we can’t remember those complex passwords, let alone dozens of them, doesn’t really factor in that often.
…and even in systems where the team puts their foot down and says, “This is critically important, we need to fix it now.” Those fixes can take months before rolling out.
Besides, there is another way of making a old style—or any password—even strong, add another one to it!
2FA & MFA
You may have heard of two-factor or multi-factor authentication. This is where are you enter your password, you also have to enter a temporary code to gain access.
You usually get that code either through a text message or an app on your smartphone.
This makes it a lot harder to gain access to your account. Even if a hacker has your password, they will need your phone in order to gain access.
Why isn’t this everywhere you ask?
While it’s gaining traction, it still asks people to do more while logging in and that usually leads to problems.
However, when possible, you really should be using two-factor authentication. It’s a minor inconvenience that is a massive boost to your security.
Too Many Passwords
We know that it’s hard to remember one password, let alone dozens of them.
You should be using a different password for every app and site you log into. The reason? To reduce the impact of one of those sites getting hacked.
One of the first things that cybercriminals do after stealing a bunch fo usernames and passwords is to try them on other sites to see if they work there…and they often do!
Using a different password on every site is a smart way to protect all of your online accounts.
But that creates the very real challenge of trying to remember all of these passwords. How on Earth are we going to tackle that one?
We’re going to solve the problem by handing it off. The solution is a tool called a password manager.
It…um…manages our passwords for us.
The idea is pretty simple.
A password manager is an app that securely creates and stores our passwords for every account we have. It creates truly random, very strong passwords and keeps them safe in it’s vault.
When the time comes to log in, you open your password manager and it will log into the site for you.
This process is usually seamless but even when it breaks down, you can simply copy & paste the password from the password manager.
Logging in from your phone or tablet? Not a problem. Good password managers offer the app on most platforms and automatically—and safely—synchronize your data to all of your devices.
There are commercial and open source tools available and which one to choose really comes down to device support and the user experience.
I’ve been using 1Password for over a decade and it’s always worked well for me and my family. The small monthly fee is reasonable for the safety it provides. If that’s not your thing, there are a number of commercial and open source options available.
Pick one that works on your devices and whose user experience works for you. The important thing is that you use a password manager, which one is far less important.
Putting It All Together
Now a password manager itself is protected by a password. Here’s where our complete solution starts to come together.
All reasonable password managers follow the latest password guidelines and let you make gigantic passwords.
We’re going to take advantage of that and create a passphrase made up of four or more truly random words, the more words the better.
If you’re feeling feisty, why not add in a symbol or number too…just for fun.
That passphrase is going to be used with our password manager and only with our password manager.
We’re then going to use our password manager to create truly random, large gibberish passwords for each and every site and app we use.
This sets up the odd situation where you won’t even know you Facebook, Google, or Twitter password. But hey, that’s one less place it could leak from!
When visiting these sites or using these apps, we’ll log in to our password manager and let it log in the site for us.
When creating a new account, the password manager will provide a new super strong password too. It’s remembering all of these passwords which words around the limitations of our memory.
We’re maximizing the password strength for each and every site while still making things easy for ourselves.
We’ll add a tiny bit of friction back by using two factor authentication on each and every site that offers it. It’s a minor inconvenience that offers a huge security boost.
There’s a lot of things associated with passwords that are out of your control. How your brain works, how aggressively hackers go after your passwords, how the systems asking you for a password handle them, and more.
This workflow offers the best solution to this frustrating problem. It makes it hard for hackers to guess our passwords by making sure that we are maximizing the impact our friendly equation of n^r.