Pa$$w0rds–good or bad without breaking your brain

Every year some computer security firm releases its list of the worst passwords that people are using. While I do not know the methodology used to compile these lists, I do know that I see these passwords used over and over again in both public and private sector arenas.

password image by Linux Screenshots on Flickr.

Why are people using passwords like 123password? It is likely because the average person, who is not a techno-geek, has a hard time remembering what some ‘best-practices’ list decided was a good password. You know the one: there must be one capital letter, one lowercase letter, one number, one special character, and the DNA signature of your neighbor’s cat (I just made the last part up).

Now this is a big deal because passwords are a big deal. They keep people from snooping on your computer, your email service, the websites you frequent, or even keep people out of your bank or credit card accounts.

Passwords are like diapers and politicians. They should be changed, and often. Why? Because if you leave a password in place for too long, you give an outsider a longer opportunity to crack it and then gain access to your data/information.

So while password, letmein, 123456, qwerty, or something similar are examples of bad passwords, a password like 3!dxt*RT2nr$xgg5t06 is a good password, but not because it is complex. It is a good password because it is long. However, the human brain can only remember so much of this string; you have to go back and remember that you are trying to outsmart a computer, not a human being.

A human will guess words that can be found in a dictionary or will tell a computer to look for words that exist in a dictionary. In short…words that make sense to another human being. A computer does not care about dictionary words or special characters.

I will now enter the word “entropy” into this discussion. Entropy, while sometimes relating to thermodynamic relationships in chemical processes, also means a lack of predictability or reliability: a disintegration of order into disorder, and thus a large positive run towards randomness. This is a good thing to have in a password or PIN.

For instance, the four-digit PIN that you use on your debit card has 10^4 possible combinations (10 possible digits in each of the 4 positions).

And that 16-character string of special characters, upper and lowercase letters, numbers and your cat’s DNA marker? Well, that only nets you an entropy (randomness) score of 119 bits. However, if you were to take the last names of your two favorite teachers, the model of your first car, and your first home phone number, that entropy ramps up to over 200, and it would take the most powerful computers hundreds, if not thousands, of years to crack that password. By then you should have changed it more than two times to something else.

Some examples of good, strong passwords in this model are: hulusucksbecauseofcommercials, bernsteincoplandRodeoin38time, spotroverslurpeepepsi
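The entropy argument above, as an added example (not code from the original post): a brute-force estimate from the character classes a password uses, a per-word estimate for the case where an attacker guesses whole dictionary words rather than characters, and the worst-case time to exhaust the search space at an assumed guess rate. The dictionary size and guess rate in the demo are constructed assumptions.

```python
import math
import string

# Character classes for the brute-force (character-by-character) model.
CLASSES = [
    ("lowercase", set(string.ascii_lowercase)),
    ("uppercase", set(string.ascii_uppercase)),
    ("digits", set(string.digits)),
    ("symbols", set(string.punctuation)),
]


def charset_size(password):
    """Alphabet size an attacker must search, based on the classes present."""
    return sum(len(chars) for _, chars in CLASSES
               if any(c in chars for c in password))


def entropy_bits(password):
    """Brute-force entropy in bits: log2(alphabet_size ** length)."""
    size = charset_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def passphrase_bits(word_count, dictionary_size):
    """Entropy when the attacker guesses whole words from a known word list."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case years to try every candidate at a fixed guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e12  # constructed assumption: one trillion guesses per second
    for pw in ["1234", "3!dxt*RT2nr$xgg5t06", "hulusucksbecauseofcommercials"]:
        bits = entropy_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years")
    # Four words from a constructed 7776-word list, guessed word by word:
    wb = passphrase_bits(4, 7776)
    print(f"4-word passphrase: {wb:.1f} bits, {years_to_exhaust(wb, rate):.3g} years")
```

The last line shows the caveat behind the character-class numbers: a long passphrase scores well when an attacker searches characters, but much lower when the attacker already knows it is built from common words, so length has to come from words that are not predictable.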

The main purpose of this blog entry is to illustrate that a secure password can be one that is long and strong but, more importantly, something that you can easily remember. Just do not use the names of your kids, your pets, or other personal information that you might not want disclosed to the general public.