You don’t use passwords like the perennial 123456 and qwerty. Or even slightly better ones, like Cassie86 or Cubs1908. Because you put some thought into them, your passwords are better than those, right?
Maybe. But unless you avoid a little-known mistake recently uncovered by password researchers, there’s a good chance your passwords will still be far easier for hackers to crack than you think.
Can you tell how strong a password is?
To see, try to figure out which of these four are a pushover for hackers.
Spoiler: They’re all an easy mark for hackers, even though every one is 9 or more characters long and contains a mix of both letters and non-letters. How can such apparently strong passwords be so weak? The short answer is that they follow some of the most common patterns of composition that people use to create passwords, patterns that weaken them.
Beat the clock
How does a hacker get hold of your password? Most likely, through a breach of a customer database like the one that recently let criminals obtain confidential celebrity photos from Apple’s iCloud. (According to Apple, the iCloud database itself was not breached). As I explained recently, more such breaches are inevitable. Since many passwords are stored in such a way that they can’t be directly read by people, hackers often use software to crack them. The longer it takes to crack a password, the less likely the hacker will succeed. If it takes too long, the hacker may give up and move on to easier prey.
As I explained in Hack-proof your passwords, which I wrote when I was Technology Editor at Consumer Reports, long passwords comprised of a variety of letters, numbers, and special characters can better withstand cracking software than can short, simpler ones. However, when something about a password’s composition is too predictable—it begins with an upper case letter, for example, or includes a recognizable word—it can be cracked much more quickly.
Games users play
Just how predictable are people in composing passwords? Even when they’re following an organization’s password guidelines regarding length and mix, it turns out, most compose passwords in very similar ways.
In a 2013 study for DARPA (the Federal Defense Advanced Research Projects Agency) called Pathwell, security consulting company KoreLogic found that, among the thousands of users within an unnamed Fortune 100 company,roughly half had relied on just five patterns to compose their passwords and 85 percent had relied on just 100 patterns. (KoreLogic found similar predictability within a variety of other companies).
Here are the three most common patterns KoreLogic found among the thousands it identified in those companies:
• One upper case, then 5 lower case, then 2 digits (Example: Dulith57)
• One upper case, then 6 lower case, then 2 digits (Example: Abugmar64)
• One upper case, then 3 lower case, then 4 digits (Example: Itio1981)
Which of these mistakes do you make?
It’s not practical to try to avoid every one of the many patterns KoreLogic found. But you can still create better passwords by steering clear of some of the most common mistakes people make:
• Starting with an upper case letter followed by lower case letters
• When a password isn’t long enough, adding a letter or two to the base word
• Putting digits, especially two or four of them, before or after the letters
• When a special character is required, using “!” and putting it at the end
• Not using two special characters in the same password
Don’t rely on password checkers
When creating a password, you may be tempted to use online password checkers to test the strength of those you’re considering. Beware: When I tried four of the most popular checkers, How Secure is my Password, Password Meter,Microsoft’s Password Checker, and Kasperky’s Secure Password Check, only Kaspersky’s clearly informed me that the apparently strong password I submitted was actually far weaker than it appeared. Even Gmail’s own password strength tester labeled that password as “strong.”
How to make passwords less predictable
I won’t suggest any compositional patterns here because, once published, they would immediately become a target for hackers. Instead, here are a few rules of thumb to keep your passwords from becoming too predictable:
• Avoid beginning the password with an upper case letter—or maybe even anyletter
• Create an acronym using the first letter of each word in a memorable sentence, as suggested by security expert Bruce Schneier
Example: t2cmlp,@yh (“Try to crack my latest password, all you hackers”)
• Resist your natural tendency to mimic familiar words and phrases
• Use multiple special characters in the same password
• Don’t always place digits adjacent to each other
Jeff Fox was formerly an editor at Consumer Reports and is currently the editor of http://www.StateoftheNet.net, a web site covering online privacy and security from a consumer perspective.