An article about password security, aimed at the average person or IT people who work with average people and need another way to explain it.
Social engineering seems to be the easiest way to grab a user’s password, and despite suspicion on the part of IT staff, the average user gets roped in pretty quickly. Phishing attempts are getting bolder and more sophisticated, and objectively speaking, I have to applaud some of the efforts because they’re pretty good.
Not much can be done to secure an account if the account holder willingly gives it up. But mitigating damage from brute-force attacks and even “shoulder surfing” can be much easier.
Use a phrase or sentence.
Mix in a few capitalizations, maybe even skip a character. Try it out here:
In a nutshell, the more characters there are to try to figure out, the harder it gets mathematically to solve. For illustration’s sake, with a single-digit number, you have a 1 in 10 chance of getting it right. For a human, it’s pretty simple. For a computer, it’s instantaneous.
Add another digit, and the odds increase to 1 in 100.
For a single letter of the English alphabet, the chance of “cracking the code” is 1 in 26. Add another letter (where repetition is allowed) and the odds are 1 in 676 (26 x 26).
Still pretty easy for a computer.
While words of multiple characters and numbers are more complex, computers are able to use dictionaries and heuristics to figure out a password (“heuristic” being essentially the practice of starting with “most likely” then working outward). Add in behavioral analysis (especially through mining big data acquired via social media), and a computer can easily figure out the most popular passwords for a school teacher at this time of year:
- Summer123 (this of course being the most complex…..)
Seriously. We went through a lot several years ago to get our teachers to stop doing this.
Conversely, a password like S&4u_sO9%8sS8^2HhYvoO is nearly impossible to crack….but also nearly impossible to remember. Plus, not every system out in the wild can handle all of these requirements; some systems can’t handle special characters, others can’t handle certain special characters, and I still see systems that demand a maximum of 8 characters (in 2017!!!).
The balance between a password complex enough to make it difficult for computers to crack but simple enough for a human to remember is to use a sentence or phrase. Artificial intelligence is not yet at that point where a system can guess the meaning and impact of certain terms.
Try “My Cat is 17 Years Old” (author’s note: my cat is not 17 years old…I don’t even have a cat……… or do I?).
This isn’t to say that a computer won’t find out your password within seconds or minutes. It could be very, very lucky. But the chance of that happening is incredibly slim. Much slimmer than if your password was cat17. But not as slim as King Illegal Forest to Pig Wild Kill In It A Is.