There's a webcomic called 'XKCD' which, back in the good old days of the internet, asserted that longer common-word passwords, i.e. passwords strung together from four or more random English words, are better than the typical "8-10 characters, one uppercase, one lowercase, 2 symbols" passwords which websites generally enforce on us. This is still true. The reasoning goes like this: if an attacker wants to brute-force your password, they'll first try all common passwords (such as "password"), but then have to try every possible character in every possible position. The number of combinations grows exponentially with each extra character, so this can take a very long time. So long that it's not worth it (and most websites will block you after 5 incorrect login attempts nowadays anyway). So the longer the password is, the harder it is to break. Hence "horsebatterystableexponential" is a better password than "#(*&$HjK#".
The downside to this technique is that some password crackers use dictionary-based attacks, stringing together common words. But the number of characters on your keyboard is limited - about 63 total for English keyboards. The number of words in the English language is vast: around 170,000, with most people knowing between 20,000 and 30,000 of them. So even with four words, randomly chosen, you get a far stronger password, even if a dictionary-based attack is used. And if you start using foreign words, NZ place names for example, it becomes even harder to crack, because they won't be in a standard English word list. Of course, most websites will not accept such passwords as they are. You'll need to do what they ask, adding whatever special characters are necessary. But on the bright side, even "Horsebatterystable42." is a heck of a lot stronger than "#(*&$HjK#218".
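To put numbers on the reasoning above, here is an added example (my own illustration, not code from the article or its author) that computes how many bits of entropy a random character password and a random word passphrase give, using the article's own figures of about 63 keyboard characters and 170,000 English words (or 20,000 that most people know), and that generates a passphrase with Python's `secrets` module. The twelve-entry word list is constructed for the demonstration only and is deliberately tiny; the `entropy_bits` and `seconds_to_exhaust` helpers are mine, and the one-billion-guesses-per-second rate is an assumed figure for offline cracking of a leaked hash, not a measured one.

```python
import math
import secrets

# Constructed word list for illustration only. A real generator should draw from
# a published list of tens of thousands of words (e.g. a diceware list); a list
# this small gives a weak passphrase no matter how obscure the words look.
SAMPLE_WORDS = ["horse", "battery", "stable", "exponential", "correct", "staple",
                "kauri", "taupo", "rotorua", "whanganui", "matamata", "kaikoura"]


def entropy_bits(alphabet_size, length):
    """Bits of entropy for a secret whose `length` positions are each chosen
    uniformly at random from `alphabet_size` options: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time for an attacker to try every candidate at the given rate.
    This models offline cracking of a leaked hash; online login attempts are
    rate-limited or locked out and are many orders of magnitude slower."""
    return alphabet_size ** length / guesses_per_second


def compare(char_len=9, word_count=4, keyboard_chars=63,
            dictionary_size=170_000, known_words=20_000):
    """Keyspace, in bits, of a random 9-character keyboard password versus a
    random 4-word passphrase, using the article's figures (hypothetical defaults)."""
    return {
        "chars": entropy_bits(keyboard_chars, char_len),
        "words_full_dictionary": entropy_bits(dictionary_size, word_count),
        "words_known_vocabulary": entropy_bits(known_words, word_count),
    }


def generate_passphrase(word_list, word_count=4, separator=""):
    """Pick words with the CSPRNG in `secrets` (never `random`, whose output is
    predictable) so the selection is genuinely uniform. Returns the passphrase."""
    return separator.join(secrets.choice(word_list) for _ in range(word_count))


if __name__ == "__main__":
    bits = compare()
    for scheme, b in bits.items():
        print(f"{scheme:24s} {b:5.1f} bits")
    # Assumed offline cracking rate of 1e9 guesses/second (illustrative only).
    days = seconds_to_exhaust(63, 9, 1e9) / 86_400
    print(f"63^9 keyspace at 1e9 guesses/s: about {days:.0f} days to exhaust")
    # The sample list is far too small to be safe; the entropy calculation shows why.
    print(f"4 words from {len(SAMPLE_WORDS)} candidates: "
          f"{entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits only")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4, "-"))
```

Run as a script it prints roughly 53.8 bits for a 9-character keyboard password, 69.5 bits for four words from the full dictionary and 57.2 bits for four words from a 20,000-word vocabulary, which is the article's point in numbers: even the smaller vocabulary beats the symbol-laden 9-character password. The last two lines make the counterpoint a practitioner should keep in mind: the strength comes from the size of the list the attacker must search and from the words being chosen at random, so a famous four-word phrase, or four words from a tiny list, is not strong at all.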
Having said all this, password strength is seldom the problem nowadays - the main problem is password re-use. Using the same password on multiple websites, particularly important ones like PayPal or banking, is asking for trouble. As soon as one of those websites gets hacked, the perpetrators will likely try to use your email address and password on other sites, because password reuse is common. I got caught out by this last year - yes, me! I had an old password on one site. Nowadays there are no other websites which share the same password, but maybe 5 years ago there were a few. My guess is, at some point in the past one of those other websites got hacked and the details leaked to a database, which got sold to someone. So it was likely an automated attack that just happened to get lucky.
Luckily for me, I caught the transactions the morning they took place and reversed them. Many people don't have that good fortune, and end up losing $5000 or more. In short: make your passwords longer, even if they're memorable, don't worry so much about special characters, but make sure you're not sharing passwords between sites. Oh, and use Maori place names in your passwords.
- Matt Bentley, computer expert at Bentley Home PC Support.
Email info@homepcsupport.co.nz or phone 0211348576.
© 2025 Matthew Bentley. All Rights Reserved