Here's Why Your Password is Hackable

Category: Security

Over the past two decades, password rules have become more complicated and more burdensome for users. Users have coped with arbitrary, byzantine password rules by creating the most easily remembered passwords that comply with the rules, changing them when required in minor, predictable ways, and reusing compliant passwords across multiple online accounts. The results include lots of frustration and LESS security. Here's how to do it right...

Everything You Know About Passwords is Wrong

A typical site now requires you to create a password at least 8 characters long that includes at least three or four types of characters: upper-case, lower-case, numerals, and special characters such as !, @, #, etc. In most cases, the resulting password is exactly 8 characters long, begins with an upper-case character, and ends with an exclamation point or the numeral “1.” Often it’s a recognizable name associated with the user, such as a child’s or pet’s name. If a password needs to be changed, it’s often only the last character that’s changed, and in a predictable fashion: “1” becomes “2,” “!” becomes “@,” and so on.

Hackers know these official rules, and the de facto rules that users have created to comply with them with the least effort. They have hundreds of billions of stolen passwords from which to figure out those habits, and they build the habits into password-cracking software to make it more efficient. They also have massive computing power that can try billions of possible passwords per hour. The upshot is that most passwords actually in use can be cracked in a matter of hours.

One solution to human predictability is password-generating software that produces longer, more random passwords, and password-management software that remembers what site a password goes with. These functions may be combined in one software package, such as Roboform, Dashlane or LastPass.

[Cartoon image; alt text: “battery stapler”]

But many sites deliberately thwart the use of password managers, either by forcing users to enter usernames and passwords on two separate screens or by adding code that blocks auto-filling of passwords. Apparently, the admins of such sites think a password encrypted and stored on a hard drive is as insecure as one written on a Post-It Note.

Another solution to remembering strong passwords is a mnemonic: a sentence that’s easily remembered because it makes grammatical sense, and which contains the characters of a password that can be extracted by applying a simple rule. For instance, a password might be the first letters of the sentence, “My horse knows how to use 2 pink staple guns.” In fact, that whole sentence would make a virtually impenetrable password, if the official rules allowed spaces.

This geeky cartoon from illustrates the difference between passwords as they are and as they could be, if sysadmins allowed it. Following the official rules results in a password that’s easily cracked in 3 days, while the phrase, “correct horse battery staple” takes 550 years, far longer than any hacker cares to spend.
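The arithmetic behind those two numbers is worth seeing once. The cartoon's figures are about 28 bits of entropy for the rule-compliant password and 44 bits for four words drawn from a 2048-word list; at 1,000 guesses per second, 2^28 guesses take about 3 days and 2^44 take about 550 years. The script below is an added example (not from the original article or any product it mentions) that computes passphrase entropy from word-list size and word count, converts it to time-to-exhaust at a chosen guessing rate, and generates a passphrase with the `secrets` module. The word list is a constructed stand-in; only its size matters for the entropy figure.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample word list. A real Diceware list has 7776 words and the
# cartoon assumes 2048; the entropy formula only needs the list's size.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "pink", "gun",
                "croaker", "country"]


def passphrase_entropy_bits(word_count, list_size):
    """Entropy of word_count words drawn uniformly from list_size words:
    log2(list_size ** word_count) == word_count * log2(list_size)."""
    return word_count * math.log2(list_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every one of the 2**bits candidates at the given
    rate. On average the right guess turns up at about half this."""
    return 2.0 ** bits / guesses_per_second


def years_to_exhaust(bits, guesses_per_second):
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


def compare_guess_rates(bits, rates=(1e3, 1e12)):
    """Years to exhaust a 2**bits space at each guessing rate: the cartoon's
    1,000 guesses/s next to a well-resourced attacker's 1 trillion/s."""
    return {rate: years_to_exhaust(bits, rate) for rate in rates}


def generate_passphrase(word_count, words=SAMPLE_WORDS, sep=" "):
    """Pick words with secrets.choice, not random.choice: a passphrase is only
    as strong as its entropy estimate if the picks are truly unpredictable."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    cases = (("rule-compliant 8 characters", 28.0),
             ("four words from 2048", passphrase_entropy_bits(4, 2048)))
    for label, bits in cases:
        for rate, years in compare_guess_rates(bits).items():
            print(f"{label}: {bits:.0f} bits, {rate:.0e} guesses/s "
                  f"-> {years:.4g} years")
    print("sample passphrase:", generate_passphrase(4))
```

Run as a script it prints both rows of the comparison; the 44-bit passphrase that stands for 550 years at 1,000 guesses per second falls to under 20 seconds at a trillion per second, which is why the list size and word count, not clever substitutions, are what buy time.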

What About Those Password Strength Meters?

Research has found that users will create stronger passwords if they receive feedback about password strength as they create a password. But so-called “strength meters” often measure only compliance with rules instead of statistical strength, according to researchers at Carnegie Mellon University. The CMU geeks have created a strength meter that uses a neural network to estimate the true strength of a hypothetical password on the spot, and it even explains what’s wrong with your password creation strategy. The rules they recommend are:

  • At least 12 characters per password
  • Capitalized and special characters in the middle of the password, not at ends
  • No names associated with pets or sports teams
  • No song lyrics
  • Avoid the word “love” in any language
  • Avoid patterns such as “123,” including keyboard patterns (“qwertyasdfg”)

I advise using a password generator/manager wherever possible. They’re getting better at circumventing the security-limiting roadblocks that some website owners think are important. If you prefer not to use password software, a memorable phrase is the next best thing. In the past, I've used the first sentence from the first paragraph of a certain page in an old book. For example, on page 67 of "The Autobiography of Benjamin Franklin," I found the phrase "There are Croakers in every country." It's memorable, and it makes for a strong password. Or as mentioned above, you can apply a formula of your choosing to such a phrase.

What's your password strategy? Do you use a password manager, a sticky note, or keep it in your head? Your thoughts on this topic are welcome. Post your comment or question below...

This article was posted by on 12 Sep 2017


Most recent comments on "Here's Why Your Password is Hackable"


Posted by:

david sparkman
13 Sep 2017

My bank disables my account after 3 incorrect tries, so cracking that will take a very long time. On the other hand, I use a wireless keyboard, so an external keylogger is a threat. I prefer not to access my bank account while on the road. I am using Avast's EasyPass, but I am bugged that it keeps trying to save my bank password, which is the one password I prefer to keep only in my memory and my home safe.

Posted by:

13 Sep 2017

@Paul Re:"Keepass can fill in online forms just fine"
Thanks! I just started using KeePass a couple of days ago, so I have some research to do.

Posted by:

Donald Potts
13 Sep 2017

I would love to go back to the Microsoft fingerprint reader I had that you could use in lieu of passwords !
Is there anything like that available now??

Posted by:

Jay Bingham
13 Sep 2017

I have used the password manager KeePass for years. It is free and is available for multiple operating environments. Since I have used it I have been generally using 20-character randomly generated passwords, but recently began moving to 24-character passwords where possible. The thing that frustrates me, because I want to use long passwords, is when I set up a new password on a site and find that I am limited to a password of 12 or fewer alphanumeric-only characters. Fortunately most sites that I have encountered allow longer passwords than I care to generate, with at least some symbol characters included, but I have been surprised by some of the sites that do not, organizations that I thought would know better. I understand that it takes more storage space to accommodate longer passwords and storage space is not free, but with the low cost of storage these days I think that when comparing the cost of storage to the cost of a break-in, it is very shortsighted to restrict passwords to 12 or fewer characters.

Posted by:

13 Sep 2017

My spouse and I know each others' passwords and use them for making airline reservations, etc. Do programs like Roboform and Keepass allow passwords to be accessed by two people using different computers?

Posted by:

Sharon Hutchinson
13 Sep 2017

I must confess--I am guilty of making up passwords based on everything said in the first paragraph of "Everything you know about passwords is wrong". Shame on me. Yet I would have continued to do so were it not for this great article pointing this out and supplying excellent ways to generate passwords in such a way that someone could take 1000 years to figure it out. Many thanks, Bob!

BTW, I went to XKCD and found hilarious stuff that probably would stump the average Joe. Bookmarked for future laughs!

Posted by:

13 Sep 2017

If a person has several (or even more than 2) accounts that require a password, they would be foolish NOT to be using a password manager program like those mentioned - LastPass, KeePass, or Roboform.

Not only are the generated passwords strong, access to the password vault is secure, the program connects to the necessary web site for you, and the program is accessible by more than one person or computer IF you share your master access.

I laugh at someone who writes their passwords down in a book. I have helped many foolish people regain access to their computer by hacking their simple passwords. My record was 8 seconds, by trying one person's previous dog's name.

Posted by:

13 Sep 2017

Bob, I really enjoy all your articles. What would be wrong with creating an "ID & Password" folder and keeping them all in Notepad files? Then when you need any of them, you can just copy and paste both. Doing it that way, you're not liable to keyloggers. Thanks

EDITOR'S NOTE: Not necessarily. Some keyloggers can intercept keystrokes entered via copy/paste.

Posted by:

14 Sep 2017

My 50 years of computing experience has been that passwords create more problems than they solve. They are an outdated method of security that should be replaced.

I used the same password for over 40 years in multiple situations before it got hacked. I then changed it for my email only. I still use the now 50-year-old one in situations where I don't care if it gets hacked, e.g. Facebook.

One experience I had with a site that required a password was that it did not validate the entered password so would accept anything entered.

A password that most humans never try is nothing: just press Enter. Unfortunately most systems do not allow null passwords.

Security is all about risk assessment. Ask an actuary about it.

Posted by:

Jay R
14 Sep 2017

Sharon, you're right. BTW, did you look at the next cartoon? That one made me laugh, too.

On a different note, I don't understand the reason I need passwords on a site where I am paying my bills. I keep hoping that someone will hack it and pay on my account.

Posted by:

14 Sep 2017

Bob - my experience is many sites limit the number of password tries to three. If you haven't gotten it right by then you are locked out and the password has to be reset. In that scenario, how can hackers have unlimited time/tries to hack the password? I imagine hackers have no success at the sites that are limited to three tries, so why don't all sites implement that rule? It seems to me that would go a long way towards solving this problem!

EDITOR'S NOTE: The "unlimited attempts" scenario comes into play when a hacker has direct access to a compromised server, and can direct his attacks against the master user/password file.

Posted by:

14 Sep 2017

I would venture to guess that the password you were using 50 years ago (and to this date) has got to be only 4 characters in length. But I am also guessing that there are not that many sites which would allow a 4-digit password entry in the 21st century. Could this be the reason for wrongly stating "...create more problems than they solve"?
I have prescribed strong AND unique passwords for over a dozen years as an essential need just like making sure there is TP when you visit the bathroom, or stocking up on toothpaste for the toothbrush. It is not rocket science to create/update passwords and to remember them (along w/religious use of a password manager, such as KeePass).
The only issue I have with unique/strong password generation is when sites/programs limit the maximum character length of the password: Microsoft used to limit the password length to 16 and Western Digital limits theirs to 14 characters max. That is just plain wrong! I think the Apple iPhone XS facial recognition is a great idea for entry to Fort Knox, but I will opt out, maybe until DNA verification becomes a mandatory standard for smartphones... at which point, I will opt out altogether from using them!

Posted by:

15 Sep 2017

I have not just changed the last letter or number, but this article is an eye-opener... I was hacked in Yahoo. Now I have a Gmail account. I wonder how long till Gmail is hacked? I still clean out my Yahoo mail.

Posted by:

15 Sep 2017

The first thing I don't understand is why companies who hold sensitive data don't encrypt their information so if the data is hacked it would be unreadable or inaccessible. Next, there should be a two step approach to security so you need a password and a special answer that only the operator would know. And finally, the company should prevent access if the user fails to enter the correct passwords in three or four tries. These approaches would safeguard any outsider from accessing the data.

Posted by:

16 Sep 2017

Password cracking software has long had the ability to immediately override the 3 tries limitation.

The 550 year example presumes 1000 tries/second. Edward Snowden has said to presume your adversary capable of 1 trillion tries/second, which for the above example would result in account access in 4 hours and 49 minutes.

Posted by:

21 Sep 2017

To all of you minimising the threat, my advice would be to visit the site (and how-to blog) of forensic password-busting software publisher Elcomsoft. It goes by the cute name of Advanced Password Cracking, and it's fully legitimate, by the way (it sells to law enforcement and the like) :

That's what the good guys are able to do. Now imagine what the bad guys might be up to.

Posted by:

Tommy Bengtsson
26 Dec 2017

I use LastPass, and for LastPass I have Diceware.

Posted by:

Jeff Lindsay
27 Dec 2017

When you mention CMU geeks, there ought to be a link to their site for testing password strength:

Great article, thanks!

Posted by:

27 Dec 2017

One of my banking institutions forces me to change my password every six months, with the following results.

One time I entered 18 characters for my new password and it took it. On trying to use my new password, I discovered there was a maximum length of 17 characters. Did it truncate from the high-order or low-order? Did it not really take the new password?

When I called them, all they asked me was my name and SSN and they gave me a temporary password right over the phone.

Another time when I was required to change my password, I used my old password as my new password and it took it.

This is security!

BTW, I use RoboForm as a password manager. I currently use the free, desktop only version. Previously, this was called the desktop version, and had a cost. I also use VeraCrypt to keep everything important secure. And I backup religiously.

Posted by:

02 Oct 2018

I have used 1Password almost from the day it was created.

It can create long randomly generated passwords that meet Bob's suggested criteria rather than those he suggests are poor choices.

It suggests them automatically when you are on a new site, and you can modify them as well. 1PW will even scan all of your passwords and check them for duplication, even partial duplication, for those who use their initials or similar in their passwords as a memory aid. That memory aid idea negates the concept of a password tool. You do not need memorable passwords if you use 1Password.

It syncs between your computers and phone. Everything it stores is encrypted. All the user has to remember is the password for 1Password itself!

There are other tools that do similar things. Everyone should use such tools.


Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Here's Why Your Password is Hackable (Posted: 12 Sep 2017)