Don’t follow Dvorak’s password advice

I mostly agree with Dvorak’s Permanence of Posting Online, but I take serious, serious issue with what he says in that piece about passwords.

Dvorak: The processing power of a Core i7 by itself is enough to crack almost any password whatsoever. Within minutes.

This is true for short passwords when the attacker has the password hash in hand and can run guesses offline at full speed: a server you have physical access to, or a captured wi-fi handshake, for instance. Longer, more complex passwords take far longer than minutes to crack even then. And when the attacker can’t get the hash and has to submit each guess to a live login, it takes longer still.

So under ideal conditions, he’s almost right. But conditions aren’t always ideal, and you can make them a lot less ideal.

Dvorak: And the nonsense about making sure to use a number and symbol and enough letters is all bull.

This is where Dvorak, with all due respect, doesn’t know what he’s talking about. I have successfully cracked 8-character simple (alphabetic) passwords in less than 30 minutes even with P4-era CPUs. But even 8-character passwords containing numbers and symbols take much longer than that to crack, even with a fast CPU.

I can only guess that he’s saying symbols and numbers don’t work because people using passwords based on street addresses, say, 1600Jefferson, and even 1600Jefferson! or 1600s.Jefferson!, are getting busted routinely. They check out as strong on a character-class test, but they’re too predictable. An attacker can just write a script that cycles through common street names, tacks numbers in front, optionally tacks common punctuation marks on the end, and tries them all in sequence; the work is the size of that candidate list, not 94 to the power of the password’s length. Those passwords are less secure than something like 16!.Jeff would be, even though the latter is shorter.

But mathematically speaking, busting nonsensical and even near-nonsensical passwords takes considerable time. Simple math tells all you need to know. I quit taking math classes after the required College Algebra and Elementary Statistics, and I understand this math. With a simple 6-character, all-lowercase password, there are only 26^6, about 309 million, possible passwords. By increasing the character set and length, you dramatically increase the number of possible passwords the attacker has to compute and compare. Double the length to 12 and draw from all 94 printable ASCII characters (upper- and lowercase letters, numbers, and symbols), and the number of possible passwords soars to 94^12, roughly 4.8 × 10^23. Jump to 16 characters, and you’re up to 94^16, roughly 3.7 × 10^31. Those counts assume every character is chosen at random; a password with a pattern the attacker can model gets none of that protection. It just so happens that I talked about the math in more depth just yesterday over at Rabbit-Hole.
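Here is the attack the previous two paragraphs describe, as an added example in Python rather than code from the original post: a small street-address candidate generator run against a SHA-256 hash of 1600Jefferson!, next to the 94^n keyspace arithmetic. The wordlist, the mangling rules, the choice of SHA-256 and the assumed rate of 1e9 guesses per second are all constructed for illustration. It makes the point concrete: a password that fits a pattern falls in a few thousand guesses regardless of its nominal 94^14 strength, while the keyspace numbers only bound the work against a password chosen at random.

```python
"""Address-style passwords versus random ones (added example, not the post's code).

The wordlist, mangling rules and guess rate below are constructed assumptions;
a real attacker uses far larger lists, but the shape of the attack is the same.
"""
import hashlib
import itertools

# Constructed mini wordlist and mangling rules: a number in front, a street
# name in one of three capitalizations, an optional punctuation mark on the end.
STREET_NAMES = ["main", "oak", "park", "washington", "jefferson", "lincoln", "maple", "elm"]
PREFIX_NUMBERS = [str(n) for n in range(0, 10000, 100)]   # 0, 100, ..., 9900
SUFFIX_PUNCT = ["", "!", ".", "?", "#"]
CASES = (str.lower, str.capitalize, str.upper)


def candidates():
    """Yield every guess the address-pattern script would try, in order."""
    for num, name, punct in itertools.product(PREFIX_NUMBERS, STREET_NAMES, SUFFIX_PUNCT):
        for case in CASES:
            yield f"{num}{case(name)}{punct}"


def candidate_count():
    """Size of the attacker's effective search space for this pattern."""
    return len(PREFIX_NUMBERS) * len(STREET_NAMES) * len(SUFFIX_PUNCT) * len(CASES)


def sha256_hex(password):
    # Plain SHA-256 stands in for whatever hash the attacker captured (assumption).
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash):
    """Run the candidate list against a captured hash.

    Returns (password, guesses_used) on a hit, (None, guesses_used) on a miss.
    """
    guesses = 0
    for guess in candidates():
        guesses += 1
        if sha256_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


def keyspace(charset_size, length):
    """Number of passwords of `length` drawn uniformly from `charset_size` symbols."""
    return charset_size ** length


def years_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try the whole keyspace at a given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    # 1600Jefferson! is 14 characters from the full 94-symbol set ...
    hit, used = crack(sha256_hex("1600Jefferson!"))
    print(f"{hit!r} found after {used} of {candidate_count()} guesses")
    print(f"94^14 would be {keyspace(94, 14):.2e} guesses if it were random")

    # ... while the shorter 16!.Jeff never appears on the list at all.
    miss, used = crack(sha256_hex("16!.Jeff"))
    print(f"16!.Jeff: {miss!r} after {used} guesses")

    # Assumed offline rate of 1e9 guesses/s against a fast, unsalted hash.
    RATE = 1e9
    for size, length in [(26, 6), (26, 8), (94, 8), (94, 12), (94, 16)]:
        print(f"{size}^{length}: {years_to_exhaust(size, length, RATE):.3g} years")
```

The pattern generator is what a strength meter cannot see: 1600Jefferson! scores as a 14-character mixed-class password, yet it is one of only 12,000 strings this list produces. The keyspace figures at the end are the other half of the argument, and they hold only when the password really is a uniform draw from the character set.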

Use passwords that are longer, more complex and more nonsensical than everyone else’s, and at the very least the bad guys will go after the people who follow Dvorak’s advice and stick with simple passwords rather than waste time on you, because their passwords are easier to crack. And complexity is more important than changing them frequently.
Using long, complex passwords is like living on a street where everyone else leaves their doors unlocked and you have a deadbolt. Thieves are going to break into all of the other houses instead of yours.


The best thing to do is to use completely nonsensical passwords and store them in something like LastPass, or generate near-nonsensical passwords that still make sense to you and that you can reconstruct from a hint you can write down and conceal, such as stringing sports statistics together, if you’re a sports fan.
But the rest of what he says, about watching what you say and your photos and what they say about your character and judgment is valid. So watch what you post, and protect it with a reasonable password, more complex than what everyone else uses.