How good is my password? Chances are, not as good as the web site’s strength-o-meter says it is. That’s assuming the site even has a strength-o-meter. Unfortunately, more goes into the quality of a password than just the things the typical web site strength-o-meter measures. Here’s what you need to know, and what you can do about it.
The old assumptions about passwords are no longer valid
The biggest problem with a strength-o-meter is that it just does arbitrary checks. That was good enough a decade ago, when bad guys just cycled through every possibility in alphanumeric order without any thought.
The problem is that sometime around 2008 or 2009, some clever hacker recognized that the passwords he’d managed to guess had a pattern to them. And that makes sense. Human beings love patterns.
Computers aren’t inherently good at recognizing patterns, although there’s a field called machine learning that is getting much better at it. But it’s not especially difficult to turn a pattern into a computer algorithm.
For example, a disturbing number of passwords are just a single capitalized word, followed by a number and a symbol. That formula produces candidates that are at least somewhat easy to remember and that the typical strength-o-meter will flag as strong, and therefore most web sites will accept them.
A computer program to generate every single possibility that meets that formula is easy to write. I could write it in as little as three lines of code, and I’m a lousy programmer.
If your password is in a password list, it’s no longer good
The first penetration tester I ever met told me he collects passwords. His theory was that if one human being uses a password, lots of human beings use the same password. Having analyzed 42 gigabytes of stolen passwords, I agree with his theory. Yes, there is a file of 42 gigabytes of passwords floating around. No, it’s not difficult to find. No, I won’t share it with you. You’ll have to find it yourself, but it will take you longer to download it than it will to find it, because the Internet in the United States is so bad.
If your password is completely random but it’s in that list somewhere, it’s not good. Hackers are trying it.
Here’s how to test it
To test a candidate, first punch it into the web site’s strength-o-meter. A password isn’t useful if a web site won’t accept it. It may be good, but a password also has to be useful.
Once you identify something that the site will accept, test it with Troy Hunt’s Pwned Passwords site. Punching possibilities you’re considering into random web sites that test password strength isn’t a good idea because you don’t know if they’re saving them. Troy Hunt is an internationally known and respected security researcher and developer from Australia who specializes in web site security and breaches.
If Troy Hunt has the candidate you’re considering using, don’t use it. Come up with another one. Here’s how to create a good one.
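Troy Hunt’s Pwned Passwords service is queried by SHA-1 hash, and its range endpoint only ever receives the first five characters of that hash, so the candidate password itself never leaves your machine. The check below is an added example, not code from the original post or from Troy Hunt’s site; the breach corpus and counts in it are constructed so the block runs offline, and the live lookup function is shown only for completeness.

```python
import hashlib
import urllib.request

# Constructed stand-in for the breach corpus: plaintext -> times seen in breaches.
# The entries and counts are made up; only the SHA-1 mapping is real.
CONSTRUCTED_CORPUS = {"password1": 2_000_000, "Summer2019!": 1_500, "letmein": 300_000}


def sha1_upper(password: str) -> str:
    """Pwned Passwords keys everything on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def offline_range_lookup(prefix: str) -> str:
    """Simulate the range endpoint: return 'SUFFIX:COUNT' lines for every corpus
    hash that starts with the 5-character prefix (constructed data, not the API)."""
    lines = []
    for plaintext, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_upper(plaintext)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def live_range_lookup(prefix: str) -> str:
    """Query the real service; only the 5-character prefix is sent over the wire."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_lookup=offline_range_lookup) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    The full hash is compared locally against the suffixes the server returned."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.strip() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password1", "correct horse battery staple"):
        n = breach_count(candidate)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in corpus")
```

Pass `range_lookup=live_range_lookup` to `breach_count` to run the same check against the real service.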
How good is my password? If Troy Hunt has it, it doesn’t matter what the strength-o-meter says.
One more thing
A friend jokingly asked me after I posted this if he needs to quit using “password1” on all his banking websites. The answer, of course, is yes. When it comes to banking, I want your passwords to be complex and unique. But I don’t even want you to use your regular computer to check your bank balance, transfer money, and pay bills. I want you to get a cheap Chromebook and dedicate that to banking and bill paying. Create a burner Gmail account, use it to log into the Chromebook, and save your credentials in the browser so you don’t have to remember them. It’s possible to steal passwords from your browser, but since you’ll only be visiting a handful of sites from the Chromebook and you trust all of them, the risk is minimal.