Why Your Password Is Probably Crap

You're a technical person. You don't need to use a password manager, because you have mastered the art of obfuscating your password so it can never be cracked, right? Wrong! Let's have a chat about why your password is probably crap...

First of all, if you're not running a password manager, why not? It will make your online accounts far more secure than anything you can memorise, but that's a discussion for another post. Let's talk password security.

If you know anything about Cyber Security, you wouldn't be caught dead using a password like Password123, amirite? However, obfuscating your password in such a way as to make it more cryptic for a would-be threat actor is surely the way to go? So Password123 becomes P@$$w0rd123 - IMPOSSIBLE TO CRACK! Look, even How Secure Is My Password says so:

With Password123 entered:

[Screenshot hsimp01: How Secure Is My Password result for Password123]

With P@$$w0rd123 entered:

[Screenshot hsimp02: How Secure Is My Password result for P@$$w0rd123]

Apparently, it will take 400 years to crack P@$$w0rd123. So who cares if someone cracks it, right? None of us will be around by then anyway. Problem is...

It's Not True

41 years to crack Password123, c'mon! If that doesn't prove how useless password strength indicators are, I don't know what will.

We have all been duped into thinking that obfuscated passwords are more secure, and that they make it much more difficult to crack passwords.

The problem is, online strength indicators use very basic mathematics: they count the character classes you used, raise that to the power of the password length to get a keyspace, and divide by an assumed guess rate to work out how long a standard computer would take to brute force the password by exhaustive guessing. Threat actors are more technical than that (shock horror). Nobody starts with exhaustive brute force; cracking tools take a wordlist and apply mangling rules (capitalise the first letter, swap a for @, s for $, o for 0, bolt 123 on the end), and any password list worth its salt (haha salt...get it?) will have the obfuscated versions of common passwords in it already.

Getting a password list with billions of passwords in it is very simple to do. They're easily downloadable from many places online, so don't be thinking you need to be up against a hacking ninja to have your "awesome" obfuscated password circumvented - script kiddies can do this stuff.

So what does all this mean? Well, it means that an obfuscated password like P@$$w0rd123 is just as crap as its non-obfuscated counterpart, Password123, when it comes to real-world password cracking: both fall out of the same wordlist plus a handful of rules, long before anyone has to brute force anything.
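As an added worked example (not part of the original post), here is the gap between the two ways of measuring strength in code. The first function does the keyspace-over-rate sum that online meters do; the second runs a tiny rule-based wordlist attack of the kind hashcat or John would run. The wordlist, the substitution table, the suffix list and the 1 billion guesses/second rate are all constructed here for illustration, not taken from any real list or benchmark.

```python
"""Strength-meter maths versus a rule-based wordlist attack (illustrative, constructed data)."""
import itertools
import string

# Constructed stand-in for a real password list; real ones hold billions of entries.
BASE_WORDS = ["password", "letmein", "qwerty", "welcome", "monkey"]

# Leetspeak substitutions, the sort of thing a cracking rule file expresses.
LEET_KEYS = ["a", "s", "o", "e", "i"]
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}

# Suffixes people bolt on to satisfy "must contain a digit / symbol" policies.
SUFFIXES = ["", "1", "123", "!", "123!"]


def naive_crack_time_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Keyspace / guess rate: the arithmetic an online strength meter does.

    It assumes the attacker knows nothing about the password and must try every
    string of that length drawn from the character classes present in it.
    The guess rate is an assumption chosen for illustration.
    """
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation or c == " " for c in password):
        charset += 33  # printable ASCII punctuation plus space
    return charset ** len(password) / guesses_per_second


def generate_candidates():
    """Yield guesses in the order a rule-based wordlist attack would try them.

    For each base word: three capitalisation variants, every subset of the leet
    substitutions (applied to all occurrences), then each suffix.
    """
    for base in BASE_WORDS:
        for word in (base, base.capitalize(), base.upper()):
            for flags in itertools.product((False, True), repeat=len(LEET_KEYS)):
                mangled = word
                for key, enabled in zip(LEET_KEYS, flags):
                    if enabled:
                        mangled = mangled.replace(key, LEET[key])
                for suffix in SUFFIXES:
                    yield mangled + suffix


def candidate_count() -> int:
    """Total guesses the rule attack makes before giving up."""
    return sum(1 for _ in generate_candidates())


def guesses_until_found(target: str):
    """Guess number at which the rule attack hits `target`, or None if it never does."""
    for n, candidate in enumerate(generate_candidates(), start=1):
        if candidate == target:
            return n
    return None


if __name__ == "__main__":
    for pw in ("Password123", "P@$$w0rd123", "The yellow apple is 12."):
        years = naive_crack_time_seconds(pw) / (365 * 24 * 3600)
        hit = guesses_until_found(pw)
        print(f"{pw!r:28} meter says {years:.3g} years; "
              f"rule attack: {'guess #' + str(hit) if hit else 'not in ' + str(candidate_count()) + ' guesses'}")
```

The meter's estimate for P@$$w0rd123 is larger than for Password123 because the symbols enlarge the keyspace, yet the rule attack finds both within its first few hundred guesses out of a couple of thousand; the constructed passphrase is never produced at all, because no base word in the list leads to it. The ordering of the candidates is deterministic, so the guess numbers are repeatable.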

Here is the same example on Twitter. When I enter Passwrd123 it simply won't accept it and asks me to enter a different password:

[Screenshot twitter-pw01: Twitter rejecting the password]

Change the password to P@$$word123 and not only does Twitter accept it, but it also claims that your password is super secure, by way of a completely filled in (and green) strength indicator to the right of the field:

[Screenshot twitter-pw02: Twitter showing a full green strength bar for P@$$word123]

What's The Answer?

Well, if you want to make your passwords more secure, stop using your crappy passwords and get into the habit of using a passphrase instead.

For example, something random like The yellow apple is 12. is much more secure and probably won't be in any password lists. It's 23 characters long, has a capital letter, numbers and punctuation (full stop and spaces). Plus, it's super easy to remember! The strength comes from the length and from the words being an unpredictable combination, not from the punctuation: a well-known quote, song lyric or film line is in the password lists too, however long it is.

NOTE: do not use that passphrase ANYWHERE, as it's now "out there" and probably added to a password list!

Just think of a random passphrase, not a password, and not a famous phrase either. That will make things much more secure for you. Or, better yet, get a password manager, as there is no substitute for randomly generated, long passwords that are unique to each site.

But still use a passphrase to access your password manager!

I'll leave you with this XKCD cartoon that makes my point succinctly. Maybe I should have saved myself the trouble and just shared this cartoon instead. :)

[XKCD 936: Password Strength]

Are you using obfuscated passwords? If so, please stop. Or, feel free to justify your reason(s) in the comments below.