We all know that password selection is important, but it seems like there should be an easier way of doing it. Instead of racking your brain to come up with passwords that you may forget next week, wouldn’t it be better to come up with a password system that will allow you to create an unlimited number of unique passwords that are virtually hacker-proof and will be easier to remember?
Is there really such a thing as “hacker-proof”? Lots of people think so, and then the next Heartbleed comes around. But at the very least, you can lengthen the odds that anyone would get access to your email, your bank account, your credit card information, and your social media accounts.
First, a Little Hash
To understand the reasoning behind the best practices for hack-resistant passwords, it’s helpful to understand how your login credentials are stored in the databases used by the sites you visit regularly. First of all, your bank, your credit card company, and other sites don’t actually know your password. In fact, they don’t even want to know your password. What they store in their database is essentially your password’s digital thumbprint. That’s safer for you and safer for them. Just as it’s impossible to know what a person looks like by looking at the person’s thumbprint, it’s equally impossible to know what your password might be by looking at its digital thumbprint, or “hash.”
As an example, when you set up online banking, your bank’s server takes the password you provide and runs it through what’s called a “hash algorithm.” The result looks something like this:
5f4dcc3b5aa765d61d8327deb882cf99
It’s this gobbledygook—and not the password itself—that gets stored in the bank server’s database. When you log in the next time, the site takes the password you provide, runs it through the same hash algorithm and then compares that gobbledygook to the gobbledygook stored in the database. Sometimes they do some additional voodoo, “salting” the password (by appending some random characters) and then creating a “salted hash.” It’s easy to see why system administrators are always hungry.
So here’s the thing: the algorithms used to create hashes aren’t a secret. In fact, they’re well known. But there’s safety in numbers. According to super-smart people who know what they’re talking about, the total possible combinations of a standard MD5 hash is 2 to the 128th, which factors out to this unimaginably big number:
340,282,366,900,000,000,000,000,000,000,000,000,000
To get an idea of how large it is, consider this: scientists tell us that our universe is roughly 13.7 billion years old. That works out to something like 432,329,886,000,000,000 seconds. If (somehow) you started calculating all of the possible MD5 hashes roughly half a minute after the Big Bang, and if (somehow) you had enough computing power to calculate a trillion passwords per second, right about now you would have managed to calculate 0.000000127% of the total password/hash combinations.
Current computer technology allows for anywhere between 100,000 to a billion password calculations per second. And it’s getting better all the time. But hackers have already calculated every possible hash for every known dictionary word in every language, for every first and last name in every country, for the name of every character in existing literature. They’ve also factored all of the obvious combinations and variations. So if your password is a dictionary word (like “password” or “goober”), some hacker probably already owns you. The same is true if your password is a variation on a dictionary word (“password123,” “p@s5w0rd,” “g0Ob3r” or “666gOoBeR”), or if you’ve used a variation of a common phrase (“l3tm31n” or “1L0v3y0u”).
How to Create a Really Bad Password
Let’s lay down a few obvious facts about bad passwords:
1. There are bajillions of possible password combinations, but because random combinations of letters and numbers are difficult to remember, only a fraction of those possible possibilities are ever used by actual human beings.
2. Because a password must be remembered to be used, people often resort to sneaky tricks that they think are incredibly clever, but actually are well known to hackers.
FUN FACT: According to a study conducted in 2013, the most common passwords currently in use are…
123456, password, 12345678, qwerty, abc123, 123456789, 111111, 1234567, Iloveyou, adobe123, 123123, Admin, 1234567890, letmein, photoshop, 1234, monkey, shadow, sunshine, and 12345
Follow-up question: Really, people?
Just for fun, let’s assume that you want your password (and consequently your bank account, PayPal account, credit card information, and social media profiles) to be hacked, and all of your sensitive personal information posted on some offshore hacker site. If that’s your goal, here are some of the very best things you can do:
- Use any person’s name (your name or the name of your spouse, child, parent, pet, close friend or co-worker)
- Use a place name, such as the city or state you live in, or the street where you grew up.
- Use any word that’s in any dictionary, in any language (even Klingon)
- Use the name of any character in any movie, video game or work of fiction currently in existence
- Use a common phrase, like “iloveyou” or “letmein”
- Use any of the above, with common number/special character substitutions (“G@nda1f” or “p@S5w0rd”)
- Use repeated characters or well-known patterns (“aaaaaaaaaaa” or “1234567890” or “qwertyuiop”)
- Use any of the above, with a single number or character added (“1234567890a” or “qwertyuiop!”)
- Use any of the above, with the letters reversed
If you use any of the strategies above, you’re pretty much assured that anyone who wants to rip you off can do so at any time. On the other hand, if you want to create hacker-proof passwords, read on for some good strategies.
Best Practices for the Best Passwords
If you want to create passwords that aren’t likely to be cracked in the next couple trillion years, you have to follow two simple rules:
1. The longer and the more random, the better.
2. Use a different password for every account or website.
Many people will see this and think, “There’s no possible way that I can remember a separate super-long password for every website or account I use!” And that’s absolutely correct. The trick is creating a system that will allow you to remember parts of passwords, and combine them in ways that make sense only to you. This means creating a sort of “formula” that you use to build passwords. If you can remember the formula and how to build the various pieces, you can create some really long, really unique passwords.
Remember back in second grade when you learned about how words were constructed? You might recall that many words have a “root” with “prefixes” and “suffixes” that change the meaning. For example, you can take the verb “establish” and tack on the suffix “-ment” onto the end, coming up with the noun “establishment.” If you know the rules of prefixes and suffixes, it’s relatively simple to break “antidisestablishmentarianism” into individual pieces and figure out what the heck it means.
In the same way, you can create password “roots” and “prefixes” and “suffixes” and arrange them to create a multitude of very long, very unique passwords for multiple sites. Here are some of the building blocks you might consider:
→ Pick a base that you won’t forget. [BASE]
Here’s where it’s okay to have a system. Maybe you like Disney movies, so you want to use the names of the Seven Dwarfs in rotating order. By themselves, “Dopey” and “Grumpy” and especially “Doc” would be downright awful passwords. But we’re not done yet—not by a long shot.
→ Use a random word, broken into pieces. [RAN] and [DOM]
The word “jentacular,” according to my dictionary, means “of or pertaining to breakfast.” It’s not a common word, but since it’s actually in the dictionary it would make a remarkably lousy password. However, when broken in half and combined with some other stuff, it would be a great addition to a password algorithm.
→ Use words that change with the times. [TIMEWORD]
“They” say we’re supposed to change passwords every couple of months or so. What if you chose a different 10-letter word for each quarter of the year? For example, you could use “squeezable” from January to March, then switch to “unmuzzling” for April through June, leaving “skyjacking” and “complexify” for the third and fourth quarters. Just for fun, let’s assume that you’ll capitalize the last letter of these words.
→ Use some letters from the name of the website or service. [URLSNIPPET]
Though it’s never a good idea to use a website URL as your entire password, you can use some letters from a website as a way to make each of your passwords unique to each site. You might take the first five letters, the first five consonants, or even the first five vowels. If you go that route, be sure to create a rule to account for short URLs. For example, if you’re logging in to “go.com” and your pattern calls for five consonants, you might end up with “gbcdf.”
→ Throw in a random number that you won’t forget. [RANDNUM]
A memorable number, by itself, makes a lousy password. But a number that you won’t forget can be a great addition to a password algorithm. You might choose 1066 (the year of the Norman Conquest) or 1989 (the year the Berlin Wall fell) or 753BC (the year Rome was founded) or perhaps 1905 (the year Einstein published his special theory of relativity).
→ Glue the elements together in a way you’ll remember.
Note that you don’t have to use all of the strategies above. But let’s assume that you wanted to. There are lots of ways we could put together the elements of your password:
- [RAN] + [BASE] + [TIMEWORD] + [RANDNUM] + [URLSNIPPET] + [DOM]
- [TIMEWORD] + [RAN] + [BASE] + [URLSNIPPET] + [RANDNUM] + [DOM]
- [RAN] + [RANDNUM] + [BASE] + [URLSNIPPET] + [DOM] + [TIMEWORD]
- [RAN] + [URLSNIPPET] + [DOM] + [BASE] + [TIMEWORD] + [RANDNUM]
- [BASE] + [RAN] + [TIMEWORD] + [DOM] + [RANDNUM] + [URLSNIPPET]
Say you’re using “Happy” as your dwarf-inspired base, “jentacular” as your random split word, “squeezable” as your changeable time word, and “1776” for your random number. Suppose that your “URL snippet” strategy involves taking the whole domain and putting the first letter (capitalized) at the end. Let’s also assume that you’re trying to come up with passwords for Gmail, Yahoo and Paypal. Assuming you’re using the first algorithm above, you’d end up with the following passwords:
- Gmail: jentHappysqueezable1776mailGacular
- Yahoo: jentHappysqueezable1776ahooYacular
- PayPal: jentHappysqueezable1776aypalPacula
You’ll note that the MD5 hashes for these similarly constructed passwords don’t bear even the slightest resemblance to each other:
- Gmail: d41d8cd98f00b204e9800998ecf8427e
- Yahoo: 1afc3b42caea02867ed5c849f8f42722
- PayPal: 57137c6a635767c2f0bfe70c65e0dfcd
Now, you might be thinking, “Whoa—34 is a lot of characters!” That’s true. You don’t necessarily need all of those elements in your password. Pare it down to [RAN] + [BASE] + [URLSNIPPET] + [DOM] and you still get a password for your Gmail account that’s both longer and more random than most people would ever even think of using: jentHappymailGacular.
According to the website howsecureismypassword.net, it would take a desktop PC 165 quadrillion years to crack the password “jentHappymailGacular.” Of course, “jentHappysqueezable1776mailGacular” would take even longer: 69 tredecillion years. In technical terms, 165 quadrillion and 69 tredecillion are both exactly a “boatload.” In practical terms, though, 165 quadrillion years and 69 tredecillion years both equal “never.”
Just One Sample Strategy
This is just one possible way to put together good passwords for all of the sites you use. Whatever strategy you choose, make sure the resulting passwords are as long as possible and unique to each site or account. If you follow those two simple rules you should end up with login credentials that should keep hackers out of your data—at least for the next trillion trillion years.
Resources:
You can hash any string here: http://www.md5hashgenerator.com/
Test your passwords here: https://howsecureismypassword.net/
Another password tester: http://www.passwordmeter.com/
