UPDATE: The Dropbox password strength meter explained in this post has been added to WordPress 3.7. You can read an article about it on WP Tavern.
Which password looks more secure to you?
If you thought the first one was more secure, think again. As it turns out, the first can be cracked within 7 seconds. The latter will take centuries.
TL;DR – skip to the how to fix it part
Leetspeak bad m’kay?
The thing is, we’ve gotten used to password suggestion systems. For example, quite a few websites suggest using at least one capital letter, a number, etc. In reality what happens is that people start to replace letters with numbers: “safepassword” becomes “5af3passW0RD”. Again, most people think of “5af3passW0RD” as a safe password. This substitution of letters with numbers and symbols is called leetspeak. It looks pretty difficult to most people, but it is extremely simple for computers to crack. Using leetspeak in passwords is a bad idea.
So why is a password like “myneighbourscateatsdogfood” so much harder to crack?
To explain I’m quoting from Dan Wheeler’s research on this topic:
Strength is best measured as entropy, in bits: it’s the number of times a space of possible passwords can be cut in half. A naive strength estimation goes like this:
    # n: password length
    # c: password cardinality: the size of the symbol space
    #    (26 for lowercase letters only, 62 for a mix of lower+upper+numbers)
    entropy = n * lg(c) # base 2 log
This brute-force analysis is accurate for people who choose random sequences of letters, numbers and symbols. But with few exceptions (shoutout to 1Password / KeePass), people of course choose patterns — dictionary words, spatial patterns like qwerty, asdf or zxcvbn, repeats like aaaaaaa, sequences like abcdef or 654321, or some combination of the above. For passwords with uppercase letters, odds are it’s the first letter that’s uppercase. Numbers and symbols are often predictable as well: l33t speak (3 for e, 0 for o, @ or 4 for a), years, dates, zip codes, and so on.
As a result, simplistic strength estimation gives bad advice. Without checking for common patterns, the practice of encouraging numbers and symbols means encouraging passwords that might only be slightly harder for a computer to crack, and yet frustratingly harder for a human to remember. xkcd nailed it:
How to fix it?
Secure password methods
Method 1 – High entropy through multiple (common) words
If you need secure passwords (who doesn’t?), don’t use difficult-to-remember leetspeak but concatenate several easy-to-remember words. Random, unrelated words work best. To be sure, test your passwords. Check out this password test page, also by Dan Wheeler:
Method 2 – Random high entropy
If you need even better passwords for high-security situations, you can use https://entima.net/random/ to generate a password with extremely high entropy for you. The generated passwords aren’t easy to remember, but they are generated from entropy gathered from random mouse movements. This method is regarded as top of the line by security experts.
For most people I would recommend the first method.
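To make the difference between the naive estimate and a pattern-aware one concrete, here is a small Python script I’ve added as an example. It is not code from this post, from WordPress or from Dan Wheeler’s zxcvbn. It computes the n * lg(c) estimate from the quote, then does what a cracker’s rule set does: it undoes the leetspeak substitutions and checks whether what is left is just a few dictionary words. The word list, the assumed dictionary size of 30,000, the one-bit-per-variant cost for each leet or upper-case character and the guess rate of 10 billion per second are all made-up assumptions for illustration; a real checker like zxcvbn ships a much larger ranked list and a more careful model. The last two functions generate passwords for method 2 (random characters) and for method 1 done properly (random words), because the entropy formula only really holds when the choice is random.

```python
import math
import secrets
import string

# Constructed sample dictionary: a stand-in for the ranked word lists a real
# checker (e.g. zxcvbn) ships with. WORDLIST_SIZE is an assumed dictionary
# size used to cost each matched word; both are illustrative values.
WORDS = {"safe", "password", "pass", "word", "my", "neighbours",
         "cat", "eats", "dog", "food"}
WORDLIST_SIZE = 30_000

# Common leetspeak substitutions a cracker's rule set reverses for free.
LEET = {"4": "a", "@": "a", "3": "e", "0": "o", "1": "i", "!": "i",
        "$": "s", "5": "s", "7": "t"}


def cardinality(pw: str) -> int:
    """Size of the symbol space implied by the character classes in pw."""
    c = 0
    if any(ch.islower() for ch in pw):
        c += 26
    if any(ch.isupper() for ch in pw):
        c += 26
    if any(ch.isdigit() for ch in pw):
        c += 10
    if any(ch in string.punctuation for ch in pw):
        c += len(string.punctuation)  # 32 printable ASCII symbols
    return c


def naive_entropy(pw: str) -> float:
    """The brute-force estimate from the post: n * lg(c), in bits."""
    return len(pw) * math.log2(cardinality(pw))


def unleet(pw: str) -> str:
    """Undo leet substitutions and case: the first thing a cracker tries."""
    return "".join(LEET.get(ch, ch) for ch in pw).lower()


def segment_words(s: str):
    """Split s into the fewest dictionary words (dynamic programming).
    Returns the word list, or None if s is not made of dictionary words."""
    best = [None] * (len(s) + 1)   # best[i]: fewest-word split of s[:i]
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in WORDS:
                cand = best[j] + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(s)]


def pattern_entropy(pw: str) -> float:
    """Pattern-aware estimate (assumed cost model, not zxcvbn's exact one):
    each dictionary word costs lg(WORDLIST_SIZE) bits and every character the
    attacker must also try as a leet or upper-case variant adds one bit.
    Falls back to the naive estimate when no word pattern is found."""
    plain = unleet(pw)
    words = segment_words(plain)
    if words is None:
        return naive_entropy(pw)
    variants = sum(1 for a, b in zip(pw, plain) if a != b)
    return len(words) * math.log2(WORDLIST_SIZE) + variants


def crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password at an assumed offline guess rate."""
    return (2 ** bits / 2) / guesses_per_second


def random_password(length: int = 16) -> str:
    """Method 2: uniformly random characters, so n * lg(c) really applies."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, count: int = 4):
    """Method 1 done right: words picked uniformly at random from a list.
    Returns the phrase and its true entropy, count * lg(len(wordlist));
    with the toy list above that is only about 13 bits, which is the point:
    the list has to be large for this to work."""
    phrase = "".join(secrets.choice(wordlist) for _ in range(count))
    return phrase, count * math.log2(len(wordlist))


if __name__ == "__main__":
    for pw in ("5af3passW0RD", "myneighbourscateatsdogfood", random_password()):
        n, p = naive_entropy(pw), pattern_entropy(pw)
        print(f"{pw:30} naive {n:6.1f} bits  pattern-aware {p:6.1f} bits  "
              f"~{crack_seconds(p):.3g} s at 1e10 guesses/s")
    phrase, bits = random_passphrase(sorted(WORDS))
    print(f"{phrase:30} random words from a {len(WORDS)}-word list: {bits:.1f} bits")
```

Run it and the leet password drops from about 71 bits (naive) to about 36 bits once the substitutions are reversed and “safe” + “password” are found, while the six-word phrase keeps close to 90 bits even under the dictionary model. Swap the toy word list for a real one and the numbers change, but the ordering does not.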
Final advice: Always test your passwords before using them!
Michiel Heijmans says
I really wonder what l33t speak and non-english (like dutch) words do for this. I can imagine that to be a whole different ballgame – what do you think, Daan?
Daan Kortenbach says
With dictionary attacks it’s easy for computers to substitute letters for leetspeak equivalents.
A becomes 4 or @
E becomes 3
S becomes $
And so on… It doesn’t matter which language.
Maybe some obscure oriental language gives better protection but it’s easier to just use a safer – and easier to remember – password 😉
James Dunn says
Why no ASCI (spelling?)?
So, a “random” password that is nine digits long with capital letters, numbers, and asci would be stronger or weaker than three random words?
(No, that isn’t a password I use. haha)
Daan Kortenbach says
ASCII is fine to add of course. Just don’t substitute characters.