It’s not surprising that Colin Powell, retired general and former Secretary of State, thinks that Donald Trump is a disgrace. That was among the less surprising revelations from the e-mails that were leaked after his account was hacked.
I don’t think his password was cracked by a dictionary attack or anything like that. Still, it’s a good idea to review passwords, especially considering that a lot of people are still using ridiculously simple passwords like “password” or “drowssap.”
Four years ago, I wrote some password tips for the WSU College of Engineering. Some of what I wrote back then is still true today. But back then I did not know one thing that makes passwords a lot better than anything I could think of at the time. I will get to that later.
Back then, I think I knew about howsecureismypassword.net, which rates passwords by estimating how long a computer would take to crack them. I will now run some of the example passwords I gave four years ago through that password strength meter:
Some sample terrible passwords and how long to crack them

| Password | Time to crack (per the meter) |
| --- | --- |
| drowssap | Instantly cracked, in the top 660 common passwords |
| 7ujm6yhn5tgb | 4 years to crack, provided no one thinks to look at a QWERTY keyboard |
| 321654987 | 25 milliseconds |
| 1332211185 | 300 milliseconds, probably about the same for the protagonist of The Da Vinci Code |
| 235711131719 | 25 seconds |
| roysterer | 2 minutes |
| foshizzle | 2 minutes also |
| [expletive]you | Instantly cracked, in the top 30 common passwords |
| nieghbor | 5 seconds, the same as if it was spelled correctly |
| n31ghb0r | A minute |
| ashley | Instantly cracked, in the top 65 common passwords |
| tomato7 | 2 seconds |
| 2corinthians | 4 years, provided no one thinks you’re terribly religious |
| clawson& | 3 minutes |
| Schwindler | A month, assuming no one thinks to try using a German dictionary |
| Tomato | Instantly cracked, in the top 2,725 common passwords |
Not bad for the Corinthians, huh? To make matters more difficult, security experts recommend having a different password for each website. For example, you have one password for Twitter and an entirely different password for your credit union online banking.
The solution I came up with back then involves coming up with a base password and then varying it for different websites. This leaves a lot to be desired, but it does look impressive when put through the password strength meter:
Some password variations

| Website | Password | Time to crack (per the meter) |
| --- | --- | --- |
| WSU Access ID | wMaewsutl8#hoj | 204 million years |
| Michigan First Credit Union online banking | wMaetl8#hmfcuoj | 16 billion years |
| Facebook | wMafacebooketl8#hoj | 552 quadrillion years |
| USAJobs application website | wMaetluSa8#hoj | 204 million years |
| Amazon.com | wMaetlamaZon8#hoj | 93 trillion years |
| Blogger | wMaetl8#hobloggerj | 7 quadrillion years |
| Pandora Radio | wMaPandoraetl8#hoj | 7 quadrillion years also |
But these are worthless if you can't remember them. You might forget where the site name goes, erroneously enter “wMaetl8#mfcuhoj” or “wMaetl8mfcu#hoj” at the Michigan First website, and run out of tries and get locked out.
Back then I even suggested choosing password strength according to the importance of the website. You might use “passwordy1” (crackable in one day) for Pandora but “xqJh8^wrugYz7” (crackable in 3 million years) for online banking, for example.
The threat of phishing
How hard a password is to crack by dictionary attack is irrelevant if scammers can trick you into giving them your password of your own free will. They've gotten very sophisticated, and combined with spoofing, phishing can be devastating. Even I have fallen for it.
A few weeks ago, Elliot Moore, Director of the Detroit Medical Orchestra, sent me a document through Dropbox. It seemed very strange, since he should know very well that I will never join his entourage of sycophants, and I should know he’s never going to want to conduct any of my music with any orchestra whatsoever.
Since he’s the one contacting me, I should listen to what he has to say. So I clicked on the link to Dropbox and was greeted by the password entry page. Instead of checking that it was a real Dropbox page, I fretted that I would probably have to reset my Dropbox password because I couldn’t remember the damn thing on account of not having used it in months.
I hit Enter and was faced by a document from California state laws. Why the hell would Elliot Moore send me this document? The answer is that he wouldn’t. That’s when I realized I had been had.
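The check skipped in that story is the one that beats a spoofed login page: before typing a password, confirm that the link actually lands on the site you think it does. The Python function below is an added example (not the author’s code and not anything Dropbox provides) of the mechanical part of that check on the URL alone. The sample links and the `.example` domains in them are constructed for the demo, and the host comparison is label-based with no public-suffix handling, which is enough for the tricks it is meant to catch.

```python
from urllib.parse import urlsplit

# Constructed sample links of the kind that arrive in a "shared a document with you" e-mail.
SAMPLE_LINKS = [
    "https://www.dropbox.com/s/abc123/contract.pdf",          # what a real share link looks like
    "http://www.dropbox.com/s/abc123/contract.pdf",           # right host, no TLS
    "https://dropbox.com.files-share.example/login",          # expected name as a subdomain of another site
    "https://www.dropbox.com@files-share.example/login",      # expected name in the user-info part
    "https://www.dropb\u043ex.com/login",                     # Cyrillic 'о' in place of Latin 'o'
    "https://files-share.example/dropbox/login",              # expected name only in the path
]


def check_link(url: str, expected_domain: str) -> list:
    """Return the reasons a link should not receive the expected site's password (empty list = looks right).

    The host test is label-based: 'dropbox.com.files-share.example' is not under 'dropbox.com'.
    A production check would also consult the public suffix list; that is left out here.
    """
    parts = urlsplit(url)
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # In 'www.dropbox.com@files-share.example' everything before '@' is user info, not the host.
        reasons.append("user info before the host")
    host = (parts.hostname or "").lower()  # .hostname already strips user info and port
    if not host.isascii():
        reasons.append("non-ASCII characters in host (possible homoglyph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host")
    if host != expected_domain and not host.endswith("." + expected_domain):
        reasons.append(f"host {host!r} is not under {expected_domain!r}")
    return reasons


def safe_to_enter_password(url: str, expected_domain: str) -> bool:
    """Convenience wrapper: True only when no reason was found."""
    return not check_link(url, expected_domain)


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = check_link(link, "dropbox.com")
        print(f"{'OK ' if not verdict else 'NO '} {link}  {verdict}")
```

The function only inspects the link; it does not fetch it. The human part of the check remains: a login page reached from an unexpected e-mail deserves a fresh visit to the site by typing its address, not a password typed into whatever page the link opened.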
Let's say I thought my Dropbox password was “wMaedropboxtl8#hoj.” To be clear, none of the passwords shown on this page are passwords I have actually ever used.
If my online banking password was “wMaeMichigan1sttl8#hoj,” then I would have to consider that one compromised as well. At least I could hope that the scammers would not be able to figure out the answers to the security questions.
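Why the banking password has to count as compromised too, and why the base-plus-site-name scheme from the table earlier “leaves a lot to be desired”: once one password leaks, the site name can be stripped out of it, and the passwords for every other site differ from the result only by which name was inserted, with what capitalization, at which position. The Python script below is an added example, not the author’s code, that walks through that recovery. The leaked site and password are constructed for the demo; the base it recovers, wMaetl8#hoj, is what the table’s passwords share once their site tokens are removed.

```python
import re
from typing import Optional, Tuple, List

# Constructed leak: one site's password becomes known (phished, or dumped from a breached site).
LEAKED_SITE, LEAKED_PASSWORD = "dropbox", "wMaedropboxtl8#hoj"


def recover_base(password: str, site: str) -> Optional[Tuple[str, int]]:
    """Strip the site name (any capitalization) out of a leaked password.

    Returns (base, offset of the site name) or None if the name does not appear in it.
    """
    m = re.search(re.escape(site), password, re.IGNORECASE)
    if m is None:
        return None
    return password[:m.start()] + password[m.end():], m.start()


def case_variants(token: str) -> List[str]:
    """Spellings of a site token the scheme tends to use: lower, UPPER, and one capital anywhere."""
    t = token.lower()
    variants = [t, t.upper()] + [t[:i] + t[i].upper() + t[i + 1:] for i in range(len(t))]
    return list(dict.fromkeys(variants))  # drop duplicates, keep order


def candidates(base: str, site_names: List[str]) -> List[str]:
    """Every password the scheme could produce for a target site: each token at each position."""
    out, seen = [], set()
    for name in site_names:
        for token in case_variants(name):
            for pos in range(len(base) + 1):
                pw = base[:pos] + token + base[pos:]
                if pw not in seen:
                    seen.add(pw)
                    out.append(pw)
    return out


if __name__ == "__main__":
    base, offset = recover_base(LEAKED_PASSWORD, LEAKED_SITE)
    print(f"base {base!r} (site name was at offset {offset})")
    for site, names in [("Amazon", ["amazon"]), ("Michigan First", ["mfcu", "michigan1st"])]:
        guesses = candidates(base, names)
        print(f"{site}: {len(guesses)} candidates, e.g. {guesses[:3]}")
```

For the Amazon entry in the table, 8 capitalizations times 12 insertion points is 96 candidates, a list that is exhausted in a fraction of a second offline and is small enough to be worth trying even against an online login with lockout. The meter’s “93 trillion years” never enters into it, because the attacker is not searching the full alphabet.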
A better way
Charles R. Greathouse IV, one of the Editors-in-Chief of the On-Line Encyclopedia of Integer Sequences (OEIS), pointed me to a much better way, complete with XKCD cartoon. Simply string together a few random words and put them all in lowercase.
However, many websites require passwords to include at least one uppercase letter, at least one number, and some, much to my annoyance, at least one non-alphanumeric character (like “#” or “]”).
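The strength of a word-based password comes from how many words there are and how big a list they were drawn from, not from the letters themselves: n words chosen uniformly at random from a list of N gives n·log2(N) bits. The Python script below is an added example (not the author’s code and not the XKCD method verbatim) that draws the words with the operating system’s random source, reports the entropy, and then satisfies the uppercase/digit/symbol rule the paragraph complains about without hurting memorability. The 16-word list is constructed for the demo; a real list such as the EFF large wordlist has 7,776 words, and the symbol set is an assumed subset that most sites accept.

```python
import math
import secrets
import string
from typing import List

# Constructed 16-word demo list (4 bits per word). A real 7,776-word list gives 12.9 bits per word.
WORDS = [
    "pilot", "mallow", "stone", "temple", "horse", "women", "battery", "staple",
    "peat", "griffin", "tomato", "neighbor", "money", "apocalypse", "clawson", "kids",
]
SYMBOLS = "!#$%&*+-=?@^_~"  # assumed subset of punctuation that sites rarely reject


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words drawn independently and uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from this list that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(n_words: int = 4, words: List[str] = WORDS) -> List[str]:
    """Draw words with the OS CSPRNG; random.choice is seedable and must not be used for secrets."""
    return [secrets.choice(words) for _ in range(n_words)]


def meets_policy(pw: str, min_len: int = 12) -> bool:
    """The composition rule many sites impose: an uppercase letter, a digit, a symbol, and a minimum length."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def decorate(words: List[str]) -> str:
    """Satisfy the composition rule while keeping the phrase readable.

    Capitalizing one word and appending a random digit and symbol adds only about
    log2(len(words)) + log2(10) + log2(len(SYMBOLS)) bits; the words carry the strength.
    """
    words = list(words)
    i = secrets.randbelow(len(words))
    words[i] = words[i].capitalize()
    return "".join(words) + secrets.choice(string.digits) + secrets.choice(SYMBOLS)


if __name__ == "__main__":
    chosen = passphrase(4)
    print(" ".join(chosen), f"({entropy_bits(4, len(WORDS)):.1f} bits from this demo list)")
    print(decorate(chosen), "meets policy:", meets_policy(decorate(chosen)))
    print("words needed for 80 bits from a 7,776-word list:", words_needed(80, 7776))
```

Four words from the 7,776-word list are about 52 bits, which is out of reach of online guessing and costly offline against any slow password hash; the demo list here is far too small to use for real. Note also that the decoration step is what the site’s rule demands, not what makes the password strong, so there is no reason to make it elaborate.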
Some strong passwords that are easy to remember

| Password | Time to crack (per the meter) |
| --- | --- |
| correcthorsebatterystaple | Instantly cracked, but only because it appears in the XKCD cartoon |
| pilotsmallowstonetemple | 277 trillion years |
| horsewomen4oftheApocalypse | 32 octillion years |
| 0kids&3moneywishIhad | 43 quintillion years |
| peatearGriffinfastizio | 45 quintillion years |
Despite the terrible result for “correcthorsebatterystaple,” I’m still including it because it helps make the point that you should not use passwords given as examples in essays such as these, even the examples of great passwords. What you should take away are the general principles embodied by the sample passwords.
I believe that the password strength meter website was originally meant as a service to the online public. But now it’s definitely an advertisement for Dashlane, a password manager.
And sure, Dashlane has its testimonials from computer gurus like Missing Manuals author David Pogue. I’m not yet ready to trust a password manager; I’m still skeptical. Though it certainly would be nice all those times when I have to do something in a website I haven’t used in months.
The moral of the story here is one that certain federal agencies (and some organizations closely allied to the federal government, like FedLoan) need to hear and heed.
Short passwords with numbers and special characters, like “xqJh8^wrugYz7,” may take millions of years to crack but can easily be forgotten. Simpler (though longer) passwords like “horsewomen4oftheApocalypse” take even longer to crack yet are easier for the authorized user to remember.