My Take on Passwords

I’ve been wanting to write about this for quite some time now. There is a lot of effort that is put into making systems secure, and it all goes to waste when you choose a weak password. “123456789” is a weak password, “password” is a weak password, “god” is a weak password, your pet’s name is a weak password. A weak password is anything that can be easily guessed by someone who knows you well, or by a computer. A password that is only a few characters long is a weak password no matter how many symbols or strange characters you use because it can be easily guessed by a computer. Nonetheless, websites all over the web want you to choose a password that is at least N characters or at most M characters; a password that contains symbols, but does not contain your name, or part of your email, or your user name, and the list goes on. This is damn stupid.

Over the years, we’ve been trained to choose really bad passwords. We’ve been led to believe that “m00Npi3” is a strong password because it is over 4 characters long, and has weird characters. Sure, your friends may not be able to guess it, but a computer could do it rather easily. However, we go on about our lives believing that is a good password, and then we use it for everything. Websites all over the web warn us not to use the same password everywhere, but who wants to remember a hundred passwords? Sure, you can use a plugin on your browser that remembers the passwords for you, but what about when you need to access your email from the public library, or from your friend’s house? Good luck!

Yet, we’ve been led to believe this is all for our own good.

I mentioned I’ve been wanting to write about this for a long time, but today PayPal was the last load of crap that I was willing to take before hitting the keyboard. I logged into my account, and PayPal kindly suggested that I should change my password. I started changing my passwords last week, so I thought “hey, perfect timing!”. I clicked the link they provided, and I was taken to a page that asked me to confirm that I was who I said I was by providing either my bank account number, my credit card number, or my debit card number. WTF? Why? I’m already in my account! But OK, let’s just pretend that this actually makes any sense, because after all I could be an attacker trying to hijack someone else’s account. So I filled out my information, and I was taken to another page that asked me for my current password, my new password, and a confirmation of my new password. I went on and entered my new password. PayPal told me that my password was too weak because so far I had entered only letters, but I didn’t mind, I knew the juicy stuff comes in a little bit, but then, all of a sudden PayPal said that I had entered all the allowed characters, which are not many (20). WTF? Why? Why can’t I have a long password, why?!? PayPal just made me less secure by limiting the amount of characters I can use for my password. Are they going to start charging for extra characters now? I would pay 1 cent a piece, no kidding, as long as I could get a longer password, but then that would be something really bad, wouldn’t it? Imagine a company that charges you to let you choose the password you want. Wouldn’t that be something?

Anyway, I decided to leave my current password as it is. Thanks PayPal!

What is the Big Deal

Twenty characters are enough for a password, aren’t they? After all, people want to get 4-letter passwords so they don’t forget them, but that is just stupid. I can see a valid reason to set a minimum amount of characters, but why limit the maximum amount?

You may be wondering why it is such a big deal for me. Let me explain how I set my passwords.

Choosing Long-A** Passwords that You Can Remember

I start by choosing something memorable to me, for example, I really like the movie V, so I may want to use a base for my password like:

Remember remember the fifth of november

The first problem I see is that there are spaces, and for some stupid reason a lot of websites don’t want you to use spaces in your password, so let’s fix that:

Rememberrememberthefifthofnovember

There you have it, 34 freaking characters, and this is just the base of my password. I should note that by removing the spaces I just made it harder to type it, which is a bad thing, I’ll explain why later.

Now that we have a strong base, let’s add a few other characters. I will use a memorable date, for example. Note that I’m just choosing a random date here in this article, but in real life I would choose a really memorable date that few people know, such as the date of your first kiss, if you remember that.

Rememberrememberthefifthofnovember+12092000+

We are now at 44 characters, our password has uppercase letters, numbers, and non-alphanumeric characters. Now this base is easy to remember because I’m using a memorable phrase, and a memorable date, and the strange characters are just separators. In fact, you could use them in the phrase as well:

Remember+remember+the+fifth+of+november+12092000+

49 characters so far. Now, let’s make it unique for each site:

Twitter:

Remember+remember+the+fifth+of+november+12092000+bluebird

Facebook:

Remember+remember+the+fifth+of+november+12092000+oldfirends

Email:

Remember+remember+the+fifth+of+november+12092000+spamspam

Computer:

Remember+remember+the+fifth+of+november+12092000+stupidmachine

Good luck trying to guess those passwords, even with a computer. However, PayPal won’t let me use any of that, what a stingy website. They will only give me 20 characters. What am I supposed to do with that?

Following this recipe makes it easy to create long passwords that are easy to remember, and extremely hard to guess. Not only that, but it makes it easy to change them too. For example, if I wanted to update my twitter password, I could just add something to it, which makes it even stronger:

Remember+remember+the+fifth+of+november+12092000+bluebird+new+fing+password!

That is 76 characters long, and I can guarantee you that I will remember it tomorrow without having to memorize it, because it is made up of stuff that I already know. But I sure won’t remember this:

“SIgz@OHis4!,Erw”

Which is a password generated by a random password generator, which by the way, says that it is “easy” to remember as:

“SIERRA INDIA golf zulu @ OSCAR HOTEL india sierra 4 ! , ECHO romeo whiskey”

WTF?

But a lot of websites recommend that you use one of those random password generators.

Hard to Write, Hard to Remember; Bad Combo

I mentioned before that by not letting me use spaces, websites make passwords harder to write, and that is not good. The reason is that if my password is hard to write I will have to either write it slowly, or attempt to write it a few times. This is bad because it gives people time to see what you type. You should be able to type your long-a** password at lightning speed. I don’t care if your system doesn’t take spaces for some stupid reason, fix that on your end. Get rid of my spaces before sending my password, or even better, fix your stupid system! I should be able to use as many characters as I want, and any of them. The password needs to be easy for me to remember, but harder for people and computers to guess. However, a lot of websites force me to create passwords that are easy for computers to guess and hard for me to remember, and type.

I don’t think there is any need to mention this, but if my password is hard to remember, then I’m already in a bad situation because I will have to write it down somewhere.
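The server-side fix asked for above, as an added Python example that is not from the original post or from any real site's code: a salted scrypt hash is 32 bytes whether the password is 8 or 76 characters long, so the only length rules a site needs are a minimum and a generous cap that bounds hashing work. The policy constants, function names and scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed policy values for this sketch, not taken from any real site.
MIN_CHARS = 8
MAX_CHARS = 1024  # generous cap: bounds hashing cost, far above any passphrase
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # about 16 MiB of memory per hash


def _prepare(password: str) -> bytes:
    """Normalise Unicode so the same phrase typed on any keyboard matches."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def check_policy(password: str) -> bool:
    """Length is the only rule: spaces, symbols and any script are accepted."""
    return MIN_CHARS <= len(password) <= MAX_CHARS


def enroll(password: str) -> tuple:
    """Return (salt, digest) to store; the password itself is never kept."""
    if not check_policy(password):
        raise ValueError("password length outside policy")
    salt = os.urandom(16)
    return salt, hashlib.scrypt(_prepare(password), salt=salt, **SCRYPT)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    if not check_policy(password):
        return False
    candidate = hashlib.scrypt(_prepare(password), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Passwords quoted from the article; the first one keeps its spaces.
    samples = (
        "Remember remember the fifth of november",
        "Remember+remember+the+fifth+of+november+12092000+bluebird+new+fing+password!",
    )
    for pw in samples:
        salt, digest = enroll(pw)
        print(len(pw), "chars ->", len(digest), "stored bytes,",
              "verifies:", verify(pw, salt, digest))
```

Spaces are kept as typed rather than stripped, so the phrase with spaces and the phrase without them are two different passwords.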

Why are We Using Passwords Anyway?

Seriously, why haven’t we come up with a better way? Oh, right, we have. There is OpenID, and Mozilla Persona, to mention a couple, but even those are not the perfect solution. There has to be a better way, and if we look hard enough we will find it. But we’ve settled for less. We have accepted passwords as the one way to do authentication, and to make it worse, we have made it hard for people to use passwords, and we have misguided them to believe that a good password should be hard for them to remember, type, and guess. That is why people think that a random number is a good password, even if it consists of only 5 digits.

There is a lot more I can write about passwords, but the ultimate thought would be that we need to get rid of them. However, as bad as it is, we have to stick to passwords for now, but I wish websites would at least make that easy, and safe.

Finally, you should check out this comic by XKCD:
http://xkcd.com/936/