Why Multi-Word Phrases Make Better Passwords Than Gibberish

We've always argued that the most secure password is one you don't even know and is basically incomprehensible. Security expert Thomas Baekdal argues that these incomprehensible passwords — while secure — are not as secure as a more memorable and simple phrase. In other words, "this is fun" is a more secure password than "s$yK0d*p!r3l09ls". Here's why.

Baekdal points out that the three most common methods of cracking passwords — brute-force, common-word and dictionary attacks — are only useful if the password can be cracked in a reasonable amount of time. If a password can be cracked in a few minutes, it's not a terribly secure password. If it can be cracked in about a month, that's still a while but not entirely secure. A year is where you can start feeling secure, but the best passwords take a lifetime to crack. Baekdal states that a gibberish password, like "J4fS<2", will take about 219 years to crack using a brute-force attack (the fastest method). That's secure for life, but it's not terribly easy to remember. On the other hand, a phrase like "this is fun" would take about 2537 years to crack using a brute-force attack. It's not only more secure, but also easier to remember.

This happens because of the spaces, which count as special characters (you could use "-" or "!" instead of spaces if you wanted to). Uncommon words also increase the complexity, so if you want your password to outlive the human race you could use something like "fluffy is puffy".

Baekdal's article spurred a lot of debate and plenty of questions, many of which he's answered. While you are certainly more secure if nobody — not even you — knows your passwords, you still need a master password that you have to remember. If you want a password that's remarkably easy to remember, this is a great way to get one.

The Usability of Passwords [Baekdal]


Comments

    Interesting choice for Lifehacker to run this only a month after "The Only Secure Password Is The One You Can’t Remember"!

    It makes a good headline, but unfortunately this one makes numerous assumptions that are wrong by an order of magnitude. Here's the disambiguation: http://troy.hn/h26HSC

      I quite enjoyed your piece, you managed to put into words the main point I disagree with: It's assuming that you're using this password for a web interface and that an attacker must use the same web interface to find your password. In those scenarios, almost all (decent) web services have a max-password limit or forced timeouts after a small number of tries, and any password even mildly complex will be acceptably secure.

      However, as soon as the attacker isn't using the web interface - it's your password for your local computer or phone, or he gets his hands on the hash - the problem is completely different, and any password can be broken several orders of magnitude faster.

      For the web, password reuse is a much bigger problem than password complexity. At some point, one of your passwords will be compromised - by phishing, by the password hashes for the site being stolen, or by plain carelessness (you needed your friend to check facebook for an address, you had the password in a text on your phone and then lost it). When somebody eventually gets your password, make sure they can't own your life.

    Thomas Baekdal is in no way a 'Security expert' as this article suggests, not even Thomas himself makes this claim.

    Really bad advice Adam!!

      How is it bad advice if it works? My Facebook password is a seven word phrase, which would take about a decillion years to crack (according to that cool website whose URL I've forgotten). Of course, you could accidentally say the password to someone else, but then it wouldn't be a flaw in the password would it?

        How can you claim it works if no hacking tools have ever been used against your password yet? I agree with Steve.

    There's also the assumption that you don't change your password. Changing a password will effectively force someone to restart a brute-force attack.

    Article writer means well and makes a few good basic points but this is a case where a little knowledge can be a dangerous thing, esp when presented to "everyday people" in the guise of an "expert" in the field.

    For starters... this article was written some YEARS ago... BEFORE things like LastPass existed... that have since SOLVED the problems the author is trying to "fix".

    If you are interested in the analysis of the article, and its premise, by a real security expert... listen to (or read the transcript of) Ep #297 of the Security Now! podcast.

    Once more... LastPass has since SOLVED this problem of having to generate, record, remember, write down or re-type insanely long, random and SECURE passwords (and other information)...

      Tim,

      but what would happen if someone gets access to your LastPass account - that would compromise not just one or two passwords - but ALL OF THEM!

        Only if the master password is also exposed. So it's a trade-off to be made: reused, weak passwords that you can easily remember versus strongly encrypted centralised passwords with a single master password. The former is far more likely to be exploited and, due to the prevalence of reuse, potentially take other accounts with it. The latter is far less likely to be exploited, but if it is, it takes all your passwords.

    According to http://howsecureismypassword.net/ 'this is fun' would take 169 days to crack.

      and it would take

      About 3 minutes

      for a desktop PC to crack the J4fS<2 password according to the same website

        that's because the website in question only rates the passwords based on a brute-force attack. 'this is fun' is the perfect target for a multi-word dictionary attack, while 'J4fS<2' is pretty much brute force or nothing.

        (Yes yes, rainbow tables etc)

      Yeah, I'm not too sure how accurate that website is. Apparently it would take 8 thousand years to crack a password consisting of only 14 letter a's. I'm pretty sure that's one of the first things a brute-force attack does.

        Not necessarily, as the attack could start with a lower number of characters (e.g. 8), cycle through the lot, then start on a group of 9, etc.

        Still, I have to agree 8 thousand years seems a wee bit rich.

      Uhh I hope no one is stupid enough to attempt to test their real passwords on this website... hello people... it's probably a scam to create a database to compile the most commonly used passwords in real life!

    This was basically completely debunked in the Security Now podcast #297

    http://twit.tv/sn297

    Transcript: http://www.grc.com/sn/sn-297.pdf

    The article is fairly misleading in that it suggests that making a group of common words is actually more secure than a "gibberish" password. The reason the "this is fun" password takes longer to brute-force than the gibberish password in their example is purely because of the relative length of the passwords; "this is fun" is 11 characters vs. the 6-character "J4fS<2" password.

    If someone selects an 11 character password containing uppercase, lowercase, numbers & symbols it would be more secure than the "this is fun" password.

    According to the website:
    'WTF is this' would take 952 years
    adding a ? increases it to 720 thousand years

    Henceforth my password will be 'setec astronomy'. I'd rather boycott password entirely but this is as close as I'm going to get. I hope all those l33t hackers enjoy being me.

    Umm, doesn't whitespace fail most password validations? I don't know if you could have spaces in passwords?

      Some sites don't allow white spaces. Then again, some sites don't allow (or at least recognise) changes in case and others won't even allow characters that aren't numbers. There's a bunch of examples of similar lousy password practices here: http://troy.hn/dJbdTU

    +1 for Lastpass being an actual usable solution.

    I agree this is a very disappointing article from Lifehacker.

    It doesn’t seem like the author has a grasp of why a longer password takes longer to brute force open.

    If you use the entire password space, then a random string of characters should theoretically take longer to brute force open than a string of equivalent length of prose.

    Each digit in length adds a factor to the number of combinations needed to brute force it open.

    Number of combinations = number of valid characters ^ password length

    For example:
    Valid characters = 0 or 1 (yay binary)
    Yields…
    2^1=2 combinations for a one digit password.
    2^2=4
    2^3=8
    2^6=64
    2^8=256
    2^11=2’048

    Let's assume that the correct password is always the last one so that each combination set has to be fully tried; this is the worst possible case for someone trying to brute force your password (but the best for you).

    So if you could try one password a second, it would take you just over a minute to try all combinations for a 6 digit length / 2 valid character password. This is equivalent to the first example “J4fS<2”.

    Trying one password a second for an 11 digit length would take 34 minutes. This is the second example "this is fun".

    There are 95 printable characters in the standard ASCII set so let's do the numbers again.
    95^1=95
    95^2=9’025 wow already 4 times more than the 11 digit binary password!
    95^3=857’375
    95^6=735’091’890’625
    95^8=6’634’204’312’890’625
    95^11= 5’688’000’922’764’599’609’375 (5.68 sextillion. Ha Ha… notation)

    The 11 digit length is 7’737’809’375 (7.73 Billion) times larger than the 6 digit length.

    Trying 1’000’000 combinations per second would take 180’245’723 Years to brute force an 11 digit length password, for the 6 digit one only 8.5 Days.
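The arithmetic in the comment above, and the article's comparison of "J4fS<2" with "this is fun", both rest on the same worst-case model: candidates = alphabet size ^ length, divided by the guess rate. The added example below (not code from Baekdal, Lifehacker or any commenter) carries that model through in Python and goes one step further than the comment: it also computes the word-level search space that the "multi-word dictionary attack" replies refer to, so the two models can be compared side by side. The 95-printable-ASCII alphabet and its 26/26/10/33 class split match the comment's figures; the 5000-word vocabulary and the 1,000,000 guesses per second are constructed assumptions, not measured numbers.

```python
"""Worst-case search-space estimates for a character password vs. a passphrase.

Added example, not from the article or the comments. Character-class sizes
follow the 95-printable-ASCII model used in the comment above; the vocabulary
size and guess rate used in compare() are constructed assumptions.
"""
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95                      # same figure as the comment above
LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = PRINTABLE_ASCII - LOWER - UPPER - DIGITS   # 33, the space included


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover if they know which character
    classes appear (lower, upper, digit, other printable)."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def char_search_space(password: str) -> int:
    """Candidates for an exhaustive character-level search: alphabet ** length."""
    return charset_size(password) ** len(password)


def word_search_space(passphrase: str, vocab_size: int) -> int:
    """Candidates when whole words are guessed from a list of vocab_size
    entries (the word-level attack several commenters mention). Only
    meaningful when every word of the passphrase is on that list."""
    return vocab_size ** len(passphrase.split())


def effective_space(passphrase: str, vocab_size: int) -> int:
    """A defender should assume the cheaper of the two models applies."""
    return min(char_search_space(passphrase), word_search_space(passphrase, vocab_size))


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try every candidate at a fixed guess rate (the comment's
    'correct password is always the last one' worst case)."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def bits(space: int) -> float:
    """Entropy-style view of a search space: log2(candidates)."""
    return log2(space)


def compare(password: str, passphrase: str, vocab_size: int = 5000,
            rate: float = 1e6) -> dict:
    """Side-by-side report. vocab_size and rate are assumed, not measured."""
    pw_space = char_search_space(password)
    pp_char = char_search_space(passphrase)
    pp_word = word_search_space(passphrase, vocab_size)
    pp_eff = min(pp_char, pp_word)
    return {
        "password_bits": round(bits(pw_space), 1),
        "password_years": years_to_exhaust(pw_space, rate),
        "passphrase_char_bits": round(bits(pp_char), 1),
        "passphrase_word_bits": round(bits(pp_word), 1),
        "passphrase_effective_years": years_to_exhaust(pp_eff, rate),
        "passphrase_weaker_under_word_attack": pp_eff < pw_space,
    }


if __name__ == "__main__":
    for label, value in compare("J4fS<2", "this is fun").items():
        print(f"{label:40} {value}")
```

Run as a script it reproduces the comment's numbers (95 ** 6 candidates for "J4fS<2", 8.5 days at a million guesses per second) and shows why the article's conclusion does not hold against a word-level attack: three words drawn from a 5000-word list give about 37 bits, below the roughly 39 bits of the six-character gibberish, even though the character-level model credits "this is fun" with about 65 bits. The practical reading for a defender is the one the comments converge on: length helps, but only words an attacker's list does not contain (or a password manager's random output) keep the word-level model from applying.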

    Let's not forget bypassing your password altogether, *ahem* PSN.

    Unless you're someone of high profile, have a tendency to piss off the wrong people, or are gullible enough to punch in a fine amount of your details into a site whose legitimacy you have not researched, your account(s)/personal information will mainly be compromised from the other end, and you, along with potentially thousands of others, will have your information stolen.

    You may have the longest and most secure password in the world, but if it's stored in plain text on a server that gets compromised, it's a wasted effort.

    Remember, longer passwords are always better than complex ones: an attacker does not know what your password contains and will probably try dictionary and alphanumeric attacks first. If you can manage to memorise both a complex and long password, even better. If a website has a password length limit, use it all (my bank has a password limit, of all places to have a bad security policy).

    A lot of people seem to think multi-word dictionary attacks would be so much faster than brute force.

    I would love to see the math for that, please...

    I think a multiword password, even with a number or two, would take eons to crack.

    The only problem is that if someone sees you type it, it's easy to remember... only pitfall.

    Much easier to just use a finalkey or other password manager. I'm pretty sure 16-byte gibberish is more secure than "this is fun", which, while difficult to brute-force on a byte basis, could be brute-forced easily on a word basis.
