Why We Choose Terrible Passwords, and How to Fix Them

By: , Posted on: June 5, 2017

[Image: How secure are you?]

The first Thursday in May is World Password Day, but don’t buy a cake or send cards. Computer chip maker Intel created the event as an annual reminder that, for most of us, our password habits are nothing to celebrate. Instead, they – and computer professionals like me – hope we will use this day to say our final goodbyes to “qwerty” and “123456,” which are still the most popular passwords.

The problem with short, predictable passwords

The purpose of a password is to limit access to information. Having a very common or simple one like “abcdef” or “letmein,” or even normal words like “password” or “dragon,” is barely any security at all, like closing a door but not actually locking it.

Hackers’ password-cracking tools take advantage of this lack of creativity. When hackers find – or buy – stolen credentials, they will usually find that the passwords have been stored not as the text of the passwords themselves but as unique fingerprints, called “hashes,” of the actual passwords. A hash function mathematically transforms each password into a fixed-size digest. Hashing the same password gives the same result every time, but it is computationally infeasible to reverse the process and derive the plaintext password from a given hash.

Instead, the cracking software computes the hash values for large numbers of possible passwords and compares the results to the hashed passwords in the stolen file. If any match, the hacker’s in. The first place these programs start is with known hash values for popular passwords. That shortcut works only if the site stored plain, unsalted hashes; when each account’s password is hashed together with a random per-account “salt,” the attacker must recompute every guess for every account instead of looking it up once.

More savvy users who choose a less common password might still fall prey to what is called a “dictionary attack.” The cracking software tries each of the roughly 171,000 words in an English dictionary. Then the program tries combined words (such as “qwertypassword”), doubled sequences (“qwertyqwerty”), and words followed by numbers (“qwerty123”).
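The attack the last three paragraphs describe, worked as an added example (this is not code from the original article). The “stolen file” is constructed for the demo by hashing a few known weak passwords plus the article’s own “freQ!9tY!juNC”; real dumps hold millions of rows. The popular-password list and the five-word “dictionary” stand in for the real lists, and the PBKDF2 iteration count is kept low so the demo runs in about a second. The second half shows the point about salts: with unsalted hashes each guess is hashed once and checked against every account, while per-account salts force one slow hash per guess per account.

```python
"""Offline password cracking against a leaked hash dump, as described in the
article: popular passwords first, then dictionary words with simple mangling
rules. Added example; the leaked tables below are constructed for the demo."""
import hashlib
import hmac

ITERATIONS = 1_000  # demo value for the salted scheme; production uses far more


def sha256_hex(password: str) -> str:
    """Fast, unsalted hash: what a careless site might store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hex(salt: bytes, password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


# Constructed "stolen file": username -> unsalted SHA-256 of the password.
PLAINTEXTS = {"alice": "123456", "bob": "qwertypassword",
              "carol": "dragon7", "dave": "freQ!9tY!juNC"}  # dave: the article's chunked password
LEAKED_UNSALTED = {user: sha256_hex(pw) for user, pw in PLAINTEXTS.items()}

# Constructed per-account salts (fixed here so the demo is reproducible).
SALTS = {
    "alice": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "bob": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "carol": bytes.fromhex("deadbeefcafebabe0123456789abcdef"),
    "dave": bytes.fromhex("fedcba98765432100123456789abcdef"),
}
LEAKED_SALTED = {u: (SALTS[u], salted_hex(SALTS[u], PLAINTEXTS[u])) for u in PLAINTEXTS}

POPULAR = ["123456", "qwerty", "password", "abcdef", "letmein", "dragon"]
# Stand-in for the ~171,000-word dictionary the article mentions.
DICTIONARY = ["qwerty", "password", "dragon", "monkey", "sunshine"]


def candidates(popular, dictionary, max_suffix=99):
    """Guesses in the order the article describes: popular passwords, then
    dictionary words, combined words, doubled words, and word + number."""
    guesses = list(popular)
    guesses += dictionary
    guesses += [a + b for a in dictionary for b in dictionary if a != b]
    guesses += [w + w for w in dictionary]
    guesses += [f"{w}{n}" for w in dictionary for n in range(max_suffix + 1)]
    return list(dict.fromkeys(guesses))  # keep order, drop duplicates


def crack_unsalted(leaked, guesses):
    """Unsalted hashes: hash each guess once and check it against every account."""
    table = {sha256_hex(g): g for g in guesses}
    cracked = {user: table[h] for user, h in leaked.items() if h in table}
    return cracked, len(table)  # number of hashes computed


def crack_salted(leaked, guesses, iterations=ITERATIONS):
    """Salted hashes: no shared table, so every guess is re-hashed per account."""
    cracked, work = {}, 0
    for user, (salt, digest) in leaked.items():
        for guess in guesses:
            work += 1
            if hmac.compare_digest(salted_hex(salt, guess, iterations), digest):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    guesses = candidates(POPULAR, DICTIONARY)
    found, hashes = crack_unsalted(LEAKED_UNSALTED, guesses)
    print(f"unsalted: {found} after {hashes} hashes")
    found, work = crack_salted(LEAKED_SALTED, guesses)
    print(f"salted:   {found} after {work} slow hashes")
```

Three of the four accounts fall to the popular list and the mangling rules in either scheme; the chunked password survives both. The salted run needs more hash computations than there are guesses, and each of them is a thousand times slower, which is the whole point of salting and stretching: it does not rescue “123456,” but it stops one precomputed table from covering every account in the dump.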

Moving on to blind guessing

Only if the dictionary attack fails will the attacker reluctantly move to what is called a “brute-force attack,” guessing arbitrary sequences of numbers, letters and characters over and over until one matches.

Mathematics tells us that adding characters to a password enlarges the number of possibilities far faster than adding symbols to the alphabet does. So a longer password is usually harder to guess than a shorter one, even when the shorter one is made from a larger set of possible characters.

For example, a six-character password made up of the 95 different symbols on a standard American keyboard yields 95^6, or 735 billion, possible combinations. That sounds like a lot, but a 10-character password made from only lowercase English characters yields 26^10, or 141 trillion, options. Of course, a 10-character password from the 95 symbols gives 95^10, or 59 quintillion, possibilities.

That’s why some websites require passwords of certain lengths and with certain numbers of digits and special characters – they’re designed to thwart the most common dictionary and brute-force attacks. Given enough time and computing power, though, any password is crackable.

And in any case, humans are terrible at memorizing long, unpredictable sequences. We sometimes use mnemonics to help, like the way “Every Good Boy Does Fine” reminds us of the notes indicated by the lines on sheet music. They can also help us remember a password like “freQ!9tY!juNC,” which at first appears very mixed up.

Splitting the password into three chunks, “freQ!,” “9tY!” and “juNC,” reveals what might be remembered as three short, pronounceable words: “freak,” “ninety” and “junk.” People are better at memorizing passwords that can be chunked, either because they find meaning in the chunks or because they can more easily add their own meaning through mnemonics.

Don’t reuse passwords

Suppose we take all this advice to heart and resolve to make all our passwords at least 15 characters long and full of random numbers and letters. We invent clever mnemonic devices, commit a few of our favorites to memory, and start using those same passwords over and over on every website and application.

At first, this might seem harmless enough. But password-thieving hackers are everywhere. Recently, big companies including Yahoo, Adobe and LinkedIn have all been breached. Each of these breaches revealed the usernames and passwords for hundreds of millions of accounts. Hackers know that people commonly reuse passwords, so a cracked password on one site could make the same person vulnerable on a different site.

[Image: No! Don’t do this! Credit: designer491]

Beyond the password

Not only do we need long, unpredictable passwords, but we need different passwords for every site and program we use. The average internet user has 19 different passwords. It’s easy to see why people write them down on sticky notes or just click the “I forgot my password” link.

Software can help! The job of password management software is to take care of generating and remembering unique, hard-to-crack passwords for each website and application.
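The keyspace arithmetic from the brute-force section, the reuse problem, and the core job of a password manager described here, worked as one added example (not code from the original article). The site names are placeholders; KEYBOARD is the 95 printable ASCII characters including space, which matches the article’s count; passwords are drawn with the `secrets` module, because Python’s `random` is not a cryptographic generator and must not be used for this.

```python
"""Password-space arithmetic from the article, a CSPRNG-based generator of the
kind a password manager uses, and a reuse check. Added example; the site names
are placeholders."""
import math
import secrets
import string

LOWERCASE = string.ascii_lowercase                                         # 26 symbols
KEYBOARD = string.ascii_letters + string.digits + string.punctuation + " "  # 95 symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length whose uniformly random passwords reach `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute-force attacker at the given guess rate."""
    return space / guesses_per_second


def has_all_classes(password: str) -> bool:
    """Lower, upper, digit and punctuation all present (what strict sites demand)."""
    return (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate(length: int, alphabet: str = KEYBOARD) -> str:
    """Uniformly random password from the OS CSPRNG; retried until every class appears."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw


class Vault:
    """Minimal password-manager core: one unique random password per site."""

    def __init__(self, length: int = 16):
        self.length = length
        self._store: dict[str, str] = {}

    def password_for(self, site: str) -> str:
        if site not in self._store:
            pw = generate(self.length)
            while pw in self._store.values():  # never hand out the same password twice
                pw = generate(self.length)
            self._store[site] = pw
        return self._store[site]


def find_reuse(site_passwords: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used on more than one site to the sites that share it."""
    by_pw: dict[str, list[str]] = {}
    for site, pw in site_passwords.items():
        by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


if __name__ == "__main__":
    for n, l in ((95, 6), (26, 10), (95, 10)):
        print(f"{n}^{l} = {keyspace(n, l):,} ({entropy_bits(n, l):.1f} bits)")
    print("length for 80 bits from 95 symbols:", length_for_bits(95, 80))
    vault = Vault()
    print(vault.password_for("mail.example"), vault.password_for("bank.example"))
    print(find_reuse({"a.example": "Winter2017!", "b.example": "Winter2017!", "c.example": "x"}))
```

The three keyspace figures reproduce the article’s numbers, and `keyspace(26, 10) > keyspace(95, 6)` is the “length beats alphabet” point. `length_for_bits` turns the arithmetic into a policy: 13 characters from the full keyboard, or 18 lowercase letters, for 80 bits. Note that these entropy figures assume uniformly random choice; a human-chosen, dictionary-derived password is much weaker than its length and character set suggest, which is why the generator, not the user, should pick.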

Sometimes these programs themselves have vulnerabilities that attackers can exploit. Some websites block password managers from working. And of course, an attacker could watch the keyboard as we type in our passwords.

Multi-factor authentication was invented to address these problems: in addition to the password, it requires a second proof of identity, such as a code sent to a mobile phone, a fingerprint scan or a special USB hardware token. However, even though users know that multi-factor authentication is probably safer, they worry it might be more inconvenient or difficult. To make it easier, some sites provide straightforward guides for enabling multi-factor authentication on popular websites.

So no more excuses. Let’s put on our party hats and start changing those passwords. World Password Day would be a great time to ditch “qwerty” for good, try out a password manager and turn on multi-factor authentication. Once you’re done, go ahead and have that cake, because you’ll deserve it.

This article was originally published in The Conversation under a Creative Commons Attribution No Derivatives license. Read the original article here.

If you found this article interesting, you may also be interested in the article “Usernames, Passwords, and Secret Stuff, Oh My!” from the book Google Hacking for Penetration Testers, Third Edition.

View the free chapter “Usernames, Passwords, and Secret Stuff, Oh My!” here.

You can access the book and additional chapters on ScienceDirect or purchase a print or e-copy online via the Elsevier website.


  • cousteau

    An article about passwords and no mention of “salt”?
    An easy way to hinder attackers from using pre-computed hashes is adding a random string (“salt”) to the password, storing both the salt and the hash of the salted password in the password file (or in separate files). Although this does not prevent easy passwords from being cracked, it does increase the computational complexity of such attacks.
    I wonder how often passwords are stored in the clear, hashed, or hashed+salted; I think the latter is the only sensible method but I’m afraid it’s not as common as one would expect.

  • sabrinaweb

    Very interesting. Just one thing about multi-factor authentication: it usually requires us to give our mobile phone number to the websites that use it. Am I the only one who feels uncomfortable with this?

    • It depends on the “reliability” of the website that requires your mobile phone.
      For instance, if it is required by Google or Amazon it is still fine (imho).
      Of course I won’t give it to “unknown” websites where there are no references to a physical person and I do not have enough experience.
      If they want to send me “tokens” I will just give them an e-mail address specifically designed for that (a kind of garbage collector).

  • I’m afraid that many of the efforts to impose secure passwords are probably actually counterproductive. One site where I have important financial information forces me to change my password on every visit. (This is a bug, not a feature. The site’s managers seem unaware of the problem, despite my complaints.) Even worse, it remembers every password I have used and prevents me from re-using them, so I have to make up a new password every time I log in. So it ends up being a one-stop shopping site for password thieves, where they can get a long list of my old passwords and figure out the patterns.

    I think requirements to change passwords frequently are ridiculous unless you have reason to believe foreign intelligence services might be trying to crack your account. There is no way any human can remember that many passwords, so they have to be recorded somewhere, somehow. A recorded password is not secure – especially if it is stored electronically on your computer.
