A good password is one you can remember and nobody else can figure out.
While this sounds like a statement firmly grounded in common sense, on a par with the advice to “Look both ways before you cross the street”, the #1 most breached password of 2022 according to NordPass was, wait for it, “password”. Unbelievably, #2 was “123456”. (1) You can draw your own conclusions about what this says about common sense. Sure, these are easy to remember, but they are also easy to figure out by ordinary humans using little more than a notepad, a pencil, a method, and enough time to work systematically through combinations of numbers, letters, and other symbols. Attackers using fast computers and specialized cracking programs have an overwhelming advantage and need less than a second to crack either of these two choices. The technology is well worth the investment for bad actors, because information valuable enough that people feel the need to restrict access to it can lead to easy money and big paydays for the crooks. Let’s take a look at the steps we can take to make their jobs more difficult.
Taking a closer look at the two examples of bad passwords, “password” and “123456”, we can see that the first is an eight-lowercase-letter word that can be found in any dictionary, and the second is a sequence of six digits. The Oxford English Dictionary is perhaps the most complete list of words of the English language, with about 600K entries, and “password” just happens to be one of them. An attacker does not need to try every possible combination of letters: a dictionary attack simply tries each of those 600K words, first all lower case, then all upper case, then with the first letter capitalized, and so on, and “password” falls on the very first pass. The computing power they bring to the job determines just how fast they find their prize. Turning to the second so-called password, 123456, there are only 10^6, one million, possible six-digit sequences, so exhaustively trying all of them (a true brute force attack) is trivial. Look at this chart showing the amazingly brief time it takes to brute force this sequence as well as combinations of letters, numbers, and other symbols of various lengths. These times will only get shorter as computers get faster.
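As an added example, not code from the original article, the following Python sketches the attacker's side of the paragraph above: a dictionary attack using the three case rules named in the text, an exhaustive brute force over every six-digit string, and the keyspace arithmetic behind a time-to-crack chart. It assumes the stolen credential store holds unsalted SHA-256 hashes, uses a constructed five-word list in place of a 600K-entry dictionary, and treats the guess rate of 10^9 per second as an assumption supplied by the caller.

```python
"""Dictionary attack with case-mangling rules, digit brute force, and keyspace
arithmetic for the two weak passwords discussed above.

Assumptions (not from the original article): the stolen store holds unsalted
SHA-256 hashes, WORDLIST is a constructed stand-in for a 600K-word dictionary,
and the guess rate is a parameter the caller supplies.
"""
import hashlib
import itertools
import string

# Constructed stand-in for a dictionary; a real attack would load a 600K-word file.
WORDLIST = ["monkey", "password", "dragon", "sunshine", "letmein"]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 of a password. It is fast to compute, which is exactly
    what makes a stolen hash database cheap to attack."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def case_variants(word: str):
    """The mangling rules named in the text: all lower case, all upper case,
    first letter capitalized."""
    yield word.lower()
    yield word.upper()
    yield word.capitalize()


def dictionary_attack(target_hash: str, wordlist=WORDLIST):
    """Try every word under every case rule. Returns (recovered_password, attempts),
    or (None, attempts) once the list is exhausted."""
    attempts = 0
    for word in wordlist:
        for candidate in case_variants(word):
            attempts += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def brute_force_digits(target_hash: str, length: int):
    """Exhaustively try every string of `length` decimal digits, from 00...0 upward."""
    attempts = 0
    for digits in itertools.product(string.digits, repeat=length):
        candidate = "".join(digits)
        attempts += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, attempts
    return None, attempts


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from a charset."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given guess rate. The rate is
    an assumption the caller supplies; it depends on the hash algorithm and hardware."""
    return keyspace(charset_size, length) / guesses_per_second


if __name__ == "__main__":
    # Constructed "stolen" hashes for the two NordPass top entries.
    stolen = {"alice": sha256_hex("password"), "bob": sha256_hex("123456")}

    pw, n = dictionary_attack(stolen["alice"])
    print(f"alice: recovered {pw!r} after {n} dictionary guesses")

    pw, n = brute_force_digits(stolen["bob"], 6)
    print(f"bob: recovered {pw!r} after {n} of {keyspace(10, 6):,} possible guesses")

    # Assumed rate: 10**9 guesses/s against a fast unsalted hash on one GPU.
    rate = 1e9
    for label, size, length in [("6 digits", 10, 6),
                                ("8 lower-case letters", 26, 8),
                                ("8 mixed-case letters + digits", 62, 8),
                                ("12 printable ASCII", 95, 12)]:
        print(f"{label}: {keyspace(size, length):,} candidates, "
              f"{seconds_to_exhaust(size, length, rate):,.1f} s to exhaust")
```

The attempt counts make the point of the paragraph concrete: “password” falls after a handful of guesses, and “123456” needs at most one million, both negligible at any realistic rate. The guess rate is the one variable the defender controls; a deliberately slow, salted password hash such as bcrypt or Argon2 cuts it by orders of magnitude compared with the unsalted SHA-256 assumed here.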
There’s a reason telephone numbers are seven digits long, not counting the area code: seven items is roughly the estimated limit of human working memory capacity. Working memory is the information of immediate use that we keep in mind while carrying out our daily activities, and without rehearsal it fades after about 30 seconds. (2) Given the limitations of the hardware between our ears, let’s review some of the steps we can take to create secure passwords that we can actually remember.
References