Does your password need to meet at least the following requirements?
- Must be a minimum of 8 characters
- Must contain at least one number
- Must contain at least one uppercase character
- Must contain at least one lowercase character
- Must contain at least one special character (!@#$%^&*)
Recent research (the Hive Systems password table linked as the source below) shows that a password which just meets these rules is cracked in 39 minutes! Yes... you risked brain damage coming up with a password like this, or let your password manager do the job, and it can still be cracked that fast. Note that these figures assume the attacker has stolen the password hashes and is guessing offline on GPUs; how fast that goes depends heavily on the hash algorithm the site used, and an online attack against a rate-limited login form is far slower.
In 2020 the same password was cracked in 8 hours. That is only about 12 times slower than it is now; imagine how fast it will be two years from now.
Password on steroids
Best possible way to come up with a password is the Diceware method: https://diceware.dmuth.org/
Experts use it because the dice add real randomness to the words your passphrase contains. Roll a die five times; every 5 numbers you throw in a row form one lookup key (11111 to 66666) that selects a word from a list of 7776 (6^5) words, so each word adds about 12.9 bits of entropy. Repeat this process until you have at least seven words (the six-word example below already gives about 77 bits) and join them into a passphrase:
CannonVirtuousMovableUnnerveRectifiedCreasing
Security vs user-friendliness
One problem is that a passphrase like this is not accepted by the minimal requirements we listed at the beginning: it has no number and no special character. Of course we can tack on a digit and an exclamation mark or whatever, but that isn't the best solution.
It is also pretty harsh to ask everyone to do this for "just a password". How far you go also depends on the value of what you are trying to protect. But since people are lazy, let's come up with a solution that works for everyone.
What we can do is raise the minimum number of characters. Going from 8 to 12 means the password takes 3,000 years(!) to crack in the 2022 table. In 2020 that was still 34,000 years, so what will it be two years from now? The reason length works so well is that every extra character multiplies the keyspace by the size of the character set (about 95 if all four classes are allowed), while an extra complexity rule adds only a little. Either way it takes waaayyyy more time to crack, so hopefully the attackers decide to target an easier victim.
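To put numbers on both the Diceware procedure above and the length argument, here is an added Python example (it is not code from the original post or from the diceware.dmuth.org site). It parses a word list in the standard Diceware format (five dice digits, a tab, a word), picks words with dice rolled from the OS CSPRNG, and compares the entropy of a passphrase with that of 8- and 12-character random passwords. The five-line word list embedded here is a constructed stub, the 95-symbol alphabet is the assumed character set for "numbers, upper/lower case and symbols", and the guess rate of 10^12 per second is an illustrative assumption, not the figure behind the 39-minute table:

```python
"""Diceware passphrase generation plus a keyspace comparison (added example)."""
import math
import secrets

DICE_PER_WORD = 5
FULL_LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in a complete Diceware list

# Constructed stub in the standard Diceware list format ("NNNNN<tab>word").
# A real list (e.g. the EFF large word list) has all 7776 keys 11111..66666.
SAMPLE_WORDLIST_TEXT = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
66665\tzoning
66666\tzoom
"""


def parse_wordlist(text):
    """Parse Diceware-format lines into {dice_key: word}, validating each key."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed line {raw!r}")
        key, word = parts
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key {key!r} in line {raw!r}")
        table[key] = word.strip()
    return table


def roll_die():
    """Fair die roll from the OS CSPRNG; the random module is not suitable for secrets."""
    return secrets.randbelow(6) + 1


def roll_word_key(roll=roll_die):
    """Five rolls form the lookup key, e.g. '35261' (the post's 'every 5 numbers')."""
    return "".join(str(roll()) for _ in range(DICE_PER_WORD))


def generate_passphrase(table, n_words=6, roll=roll_die, separator="", capitalize=True):
    """Pick n_words words by dice rolls. Refuses a table that lacks the rolled key,
    so a partial or corrupted list can never silently shrink the keyspace."""
    words = []
    for _ in range(n_words):
        key = roll_word_key(roll)
        if key not in table:
            raise KeyError(f"word list has no entry for {key}; is it complete?")
        word = table[key]
        words.append(word.capitalize() if capitalize else word)
    return separator.join(words)


def passphrase_bits(n_words, list_size=FULL_LIST_SIZE):
    """Entropy of n_words uniformly chosen words: n * log2(list_size)."""
    return n_words * math.log2(list_size)


def random_password_bits(length, alphabet_size=95):
    """Entropy of a uniformly random password over the alphabet
    (95 = printable ASCII: digits, upper/lower case letters and symbols)."""
    return length * math.log2(alphabet_size)


def equivalent_random_length(bits, alphabet_size=95):
    """Shortest uniformly random password over the alphabet with >= bits of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def crack_time_seconds(bits, guesses_per_second):
    """Worst-case time to exhaust a 2**bits keyspace at the given guess rate.
    The rate is an assumption: it depends on the hash algorithm and the hardware."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    # Scripted dice give a reproducible demo against the stub list; with a real
    # 7776-line list, keep the default roll=roll_die.
    table = parse_wordlist(SAMPLE_WORDLIST_TEXT)
    scripted = iter([1, 1, 1, 1, 2, 6, 6, 6, 6, 6, 1, 1, 1, 1, 1]).__next__
    print(generate_passphrase(table, n_words=3, roll=scripted))  # AbdomenZoomAbacus

    rate = 1e12  # assumed guesses per second, for illustration only
    for label, bits in [
        ("8 random chars (95 symbols)", random_password_bits(8)),
        ("12 random chars (95 symbols)", random_password_bits(12)),
        ("6 Diceware words", passphrase_bits(6)),
        ("7 Diceware words", passphrase_bits(7)),
    ]:
        years = crack_time_seconds(bits, rate) / (365.25 * 24 * 3600)
        print(f"{label:30s} {bits:6.1f} bits  ~{years:.3g} years at {rate:.0e} guesses/s")
    print("6 Diceware words are roughly a", equivalent_random_length(passphrase_bits(6)),
          "character fully random password")
```

The comparison is the point of the exercise: six words from a 7776-word list give about 77.5 bits, the same ballpark as a 12-character fully random password (about 78.8 bits), while the 8-character "complex" password is only about 52.6 bits. That gap of roughly 25 bits is a factor of 30 million in attacker work, which is why the table jumps from minutes to millennia.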
Source: https://www.hivesystems.io/blog/are-your-passwords-in-the-green?utm_source=tabletext
Top comments (1)
Unique randomly generated keys of the same length are a lot more secure, but the argument for diceware-style word generators is that they are more memorable.
The problem that I have with this argument is that the claim just doesn't pass the smell test. Proponents of this method really memorize all their more-memorable passwords without reuse? That's just not credible for the average Internet user. My own password manager has hundreds of accounts.
Some people try to split the difference and reuse a password for "unimportant" accounts while creating unique memorable passwords for important accounts, but I still find this pretty questionable. I still probably have a hundred user accounts that have access to my credit card information, for example, and for the ones that don't I may decide to enter that information later. And even if some users have a lot fewer "important" accounts than me and can memorize their important passwords, they're still making a big security compromise with accounts that probably have more social engineering value than the users realize.
So you have to either use a password manager or do a lot of password reuse, and one of those options is VERY insecure. So you use a password manager to collect all your correct horse battery staples. But at that point... just use long randomly generated keys for everything.
There are a very few narrow use cases where I think the diceware approach makes sense. He gives the example of smart TVs with clunky screen keyboards and no password manager integration. (Personally I suck it up and spend 5 minutes entering my passwords before I can start using the service. It's a pain point, but a rare one, and I'd understand someone avoiding it.) And of course your password manager itself will need a memorable password.
But saying this is the "Best possible way to come up with a password" just doesn't hold any water.