I recently acquired some files containing over 78,000 username/password combinations. I won’t say where or how I got them, but I broke no laws in the process and simply possessing these files are perfectly legal. After all, they’re nothing but lists of words and numbers. Sadly, there is no additional information. I don’t know the source of this data. Facebook’s servers? Yahoo’s? Google’s? I have no clue. I loaded them into a mySQL server and have been having some fun looking them over.
Unfortunately, most people who connect to the internet still haven’t gotten the memo about good username/password selection. So without further ado:
A good password does NOT contain words that can be found in dictionaries (of any language), nor should they contain proper nouns (i.e. Steve, Wyoming, Korea, Google, etc.). This is because the first technique used by password-cracking software is a dictionary check. What language are you using? English? Great. English language dictionary loaded. Now, let’s guess every word in the dictionary in combination with some random numbers. This method is called brute-forcing and is very effective because people use passwords such as these (from the actual database):
This is a random sampling of 26 passwords people have actually used on the internet. I literally copied/pasted this form my database. Only ONE is relatively secure. Did you see it? Go look at the list again, the answer is given in the next paragraph.
It’s the last one. But even it sucks because it contains no upper-case characters. This is important because it all comes down to mathematics. The more potential characters that have to be tried, the longer it takes and the harder it is to crack your password. If you use only lower-case letters, I only need to guess with 26 characters. If you use both lower and upper-case, I need to guess with 52 characters. Simply mixing lower and upper-case letters makes our passwords twice as hard to crack.
The most staunch password enforcer will insist upon your use of the special character, such as punctuation ($, %, &, *, !, @, etc.). This is indeed harder to crack. However, their use makes them difficult to remember.
A method I developed over 10 years ago creates a secure password that obeys the above rules AND is easy to use. This method works because it’s based on memorizing a phrase, rather than random letters and numbers.
Most web-based services such as Yahoo!, eBay, Hotmail, etc. require your password be at least 6-8 characters in length. Most everyone recommends at least one or more numbers and some letters should be capitalized. Don’t go over 10 characters for most services. These are the key ingredients to keep in mind.
Next, I come up with an 8-word phrase that consists of at least one capital letter and one or more numbers. A very old example that I’m willing to share publicly is the phrase “my daughter Alex is 12 years old”. Take the first letter of each word to make up the password. This translates to mdAi12yo. There you have it: a more secure password that contains letters, numbers, and no words from any dictionary. It contains no proper nouns. It can be strengthened by inserting punctuation and/or making it longer. I have one such password that is 32 characters long. I can remember it because it’s a longer phrase I memorized.
And of course, never forget, change the password every so often.
The moral of the story is this: If you don’t want your email, bank account, or other services hacked, quit using easy-to-guess passwords! As I have stated previously, my method is not perfect. However, I’ve found it to be quite effective. I’ve been using the internet since its (public) birth in 1995 and have been hacked only twice: on Twitter and Hotmail. I have no idea who or how they got in, but when I was made aware of those hacks, I closed those accounts and changed my passwords everywhere else, immediately. So far, so good