Is a ‘safe’ password even possible? We ask an expert

In the modern world, there’s no escaping the need for a password. Whether you’re logging into your work computer, keeping up with friends on social media, or checking your bank balance online, you’ll need a password to gain entry. Every password is supposed to be long, complex, and unique.

In a relatively short number of years, we’ve allowed passwords to become the core of our computer authentication process — they are the only thing protecting your bank accounts, email, everything you do online — but do ordinary, non-techie folks really know how vital a good password is, or how to make one? More importantly, is it possible for an ordinary person to remember a truly safe password in this day and age?

Understanding the strength of a password

It’s easy to point out a ‘bad’ password — the often-released lists of clangers like ‘password123’ and the ever popular ‘111111’ have given just about every active Internet user a glance at the worst of the worst. It’s more difficult to define a ‘good’ password.

Password strength is typically illustrated by a small bar presented during various account creation processes: green means you’re safe and red means you’re on thin ice. Those colors are typically an illustration of the various password rules that individual sites and services enforce.


Things get more complicated when you think about what these individual rules mean. Consider an average password that’s six letters long, which permits only the 26 letters of the alphabet to be used and is not case sensitive. There’s a 1 in 26 chance that you might guess each of the six letters — that makes the chances of guessing the password 1 in 308,915,776, or 26^6.

Now, consider that numbers are also allowed. That adds another 10 possibilities for each character, so we’re looking at 36^6 — which results in a huge change to the overall probability of guessing the string, putting the odds at 1 in 2,176,782,336.

However, most modern websites and services would not only allow for case-sensitive passwords, but necessitate the use of at least one capital letter. Those 26 letters are effectively completely separate from the lower case alphabet, so there’s now a 1 in 62 chance that someone could guess an individual character, and a whopping 1 in 56,800,235,584 chance that they could happen upon the entire password.

Remember, these are the calculations for a six-character password. Adding just one more character to the string would bump the chances up to a thoroughly gargantuan 1 in 3,521,614,600,000.

Password Comic

The sheer heft of these figures might be reassuring to anyone who worries about online identity theft. Unfortunately, it’s not at all accurate to say that there’s only a 1 in 3,521,614,600,000 chance that your password could be cracked by a hacker. The problem? There’s a human component to the password.

How humans ruin passwords

It’s all well and good to say that a six-character password might have 3,521,614,600,000 possible combinations, but that supposes that the person selecting the password makes full use of the building blocks at their disposal. This is almost never the case.

I spoke to Joseph Bonneau, a Technology Fellow at the Electronic Frontier Foundation and a bona fide password expert. He told Digital Trends that the typical password is ‘very easily crackable’ — and what’s more, regular folks don’t seem to be more cautious when they’re creating passwords for the things that really matter.


“It appears people are not able to choose strong passwords even when it seems to be in their interest to do so,” said Bonneau. We have to create a password for almost everything these days, but we’re terrible at picking them.

So, will we retire passwords in favor of something a little more secure?

“Their demise has been predicted many, many times,” Joseph replies, noting that he sees passwords retaining their dominance for at least the next five years. “As I have written about, I predict we will continue to evolve slowly, with passwords playing a smaller role but not being phased out completely for a very long time.”

Passwords are here to stay, at least for the immediate future, but many of us aren’t safely using them. The problem is the disconnect between human thinking and machine thinking. While the statistics might illustrate a wide open field of possible passwords, the average person is likely to fall into certain patterns.

While prominent password advice once stipulated that special characters were among the best forms of defence, that guidance has now largely been reconsidered. “Humans are not very clever adding these special characters — they usually just add a 1 or ! at the end — so they don’t add very much security but are very irritating to users.”

I asked Joseph about the much-shared comic above, and he thought it was rather close to the mark: “I think the dictionary words in that comic are a good example that something can be only very slightly harder to remember, or not at all, and yet be virtually impossible for a computer to guess.”

Just as quickly as probabilities can shrink when more specificity and extra characters are mandatory, the traps we fall into making passwords make our authenticators much easier for a machine to guess — and machines are certainly the biggest threat. “Human attackers are amateurs,” Joseph said. “Any serious attacker will be using a computer so there is no real difference.”

Going purely by the numbers, passwords should be a lot more secure than they are. It’s the human factor that makes them more easily cracked by wrongdoers — but there are certain steps that you can take to stay a little safer.

How to create a safer password

As the above comic suggests, there’s some advantage to using a longer password filled with dictionary words. You can figure out your own method for remembering it, and it’ll take a lot more processor power and time for a computer to crack it.

It’s the combination of several words that makes this type of password powerful — as demonstrated earlier, an extra character can make a huge difference in terms of the overall amount of possible combinations.

However, it bears repeating that a lone dictionary word is a huge no-no when it comes to passwords. Anyone looking to crack your code will likely be using a piece of software that reels off words in the hopes one will be the answer, taking advantage of the fact that many people stick to the dictionary for their chosen password.
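As an added illustration (not part of the original article), the Python sketch below contrasts the character-set arithmetic from earlier with a pattern-aware estimate that treats "dictionary word plus a trailing 1 or !" as one small search space, and compares both with a multi-word passphrase. The sample word set, the 100,000-word dictionary size, the suffix list and the 2,048-word passphrase list are assumptions chosen for the example.

```python
import math
import string

# Constructed sample entries; a real meter would load a large word list.
WORDS = {"password", "dragon", "monkey", "sunshine", "whiskers"}
ASSUMED_DICTIONARY_SIZE = 100_000        # assumption: words a guessing tool tries
COMMON_SUFFIXES = ("", "1", "!", "123")  # assumption, based on the habits quoted above


def charset_size(password):
    """Alphabet implied by the ASCII character classes present (26, 36, 62, ...)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def naive_guesses(password):
    """What a rule-based strength bar assumes: alphabet_size ** length."""
    return charset_size(password) ** len(password)


def pattern_guesses(password):
    """Search space if the password is 'dictionary word + common suffix', else None."""
    for suffix in COMMON_SUFFIXES:
        stem = password[:len(password) - len(suffix)]
        # Accept only the two usual spellings: all lowercase or Capitalised.
        if (password.endswith(suffix) and stem.lower() in WORDS
                and stem in (stem.lower(), stem.capitalize())):
            return ASSUMED_DICTIONARY_SIZE * 2 * len(COMMON_SUFFIXES)
    return None


def estimate_bits(password):
    """Bits of work for the cheapest strategy that would find this password."""
    candidates = [naive_guesses(password), pattern_guesses(password)]
    return math.log2(max(1, min(c for c in candidates if c is not None)))


def passphrase_bits(wordlist_size, word_count):
    """Bits for word_count words drawn uniformly at random from a list."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ("abcdef", "Abc1234", "Whiskers1", "x7Qp2mZ"):
        print(f"{pw:10} naive={math.log2(naive_guesses(pw)):5.1f} bits  "
              f"estimated={estimate_bits(pw):5.1f} bits")
    print(f"4 random words from 2,048: {passphrase_bits(2048, 4):.1f} bits")
```

Under these assumptions, "Whiskers1" scores about 19.6 bits even though its character classes alone suggest about 53.6, while four words drawn at random from a 2,048-word list give 44 bits.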

“For the few really important passwords, like your webmail, try to use randomly-generated passwords,” Joseph advises. “They are surprisingly easy to memorize.” The key is to avoid patterns, so try and keep that in mind.

Because you enter your password every day, you have a strong advantage over a computer, which only tries to access it once. A random selection of letters and numbers might be completely unfamiliar at first — but you’ll know it like the back of your hand if you use it frequently enough.

The next time you’re faced with coming up with a new password, try and think about it from the perspective of someone trying to crack your code. Choosing your cat’s name over a random stream of characters might be convenient at the time, but it could prove rather inconvenient if you fall foul of a breach later on.
