'Password' is the most common password. Yep, we're in big trouble.


Password? No way! Use a passphrase instead

February 10, 2013

By Al Fasoldt
Copyright © 2013, Al Fasoldt
Copyright © 2013, The Post-Standard

What's a good password? You might be surprised.

Let's start by agreeing on what a good password is not. It's not "123456" or "12345678."

Don't laugh. Those are the No. 2 and No. 3 most common passwords, according to companies that track password usage.

Nor is a good password the word "password" itself. Um, you guessed it. That's the No. 1 most common password.

Why does this matter? Because those passwords (and others like them) let even the dumbest crook break into your Facebook account, your email system or your financial records. (By the way, in many cases the thief does one more thing before leaving your account. He changes your password so that you can't get back into it. This delays your reaction to the theft, since you're stuck wondering what the problem is.)

And why would any of us create such easy-to-guess passwords? My guess: It's not that we're dumb. We're simply misunderstanding the purpose of a password. As I see it, most of us think the presence of any password is what counts. In other words, the "lock on the door" is what keeps us safe, by forcing the bad guys to move on.

But of course that's not the idea at all. The "lock on the door" is no help at all if a thief in the night can jimmy it. And a password that can be guessed within three tries is no help, either. In fact, I think you'll agree that it's worse than no password at all, because you end up with a false sense of security.

Obviously, passwords should be hard to guess. But I have a further suggestion. I think passwords shouldn't be words at all, not in the sense of words like you'd find in the dictionary. They should be random characters that simply can't be guessed. If we play a game and you're trying to guess the word I'm thinking of, you might guess "horse" or "hamburger." But you'd never guess "#7s.h,4b."

Here's another suggestion. Passwords shouldn't be just words, no matter how random and crazy they are. They should be phrases -- groups of crazy random characters, with spaces between each group. They should be passphrases, in other words.

And they should be humongously long -- with as many characters as the password field allows. Really long passphrases are much harder to crack than short ones.

You'll have to experiment a bit to see what the limit is for the services you use. Some have a generous limit. Facebook, for example, will let you use a passphrase hundreds of characters long, and Gmail apparently allows 200 characters. But some services have limits that I think are too low. Hotmail, for example, limits password length to 16 characters.

As for the randomness of your passphrases, you can use a random-character generator (Google that phrase for help getting a free program) or just bang on your keyboard randomly and see what shows up on your screen. Be sure to insert spaces -- they make guessing very difficult -- and use odd punctuation here and there, too.
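As an added example, not part of the column, here is a small generator that does what the last few paragraphs recommend: it draws characters from the operating system's cryptographic random source rather than from keystrokes, arranges them in groups separated by spaces, includes punctuation, and reports how many bits of guessing resistance a given length buys (the 94-character keyboard alphabet and the assumed guessing rate of ten billion tries per second are my assumptions, chosen only to make the length comparison concrete).

```python
import math
import secrets
import string

# Everything a US keyboard can type, minus the space: letters, digits and
# the "odd punctuation" the column suggests. 94 characters in total.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_group(length: int) -> str:
    """Return `length` characters picked uniformly from ALPHABET using the
    OS cryptographic RNG (secrets), not the predictable random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def make_passphrase(groups: int = 4, group_length: int = 6) -> str:
    """Build a passphrase of `groups` random groups joined by single spaces.
    Total length is groups * group_length + (groups - 1)."""
    if groups < 1 or group_length < 1:
        raise ValueError("need at least one group of at least one character")
    return " ".join(random_group(group_length) for _ in range(groups))


def entropy_bits(groups: int, group_length: int,
                 alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing resistance in bits. Only the random characters count: the
    spaces sit at fixed positions, so they add length but no secrecy."""
    return groups * group_length * math.log2(alphabet_size)


def fits_limit(passphrase: str, max_length: int) -> bool:
    """True if the passphrase (spaces included) fits a service's length cap,
    e.g. the 16-character limit the column mentions."""
    return len(passphrase) <= max_length


def expected_guess_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the passphrase by exhaustive guessing at an
    assumed rate; on average half the space must be searched."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for groups, size in ((2, 7), (4, 6), (8, 6)):
        p = make_passphrase(groups, size)
        bits = entropy_bits(groups, size)
        print(f"{p!r}: {len(p)} chars, {bits:.0f} bits, "
              f"~{expected_guess_years(bits):.3g} years to guess, "
              f"fits 16-char limit: {fits_limit(p, 16)}")
```

The comparison in the main block shows why the column's length advice matters: a 15-character passphrase (two groups of seven) gives about 92 bits, while four groups of six, which already exceeds a 16-character cap, gives about 157 bits, and each added random character multiplies the work of a guessing attack by roughly 94.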

Next: The easy way to keep bad guys out of your home network.