PC Pro

Don’t close the magazine just yet: Jon Honeyball wants you to do one last thing for him

- Jon Honeyball is a contributing editor to PC Pro. His crypto is $tR0nG_. Email jon@jonhoneyball.com

We need to talk about passwords. I know they’re boring, they get in the way, and surely something is just around the corner that will cast them into the dim recesses of computing history? I hate to disappoint you, dear reader, but passwords will be around for a long time. Which makes it all the more essential that you’re on top of them.

Let’s jump past the obvious advice of using password managers. I suspect 99% of you use one. But I also suspect many of you keep usernames and passwords stored in your web browser, which is not something I’d recommend, if only because it’s an obvious target for a piece of malware to attack if it gets onto your computer. Far better to use a third-party password manager.

My manager of choice is Bitwarden. This comes in two flavours, free and paid for; you may be surprised to hear that the free version does everything I need. The paid-for version adds useful capabilities such as hardware one-time security key support, including Yubico keys, and authenticator services. But I have that covered by Authy, another (so far!) high-quality product for managing two-factor authentication login tokens.

But let’s talk about those pesky passwords, because you still need one to protect your password manager after all. There are numerous ways passwords can be broken, from brute force attacks to social engineering stings and dictionary attacks.

There’s another category, of course, which we could call laziness, stupidity or ostrich (as in, it won’t happen to me). Just do a web search for “most common passwords 2022” and the list will make you quite depressed. According to NordPass, from the company behind the well-known VPN provider NordVPN, the number one entry is “password”, followed by “123456”. Then comes “123456789”, as if this is going to be any more secure than its shorter brother.

At this point, you should be asking how easy it is to check the strength of your own password. Well, the good folks at Bitwarden have a free tool at pcpro.link/343strength. It’s safe to use on your super-secret password, as the password isn’t transmitted to Bitwarden for checking. All the work is done locally by a library called “zxcvbn”, which runs in your browser session.

Any estimate of a password’s strength rests on a few assumptions, so no single tool will be perfect. Based on my own experiments, adding a mix of upper- and lower-case letters makes the password stronger, but it’s best if the capitals aren’t in the usual positions. Numbers and other symbols help considerably.

But at the end of the day, it has to be something you’ll remember, and that you can build up muscle memory to type quickly and accurately. If someone is watching over your shoulder, or there’s a high-quality security camera watching your keyboard, then speed is a help, too.

Given these caveats, it’s worth considering how quickly Bitwarden’s tool thinks a given password can be broken. It rated “Tesco” as very weak, with an estimated crack time of two seconds. “TescoFinest” is good at five hours, “TescoFinestFood” strong at two years. It gave “Tesc0F1nestF00d” a 13-year life, while “Tesc0FInestF00d” (where I replaced the number 1 with a capital “I”) adds another 55 years.

How long, you ask, for “The Cat Sat On The Mat”? That earns an estimated time of “centuries”.

Bitwarden is not the only game in town. At passwordmonster.com, “The Cat Sat On The Mat” is rated at 873 billion years and “Tesc0F1nestF00d” is given a shelf life of 331 years, far longer than Bitwarden’s estimate. The site also rates “TescoFinest” at ten days rather than five hours.

Both agree that adding complexity really helps. So adding “1%” to the end of “TescoFines­t” takes the rating from ten days to 12 years according to Password Monster, and from five hours to two months for Bitwarden.

Then there’s the issue of frequently used words. Kaspersky has a checker tool (pcpro.link/343kasp) that thinks “Tesc0FInestF00d” is easy to crack because it is built from recognisable word combinations. It was far happier with “Mary had a L1ttle Lamb!”, rating it at more than 1,000 centuries, although Bitwarden was more pessimistic and suggested it would be a handful of centuries.

And no, before you ask, none of these passwords is used by me. Although my master password is rated as “1,000+ centuries” too.
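The disagreement between the checkers above comes down to what each one assumes about the attacker. The toy estimator below is an added illustration, not code from PC Pro, Bitwarden, Kaspersky or zxcvbn: it puts a character-class count (what simple meters do) beside a dictionary-aware count (what zxcvbn-style tools do) for the column’s own test passwords. The word list, the leet table and the guessing rate are all constructed assumptions.

```javascript
// Added illustration, not the code of any tool named in the column. It shows why a
// password such as "Tesc0FInestF00d" looks strong to a character-class counter but
// weak to a checker that knows about dictionary words and leetspeak.

// Constructed mini-dictionary; real estimators ship tens of thousands of ranked words.
const WORDS = ["tesco", "finest", "food", "the", "cat", "sat", "on", "mat",
               "mary", "had", "little", "lamb", "password"];
// Common leetspeak substitutions that a dictionary-aware estimator undoes.
const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a" };
const GUESSES_PER_SECOND = 1e10; // assumed offline cracking rate, purely illustrative

// Naive estimate: alphabet size raised to the password length, where the alphabet is
// the union of the character classes present. Many simple strength meters do this.
function naiveGuesses(pw) {
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^A-Za-z0-9]/.test(pw)) alphabet += 33;
  return alphabet ** pw.length;
}

// Dictionary-aware estimate: lower-case, undo leet, drop spaces, then greedily match the
// longest dictionary word at each position. A matched word costs WORDS.length guesses;
// each capital letter and each leet substitution doubles the count; a character that
// matches no word is charged at the full printable-ASCII rate of 95.
function dictionaryGuesses(pw) {
  const capitals = (pw.match(/[A-Z]/g) || []).length;
  const subs = (pw.match(/[01345$@]/g) || []).length;
  const text = pw.toLowerCase().replace(/[01345$@]/g, c => LEET[c]).replace(/\s/g, "");
  let guesses = 2 ** (capitals + subs);
  for (let i = 0; i < text.length; ) {
    const word = WORDS.filter(w => text.startsWith(w, i))
                      .sort((a, b) => b.length - a.length)[0];
    if (word) { guesses *= WORDS.length; i += word.length; }
    else      { guesses *= 95; i += 1; }
  }
  return guesses;
}

// Both estimates as crack times, so the gap between the two models is visible.
function crackTimes(pw) {
  return {
    naiveSeconds: naiveGuesses(pw) / GUESSES_PER_SECOND,
    dictionarySeconds: dictionaryGuesses(pw) / GUESSES_PER_SECOND,
  };
}

for (const pw of ["Tesco", "Tesc0FInestF00d", "The Cat Sat On The Mat"]) {
  console.log(pw, crackTimes(pw));
}
```

The absolute numbers mean nothing; the point is that the two models differ by many orders of magnitude for the leet-substituted brand name and far less for the passphrase, which is exactly the pattern the three online checkers showed.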

Given that these tools exist, it’s obvious that you really should check out the master passwords you use. In no way does this remove the need for 2FA, nor for hardware encryption keys for the most sensitive data. Having that third level of defence is critical, especially if you’re the target of a sting operation. But given how easy it is to check, and how it takes a few seconds, only the truly mad would ignore a simple check.

After all, Y0u d1nt wAnt y0uR Pa$swordZ 2 b% EaZy To GeZZ.
