Passwords are not most people's favorite thing in the world (unless you're odd like me), and that dislike leads people to come up with clever ways to make them.
One of those clever ways is to use song lyrics, quotes from books, and common phrases.
In this post, I want to explain why lyrics, quotes and common phrases are a bad idea for passwords and passphrases. Then I'll offer a better option that is also much easier.
Why Song Lyrics, Quotes & Common Phrases Make Bad Passwords
The biggest reason you don't want to use songs, quotes and common phrases for your passwords is that they're NOT unique: they are already written down in places an attacker can collect them from.
There is a common misconception that the most important factor in a password is length. It isn't. The uniqueness, or randomness, of your password matters more; length comes second.
Songs, quotes and even common phrases are long, but they're not random. And no, taking the first letter of each word and using that as the password doesn't make it better.
A simple test: if you could Google your password or passphrase (don't actually do it) and get a hit, it's not a good password.
All of these songs, quotes and common phrases are in the wordlists crackers use. The first-letter-of-each-word version is in there too, along with every other clever trick you can think of, because crackers apply those transformations as rules to every entry in the list.
The best demonstration of why this is a bad idea comes from Bitcoin brain wallets.
Cracking Bitcoin Brain Wallets
Cracked brain wallets are the clearest real-world evidence that lyrics, quotes, and common phrases make bad passwords.
For those who don't know, Bitcoin is a cryptocurrency, and to own some you need a wallet. Normally a wallet is controlled by a long, random private key; the coins themselves are recorded on what is called the blockchain. Whoever holds that long, random key can unlock the coins and move them.
Long, random keys are hard for people to remember, so brain wallets came along. With a brain wallet, you pick a phrase or any password and the wallet's private key is derived from it. If someone can figure out your brain wallet phrase, they can steal your Bitcoin.
Since Bitcoin is worth money, it's worth an attacker's time to crack such things. A normal, long, random private key is too hard to guess and not worth trying, but a brain wallet is worth it because people try to be CLEVER. The clever part is why it all falls apart, and why doing the same with passwords is bad.
There are plenty of examples of cracked brain wallets that used lyrics, book quotes, and common phrases; a quick Google search turns them up. One I like was written up by BitMEX in their Call me Ishmael blog post.
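To make the two points above concrete (crackers apply the "clever" transformations as rules, and a brain wallet is just a hash of the phrase), here is an added example that is not from the post or from BitMEX. It takes a constructed, tiny phrase list, generates the mechanical variants a cracker would try (spaces removed, first letter of each word, leet swaps, common suffixes), and looks each one up as a brain wallet key. The classic brain wallet design used SHA-256 of the passphrase directly as the private key; the example stops there and does not derive the Bitcoin address, which would need secp256k1. The leet table, suffix list and phrase list are my assumptions, stand-ins for the far larger rule sets and wordlists real crackers use.

```python
import hashlib

# Constructed sample of the kind of entries found in cracking wordlists:
# lyrics, famous quotes, sayings. Real lists hold millions of such phrases.
PHRASES = [
    "to be or not to be",
    "call me ishmael",
    "the quick brown fox jumps over the lazy dog",
    "i wandered lonely as a cloud",
]

# Assumed leet-speak substitutions; real rule sets are much larger.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})

# Assumed common suffixes people bolt on to satisfy complexity rules.
SUFFIXES = ("1", "!", "123", "2013")


def mangle(phrase):
    """Yield the 'clever' forms of a phrase that a cracker tries: the phrase
    itself, spaces removed, CamelCase, first letter of each word, leet
    substitutions, and each of those with a common suffix. Every one of
    these is a mechanical rule, so it is in the attacker's toolkit too."""
    words = phrase.lower().split()
    bases = {
        phrase.lower(),
        "".join(words),
        "".join(w.capitalize() for w in words),
        "".join(w[0] for w in words),            # the acronym trick
        "".join(w[0] for w in words).upper(),
        "".join(words).translate(LEET),          # the l33t trick
    }
    for base in sorted(bases):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def brainwallet_privkey(passphrase):
    """Classic brain wallet derivation: private key = SHA-256(passphrase)."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def crack(target_key, phrases=PHRASES):
    """Dictionary attack: derive the key for every mangled candidate and
    compare it to the target. Returns the matching passphrase or None."""
    for phrase in phrases:
        for candidate in mangle(phrase):
            if brainwallet_privkey(candidate) == target_key:
                return candidate
    return None


if __name__ == "__main__":
    # A "victim" who used the acronym trick plus an exclamation mark.
    victim_key = brainwallet_privkey("tbontb!")
    print("recovered:", crack(victim_key))
    # A random diceware-style phrase is not in any list and is not recovered.
    print("recovered:", crack(brainwallet_privkey("lyricist-strife-outmost-bulb")))
```

Four phrases and a handful of rules already cover the acronym, leet and suffix "tricks"; a real rig runs thousands of rules over millions of base words, which is why a Google-able phrase in any form is found almost immediately.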
Obscure & Different Languages Don’t Work Either
I know a few people will say, "I used a different language" or "some obscure this or that", and that's NOT going to help you either.
For an example of why this won't help, look at another Bitcoin brain wallet that used an obscure poem in Afrikaans. The owner thought they were being clever by using an obscure poem in a different language, but even that was cracked... back in 2013! It has only gotten worse since then, as the cracking dictionaries keep getting bigger.
Bitcoin wallets get attacked because there is money behind them, and trying to be clever doesn't help. Brain wallets are the best real-world test of passwords we have, and they show that being clever is just not worth it.
Length Vs Randomness?
For a while, experts have been saying you need a long password: the longer the password, the harder it is to crack.
The problem with this advice is that it's true and wrong at the same time.
Cracking rigs don't work through one letter at a time. They know people try to be clever, so they try common words, phrases, and transformations of them first.
When you tell people that length is the most important factor, it leads them to use song lyrics, quotes, and other common phrases. Those are long and easy to remember, but that doesn't make them good passwords. To throw out an example, the phrase tobeornottobe (To Be Or Not To Be) had shown up in 3,740 known breaches at the time of writing this post.
Password crackers know the tricks, and their ability to crack passwords is amazing. To give you an idea, this DEFCON talk shows password crackers recovering passwords longer than 15 characters at the 37:38 mark:
That video should scare many of you reading this post and help you understand that length is not the most important factor.
Passwords Need To Be Random, First!
Just to be clear, when I say randomness is the most important factor in a password, I don't mean it's the only factor.
Randomness comes first, then length; complexity is much less important, as covered in this post.
A password like p2YCfk may be random, but it's not a good password because length still matters. A good password looks like on5xNDfffzocUh7T or lyricist-strife-outmost-bulb. These passwords are random first, then long.
About the only factor that doesn't matter much is complexity, so adding a "?" to the end of the password or swapping an "a" for an "@" isn't doing much. The problem is that many sites require a special character, a poor attempt to fix the password reuse problem, so you have to add one. Complexity is more likely to stop you than an attacker, so I don't have people worry too much about it.
What Passwords Should You Pick?
Now that we know which passwords not to use, which ones should you use?
A good password is one you did not create, so let a computer or dice rolls pick your passwords for you.
This is easy to do with a password manager, as every password manager has a password generator. I've even built a password generator for people who like to write passwords in a book, which is fine as long as you never reuse a password.
For passwords you have to type or remember outside the password manager, use a passphrase. For a password manager's master password, 4 or 5 random diceware words are enough, as shown by the calculator I built using the math from 1Password's research. 4 or 5 words is fine for a master password because password managers use key stretching (the password is run through a deliberately slow hash before use, which cuts the attacker's guess rate by orders of magnitude); for everything else, use 7 or more words.
The best part of letting a generator make your passwords is that there is no thinking required. Press a button and you're done, much easier than coming up with something off the top of your head.
For those who don't know or are wondering, it's okay to use dictionary words in your passwords, as long as the words were chosen at random.
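The argument of the last two sections, randomness first, then length, and why 4 or 5 diceware words are acceptable behind key stretching, comes down to counting. The following is an added example, not the author's calculator nor 1Password's code: it puts the post's own example passwords through the standard entropy formulas and then generates passwords the recommended way, with a cryptographic random source instead of a human. Assumptions: a 62-character alphabet (upper, lower, digits) for the random strings, the 7776-word Diceware list size, a made-up attacker guess rate and stretching factor used only to illustrate the comparison, and a small constructed word list standing in for the real Diceware list.

```python
import math
import secrets
import string

ALPHANUM = string.ascii_letters + string.digits   # 62 characters
DICEWARE_LIST_SIZE = 6 ** 5                        # five dice rolls pick one of 7776 words

# Constructed stand-in for the real 7776-word Diceware list. A list this
# small gives only log2(8) = 3 bits per word; use the full list for real.
SAMPLE_WORDS = ["lyricist", "strife", "outmost", "bulb",
                "anvil", "glacier", "quorum", "tundra"]


def bits_random_chars(length, alphabet_size):
    """Entropy of a password whose every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def bits_diceware(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a passphrase of num_words words, each picked at random from the list."""
    return num_words * math.log2(list_size)


def bits_known_phrase(list_size):
    """A lyric or quote is one pick from the attacker's phrase list.
    Its length is irrelevant; only the size of that list counts."""
    return math.log2(list_size)


def crack_seconds(bits, guesses_per_second, stretching=1):
    """Expected time to hit the password (half the keyspace on average).
    Key stretching divides the attacker's effective guess rate."""
    effective_rate = guesses_per_second / stretching
    return (2 ** bits) / 2 / effective_rate


def compare_examples():
    """Entropy in bits of the passwords discussed in the post, under the
    assumptions above (62-char alphabet, 7776-word list, 1,000,000 phrases)."""
    return {
        "p2YCfk": bits_random_chars(6, 62),
        "on5xNDfffzocUh7T": bits_random_chars(16, 62),
        "lyricist-strife-outmost-bulb": bits_diceware(4),
        "7 diceware words": bits_diceware(7),
        "tobeornottobe (one of 1,000,000 known phrases)": bits_known_phrase(10 ** 6),
    }


def generate_password(length=16, alphabet=ALPHANUM):
    """Random character password from a cryptographic RNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(num_words, wordlist, sep="-"):
    """Diceware-style passphrase: each word is an independent uniform pick,
    which is what five physical dice rolls against the real list give you."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    for name, bits in compare_examples().items():
        print(f"{bits:6.1f} bits  {name}")
    # Illustrative attacker: 1e10 guesses/s against a fast hash (assumed figure),
    # versus the same attacker slowed 100,000x by the manager's key stretching.
    four_words = bits_diceware(4)
    print("4 words, fast hash:  %.0f years" % (crack_seconds(four_words, 1e10) / 3.15e7))
    print("4 words, stretched:  %.0f years" % (crack_seconds(four_words, 1e10, 100_000) / 3.15e7))
    print("password:  ", generate_password())
    print("passphrase:", generate_passphrase(4, SAMPLE_WORDS))
```

The table shows the post's ordering directly: a 13-character lyric is worth about 20 bits because it is one entry in a list, the 6-character random string is about 36 bits, four random words are about 52 bits, and the 16-character random string is about 95 bits. The guess rate and stretching factor are placeholders for the comparison only; the real numbers depend on the hash and the hardware.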
Don’t Be Clever With Your Passwords
The biggest takeaway is that you need to avoid being clever with your passwords.
Don't use an obscure thing, a different language, the first letter of each word, or whatever other scheme you can think of.
When it comes to passwords, it's best to assume the attacker knows exactly how you made the password. Once you accept that, you have to trust the math, because cleverness can't compete with the vastness of large numbers.
I understand this creates a new problem: a random, long master password is hard to remember, and that is true. But it's also okay to write down your master password and keep it somewhere safe. Life is not like the movies; someone breaking into your home wants your TV, not the tiny slip of paper you have hidden away.
I suggest everyone keep an emergency sheet for their password manager hidden in their home. Life happens, and you never want to be your own worst enemy.