Ars Technica recently wrote a great article on how easy it is for password crackers to guess your clever password. Let’s say you want to create a password based on your dog, Sparky. Just using “sparky” would probably be easy to guess, of course, so you decide to replace the S with a $ and the A with an @ to get $p@rky. That’s not bad, but it’s a little short. So you come up with the idea to add Sparky’s birthday to the end and you get $p@rky2006. “No one’s ever going to guess that!” you say, but just to be extra safe, you even make a few of the letters uppercase. Your final result is: $p@RkY2006.
It doesn’t get any more secure than that, right? Wrong. If you were targeted by a hacker, or if the site the password was stored on was hacked, this password would be cracked in a few hours tops. That’s because hackers run special programs that guess thousands of passwords per second. It would still take way too long for them to try every possible combination, but in this case they wouldn’t have to.
Unfortunately for you, your clever password used common patterns that plenty of other people use as well. Letters at the beginning, numbers at the end, replacing letters with symbols… hackers know people use these tricks and take advantage of this knowledge when running their brute-force attacks. By focusing on different variations of these commonly used patterns, a hacker greatly reduces the total number of passwords they would need to guess before finding $p@RkY2006.
So the password you came up with wasn’t so secure after all, but it gets worse! Not only is your password easy for a hacker to guess, it’s also incredibly difficult for you to remember! Was that a capital K or was it lowercase? When was Sparky born, again? Which symbols replace which letters? As if you didn’t have enough stuff to remember already, now you’ve got to remember all these little details as well. What if you don’t have to log in to the site every day? Will you really be able to remember your clever password 3 months later?
Luckily, there’s a solution to the madness. Instead of trying to come up with (and remember) your own passwords, use a “password manager” to generate and remember passwords for you. These wonderful pieces of software generate long, completely random passwords that are virtually impossible for hackers to guess in a reasonable amount of time. They then store them on your computer (or in the cloud) and protect them with a master password that you create. Make sure to use a long master password that you’ll be able to remember. In fact, many people use an entire sentence for their master password, complete with punctuation.
When you want to log in to a site, you simply enter your master password into your password manager to retrieve the random password it generated for that particular site. This way, your passwords are secure and you don’t need to remember them.
As an extra security benefit, using a password manager will also let you have a different random password for each site you visit. This way, if your password on one site were to get hacked somehow, the passwords on all of the other sites you visit will still be perfectly safe.
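To make the difference concrete, here is a small added example (not from the original post or from any password manager) that generates a password the way a manager does, using the operating system’s cryptographic random source, and compares its entropy with that of a “clever” password like $p@RkY2006. The dictionary size, number of symbol substitutions, case patterns and year range used for the clever-password estimate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Characters a password manager typically draws from: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16) -> str:
    """Return a uniformly random password using the OS CSPRNG (secrets)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(dictionary_words: int, leet_variants: int,
                         case_variants: int, years: int) -> float:
    """Entropy of a password built like $p@RkY2006: a dictionary word,
    one of a few symbol substitutions, a case pattern and a year on the end.
    The size of that space is just the product of the choices."""
    return math.log2(dictionary_words * leet_variants * case_variants * years)


def guess_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a password by trying half of 2**bits guesses."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    # Assumed figures: 100k-word dictionary, 8 symbol swaps, 16 case
    # patterns, 150 candidate years, and thousands of guesses per second.
    clever = pattern_entropy_bits(100_000, 8, 16, 150)
    random16 = entropy_bits(len(ALPHABET), 16)
    rate = 10_000
    print(f"clever password:  {clever:5.1f} bits, "
          f"~{guess_time_seconds(clever, rate) / 3600:.1f} hours at {rate}/s")
    print(f"random 16 chars:  {random16:5.1f} bits, "
          f"~{guess_time_seconds(random16, rate) / 3.15e7:.2e} years at {rate}/s")
    print("example generated password:", generate_password(16))
```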
Check out Ars Technica’s article Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” to learn more about how easy it is for hackers to crack clever passwords. More importantly, though, stop using anything other than truly random passwords, and make sure they’re at least 12 characters long. The easiest way to do this is by using a password manager such as LastPass or 1Password. Stay safe out there!