A semi-serious comic about strong passwords, or lack thereof [Comic]

What makes a password stronger, complexity or length? Should you use a short password that mixes special characters with numbers and the alphabet or should you have long, simple passwords? Based on my knowledge, a longer, simple password that is made up of random words or phrases is more secure than a shorter password consisting of special characters and the like. Apparently the artist from xkcd agrees with me:

[via xkcd]


  • Eric989

    Lots of great ideas, everyone. For an article titled “Semi Serious Comic” we have had a pretty heavy discussion.

  • mistered

    @Eric989: Valid concern. Maybe using an answer that includes something specific to that particular website, such as, with a banking site like Wells Fargo: “ewchevyog” or “ewnewyorkog” (first 2 and last 2 letters of site, backwards, with real answer in middle; maybe even that backwards). That would be easy to remember and customized for each site.

    Many sites are not case sensitive or do not allow special characters…at least for now. In an online attack, this example would be extremely difficult to crack. Offline, as in stolen, it would be easy, but useless at other websites. If special characters were allowed, as well as upper & lower case, it would be very difficult to crack even offline.

    Can we stay ahead of the onslaught?

  • AFPhys

    You are exactly right about my being wrong about the security questions. The reason is that somewhere on the host’s computer, those answers are stored, so if that file is compromised, you are hosed in many places. I’ll be adding two site-specific characters. I will maintain that such a complex password and single answer IS fairly impervious to on-line attack, though. In addition, though, bear in mind that those security questions typically are “password recovery” only – and send an email to you to help you recall or change the password. Therefore, as long as your email password is different, the hacker still has much work to do.

    I have been a fan of Gibson and SpinRite for, what is it, over 20 years now? Great company; great tool. My version is long out of date, but I still use it for my “old computer” work. Thank you both for pointing me to his website. I love the “big number calculator” he has there, as well as the “haystack” calculator, though that needs to be updated to allow Unicode characters in passwords. My visit there, and to other articles about “HashCat” and other password-guessing programs and recent advances in password breaking, has convinced me that it is time to update both my passwords and password algorithm somewhat. At least I now have some comfort in that my own passwords don’t seem to be in the databases! My last password update had in mind cracking speeds in the billions/second. Now I am convinced that it is time to go to something more like tens of trillions/second, which means I need to add 2-3 characters to my passwords, or simply go to the Unicode character set where available.

    I will be doing that sometime in the next few months.

  • Eric989

    @mistered: @AFPhys: One problem. It seems that using the same answer to all security questions on all sites would be nearly the same as using the same password on all sites. Maybe this answer is uncrackable, but if it ever gets stolen then you are really in trouble. Maybe a better solution would be to put the real answer inside of a base.
    Example: First car? Answer fgCamryB4
    At least if this gets stolen, it can only be used on other sites that ask about your first car. Maybe we need to add site specific additions as well.

  • mistered

    @AFPhys: All true, what you said. Have you taken a look at Steve Gibson’s (one of the world’s leading computer security experts) “Needle in a Haystack” web site? If not, here it is again:


    Check it out, and you will see how EASY it is to make a great password yet use an easy to remember “needle” that is hidden in the “haystack,” and why it works.

    Check it out!

  • AFPhys

    Very good notes about password recovery questions. Due to those considerations (even my worst enemies can know certain things about me) I never use the “real” answers to those password recovery questions. Needless to say, I suppose, is that I can use even the weakest “base” in my password dictionary as the answer to such questions with quite high confidence it will never be guessed, since it has no bearing on the question asked. E.g., Q: “What high school did you attend?” – A: “1234” …
    Well, that is a bit too weak actually, to hang out there, but “f4G^h<” (about 40 “bits of entropy”) is easily strong enough. Using that to answer every “recovery” question is a pretty safe bet.

    Two things I want to add to my long post above:
    1. Unfortunately, too many places (still) limit the character set available for generating passwords (“only letters and numbers”, etc). That has forced me to have a couple of long alphanumeric-only “words” in my “base dictionary”. I don’t like using them, but such is life.
    2. Soon I will be adding two “words” to my “base dictionary” to use in locations that accept a full Unicode character set. Just as adding a “Q” in the 4th position of a password adds huge complications to a brute force attack, adding the full Unicode character set ( http://www.ssec.wisc.edu/~tomw/java/unicode.html ) to the set of possible characters nearly doubles the “bits of entropy” in one fell swoop. I will probably use something like 0x2727 (white four pointed star ✧) or 0x210F (h-bar, Planck’s constant ℏ), though I realize it would be even smarter to use something like 0xA468 (YI Syllable XOX ꑨ).

  • AFPhys

    Betty, I realized an even better way to explain this, or perhaps it is simply a complementary way. Here it is:

    In point of fact, I have augmented MY OWN dictionary with a few short but very strong sequences of characters that I now find it easy to recall and type, but that no one else on the planet has in their own dictionary. I then add a few characters to one of those for site-specific passwords, that I generate in my own, known way. This makes it easy for me to remember and type the passwords, but anyone who does not know those weird words in my own dictionary must resort to brute force (or theft).

    I am glad you found my explanation useful.

  • mistered

    @Eric989: Good point about password recovery questions. Since many of the answers to common recovery questions can be guessed or researched, the best answer to these types of questions is something that has nothing to do with the question. For instance, if the question is about your first car or city of birth, answer the question with “pluto” or some other easily remembered word.

  • Eric989

    Actually one of the best base passwords you can use is initials that stand for words. For example the lyrics of a song or a quote from a book or something. Add some gibberish somewhere in the middle of that and you have a password that is getting a little closer to random alphanumeric and can only be broken by brute force. Of course password managers allow the use of even better passwords because you don’t have to remember them then.
    One thing to note is that the strongest password can sometimes be overcome by password recovery options. The questions they ask are ridiculous. There are likely hundreds of people, including my worst enemies, that know the model of my first car and the last name of my first grade teacher etc. Sometimes these are used in ways that you need to remember them but sometimes you can get away with typing gibberish in them so no one can guess the answer. Just be sure to differentiate between password recovery questions and account verification questions. You don’t want to get locked out of your account.

  • mistered

    I am amazed by how most people think that passwords are cracked. Fact is most are stolen and then cracked. Second, so many people think that the way the movies portray cracking passwords is the “real life” way. Steve Gibson of Gibson Research describes the “real life” process here:


    The truth is, when a cracking attempt is made, it is simply “Is this the password? No, then is this the password? No, then…and on and on.” The attacker does not guess it a letter or word at a time; they throw a guess, and if it is not the password, they throw another…and on and on. The only thing an attacker can know is whether a password guess was an exact match or not. The attacker doesn’t know how long the password is, or anything about what it might look like.

    That is why stolen passwords are much easier to crack. They are not trying to do it online, but offline, using a number of computers and various programs.

    Check out Steve Gibson’s “Needle in a Haystack” method at the website above.

  • Eric989

    I would recommend using something that sounded like a word but wasn’t actually a word as a base. Be creative.
    Interesting that you brought up typing passwords under observation. As far as I know, no one has ever made a program to try to specifically address this issue (of people watching you type), and it does not seem that difficult.
    I envision a portable onscreen keyboard that has as many cursors as buttons. It would have a choice of different colors, sizes and shapes of cursors that would all move together and wrap around when they reach the edge.
    At its simplest, you would choose, say, a small flashing red triangle as your cursor and only you would know that was the real one and not the large blue square etc. More complex setups could be a sequence of cursor changes that you could remember, like red square then green circle then a “blank” cursor (no cursors are real, a click will simply fudge the length of your password but not input anything), followed by a white circle and then a red star that adds a shift as well, another blank and then repeat this in reverse.
    A compromise would be a three cursor sequence followed by a permanent cursor that you would finish your password with.
    The keys would need to be lined up square and not offset like on a real keyboard. There should also be additional “blank” keys that do nothing and an option for the spacebar to fire a blank as well. There would optionally be a box that shows asterisks for every click to help keep track. These would be recorded for all clicks, even blanks and shifts.
    Also it would need a hotkey to identify current cursor if you lose track. It would do this by placing that cursor over a predefined key. Also, it would have a hotkey to fall back to a predefined cursor if you get confused and also a normal mode for when no one is around. There is more but that is the basic idea.
    This would be useful for typing passwords in public places like school, library, wifi hotspot. It is also a more graceful way to handle typing passwords around friends and acquaintances, to avoid having to tell them you don’t trust them and can they please turn away.
    If this was done right it would make it extremely difficult to pick off your passwords even if you were videotaped. What do you guys think? Maybe not to use all the time but would be handy in certain situations.

  • DrTszap


    Seems to me a dictionary attack wouldn’t be quite that simple unless you know the size and order of words, and once you add AFPhys’s suggestion of inserting extra characters into the middle of the password and adding a site-specific suffix…

  • Betty

    @AFPhys: Great tips! Your clear explanation makes so much sense. Following your suggestions will make my online life so much easier. Thank you!

  • AFPhys

    When I was a young computer user, I came up with a 7 character password to use nearly everywhere. About 15 years ago, I read an article about brute force hacking and realized I needed something much stronger. I decided to use four “levels” of passwords. The strongest will withstand years of attack, and I am not a bank so would not be a target of such interest.

    1 – a very weak password, similar to 1234, for BIOS password and such – just in case some child gets hold of my machine and tries to save a new configuration.
    2 – a reasonably strong 7-9 character password for data on my computer, generated by characters from a long loved phrase plus substitutions. I occasionally change the substitutions, and it is always evaluated as “very strong”.
    3 – a similar complexity password with 2 characters added for websites. Those characters are generated from the website’s name. For example, for dottech org I would choose “dt”, but use the letters two to the right on the keyboard, “gu”. The password is of course “very strong”, and different from site to site.
    4 – a super-strong password for sites like banking, investment, data/password storage sites, which is again a strong random “base” password like that of #2 with 4 characters attached. I can keep those characters in a plain-text file since they are only addenda to the base, though they are usually obvious enough TO ME, e.g.: for HSBC bank something like #Sb3. Again, it is different from site to site. It would take years to brute-force break with a peta-flop computer.

    I do NOT use the same base password for lower value sites like websites as that which I use for high-value sites.

    Another couple of observations about password generation and use:
    1. It has been drummed into people NOT to use “sequences (asdf)” or “doubled characters (kk)” in passwords for so long that NO one seems to be using them, even “random” password generators. I therefore recommend using such as part of a password that may have to be typed under observation.
    2. Use capital letters in the middle of your password. Note that the “troubador” cartoon has the password cracker only imagining that the first letter might be capitalized.
    3. Again, using the cartoon, major complexity can be added in any password simply by inserting (say) “QW” in the middle of “troubador”. Make that your standard practice, and you won’t have trouble remembering, though no dictionary attack will pick it up.
    4. Using a semi-randomized “base” password of length 8 characters yields on the order of 6 bits × 8 = 48 bits of complexity (higher than the cartoon example). Though it may seem difficult to type such a “base”, it will not be long before it flows out of your fingertips. Don’t forget to include something like “Z” or “K” etc., in the middle!

    So my practice is to use a relatively short, easy to remember “base” password, with unusual “internals” to thwart dictionary-style attacks, with simple website-specific addition to create passwords with well over 50 bits of “entropy”.

  • Stephen

    I’ve always wondered whether this is undermined by a dictionary attack viewing the four words as each being just one ‘symbol’? I guess I shouldn’t be lazy, and do the sums.

    Spaces between the words are the obvious default, so I won’t count those. So this reduces to 2 to the power four choices from a (large) dictionary, versus 2 to the power 11 choices from the (smaller) ASCII character set?

    So for the four words: say we have a dictionary of 20,000 words – you have selected common words, that’s 40000 to the power 4 = 2.56e+18. This is versus the easily typed ASCII characters, say 110, so 220 to the power 11, which is 5.84e+25.

    Now this assumed a RANDOM string of 11 ASCII characters, so to me the two examples don’t look very different.

    A further thing, as the ‘leet speak’ substitutions are so well known, aren’t these also ineffective?

    I gather one of the big issues is using the same password for many sites, so if it is compromised, you are truly lost. Has anyone any good ideas for this problem?