Your passwords should be long, and don't need those symbols

A friend taught me that symbols actually make a password harder to remember than a longer, letters-only one. It's best summed up in this xkcd comic:

Okay, I have no idea what that comic was about.

For the less tech-savvy, a few common ways of breaking into online accounts are dictionary-based attacks (possibly with the help of rainbow tables), or obtaining your password through social engineering or keyloggers. The latter methods are more typical when you are specifically targeted by some organisation, so we'll focus on the former here.

Typically, dictionary-based attacks work by constructing a predetermined list of 'simple' passwords, that is, passwords that are used often, like football or iloveyou, and trying them in a brute-force attack on the website. This is often coupled with rainbow tables: precomputed tables of the cryptographically irreversible hashes of such common passwords, used because many websites store a hashed version of the password instead of the password itself, in an attempt to protect your privacy.

Wikipedia’s example of a rainbow table with three reduction functions

The common misconception arises because websites nowadays force your passwords to contain special symbols like @#*(%&#@. (Yeah, I'm really swearing here, because that's how illogical this advice is.) Most of us then get the idea of converting symbol-like letters into those symbols and numbers, for example:

iloveyou becomes 1l0v3y0u!

Surprise! The hackers know how to do this too! Their dictionary for the attack will most probably contain these variants as well, making you easier prey for them.

Damn! I’m gonna change my passwords now! But what makes a good password?

The general guideline for a good password, in terms of both security and usefulness, is that it should be long and easy to remember. (There is no point having a password like KJdlf2i3f9wueolfkJHLK if you can't recall it.) Instead, the comic above suggests chaining English words together.

The key thing to note is that a login attempt has no partial match: your password is either entirely correct or incorrect. That makes a brute-force attempt take ages to reach your account when the password is really long. So if my password is waddup my awesome mates yo, hackers essentially need to choose from a pool of 26^26 = 6.156 * 10^36 passwords, assuming they even know my password length. And I'm pretty sure that phrase comes to mind easily.

Compare this with the common misbelief of a good password, w@ddupy0, which takes 46^8 = 2.004 * 10^13 attempts to crack. Now that's much smaller!

Long story short? Use long English passwords. (But of course, use a different password per site. One method is to include the site's name or a distinctive feature of it in the password. That is probably easy to remember if you're using the English-words method.)

Thanks Shopee dev team for the heads up!
