Month: September 2022

Security vs Complexity – How to set a secure password.

It’s not as hard as you may think.

-She

Security vs Complexity

There is a major difference between an easy to remember password and one that is secure…or is there? Can’t you have both? Shouldn’t you have both?

There is a thought that adding spaces to your password to make a pass phrase is more secure because it enables you to have longer passwords that can be easier to remember. The true test of security is length and amount of randomness. Since we truly can’t be actually random, we need to include all types of characters allowed for a password. I am going to use password to encompass pass phrases as well because whether a password has spaces or not it doesn’t change what it is. A space in a password is still just a symbol character, so it’s just a password with spaces. I would argue you should have another symbol(s) besides spaces.

I wrote a previous post about passwords and security here, titled Secure Password is Not Secure. In this posting I highly suggested you use a password manager like LastPass and a Password Generator (LastPass offers this for free). The password generator is easy to get to if you are in Chrome or any browser with the LastPass extension installed by hitting ALT + G on your keyboard. You can also check your keyboard shortcut settings in the extension manager. chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/tabDialog.html?dialog=preferences&cmd=open. This link might not work, and you may have to right click your LastPass extension and click on Options.

Right click the LastPass extension, left click Options.
Left menu for Hotkeys, See Generate Secure Password at the top and see the default keyboard shortcut.

So if you don’t like LastPass or think they are evil then BitWarden is another company that offers all the same features.

Whatever you do, DO NOT use the same password on two different websites. I can’t stress this enough. Once you have a compromised password on one site, it is VERY likely the hacker will use automated tools very quickly to attempt that same password on many other sites.

You may not have anything to hide or want to keep super secure, but I bet you don’t want to be locked out of your email, Facebook, Instagram, etc. accounts?

So how do I create a secure and complex password?

A very simple way to come up with a more secure and more complex would be a “pass phrase” as discussed above. You can make it as random as you like.

EXAMPLE 1: The 3 brown dogs ran FAST!
EXAMPLE 2: 1Jason is a really big NERD!

The above examples both have 163 bits of entropy which is the amount of randomness including all the characters. (5 uppercase, 14-16 lowercase, 1 number, 6 symbols)

https://www.omnicalculator.com/other/password-entropy

If you go to howsecureismypassword.net then you see this, 2 decillion years to crack this password.

https://www.security.org/how-secure-is-my-password/ (FKA howsecureismypassword.net)

If you want to know how many possibilities for a password then you take the total number character types to the power of total number of digits.
total password possibilities = possible characters ^ number of digits
Example: A bank card PIN has 10k possibilities because 0,1,2,3,4,5,6,7,8,9 is 10 possible character types ^ 4 digits (generally) so 10^4=10,000

This password The 3 brown dogs ran FAST! has:

1,515,502,518,418,473,418,851,336,545,154,803,393,228,349,015,457,449

possibilities if you use all possible characters on my keyboard.

[email protected]#$%^&*()_+`1234567890-=qwertyuiop[]\asdfghjkl;'zxcvbnm,./QWERTYUIOP{}ASDFGHJKL:"ZXCVBNM<>?

If a computer can attempt 10,000 passwords every second then, per my calculation it would take 2.40116884430133E+39 or 2,401,168,844,301,330,000,000,000,000,000,000,000,000 or 2.4 duodecillion years. I am even dividing the probability in half because generally it takes half as many guesses than possibilities, when referring to statistics. I don’t know how the website above is calculating it’s 2 decillion years. I would have to know how many characters they are including and how many iterations per second. I am figuring 10k/second…

My Math

The iPhone and iOS now offer a great feature to suggest random passwords and even allows you to store them.

TOP 10,000 PASSWORDS!

Go to this website and make sure you don’t use any of these passwords. This list represents the topmost common used 10k passwords gathered from a list of 10 million passwords.

https://en.wikipedia.org/wiki/Wikipedia:10,000_most_common_passwords

This is an image of the top 100 from the Wikipedia link above. This screenshot is from 9/21/22 and the actual website is subject to change and show different top 100. I have also blurred out and curse words or words deemed to derogatory to displace on my website.

Great, but what do YOU do?

This blog is not sponsored by any of the websites mentioned above. I have personally paid for LastPass since 2010 and have thousands of passwords in my vault. For 99% of those passwords, I don’t even know them. I only know my master password. I don’t have to remember any of them. With the Chrome/Firefox/Edge browser extensions and the app on my iPhone I have very easy access to all my passwords. I also store other important information in my vault like credit card numbers, banking info, tax info, Wi-Fi information.

At stated above, I do not know any of my main passwords for any of my accounts. I generally use a password that looks like this: [email protected]$H*&xw96#zRg3fXjY$Y (automatically generated from LastPass which is free $0.00)

LastPass
Bitwarden

Have a safe and secure day and make better password decisions.

If you like this or agree, then leave a comment and let me know. If you don’t like this or think I am wrong, then leave a comment and let me know.

~ Thank you Jeremy for proofreading this. ~