I know, the Twitter hack is old news, but poor passwords are still common. It is a pity, because it is so easy to make a password much stronger while keeping it easy to remember. According to the press, an admin used the password “happiness” and that is how a hacker gained access to her account. This password is all lowercase letters, which means it can be brute-forced from a pool of only 26 characters. In practice, most cracking tools will use at least 52, so as to include upper and lower case. Of course, since it is a word, a far more efficient dictionary attack cracked it quite quickly. At 9 characters long, there were only about 5.4 trillion combinations the password could possibly be. Since the password is an English word, there were only about a million possibilities.

The first thing to notice is that a single word, no matter how obscure, is a terribly weak password. If the password had been “happinessis” then it would not be a word, it would still be easy to remember, and there would have been about 3,670 trillion possible combinations of lower case letters for an eleven character password. This is more than 650 times better than any 9 character lower case password.
With a 9 character password that contains upper and lower case letters, numbers, and special characters there are almost 630,250 trillion combinations. Now for something really interesting… If the admin had used the password “happinessisgood” there would have been over 1.6 billion trillion combinations possible with only lowercase letters. Yes, 1,677,259,342,285,730,000,000 possibilities for a 15 character lower case password. That means it takes a very long time to crack the password. It also means that a 15 character, all lowercase password that is not a single word is much stronger than any 9 character password, no matter what special characters you use! Is it really that much harder to remember “happinessisgood” than “happiness”? Simply changing the password to “Happinessis2good!” makes an incredibly strong password.
Remember, length matters more than complexity, as long as you do not use just one long word. Even the longest word in the English language is still only one of about a million words, and very easy for a computer to guess.
You can also use things like your dog’s name or your birthday if you are smart about it.
“Rover loves 2 run” is a fine password. “On 4/17/60 I entered the world” is a very strong password that contains my birthday!
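As an added example (not code from the original post), here is the post's keyspace arithmetic in Python: the search alphabet is inferred from the character classes a password actually uses, a single dictionary word is charged only the post's "about a million" English words, and the sample wordlist and the guessing rate are constructed assumptions, not measured values.

```python
import string

# Character classes an attacker adds to the search alphabet once a password is
# known (or assumed) to contain them: 26 + 26 + 10 + 33 = 95 printable ASCII.
CHARACTER_CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation + " "), 33),
)

# The post's estimate of the English vocabulary a dictionary attack must try.
ENGLISH_WORD_COUNT = 1_000_000

# Constructed stand-in for a cracking wordlist; a real one holds the ~1M words.
SAMPLE_WORDLIST = frozenset({"happiness", "password", "rover", "twitter"})


def pool_size(password: str) -> int:
    """Alphabet size implied by the character classes the password uses."""
    pool = sum(size for chars, size in CHARACTER_CLASSES
               if any(c in chars for c in password))
    if pool == 0:
        raise ValueError("password contains no printable ASCII characters")
    return pool


def keyspace(password: str) -> int:
    """Candidates a brute-force search of that alphabet and length must cover."""
    return pool_size(password) ** len(password)


def guesses_needed(password: str, wordlist=SAMPLE_WORDLIST) -> int:
    """Worst-case guesses: one dictionary word collapses the keyspace to the vocabulary."""
    if password.lower() in wordlist:
        return min(keyspace(password), ENGLISH_WORD_COUNT)
    return keyspace(password)


def seconds_to_exhaust(password: str, guesses_per_second: int) -> int:
    """Whole seconds to try every candidate at an assumed (hypothetical) rate."""
    return guesses_needed(password) // guesses_per_second


if __name__ == "__main__":
    for pw in ("happiness", "happinessis", "happinessisgood",
               "Happinessis2good!", "Rover loves 2 run"):
        print(f"{pw!r:22} pool={pool_size(pw):3} guesses={guesses_needed(pw):,}")
```

Running it reproduces the post's figures: 26^9 for “happiness” (but only a million guesses as a dictionary word), 26^11 for “happinessis”, and 26^15 for “happinessisgood”, which exceeds the 95^9 keyspace of any 9 character password.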
The admin at Twitter will find much more happiness and security using a simple password with only a tiny bit more complexity and a few more characters, and so will you!
Director of Technical Education
Author ESET Research, ESET