Dubious Password Advice

Jacob Bergdahl over at Towards Data Science has an article discussing what makes a good password. His advice is not entirely wrong but has some problems. His main point is that greenelephantswithtophat is a better password than jK8v!ge4D. That’s probably correct but only because jK8v!ge4D is fairly short while greenelephantswithtophat is reasonably long. He’s not wrong that longer is better than shorter but it’s a little more complicated.

One of the main problems with jK8v!ge4D, according to Bergdahl, is that you can brute force it reasonably quickly. That’s true, but it ignores how passwords are actually cracked. If a site has robust password processing, the password isn’t just hashed—let alone left in plain text—it’s salted and then run through a deliberately slow, iterated hash function so that computing each candidate hash is non-trivial. And, of course, no one is trying to crack just your password. They typically have a list of hashes stolen with an exploit and are running the brute force attempts against the entire list. All of that means that jK8v!ge4D isn’t as vulnerable as Bergdahl makes out.

Still, it’s not a strong password. Bergdahl’s other main point is that even as it stands, it’s difficult to memorize, while greenelephantswithtophat is both more secure and much easier to remember. To make jK8v!ge4D a strong password it would have to be much longer, making it effectively impossible to remember.

On the other hand, passwords like greenelephantswithtophat aren’t as secure as you might think because humans will always pick words in a predictable way. Back in 2013 I wrote about how hackers recovered the seemingly impossible password Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1, a line from Lovecraft’s The Call of Cthulhu. In order for correct horse battery staple to work, the words have to be chosen at random so they form no pattern. Even then, such passphrases are a lot easier to remember, but not when you have one or two hundred of them.

Bergdahl dismisses password managers as something for power users but

  1. Modern password managers like 1password are easy to use, even for the relatively unsophisticated.
  2. Password managers are the only robust method I know of for dealing with passwords.

With a password manager you can have a long random password like nD34$@ckwS.-33SBx!+4.gsac4 that you don’t have to remember, and a single password of the correct horse battery staple sort to protect your password database.
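As an added illustration (not from the original post or from any password manager), here is the arithmetic behind the two kinds of password just described: uniformly random picks from a word list for the master passphrase, uniformly random printable characters for each vault entry, and the expected search time at an assumed guess rate. The word list is a constructed sample; the entropy figures assume a real 7776-word Diceware list and a 94-symbol printable ASCII alphabet, and the guess rates are illustrative assumptions.

```python
import math
import secrets
import string

# Constructed sample word list (an assumption for this example). A real
# Diceware list has 7776 words, which is what the entropy figures assume.
SAMPLE_WORDS = [
    "green", "elephant", "with", "tophat", "correct", "horse",
    "battery", "staple", "lantern", "marble", "orbit", "quartz",
]
DICEWARE_LIST_SIZE = 7776
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_passphrase(words, count, sep=" "):
    """Pick `count` words uniformly at random with the OS CSPRNG.

    This is the correct horse battery staple recipe done right: the words
    form no pattern, which a human-composed phrase never guarantees.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length, alphabet=PRINTABLE_ASCII):
    """Vault-style random password of the nD34$@ckwS... kind."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(picks, pool_size):
    """Entropy of `picks` independent uniform choices from `pool_size` options.

    Only valid for uniformly random choices; a phrase the user composed
    (greenelephantswithtophat) has far fewer effective bits than this.
    """
    return picks * math.log2(pool_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Mean time for exhaustive search to hit a uniformly random secret
    (half the keyspace on average) at the given guess rate."""
    return 2 ** bits / 2 / guesses_per_second


if __name__ == "__main__":
    # Assumed, illustrative guess rates: a fast unsalted hash on GPUs
    # versus a salted, iterated password hash.
    fast, slow = 1e10, 1e4
    for label, bits in [
        ("9 random printable chars (like jK8v!ge4D)", entropy_bits(9, 94)),
        ("4 random Diceware words", entropy_bits(4, DICEWARE_LIST_SIZE)),
        ("25 random printable chars (vault entry)", entropy_bits(25, 94)),
    ]:
        print(f"{label}: {bits:.1f} bits, fast hash {expected_crack_seconds(bits, fast):.3g} s, "
              f"slow hash {expected_crack_seconds(bits, slow):.3g} s")
    print("master passphrase:", random_passphrase(SAMPLE_WORDS, 5))
```

The slow-hash column is the point of the salting-and-iteration paragraph above: the same entropy buys six orders of magnitude more search time when each guess is expensive.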

You may not like it. Bergdahl may not like it. But the only secure way of managing your passwords is with a password manager.
