Recently, I read this article on the Internet: How a Password Changed My Life.
If you don’t want to read it, let me summarize it for you: essentially this guy is tired of changing (and of remembering) his password every 30 days (he has to do so for his work), so he decides to use meaningful passwords (like [email protected]) with the idea that not only will they be easier to remember, but that typing them over and over each day will help him achieve the goal they represent. Apparently, this stuff works, and I congratulate the author on his personal accomplishments; I’m happy for him.
Using passwords like the ones suggested in the post is a hell of a bad idea.
If you look at the passwords in the article, you will notice that:
1) – They contain only letters, single digits (rarely in groups of two), and the symbol ‘@’ (only once do we see ‘!’).
2) – The words always have meaning: either they are plain (simple!) English words, or they use substitutions like ’4′ instead of ‘A’, ’4′ instead of “for”, and so on.
3) – They are embarrassingly short, i.e. they are made of only a few tokens (a token being one of the components described above).
Knowing these rules, an attacker could easily write a program to guess a password that follows them; he would only need an English dictionary (not even a full one, apparently only the most used words) and some rules for replacements like “to” to ’2′ (no pun intended).
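To put a number on how much those three rules shrink the search space, here is an added example (my own code, not the author’s): it splits a password into dictionary words under the post’s substitution rules and compares the resulting guess space with that of a random password of the same length. The word list, dictionary size and variants-per-word figures are assumptions standing in for a real frequency list.

```python
import math

# Constructed stand-in for "the most used English words" (a real guesser
# would load a frequency list); longest first so '4' prefers "for" over "a".
COMMON_WORDS = sorted(
    {"forget", "her", "quit", "smoking", "save", "for", "trip", "to", "at",
     "thailand", "sleep", "before", "eat", "more", "vegetables", "ever", "a"},
    key=len, reverse=True)
DICT_SIZE = 1000        # assumed size of the word list the attacker really needs
VARIANTS_PER_WORD = 4   # assumed spellings per word once substitutions count
# Substitutions the post describes: a digit/symbol stands for a letter or a short word.
SUBSTITUTIONS = {"@": ("a", "at"), "4": ("a", "for"), "2": ("to", "too"),
                 "0": ("o",), "1": ("i", "l"), "3": ("e",), "$": ("s",)}
PUNCTUATION = set("!.-_")  # separators carrying no word meaning

def _spell(pw, i, word, j):
    """Index in pw just past word[j:] if pw[i:] spells it (case-insensitive,
    substitutions allowed), else None."""
    if j == len(word):
        return i
    if i == len(pw):
        return None
    if pw[i].lower() == word[j]:
        return _spell(pw, i + 1, word, j + 1)
    for exp in SUBSTITUTIONS.get(pw[i], ()):
        if word.startswith(exp, j):
            end = _spell(pw, i + 1, word, j + len(exp))
            if end is not None:
                return end
    return None

def tokenize(pw):
    """Split pw into dictionary words and punctuation; None if it does not
    follow the post's pattern at all (then this shortcut does not apply)."""
    if not pw:
        return []
    if pw[0] in PUNCTUATION:
        rest = tokenize(pw[1:])
        return None if rest is None else [pw[0]] + rest
    for word in COMMON_WORDS:           # backtracking search over word splits
        end = _spell(pw, 0, word, 0)
        if end is not None:
            rest = tokenize(pw[end:])
            if rest is not None:
                return [word] + rest
    return None

def guess_bits(pw):
    """(pattern bits, random bits): log2 of the guess space under the post's
    pattern vs. a random password of the same length over 95 printable chars."""
    tokens = tokenize(pw)
    random_bits = len(pw) * math.log2(95)
    if tokens is None:
        return random_bits, random_bits   # no pattern found: no shortcut
    words = [t for t in tokens if t not in PUNCTUATION]
    punct = len(tokens) - len(words)
    pattern_bits = (len(words) * math.log2(DICT_SIZE * VARIANTS_PER_WORD)
                    + punct * math.log2(len(PUNCTUATION)))
    return pattern_bits, random_bits
```

The model is generous to the password (it treats each word as an independent uniform pick), so real phrases, which are grammatical, sit even lower.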
This means that the password strength is low compared to an optimal choice. In some cases it might still cause trouble to an attacker, and I’m not going to analyze that here, but the point is that it could be (much) better, and that there really is no reason to take this kind of risk.
Sure, if the password protects an online service it may still be hard to carry out such an attack in a short time without alerting firewalls, but if it is used to restrict access to a local resource, well… it simply wouldn’t fully serve its purpose. Since someone seems to have forgotten what that purpose is, let me remind you:
Passwords are meant to be used for protecting secrets, not for reminding important stuff you have to do in your life.
So, to wrap it up, my advice is to use passwords that are truly hard to guess. Google will tell you lots of tips for generating them and storing them safely.
Please, do not follow the author’s post literally. If you really have to use a password to change your life, make sure that
- your substitutions are more clever than his
- you use longer passwords than “[email protected]!”
- you keep in mind that there are other “special characters” besides ‘@’