Did you fake your password?

It’s an evergreen news story in the tech world: the top 25 idiotic passwords we use. Every tech magazine reports it and trumpets our global stupidity in the face of hackers. The articles usually beseech us to think about security, to batten down our virtual hatches, to make sure we use a good strong password like 6z!!jciBAOdGEy5EHE&6 or something equally unmemorable.

The surveys and roundups of passwords usually show that simple alphanumeric strings are in widespread use, purportedly protecting our Hotmail, GMail, Facebook, Twitter, Xbox, Sony and every other online account, even our bank and credit card accounts. Among the apparently silliest and simplest are things like “password” and “passw0rd”, “123456”, “ILoveYou”, “qwerty”, “abc123”, “111111” and many others besides. All equally crackable and/or guessable. Indeed, any short alphanumeric string, no matter how seemingly random, can be cracked by so-called bruteforce means within seconds by a powerful enough computer, or by an array of hijacked machines running malware.

Recent revelations about an alleged 5 million GMail passwords being published online revealed once again that the users of those accounts were particularly foolish with their password use. Security blogs suggested that 9 out of 10 of the passwords leaked could have been bruteforce attacked easily because they were so simple.

But, a Twitter discussion with Michael Horak @fatmike182 and Benedikt Malleolus @BMalleolus has got me thinking about those silly statistics. Horak pointed out that in any batch of leaked GMail logins there is a likelihood that a fair proportion will be either fake (accounts set up for spam and other malicious purposes) or else created for one-time use as a disposable account with which to register on a particular site. We have no easy way to determine what percentage of any list of username/password logins, from whatever hacked source, are genuine users and what proportion are fake, spam or disposable logins.

In other words, the shouty tech blogs that discuss password complexity and how inept most of us supposedly are at using decent passwords may be basing their proclamations on skewed data. Maybe many of us use really strong passwords and two-factor authentication; maybe more of us than they care to admit aren’t really so dumb as to use “password” as the password for our mission-critical logins.

But, here’s a little puzzle: which of these two imaginary passwords would take longer to crack?

“iSK6%3U6Gt” or “Password........”

The answer, given the leading question, may not surprise you, but it is surprising nevertheless. It’s all about making the haystack in which your password needle might be found much bigger than everyone else’s. A bruteforce attack has to work through every combination of the character set over the length of the password, so adding six extra characters, even dull ones, multiplies the number of candidates far more than swapping a letter for a symbol does. The mixed-character password would be crackable in about a week, assuming some kind of Massive Cracking Array Scenario carrying out one hundred trillion guesses per second. The latter password would take the same Array slightly longer, about 2 billion years. Of course, if everyone starts simply adding full stops to the ends of their passwords, the hackers will soon learn and add that pattern to their search algorithms. Maybe we need to be even a little cleverer than they give us credit for.
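To make the haystack arithmetic behind the puzzle (and the earlier claim that short alphanumeric strings fall within seconds) concrete, here is an added worked example. It is not code from the original post; it implements the usual search-space model, in which the attacker's alphabet is the union of every character class the password touches and the worst case is exhausting the whole space at the post's one hundred trillion guesses per second. The function names, the 32-symbol class taken from Python's string.punctuation, and the pattern-aware estimate at the end (a dictionary word followed by a run of one repeated symbol) are assumptions made for illustration, and the dictionary size used there is a constructed figure.

```python
import string

# Character classes an exhaustive attacker has to cover. The search space is
# (alphabet size) ** (length), where the alphabet is the union of every class
# present in the password. Assumption: 32 printable ASCII symbols (no space).
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

GUESSES_PER_SECOND = 1e14          # one hundred trillion guesses per second, as in the post
SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def alphabet_size(password: str) -> int:
    """Size of the smallest class-union alphabet that contains the password."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search must be prepared to try."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to run through the whole search space at `rate`."""
    return search_space(password) / rate


def report(password: str) -> dict:
    """Summarise the haystack for one password in human units."""
    seconds = seconds_to_exhaust(password)
    return {
        "password": password,
        "alphabet": alphabet_size(password),
        "length": len(password),
        "space": search_space(password),
        "seconds": seconds,
        "days": seconds / SECONDS_PER_DAY,
        "years": seconds / SECONDS_PER_YEAR,
    }


def pattern_aware_space(dictionary_words: int, pad_symbols: int, max_pad_len: int) -> int:
    """Candidates for an attacker who already knows the 'word + repeated symbol'
    padding habit: each dictionary word, followed by 1..max_pad_len copies of one
    of pad_symbols symbols. Assumed attack model, used only to size the risk."""
    return dictionary_words * pad_symbols * max_pad_len


def padded_password_seconds(dictionary_words: int = 1_000_000,
                            pad_symbols: int = len(string.punctuation),
                            max_pad_len: int = 20,
                            rate: float = GUESSES_PER_SECOND) -> float:
    """How long the padding trick survives once the pattern is in the attacker's
    rule set. The one-million-word dictionary is a constructed figure."""
    return pattern_aware_space(dictionary_words, pad_symbols, max_pad_len) / rate


if __name__ == "__main__":
    for pw in ("iSK6%3U6Gt", "Password........", "abc123"):
        r = report(pw)
        print(f"{r['password']:18} alphabet={r['alphabet']:3} length={r['length']:2} "
              f"space={r['space']:.2e} days={r['days']:.1f} years={r['years']:.2e}")
    print(f"'word + padding', pattern known: {padded_password_seconds():.4f} s")
```

Running it reproduces the post's figures: the ten-character mixed password exhausts in roughly six days, the sixteen-character padded one in roughly two billion years, and a six-character alphanumeric such as “abc123” in well under a second. The last line is the caveat from the final paragraph in numbers: once “dictionary word plus a run of full stops” is a rule in the attacker's toolkit, the same padded password sits in a space of a few hundred million candidates, which the same array clears in a fraction of a second. Length and unpredictability together are what enlarge the haystack; a fixed padding habit only helps until it is known.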