Let’s play a game.
If somehow I got access to the password to your Amazon account, on a scale from 1 to 10 how screwed would you be?
1 – Not screwed because your Amazon password is different from every other site and you have second factor authentication enabled.
10 – Totally screwed because your Amazon password is the same one you use for your bank, and you don’t have second factor enabled anywhere.
My guess is that most of you are around a 6 or 7 on the screwed-ness scale.
So, let me tell you something:
And by the way, this is not really a guess. According to a new report, 3 in 4 users use the same password across sites. 40% of users have had their password hacked or were asked by the websites they frequent to change their password due to unauthorized access.
But no need to worry. Edward is here to fix all that for you.
Did you know that with minimal effort, you can reduce your password screwed-ness level from a 7 to a 1?
Before I get into the weeds of how you can create an almost bulletproof password, let’s talk about the 2 biggest myths regarding password management.
Two Common Myths about Passwords:
- Complicated passwords are more secure than longer passwords
- You have to create a password that is complicated, but simple enough that you can remember it.
Why does this matter? Because unless you want to become fodder for the recreational sigint community, it’s in your best interest to ensure your passwords are sufficiently secure.
MYTH #1 – Complicated passwords are more secure than longer passwords
Your online security is predicated on the strength of your password. A longer password is significantly stronger than a complicated password. The justification for this statement is covered further on in this article.
Despite this, more and more websites come up with password requirements that include capital letters, lowercase letters, numbers and symbols, while very few requirements are imposed on the length of the password.
Another thing – if you can memorize your password, there’s a good chance it is not strong enough.
To have a sufficiently strong password, ensure it complies with the following recommendations:
- Your passwords should have a minimum length of 12 characters
- Your passwords should include at least one character of each type:
  - Lowercase letter
  - Uppercase letter
- Your password should be random (i.e., no discernible pattern)
- You should not reuse passwords across the web
A 12-character password that complies with the above recommendations will take 1.74 centuries to crack, assuming 100 trillion guesses per second.
MYTH #2 – You have to create a password that is complicated but simple enough that you can remember.
I have two words for you.
Password Managers do exactly what you expect them to do. They store your passwords securely. They remember your passwords so you don’t have to. The question is not whether you should look into password managers. Instead, the question, which PCMag provocatively asks, is Why Aren’t You Using a Password Manager Yet?
These applications generate strong passwords, store them securely, and inject them into a website’s login forms. Since they remove the need to remember and type in your passwords, you can use the longest and most complex passwords supported by the website.
Still not convinced? You can use a simple tool like How Secure Is My Password to see how secure your password is when compared to a randomly-generated password from a password manager. I promise you — it will really change your perspective on the security of your passwords.
Note: it is safer to use a long random password written on a Post-It note stuck to your computer than it is to use a memorized short password.
There are multiple inexpensive password manager tools out there that do a very good job of generating and maintaining your passwords across all platforms. If you want, you can take a look at LastPass, 1Password or Dashlane, among others, to embark on the path to real password security. These applications come with Safari support, meaning they can inject passwords into your Apple browser both on the web and on your iPhone.
What you need to know about passwords
Passwords are the first line of defense for securing information and access to services. As a safeguard mechanism, they are an excellent compromise between security and convenience. However, they are nothing more than a compromise. Due to advances in hardware and cryptography, passwords that were once considered secure are crumbling under modern password-cracking attacks. All is not lost with passwords as a security mechanism; shoring up this line of defense can be accomplished by using stronger passwords.
To make a password stronger, we need to understand the characteristics that affect a password’s strength. Knowing this, we can select passwords that are secure enough to safeguard our information and services.
Determining a password’s strength
Which of the following passwords do you believe is stronger?
You thought “of course the second one is the strongest password.”
Actually, the first password is stronger. It will take 95 times longer to crack the first password than the second. Why? Because it is one character longer. The strength of a randomly selected password is related to how many attempts (at worst) it will take to guess it.
There are two password strength concepts represented above: length and complexity. Length is the number of characters comprising a password. Complexity is the variety of character types (e.g., numbers, alphabetic, symbols, and punctuation) and the number of such characters within the password. For example, the password “a3b2c1” consists of six characters from two of the four character types. The more complicated a password, the greater the number of possible characters available for each slot in the password.
Together, a password’s length and its complexity determine its strength.
One way to crack a password is to use a brute-force attack.
This type of attack is a trial-and-error method that performs an exhaustive search through every permutation of characters until a guess is either successful or the attacker gives up. To increase the difficulty of such attacks, one must increase the number of permutations an attacker must consider.
Let’s look at what it will take to brute-force attack a password that relies on complexity. If we assume that a password comprises a single lowercase letter, then it would take 26 guesses to crack the password. If we include numeric digits in the legal character set, then it would take 36 attempts to determine the password. Similarly, including uppercase letters raises the worst case for a brute-force attack to 62 guesses.
Now let’s consider a one-character password consisting of a numeric digit. At most, it will take 10 guesses to obtain the password. If we double the password length to two digits, it will take 110 (10 one-digit and 100 two-digit passwords) guesses to uncover the password. Likewise, a three-character numeric password will take 1,110 (10^3 + 10^2 + 10^1) guesses to reveal it. Therefore, we can conclude that a two-character numeric password is stronger than a single-character alphanumeric password, even though the single-character password is more complex than the two-character numeric password.
So what’s going on here?
Increasing the complexity of a password has a linear effect on the number of guesses it will take to crack the password. Increasing the password length, however, has an exponential effect.
Given the choice of password complexity versus length, one should choose longer passwords over more complex ones.
For a given password length and complexity, the number of possible passwords is provided by the equation:
Given enough time, a brute-force attack can crack any password. The question is how much time will be required, and whether the protected information would still be valuable at that point in the future. Using four off-the-shelf AMD HD 5970 graphics cards, someone has created a system capable of cracking 33.1 billion passwords per second.
If your password is not sufficiently strong, this type of system will crack it in relatively short order. The “D0g…………………” password introduced above is a sufficiently strong password because it would take longer than the age of the known universe to guess it using a brute-force attack.
Password Search Space
Password length and complexity define the maximum number of possible passwords. Alternatively, from an attacker’s point of view, this is the search space that must be covered to crack the password. The larger the search space, the more time-consuming it will be to crack a password. The following Search Space Table provides examples of the size of the search space for different password length and complexity combinations.
Now that we have an understanding of how password length and complexity define the search space, how does this apply to the strength of a password? In other words, how long will it take to crack a password? Let’s assume we could guess one hundred trillion passwords per second; the Durations table lists the amount of time required to crack a random password.
Bottom line – a 15-character random password is a great password; it could be used to safeguard information for at least a few years. Over time, hardware advances necessitate the strengthening of passwords to ensure the desired information or services are safeguarded. In other words, your passwords need to get longer over time.
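The search-space arithmetic from this section, as an added example that is not part of the original article: it reproduces the 26/36/62 single-character counts, the 110 and 1,110 numeric cases and the 100-trillion-guesses-per-second timing, and also estimates the worst-case space for an arbitrary password from the character types it uses. The 33-symbol count (95 printable ASCII characters in total), the 365.25-day year and the sample passwords other than the article's own are my assumptions.

```python
import string

# Character-class sizes as the article counts them: 26 + 26 + 10 + 33 = 95 printable ASCII.
# The 33-symbol figure is an assumption; the article only gives the 95 total.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def classes_in(password):
    """Return the set of character types actually present in a password."""
    found = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("symbol")
    return found


def alphabet_size(classes):
    """Candidates per position: 26 (lowercase), 36 (+digits), 62 (+uppercase), 95 (+symbols)."""
    return sum(CLASS_SIZES[c] for c in classes)


def search_space(length, alphabet):
    """Worst-case guesses for an exhaustive search over every length 1..length.
    Matches the text: two digits -> 10 + 100 = 110, three digits -> 1,110."""
    return sum(alphabet ** k for k in range(1, length + 1))


def worst_case_guesses(password):
    """Attacker's search space if they know only the length and the character types used."""
    return search_space(len(password), alphabet_size(classes_in(password)))


def crack_years(guesses, guesses_per_second=100e12):
    """Years to exhaust the space at the article's 100-trillion-guesses-per-second rate."""
    return guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Complexity grows the space linearly, length grows it exponentially:
    print(search_space(1, 62), "vs", search_space(2, 10))   # 62 vs 110
    # 12 random characters from all four classes: about 1.7 centuries at 1e14 guesses/s
    print(f"{crack_years(search_space(12, 95)):.1f} years")
    # The article's "D0g" password (24 characters) dwarfs the age of the universe (~1.38e10 years)
    for pw in ("a3b2c1", "D0g" + "." * 21, "xK7#pQ2$vL9m"):      # last one is constructed
        print(f"{pw!r:28} {len(pw):2d} chars {sorted(classes_in(pw))} "
              f"~{crack_years(worst_case_guesses(pw)):.3g} years")
```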
What are Dictionary Attacks?
A Dictionary Attack is a variant of the brute-force attack: instead of systematically attempting every permutation of possible characters, a dictionary attack considers words from a pre-determined list of passwords. Such a list is strategically constructed and may include:
- Language dictionaries (e.g., English, Russian) and leetspeak variants of words from various languages
- Known passwords
- Common patterns of passwords
Dictionaries are significantly smaller than the search space of brute-force attacks. If the dictionary is constructed using common consumer passwords, dictionary attacks are highly effective, efficient and, sadly, successful.
Why are dictionary attacks so effective?
Because of consumer behavior.
In the analysis of compromised passwords from website breaches, it was found that:
- Passwords often have personal significance, such as the name of a person or place.
- Attempts to obfuscate or strengthen passwords follow predictable patterns.
- Truly random passwords are rare.
- Passwords were commonly reused across Web services.
- A standard obfuscation technique was to make either the first or the last character of the password an uppercase letter, numeral, or symbol.
How easy is it to come up with such dictionaries? A simple Google search yields a password dictionary with over 2.15 million passwords. Larger dictionaries are available for purchase on the web.
One takeaway message from this discussion is that passwords that are easy to remember are not necessarily secure. Conversely, strong passwords are difficult to remember.
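A defender-side check built from the breach findings above, as an added example that is not from the original article: before accepting a password, undo the predictable obfuscations listed (case changes, leetspeak, a digit or symbol tacked onto the front or end) and look the result up in a list of known passwords. The tiny word list, the leet mapping and the test passwords are constructed for illustration; a real deployment would use a breached-password list of the size the article mentions.

```python
import re

# Constructed toy dictionary standing in for the multi-million-entry lists the article mentions.
COMMON_WORDS = {"password", "dragon", "qwerty", "letmein", "football", "summer"}

# Leetspeak substitutions to undo before the lookup (an assumed mapping, not from the article).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Leading or trailing run of non-letters: the "first or last character" trick from the breach data.
AFFIX = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")


def candidates(password):
    """Base words the password may have been derived from: the original, the word with
    leading/trailing digits or symbols removed, and each of those with leetspeak undone;
    all lowercased so capitalisation tricks are ignored."""
    stripped = AFFIX.sub("", password)
    forms = {password, stripped, password.translate(LEET), stripped.translate(LEET)}
    return {form.lower() for form in forms if form}


def is_dictionary_word(password, words=COMMON_WORDS):
    """True if any plausible base form appears in the known-password list."""
    return any(form in words for form in candidates(password))


def check_password(password, words=COMMON_WORDS, min_length=12):
    """Return the policy violations for a candidate password (empty list = accept).
    Length first, per the article's argument; then the dictionary-derivation check."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_dictionary_word(password, words):
        problems.append("reduces to a known password once case, leetspeak and affix tricks are undone")
    return problems


if __name__ == "__main__":
    # Constructed test passwords: three dressed-up dictionary words and one random 12-character string.
    for pw in ("P@ssw0rd", "Dragon1", "Football!", "xK7#pQ2$vL9m"):
        print(f"{pw!r:18} -> {check_password(pw) or 'accepted'}")
```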
As we saw in this article on password security, in this day and age users must take extra steps towards effectively managing their passwords online.
This is not a “nice-to-have.” It is a must have.
Despite the severe repercussions that come with hackers taking over someone’s identity, most people don’t really pay much attention to the passwords they use. Once most people set it up, they never look back. One can only look (and laugh!) at the list of the most common 1000 passwords in America to see how predictable people are with their online password management.
One thing is certain. Every company that offers a logged-in experience is susceptible to hacking. Every single one. And reusing the same password again and again increases the risk of your identity and account info being stolen.
As we saw in this article, in order to avoid this dire predicament users need to understand what impacts the overall strength of a password — namely, that using longer passwords is statistically more secure than using complicated passwords. In addition, users should not choose passwords that are tied to life events, family members or other information that is publicly available. Passwords should also be at least 12 characters in length, and it is our strong suggestion that users invest in a cheap – but significantly more secure – password manager.
The question now is: how important is your online security to you?
We hope this article has convinced you to take the necessary steps towards improving your password security. Spending a little time and money on this will provide one of the best possible returns on investment.