November 8th, 2011 at 15:19 UTC by Joseph Bonneau
Google recently launched a major advertising campaign around its “Good to Know” guides to online safety and privacy. Google’s password advice has appeared on billboards in the London underground and a full-page ad in The Economist. Their example of a “very strong password” is ‘2bon2btitq’, taken from the famous Hamlet quote “To be or not to be, that is the question”.
Empirically though, this is not a strong password: it’s almost exactly average!
In the leaked 2009 RockYou dataset, 4 people out of 32,603,387 picked ‘2bon2btitq’ and 5 picked ‘2bon2b’. The roughly one-in-a-million probability sounds impressive, but it only puts people using these passwords in the 50th and 48th percentiles of security. In other words, Google’s advised password is more common than what half of users choose. There are about 500,000 more common passwords in the RockYou set, enough that ‘2bon2btitq’ is unlikely to come up in an online guessing attack but not nearly enough to prevent instant cracking if leaked in hashed form. More thorough research by Cynthia Kuo et al. at CMU found mnemonic-phrase passwords are a bit better than the alternative, but many people still pick things which are easy to guess.
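To make the percentile argument concrete, here is an added example (not from the original post, and not run against RockYou) that ranks a password against a frequency table of leaked passwords. The leak is a small constructed sample, so the numbers differ from the post’s, but it shows the same effect: a password with a tiny raw probability can still sit behind most of the accounts in the leak and fall well inside an offline cracker’s budget.

```python
"""Rank a password against a frequency table of leaked passwords.

The leak below is CONSTRUCTED for illustration; it is not RockYou data.
"""
from collections import Counter

# Constructed sample leak: 100 accounts, 17 distinct passwords.
CONSTRUCTED_LEAK = (
    ["123456"] * 40 + ["password"] * 25 + ["qwerty"] * 12
    + ["iloveyou"] * 8 + ["2bon2btitq"] * 2 + ["dragon"] * 2
    + [f"unique{i}" for i in range(11)]   # 11 passwords used exactly once
)


def frequency_table(leak):
    """Count how many accounts chose each password."""
    return Counter(leak)


def probability(counts, pw):
    """Fraction of accounts that chose exactly this password."""
    return counts[pw] / sum(counts.values())


def security_percentile(counts, pw):
    """Fraction of accounts whose password is strictly more common than pw.
    A password at the 0.50 mark is only as good as the median choice."""
    total = sum(counts.values())
    weaker = sum(c for c in counts.values() if c > counts[pw])
    return weaker / total


def guessing_rank(counts, pw):
    """Distinct passwords an attacker guessing in descending frequency order
    tries before reaching pw (ties counted first: the pessimistic rank)."""
    return sum(1 for p, c in counts.items() if c >= counts[pw] and p != pw)


def withstands(counts, pw, guess_budget):
    """True if pw lies beyond the attacker's budget of ordered guesses.
    Online attackers get a handful of tries per account; an offline
    attacker holding a leaked hash can afford millions."""
    return guessing_rank(counts, pw) >= guess_budget


if __name__ == "__main__":
    counts = frequency_table(CONSTRUCTED_LEAK)
    pw = "2bon2btitq"
    print(f"probability {probability(counts, pw):.2f}")
    print(f"security percentile {security_percentile(counts, pw):.2f}")
    print(f"guesses before it {guessing_rank(counts, pw)}")
    print("survives 3 online guesses:", withstands(counts, pw, 3))
    print("survives 1000 offline guesses:", withstands(counts, pw, 1000))
```

Swapping in a real frequency table (one line per account) lets you measure any candidate password the same way; a password that appears once in a large leak reaches the highest percentile but still has a finite guessing rank.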
Given a single sentence of password advice to put on a billboard, I’d instead say:
A really strong password is one that nobody else has ever used.
That’s all you need. More complicated advice about password length or using numbers and punctuation just leads to ‘Password1!’ if it’s not motivated by finding something unusual enough to be globally unique. Other aspects of password management, like not using your webmail password at low-security sites and having a strong backup procedure, are more important, and Google gets those right. But for picking a strong password, I’d recommend xkcd’s advice and tools like Diceware for generating something easy to memorize and nearly guaranteed to be unique.