Want to create a really strong password? Don’t ask Google

Google recently launched a major advertising campaign around its “Good to Know” guides to online safety and privacy. Google’s password advice has appeared on billboards in the London underground and a full-page ad in The Economist. Their example of a “very strong password” is ‘2bon2btitq’, taken from the famous Hamlet quote “To be or not to be, that is the question”.
Empirically though, this is not a strong password: it’s almost exactly average!

The ad appearing in the Oct 29, 2011 Economist

In the leaked 2009 RockYou dataset, 4 people out of 32,603,387 picked ‘2bon2btitq’ and 5 picked ‘2bon2b.’ The roughly one-in-a-million probability sounds impressive, but it only puts people using these passwords in the 50th and 48th percentiles of security. In other words, Google’s advised password is more common than what half of users choose. There are about 500,000 more common passwords in the RockYou set, enough that ‘2bon2btitq’ is unlikely to come up in an online guessing attack but not nearly enough to prevent instant cracking if leaked in hashed form. More thorough research by Cynthia Kuo et al. at CMU found mnemonic-phrase passwords are a bit better than the alternative, but many people still pick things which are easy to guess.
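The percentile argument above can be reproduced on any password frequency table. The following is an added example, not code from the original post; the 100-account table is constructed for illustration and is not RockYou data, and the function names are made up here.

```python
from collections import Counter


def build_sample() -> Counter:
    """Constructed toy leak of 100 accounts (illustrative, not RockYou data)."""
    counts = Counter({"123456": 20, "password": 12, "iloveyou": 8,
                      "monkey7": 6, "2bon2btitq": 4})
    # 50 accounts whose password nobody else in the set chose.
    counts.update({f"unique-{i:02d}": 1 for i in range(50)})
    return counts


def guess_rank(counts: Counter, password: str) -> int:
    """Number of distinct passwords strictly more common than `password`.

    A guesser working from most to least common tries at least this many
    candidates first. A password absent from the table counts as 0 uses.
    """
    mine = counts.get(password, 0)
    return sum(1 for c in counts.values() if c > mine)


def weaker_share(counts: Counter, password: str) -> float:
    """Fraction of accounts whose password is strictly more common.

    This is the 'percentile of security' used in the text: the share of
    users you are better off than.
    """
    mine = counts.get(password, 0)
    total = sum(counts.values())
    return sum(c for c in counts.values() if c > mine) / total


def online_success(counts: Counter, guesses: int) -> float:
    """Fraction of accounts that fall if each gets the `guesses` most
    common passwords tried against it (e.g. the limit before lockout)."""
    hit = sum(c for _, c in counts.most_common(guesses))
    return hit / sum(counts.values())


if __name__ == "__main__":
    sample = build_sample()
    for pw in ("2bon2btitq", "never-used-before"):
        print(pw, guess_rank(sample, pw), weaker_share(sample, pw))
    print("3 guesses per account:", online_success(sample, 3))
```

In this toy table ‘2bon2btitq’ survives a three-guess online attack, yet only four guesses precede it in an offline attack, which is the same gap the paragraph describes at RockYou scale.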

Given a sentence to give password advice on a billboard, I’d instead say:

A really strong password is one that nobody else has ever used.

That’s all you need. More complicated advice about password length or using numbers and punctuation just leads to ‘Password1!’ if it’s not motivated by finding something unusual enough to be globally unique. Other aspects of password management like not using your webmail password at low-security sites and having a strong backup procedure are more important, and Google gets those right. But for picking a strong password, I’d recommend xkcd’s advice and tools like Diceware for generating something easy to memorize and nearly guaranteed to be unique.

44 thoughts on “Want to create a really strong password? Don’t ask Google”

  1. The problem is, it’s hard to conjure up a threat model for passwords on web sites which doesn’t include the risk of either hashed or plaintext passwords being obtained by the attacker. And the only response to that is per-website passwords, to contain the problem to a single compromised domain at a time. And in turn, that means that the only workable solution is some sort of password safe.

    If you’re using a password safe, then the passwords for the individual websites need not be memorable and can, indeed should, be randomly generated. The rules from various sites about length, strength and character set mean that you can’t use a single generation strategy, sadly, and often eight characters alphanumeric is the upper bound (which isn’t good), but other sites will permit sixteen characters or more, and often those are the more important sites.

    Once a user has moved to a password safe with unique passwords for each site — I did, although setting new passwords on 150 sites proved something of a chore — then their main security issue is the selection of the master passphrase for the vault itself, which is a rather different security analysis.

  2. … then their main security issue is the selection of the master passphrase for the vault itself, which is a rather different security analysis.

    Just use a 10-word Diceware passphrase for your master password. At 129 bits of entropy, it should be safe for a very long time, for anything short of the application of rubberhose cryptography.

  3. Google’s method goes one step too far in my opinion. The phrase “To be or not to be, that is the question” is a perfectly fine pass phrase that can be used without shortening it down to the initials.

    That said, the “x random words” approach is very interesting. I’m using it currently for two different passwords, and have no trouble recalling both from memory. As Arvind said, I wish we could do some empirical test, because whilst I can recall my “xkcd” based passwords now (after having used them multiple times), it did take me a while to get used to them.

    Another problem with using random English words is that some (though not many) websites enforce “complex” password policies, meaning you have to adjust the memorable words by changing letters to numbers, etc. anyway.

  4. Whatever “memorable” system you use for passwords it’s going to be a bust sooner or later.

    The reason that lump of fat between your ears that looks like three pounds of cold porridge is actually fairly useless at remembering even close to random information at the best of times.

    The best advice I’ve seen is,

    “generate a real random password, write it down on a piece of paper, and put that in your wallet” along with those other “pieces of paper humans appear to be good at keeping”.

    The simple fact is the password was known to be fairly useless back in the 1960’s but back then there with just teletypes for entry in secure areas they were about as good as was required.

  5. I’d append something to Bruce’s advice:

    A really strong password is one that nobody else has ever used, which you’ll remember without having to write on a Post-It note, and which you’ll never forget and need to have the IT department reset your password so that you can log back in.

    Unfortunately, it seems that most IT professionals who set guidelines on “strong” passwords forget everything after “used.”

    Also, I was thinking about this the other day – I have at least (i.e. I lost count and was still naming more) 30 or 40 different computer accounts, each of which has its own username and password. Each of those has its own, often mutually exclusive, restrictions (how many characters, which usernames have already been taken, whether it needs a capital letter, a symbol, which symbols it allows, how many letters in a row, whether it has to start with a letter or number, etc.). I use a few of them very frequently, but there are others I only use once per month, or a few times per year.

    And the more ‘secure’ they make passwords by putting more and more restrictions on, the more necessary they make it for us to write them all down on Post-it notes, or simply forget the password and have to reset it every time I log in, or use the old “what street did you grow up on” method to bypass it.

    I think passwords have become less secure as a result of all this meddling.

  6. I agree. “A really strong password is one that nobody else has ever used.” is a fine, strong password.

  7. @Arvind: I’ve had surprisingly good success with diceware-style passwords. I don’t have a bizarre mental image like XKCD suggests, but after typing the 4 random words a few times they just stick. I’ve done 10-digit random numbers too and concluded they’re harder to remember for the same search space. The big caveat is that this doesn’t scale, but you can keep a strong password or two for your important accounts.

    I challenge the usability claim that people can’t remember random passwords: we used to remember dozens of phone numbers pre-cell phone. It is certainly tough to have externally valid usability experiments on this though, most of the academic literature involves artificial accounts and I don’t know that it applies to real password use very well.

    @Tom: respectfully, I think the haystacks link you posted is boneheaded. Password cracking tools will eventually try ‘D0g…………………’ but a random password the length of ‘PrXyc.N(n4k77#L!eVdAfp9’ will never be attempted in the lifetime of the universe. To claim that the first is more secure is dangerously wrong.

  8. Ugh, I’m really tired of people focusing on password entropy as the Holy Grail of security.

    Cracking passwords is seldom the most efficient way to compromise an account. Most efficient means are beyond an individual user’s control. The value of p0wning a single account (or even many cracked accounts) is vastly less than the value of p0wning an entire server. If I can get access to the hashed password file in order to do an offline password-guessing attack, I probably already own the server — why bother cracking individual accounts?

    This is not to say you shouldn’t have a secure, unguessable password. But remember that having “a password that no one has ever used before” doesn’t have much of an effect on the security of any given login — you’re still beholden to the security policies of the company running the server.

  9. I was setting up an account on a prestigious news site and I had the pleasant surprise to see that my password length was limited to 16 characters. Moreover, I was not allowed to use characters other than numbers and letters. How funny is that?

  10. Okay, let me say this in an even more provocative way: Your password security barely matters. No one is even going to attempt to guess it, let alone mount a brute-force or rainbow attack against it. Unless you’re Ashton Kutcher, no one cares about hacking your account. 2bon2btitq is a perfectly secure password for almost all intents and purposes.

    Does anyone else see the irony in analyzing the 1,000,000 plaintext passwords that were taken from Sony’s servers when they were obtained without knowing, guessing, or rainbow-attacking *a single password*? It was a SQLi attack. No passwords guessed, or even used. Most security attacks don’t use password guessing; they’re a waste of time and resources.

    It’s cute how we all like to compute the entropy (and thus, assumed security) of passwords, because it’s computable and results in statements like “…in 10^35 years…”. But it’s just cute, not particularly meaningful.

    Unless you’re a system administrator (and even then only if you have data worth stealing or a system worth compromising), your password barely matters. In fact, it probably doesn’t matter at all.

  11. “Your password security barely matters. No one is even going to attempt to guess it, let alone mount a brute-force or rainbow attack against it”

    Funny, we see trolling attacks that hit our applications several times a day. We lock after a certain number of failed attempts, but given the huge user base numbers we have even the few tries that an attacker gets would be effective on at least some percentage of users if we did not also have some password rules. Then again, we aren’t talking fucking twitter accounts here. They actually contain content and functionality of value even at the individual level.

    Also, if you are using password entropy to figure out how long it will take to break into an account you are doing it wrong. Password entropy is a means of figuring out the probability of successful attack given the breadth of protections (permutation rules, lockout rules, etc). You then apply that probability to the size of your userbase and decide if that percentage of compromised accounts is acceptable or not. It is a means of engineering to your risk tolerances, and the point is to be within tolerance, not to protect an individual account for 10 million years.

  12. egrep '^[a-z]{0,6}$' /usr/share/dict/words | rl -c -5

    … gives reasonable passwords, I believe, provided the dictionary is big enough and rl does a good enough job of randomizing.

    You should check the first by running
    egrep '^[a-z]{0,6}$' /usr/share/dict/words | wc -l

    which on my system gives 15007.

    Calling this number x, the number of bits of entropy in these passwords is

    lg(x!/(x-5)!)

    which here works out to about 69.

    If this is too low (either because you have a different /usr/share/dict/words, or because you have a threat model where 69 bits is too weak) you can up it by either increasing the number of words, allowing longer words, or (for a few extra bits) replacing some letters with capitals or punctuation (but that quickly becomes harder to remember, compared to what it buys you).

  13. The above calculations, of course, assume someone *knows* your method of picking passwords – which is the appropriate assumption.
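The entropy arithmetic from comment 12 and the 10-word Diceware figure from comment 2, as an added Python example (not the commenters' code). The function names and the short sample word lists in the usage are made up for illustration; 7776 is the size of the standard Diceware list.

```python
import math
import re
import secrets

DICEWARE_SIZE = 7776  # 6**5 entries in the standard Diceware word list


def filter_words(lines, max_len=6):
    """Same filter as the egrep in comment 12, minus empty lines and
    duplicates: lowercase a-z words of 1..max_len letters."""
    pattern = re.compile(r"[a-z]{1,%d}" % max_len)
    return sorted({w.strip() for w in lines if pattern.fullmatch(w.strip())})


def bits_ordered_distinct(x, k):
    """lg(x!/(x-k)!): k different words picked in order from x candidates.

    Summing logs avoids computing the huge factorials directly.
    """
    if k > x:
        raise ValueError("cannot pick more distinct words than the list holds")
    return sum(math.log2(x - i) for i in range(k))


def bits_with_repeats(x, k):
    """k independent picks with repeats allowed (dice rolls): k * lg(x)."""
    return k * math.log2(x)


def words_needed(x, target_bits):
    """Smallest number of independent picks from x words reaching target_bits."""
    return math.ceil(target_bits / math.log2(x))


def generate(words, k):
    """Draw k distinct words using the OS CSPRNG rather than the default
    Mersenne Twister generator in `random`."""
    return secrets.SystemRandom().sample(words, k)


if __name__ == "__main__":
    print(round(bits_ordered_distinct(15007, 5), 1))      # comment 12's list size
    print(round(bits_with_repeats(DICEWARE_SIZE, 10), 1))  # 10 Diceware words
    with open("/usr/share/dict/words") as fh:              # path from comment 12
        print(" ".join(generate(filter_words(fh), 5)))
```

The bit counts only hold when the words are chosen by the generator; they say nothing about a phrase a person picked and then looked up in the list.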

  14. The problem with passwords is the vast number we are required to generate and remember.

    In practice this drives many of us to use tools like Keepass with 20-character generated random passwords for everything, all encrypted with a single long passphrase.

  15. Eric L: It’s simply wrong to say that “no-one is even going to guess it”.

    There have been many successful password-guessing attacks against large webmail providers like Hotmail, for the purposes of sending spam.

    There are also millions of password-guessing attacks against internet-facing SSH servers every day, a proportion of which are successful.

  16. Hah. I remember the last time someone was saying that no one is going to try to guess your password, so you shouldn’t worry about it. It happened in a web forum and he was a moderator. The guy’s account was hacked by yours truly and deleted a lot of posts.

    oopsie.

  17. “A really strong password is one that nobody else has ever used.” is a fine, strong password.

    I’ve been looking for one for a while, but that’s too long to type. I’ll use “1tneheu” from now on.

  19. @ Eric L,

    Ugh, I’m really tired of people focusing on password entropy as the Holy Grail of security.

    I can understand why if you just regard it as the password to some low/no value Internet account requirement that is mainly there to protect the site owner from litigation not the user.

    As I noted further up,

    The reason that lump of fat between your ears that looks like three pounds of cold porridge is actually fairly useless at remembering even close to random information at the best of times

    The way the human brain/ lump of fat finds to memorize information with any degree of accuracy is actually important in security. And it also makes measuring “entropy” the traditional way relatively unimportant. Because a list of random words is as difficult to remember as a list of numbers or letters, and the human mind prefers to remember things that are related in a way it can give meaning. It’s why we can remember “The owl and the pussy cat went to sea in a…” much more accurately for its length than we can the same words listed in alphabetical order.

    The reason it’s important to security is not “passwords to internet accounts” but the more generalised case of “human access to resources” in the form of technology.

    We talk about “multifactor authentication” quite glibly in security but ignore the fact that no matter how secure a system is at the end of the day it needs to be managed and often used by a human for the purposes of work usefully abstracted as individual transactions. Thus no matter how long and tortuous the chain of authentication at one end is the technology resource that needs to be managed or used and towards the other a human. And with increasing frequency the value of a transaction on a resource exceeds by some considerable degree the value of the resource the user shares.

    With multifactor authentication we talk of “something you are”, “something you own” and “something you know”. But we know that in general “something you are” is not very useful due to false/negative positives, user roles and time factor. Likewise “something you own” is abstracted out as some kind of token device that in order to prevent the theft and usage of the token by others is reliant on “something you know”. Worse invariably the token is clearly identifiable to anyone who sees it and thus is an easy target for theft.

    So currently and I suspect for some considerable time into the future the security of authentication will be reliant on the “something you know”.

    Which as I mentioned is limited by the lump of fat between people’s ears and its myriad of imperfections and failings two of which are the inability to remember with accuracy without a good deal of practice and that it is lazy and does not want to practice.

    But there is another aspect, the knowledge of people’s passwords is as you indicated not that difficult to obtain currently due to the lack of other technical security in systems. Whilst the technical issues can be solved by say moving passwords onto the tokens what won’t change is the way people remember “what they know” so analysis of this current glut of available password data will still be paying off for some considerable period of time into the future.

    So as long as authentication boils down to “what you know” in the form of passwords or pass phrases systems will be vulnerable to attack. And the level of resources devoted to such an attack will in many cases be dependent on the perceived value of the transactions, be they financial or otherwise.

  20. But if you include the punctuation, it becomes

    2bon2b,titq.

    NOBODY uses that as a password ==> strong.

  21. To give yourself a unique password for every domain, use a HMAC:

    key <- "2bon2btitq" (make sure this is actually a half decent passphrase)
    domain <- "google.com"
    domain_password <- base64(HMAC(key, domain))

    Use a nice hash function like SWIFFTX and even the Chinese government (and their shiny new quantum computers) can't see your menial emails to your spouse asking her to pick up some potatoes on her way home.
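Comment 21's per-domain scheme as an added Python example (not the commenter's code). HMAC-SHA256 stands in for the SWIFFTX hash the comment mentions; the PBKDF2 stretching step, the salt, the `counter` parameter and all function names are assumptions introduced here.

```python
import base64
import hashlib
import hmac


def stretch_master(passphrase: str, salt: str, iterations: int = 200_000) -> bytes:
    """Turn the master passphrase into the HMAC key with a slow KDF.

    With plain HMAC, anyone who learns one site password can test master
    passphrase guesses at full hash speed. PBKDF2 makes every guess cost
    `iterations` hashes. `salt` is an assumed per-user value such as an
    e-mail address, so two users with the same passphrase get different keys.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt.encode("utf-8"), iterations)


def normalize_domain(domain: str) -> str:
    """Canonical form so 'Google.com.' and 'google.com' derive the same value."""
    return domain.strip().lower().rstrip(".")


def site_password(key: bytes, domain: str, length: int = 20, counter: int = 1) -> str:
    """base64(HMAC(key, domain)) as in the comment, truncated to `length`.

    `counter` (assumed here) lets one site's password be rotated after a
    breach without changing the master passphrase. A SHA-256 tag gives at
    most 43 unpadded base64 characters.
    """
    if not 1 <= length <= 43:
        raise ValueError("length must be between 1 and 43")
    message = f"{normalize_domain(domain)}\x00{counter}".encode("utf-8")
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    key = stretch_master("correct horse battery staple", "user@example.com")
    for site in ("google.com", "example.org"):
        print(site, site_password(key, site))
```

Every derived password is only as strong as the master passphrase, and a site that rejects the base64 alphabet or caps length still needs a manual exception.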

  22. Why not use different ‘tiers’ of passwords.

    Obviously, have a secure, unique password for your banking, paypal, email, server logins or whatever else you deem important.

    But just use the same password for the myriad of internet sites that you have to sign up to just to post 1 comment.

    My process for passwords is to simply randomly generate a 16 char (fully punctuated upper lower case) password then just make up a rhyme or melody to help me memorise it.

  23. I just think how many will still use ‘2bon2btitq’ and ‘2bon2b’ and will be using, ’cause it does look like an impressive password on paper.

  24. @Eric L:

    That sounds suspiciously like an economic decision. I mean, I don’t know the exact numbers and I’m not managing any particular company, but I imagine a web applications startup will think about it roughly like this:

    “It would take us hiring a couple people for ~10 weeks to come up with a better system which we could implement across the board; maybe 800 hours of solid work. On the other hand, if an account is lost, our existing audit trails can be used to reverse the damage in about 15 minutes of work, plus an administrative overhead of task switching of maybe about an hour. (Because software developers are not as productive on their main project when they switch to a new project.) 800 hours / 1.25 hours = 640, so we would have to have about 640 separate password loss incidents before it made sense to switch to a better system. We’ll have about 10,000 users using our system, we can handle 5% of accounts being compromised before we try to raise standards.”

    What’s more important to me is the idea that you can choose, at sign up, to send someone an email containing a password. “Your password is ‘executable breezing whiskey’, without the quote marks, you can change it on this page…”. Suddenly most of the problems of password reuse can be solved, while a quasi-secure password storage system is implemented quite generally in the form of your email inbox — which, if compromised, compromises most of your accounts through ‘password reset’ emails anyway.

  25. Some of you folks seem to have a good knowledge of this subject. Any comments on downloadable programs like PWgen (2.06)? It purports to generate an open ended no. of entropy bits (depending on how long it runs). After 5 minutes it’s 1400/256. It then gives passwords or phrases of any length. I understand some crypto, but am not sure what this means and just how random the algorithm is.

  26. Let me point your attention to something real and “normal”. You have keys of apartment/house, car, etc. on one or more keyrings. You don’t remember key structure, just somehow the key (shape) (if not, you try a few). Maybe you use plastic color gadget, maybe something similar. So, what is principal – you don’t remember “key” (aka password). And if you lose/miss your key(ring) you are in troubles to replace (all) potentially compromised lock(s) ASAP (if it is not too late). I can continue, but I hope I told enough to let you understand my opinion – basic password philosophy is misconcept. Has to be abandoned and replaced by something similar to real life. Fortunately it already exists – no need to re-discover wheel. Password safes capable to work like real keyring. There are some, some of them better, some not as good. So, let’s accept trivial facts – strong passwords must have high entropy and they are not possible to remember. I am not friend of idea, that passwords are not as important as OS bugs. Weak passwords are one of means attackers are using. But not only, unfortunately.

  27. The analysis in this article is confusing the concept of how to pick a password with an example.

    Taking the ad Google printed to the literal point of using that particular password is absurd. Of course that’s a very popular well known phrase and likely someone has already used it. They even point out to use something more obscure.

    At first I thought the author was being sarcastic, but towards the end I got the feeling they are being serious.

    What a fail in analytical writing and the application of statistics.

  28. For us older people who forget a lot more often than the general public I have come up with a real simple system to remember my password. I print it out on paper in letters about 1/3 of an inch in height but mix it up with other letters/number etc. so that my 10 letter password is hidden in a 21 letter group and I stick it to the bottom of my screen where I can see it all the time.
    Example = @QZf~`O0″6bc!;!/]=,$
    My 10 letter password would be /]=,$ the last 6 letters of the 21 printed out letters plus the first 4 letter @QZf or /]=,$@QZf
    If I think I need a new password I can still use the same 21 letters on the edge of the screen and create another group of letters like $@QZf~`O0″ starting with the last letter $ and the first 9 letters of the 21 group. The combinations are endless and it is so easy to see your password but no one else will know what it is.

  29. @ArianBB: Actually, if I know that’s the method you’re using, your 21-character post-it gets me down to less than 441 possible passwords (21*21, but less since you’re probably not using all 21 and there’s probably a minimum length). If I listen closely from the cube next door to get the length, I can break it while you’re getting coffee by just trying the 21 possibilities.

  30. If I may be permitted to ask a question, is this a strong password?

    2y+3X-5v*7T/11p

    If you can figure out the logic behind its construction, it clearly is not. Anybody care to figure out how it is constructed?

  31. Come-on Steve. You can do better than that. My dog could figure it out.(numbers for a reversed alphabet).

  32. Create a sentence like =

    I bought $ 7 worth of Chickens & 5 Apples at # 10 Downing St at 9 % off.

    It’s relatively easy to remember.

    The Password looks like this >

    Ib$7woC&5A@#1DS@9%o.

    20 characters long
