Nearly 20 years ago, the tech site xkcd.com released the following comic strip to make the point that a short password with a complex appearance would actually be easier to hack than a longer password that was easier to remember. With any dated technical advice, it is important to ask, “Is this still valid today?”

A copy of the comic is below. In a nutshell, it calculates “entropy”, a measure of randomness, which in practice means “harder to guess”.

While there is truth in the statement that a longer password is more secure than a shorter one, the comic’s advice is no longer entirely sound, enough so that most security-conscious individuals would not recommend this approach on its own.

As an example, let’s consider one of my coworker’s passwords (at a ministry) that I accidentally saw part of as she mistakenly typed it into the visible username field. I saw “icandoallthi” before I turned away from the screen and heard 3 more regular keystrokes followed by another slightly louder keystroke. I didn’t have to see the last 3 characters to know they were “ngs” followed by the return key.

As a result of the xkcd comic, hackers are now using strings of dictionary words and phrases from popular lyrics, poetry, etc. to try to guess passwords on various systems. This is why the letters “ect” can be expected to follow “corr” and reduce the randomness of the string. FYI, the entropy calculator built into KeePass for Windows appears to take this into account, though you do need to be looking for a much higher entropy number than 44 now if you are using that tool. And please don’t fool yourself into thinking that a “$” is a secure replacement for an “s”, that a “0” can replace an “o”, or that a “1” can replace an “i”. The hackers have already gone there too.

What To Do Instead

At this time, my best advice (for a password that you need to remember) is to take a long phrase, ideally from a verse in the Bible or possibly a less popular song that you like, and use the first letter of every word. Let’s take John 3:16 as an example (and don’t use this one!):

FgsltwthghobstwsbihwhelJ3:16

For God so loved… plus the reference. The colon is there as an example, but use a different character or maybe no character at all. Or maybe hold down the shift key during part or all of the reference so “316” becomes “#!^”. Put some capitalization in there too. You get the idea. The total length should be 16 characters or longer.
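The two points above, that a string of dictionary words is far weaker than its length suggests and that a first-letter acrostic of the same phrase does not fall to that attack, can be shown with a small strength estimator. This is added example code, not part of the original post; the 16-word wordlist and the character-class sizes are constructed assumptions standing in for a real attacker’s list.

```python
import math
import re

# Constructed 16-word list standing in for an attacker's wordlist (assumption:
# real lists run to millions of words, phrases and lyrics, so the dictionary
# model below is an upper bound on the bits a word-based guess really costs).
WORDLIST = {
    "correct", "horse", "battery", "staple", "i", "can", "do", "all",
    "things", "through", "christ", "who", "strengthens", "me", "the", "password",
}
# Character classes for the naive model: pattern and alphabet size (33 = the
# printable ASCII symbols that are not letters or digits).
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))


def naive_entropy_bits(password):
    """Charset model: each character drawn uniformly from the classes present."""
    pool = sum(size for pattern, size in CLASSES if re.search(pattern, password))
    return len(password) * math.log2(pool) if pool else 0.0


def segment_into_words(text, wordlist):
    """Fewest-words split of text into wordlist entries, or None if impossible."""
    best = {0: []}  # best[i] = shortest word list covering text[:i]
    for end in range(1, len(text) + 1):
        for start in range(end):
            if start in best and text[start:end] in wordlist:
                candidate = best[start] + [text[start:end]]
                if end not in best or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best.get(len(text))


def dictionary_entropy_bits(password, wordlist):
    """Word model: each word is one choice from the wordlist; None if no split."""
    words = segment_into_words(password.lower(), wordlist)
    return None if words is None else len(words) * math.log2(len(wordlist))


def effective_bits(password, wordlist):
    """An attacker uses whichever model is cheaper, so strength is the minimum."""
    naive = naive_entropy_bits(password)
    dictionary = dictionary_entropy_bits(password, wordlist)
    return naive if dictionary is None else min(naive, dictionary)


def acrostic(phrase, suffix=""):
    """First letter of every word, as the post suggests, plus an optional tail."""
    return "".join(word[0] for word in phrase.split()) + suffix
```

With this wordlist, “correcthorsebatterystaple” scores about 117 bits under the charset model but only 16 bits under the word model, while the acrostic of “I can do all things through Christ who strengthens me” cannot be split into dictionary words at all.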

I don’t know about you, but I have always had trouble remembering the scripture reference with verses. Typing it in a few hundred times certainly helps.

Use “The Hobby Lobby Rule”

Like I said, don’t use that example, or any other verse or song lyrics that you might find in wall art in Hobby Lobby. Those are just too popular. This holds true for anything shown on or worn at televised sporting events. Some password checkers look for words, but none of them seem to check Bible terms. You may think “Philippians4:13” is a good password, but it was on the 10,000 most common password list a few years ago. So stick with the less known verses and have a memorable and secure password.

And if you don’t need to remember a password…

Generate a random password in KeePass, LastPass, BitWarden, etc. and store it there where it can be retrieved on the times when you need it.

Happy Passwording!
