The Password Puzzle

Passsword Header How many phone numbers do you remember? I remember 10, I think if I exclude the ones that I remember correctly but are no longer used [landline numbers of childhood friends :)]. I think ours was the last generation that even bothered about remembering phone numbers. Anyone born after the landline era doesn't "need" to remember a phone number anyway. Heck, even we don't bother to remember numbers now. It's all there saved on the phone. Always available to us at the touch of a single button.
Who remembers landlines
One would think that this would free up a lot of memory in our brains. Unfortunately, that's not the case. The bandwidth that we freed by not remembering different phone numbers is now being invested in remembering all the different passwords. AND SO MANY PASSWORDS. It would be hard to find a site/app today which does not want you to register with them. Most will go to the extent that they will severely hamper your experience if you do not log in. Facebook will not let you view anyone's public post, which they have shared with everyone in the world if you are not logged in. Facebook is still a big player, I once downloaded a wallpaper app that wanted me to register.

Every single website or app that you visit today wants you to register and remember a new password for them. It is practically impossible for us to remember all these passwords so we naturally resort to just remembering one and using the shit out of it everywhere. And to make sure that we don’t overburden our brain with remembering a difficult password we choose a nice, easy one like ‘password’. Job well done. Off to the next mission.

Try all passwords

A couple of weeks ago I was reading an AMA by Aubrey Cottle, the founder of Anonymous; the famous hacker collective, and the top-ranked question there was “What do you consider the most common internet security mistake that people make to be? and the response from Aubrey was “Weak and re-used passwords”. Now I don’t think that you and I don’t know that we should not be using easy passwords and on top of that reusing them. Everyone knows that yet somehow if you see this nice list shared by NordPass of the ‘Top 200 most common passwords of the year 2020‘ you will find just how many people use way too simple to crack passwords and how truly simple passwords these are. Feel free to check your password there and I want you to feel bad if you do find it there.

Anonymous

But Akhil! Coming up with so many different passwords is hard! And it’s even harder to then remember them. And who is even going to bother to “hack” someone like me? Why would anyone even target me?

Well. All of these are valid points and let me answer them starting with the last one. One a minuscule amount of all the hacking that takes place in the world is actually targetted at any particular individual. The absolute majority of hacking is done by bots, dedicated programs written to find weak points on the internet and exploit them however they can. At scale. They don’t care who you are. If there is some weakness in any system that you use which they can exploit, they will use that. This is why whenever a business faces a breach of data, it becomes a big deal. With every breach, the information saved by that business, your information, your IDENTIFYING INFORMATION goes out there ready to be used by anyone who can pay the hacker and buy it. Imagine that the database of TOMATO, your favorite food delivery app is leaked somehow. If you were using a weak password there the hacker will be able to figure it out sooner or later (refer to the Nord list again, most passwords took less than a second to crack). Watch this nice 5 min video to figure out how actually passwords are cracked - https://www.youtube.com/watch?v=RtUvMJFP_IE . Now if you were reusing this password as the password for your bank login - my friend, you are in trouble. To summarize, no one is targeting you specifically but you are still the target.

Data Breach

Now let’s talk about my recommendations about having unique, uncrackable passwords.

The first and probably the easiest way is to have no password at all. If a site or app that you want to register with has the ability to log in using Gmail, Facebook, Github, or anything like that, prefer to use those options. This way you get to register without having to bother with yet another password. You will only need to remember your Gmail/Facebook password and that takes care of all the sites. This option is safe because even if the data from such a site gets leaked they will only gain some tokens which are not as valuable as the password. They will never be able to access your passwords using those tokens.

Anonymous

On similar lines, if you have the option of using OTPs - prefer those. The idea again is to have no password in the system which can be leaked in the future. Use mobile/email-based OTPs to login/register which will send you an expiring token to your phone or email which you can use to login.

Register and forget. This is one of my own techniques which I use quite frequently, especially for services I don’t have to use that frequently. What I do is that I will register to the site/app with a password which I generate randomly using tools like this and not even bother to save or remember it. The next time I have to use that same site, it’s pretty likely that if I am using the same browser or app I would be still logged in and I can use it. If I am somehow logged out or am using a separate device, I simply use the “Forgot Password” option and login into the system with a new password. I have basically turned the old style password system into an OTP kind of a system which works pretty well for me. Every site gets an absolutely unique and hard-to-crack password. Win-Win.

Now we are only left with the unavoidable sites where you have to set a password and then remember it too. Now your prime goal here is to have a unique password. If you watched the YouTube video I linked above you will know that hackers mostly rely on pre cracked passwords to match with new data leaks to figure out your credentials. So uniqueness is the only goal here. Most people try to come up with convoluted hard to remember passwords with so many numbers and symbols and everything assuming that the difficulty that they are facing with remembering this password would be the same difficulty a computer would face. This is my trick - For uniqueness, aim for length over complexity. Have a long-ass password. And it doesn’t have to be random letters and numbers. Use proper words and spaces. Most of us don’t even know this but the space character is a valid character to be used in a password. With this knowledge, you can easily find unique passwords. “I have a very strong password” - this is a perfectly valid password. Very easy to remember and practically unhackable. You can check for yourself at any of the password strength checks here, here or here.

So the process is pretty simple - choose a passphrase. Your favorite song or a quote from a book like - “A little less conversation“. Append to it the name of the site you are registering with like “A little less conversation Amazon”. If the site requires you to have numbers and special characters you can put them right there at the end. So the new password is “A little less conversation Amazon0!”. Here you have a very easy to remember and practically uncrackable password. As long as you are appending the site name at the end, you do not need to worry about using the same starting song/quote as well. This approach would cover almost every single use case you might come up with. Just don’t start telling your password to people who might reverse engineer your technique. This method is resistant to supercomputers and hacking but not human stupidity.

A little less conversation

Finally, if you think you want a little more protection and are not entirely convinced with the song password methodology - Use a password manager. A password manager is a nifty tool either installed on your machine or a web-based tool that saves all your passwords for you and you just need to remember 1 master password to access all passwords from the password manager. If you use a password manager you can choose as exotic and complicated passwords as your heart desires because you no longer have to remember them. It is very much like how chrome or firefox prompt to save your passwords and autofill them when you visit the site with the added benefit of you owning your own data. The password managers recommended by Aubrey the Anonymous founder are Keepass and 1password.

Try all passwords

I’ll be honest. Internet security is mostly quite easy to take care of. And it’s not that we all don’t know the importance of online security. It’s just that we all are all kinds of lazy and simply wait for a disaster to strike before we take any actions. It’s less about being technically knowledgeable and more about always following simple processes.

Found this post helpful! Subscribe to my newsletter here !

I have helped many startups in building their products and I would be happy to have a chat with you about your idea. Catch me on twitter at @akhilrex

Comments: