Jack Royle

Why D3nt4l and Buffalo1 are NOT OK passwords!

Updated: Apr 16



If you want to test quite how bad your password is, check out this site: https://password.kaspersky.com - but never type a password you actually use into any website, this one included. Make up a password built the same way and test that instead.

As you can see, a lot of the passwords commonly used in the dental market - pa$$word, D3nt4l, Buffalo1, Letmein1, etc. - are truly terrible passwords that can be cracked in minutes if not seconds. Every one of them is a dictionary word with the obvious letter-to-number swaps or a digit tacked on the end, which is exactly the first thing cracking tools try. The problem is, no-one trains us how to make a good password. Yes, you probably have a vague idea that it has to be complex - but complex passwords are hard to remember, aren't they? Well actually, they don't need to be. It is possible to create a password that is both easy to remember AND complex enough to withstand a determined, well-equipped attacker. And I'm going to share these skills with you!



Technique 1 - The multiple word approach

Having a single word (usually with some numbers or characters appended) is BAD - don't do it. Buffalo1970 is just as bad as Buffalo1, and even Buffalo1! isn't that great. You think you can change some letters to numbers? Buff4l01? Nope - that's not much better either. Cracking tools take a word list and automatically apply exactly these tweaks - letter-to-number substitutions, a capital at the front, a digit or symbol at the end - so each of them costs the attacker almost nothing.

But think of 2 unrelated words, or even three, and put them together. Great password! There are very good technical reasons for this (based on the way password cracking works - see reference * below if you want to understand this), but suffice it to say that using 2 or 3 genuinely unrelated words makes your password enormously stronger than one word with a number on the end, and every extra word multiplies the attacker's work again. The words must be unrelated and chosen at random, not a phrase, a title or a lyric. Look around and what do you see? Some scissors? A church spire? A Cadbury's Crème egg? Whatever! Put them together like this: scissors-spire-egg and you get a password that Kaspersky estimate will take 208 centuries to crack. And it's not that hard to remember, is it? Even a 2 word one - scissors-spire - is an unusual combination and Kaspersky puts it at 7 months to crack. Bear in mind that these figures assume an attacker trying every possible character combination; one who guesses that you used a few dictionary words has far less work to do, which is why three words beat two and four beat three. Add on a number and symbol and make one character upper case so the password checkers are happy - e.g. Scissors-spire1$ - and you have a 5 century strength password. Not bad!

And if you are really lacking creativity today and need someone else to come up with the words, try this site: Correct Horse Battery Staple | Generate Secure Memorable Passwords. Change "min words" to "2" and "minimum letters" to "10" and you will still end up with a very good password (more words is better still). NB do not use any of the examples above now that I've mentioned them - although if you are that daft you probably shouldn't be let near a computer at all.

Technique 2 - The first characters approach

If you thought that technique would change your life, then you're going to really love this one. Think of one line of a song you like. Let's take as an example the great lines "Cause after all, he's just a man. Stand by your man!". Take the first character of each word, which gives Caahjamsbym. Kaspersky rates this at 33 years to crack. Not bad at all! Now add a number and a symbol to keep the password checkers happy, and you push that up even more. And despite how crazily complex that password looks, it will be remarkably easy for you to remember - just sing the song to yourself each time you type it out. Pick a line that means something to you rather than the best-known chorus of a famous song, and keep the line itself to yourself: the password is only as secret as the line it came from. This type of password creation technique is my personal favourite, and I have built my personal passwords like this for years.

Using either of the above techniques, passwords don't have to be anything like the pain they can be! A few other password notes whilst I'm on the subject:

  1. Password expiry is pointless and counterproductive. If you make users reset their passwords every (say) 90 days, they will just start writing them down and/or reusing the same password amended slightly (Buffalo1 becomes Buffalo2). Either way you create work for the users and end up with less security, not more. Research backs this up, and no less a company than Microsoft now recommends that you don't set password expiry or force periodic resets; reset a password when there is evidence it has been compromised, not on a timer. See: https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf

  2. Is it OK to use the same password for everything? Well. Not really. The concern is that when a company, bank etc. has its password database stolen and the contents are posted online (or traded on the dark web), attackers take every email address and password in it and try them on every other site. If your password is hard to crack (see above) and the company stored it properly, it is unlikely to be recovered from that database. But if the company was negligent in how it processed and stored passwords (plain text, or a fast unsalted hash), the strength of your password counts for little, and you have no way of knowing in advance which companies are careful. So, to be on the safe side, at the very least keep your passwords in "clusters": one for your bank, another for online shopping, another for work, another for your email - this kind of thing. That way you don't have to manage dozens of passwords, but a breach at a shopping site doesn't hand over your bank or your email. Your email deserves a password of its own in any case, because it is where every other site sends its password resets.

  3. What about password manager software? Roboform, LastPass, Chrome's built-in manager, iPhone keychain etc. I have no issues with these, and they can be very helpful: because the manager remembers the passwords for you, every site can have its own long random password, which removes the reuse problem in point 2 altogether. As long as you trust the company providing the software, that's fine. They are certainly convenient, as you authenticate once (with one strong master password, built using the techniques above) and the manager does the rest. But there is a degree of trust here - the vendor and your master password become a single point of failure - so whether that is an acceptable risk is up to you.


Finally, that reference I promised. * Why multiple word passwords are hard to crack: xkcd: Password Strength (https://xkcd.com/936/)


© Liam McNaughton, Dental IT, February 2021

