90.9 WBUR - Boston's NPR news station
Here and Now with Robin Young
Monday, October 17, 2011

Making A Secure Password–That You Won’t Forget

Computer security expert Steve Gibson says you can test your password strength at the GRC Haystack Calculator.

Last week, federal authorities arrested Christopher Chaney and charged him with hacking into the e-mail accounts of celebrities like Scarlett Johansson and Mila Kunis.

But, as many of us unfortunately know, celebrities aren’t the only targets of e-mail hackers. We need passwords for our e-mail, our banks, social media sites, photo sharing sites — and more. So how can you make sure your password is secure?

Computer security expert Steve Gibson told Here and Now's Robin Young that there are ways to make your password harder to guess but still easy to remember.

He says appending a pattern of symbols can make a password much harder to crack. For instance, Robin tested some passwords on Steve Gibson's Haystack calculator and found that the word "password" could be exhausted in milliseconds, while "passwordH3!!!!!!" would take thousands of centuries to guess. Those figures describe a brute-force attacker who tries every possible string and knows nothing about how the password was built; an attacker who instead guesses common words with symbols tacked on does far better against that pattern, a point several readers raise in the comments below.
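The two estimates in play here, worked through as an added example (this is not the calculator's own code and is not part of the original article). The first part reproduces the brute-force model behind the Haystack calculator as I understand it: the alphabet is the union of the character classes present (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and the attacker tries every string from length 1 up to the password's length; the three guess rates are the ones I recall the calculator using, and both are assumptions. The second part is the pattern-aware attacker from the comments: it enumerates common words with capitalization variants and a repeated symbol run appended. The word list and padding units are constructed for the example.

```python
"""Two ways of counting how hard a password is to guess.

haystack_search_space(): brute-force model as assumed above (Haystack-style).
padded_word_attack():    an attacker who assumes "common word + symbol run".
"""
import string

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
ALNUM = LOWER | UPPER | DIGITS
# Anything that is not a letter or digit is counted in the 33-symbol class (assumption).
SYMBOL_CLASS_SIZE = 33

# Guess rates of the calculator's three scenarios (assumed values).
SCENARIOS = {
    "online attack (1,000 guesses/s)": 1_000,
    "offline fast attack (100 billion guesses/s)": 100_000_000_000,
    "massive cracking array (100 trillion guesses/s)": 100_000_000_000_000,
}


def haystack_alphabet_size(password):
    """Alphabet size implied by the character classes present in the password."""
    size = 0
    if any(c in LOWER for c in password):
        size += 26
    if any(c in UPPER for c in password):
        size += 26
    if any(c in DIGITS for c in password):
        size += 10
    if any(c not in ALNUM for c in password):
        size += SYMBOL_CLASS_SIZE
    return size


def haystack_search_space(password):
    """Number of strings of length 1..len(password) over that alphabet."""
    a = haystack_alphabet_size(password)
    return sum(a ** length for length in range(1, len(password) + 1))


def seconds_to_exhaust(password, guesses_per_second):
    """Time to try the whole search space at a given guess rate."""
    return haystack_search_space(password) / guesses_per_second


# Constructed sample word list; real attackers use lists of many thousands of entries.
COMMON_WORDS = ["password", "bubbles", "smile", "monkey", "letmein", "dragon"]
# Easy-to-remember padding units, each repeated 1..MAX_REPEATS times.
PAD_UNITS = ["!", "?", ".", "*", ":)", ":(", ";)", "<3", "123", "#"]
MAX_REPEATS = 12


def padded_word_candidates():
    """Yield word, Word, WORD, each bare and with every padding run appended."""
    for word in COMMON_WORDS:
        for form in (word, word.capitalize(), word.upper()):
            yield form
            for unit in PAD_UNITS:
                for n in range(1, MAX_REPEATS + 1):
                    yield form + unit * n


def padded_word_attack(target):
    """Number of guesses the pattern attack needs to hit target, or None if it never does."""
    for guess_number, candidate in enumerate(padded_word_candidates(), start=1):
        if candidate == target:
            return guess_number
    return None


def total_pattern_candidates():
    """Size of the whole pattern-attack candidate list."""
    return sum(1 for _ in padded_word_candidates())


if __name__ == "__main__":
    for pw in ("password", "passwordH3!!!!!!", "Bubbles!!!!!!", "Smile:):):):)"):
        print(f"{pw!r}: alphabet {haystack_alphabet_size(pw)}, "
              f"search space {haystack_search_space(pw):.3e}")
        for name, rate in SCENARIOS.items():
            print(f"  brute force, {name}: {seconds_to_exhaust(pw, rate):.3g} s")
        hit = padded_word_attack(pw)
        print(f"  padded-word attack: {'guess #' + str(hit) if hit else 'not found'} "
              f"of {total_pattern_candidates()} candidates")
```

Under the brute-force model "Bubbles!!!!!!" sits in a search space of about 10^25 strings, yet the pattern attack above finds it on its 491st guess out of 2,178, and "Smile:):):):)" on its 900th. "passwordH3!!!!!!" is not found at all, because this small rule set never tries an inserted "H3"; that is the attacker's problem of guessing the right pattern, not evidence that the brute-force figure is realistic.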

How To Make A Password More Secure

  • Don’t use common passwords (see the top 500 worst passwords of all time; language advisory)
  • Don’t use information from your life that can be found easily: birthdate, pet’s name, mother's maiden name
  • Do pad your password with symbols: “Bubbles!!!!!!” or “Smile:):):):)” are far harder to brute-force than the bare word
  • Do use different passwords for different websites
  • Do test password strength at the GRC Haystack Calculator using a similar password, never your real one; a real password should be entered only on the site you are logging into

Do We Need To Change Passwords Often?

Steve told Robin that, contrary to popular belief, it’s not necessary to change a strong password. He writes:

“I see NO benefit, and only liabilities, associated with changing good strong passwords…There is no generally agreed upon security threat model that suggests any benefit from periodically changing a good solid and strong password… Periodically changing an already strong, safe and secure password does nothing other than create an opportunity for error during the change (which is why we’re always asked to re-enter a newly changed password), and further needlessly burdens the user with the need to ‘forget’ their old password in addition to remembering a new one.”

Note: Here & Now’s Twitter account recently fell victim to a common phishing scam after our social media editor clicked on a link from another phished account.

Please do not click on any links from our Twitter feed @hereandnow that have messages like “Found a funny picture of you!” or “I saw a real bad blog about you, you seen this?.”

As our social media director Robin Lubbock advises:

  • If you find yourself on a Twitter login page (or any login page), always check the URL in the address bar at the top of your browser. Check that it matches the company whose page you are supposedly on.
  • Don’t click on links that could be phishing links.
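The address-bar check above, written out as an added example (not code from WBUR or Twitter). It shows the cases that catch people: the trusted name placed in the userinfo part of the URL, in the path, or as a prefix of an attacker's domain. The lookalike URLs are constructed for the example and are not taken from a real campaign; `evil.example` is a placeholder.

```python
"""Does this login page URL really belong to the site I expect?"""
from urllib.parse import urlsplit


def host_belongs_to(url, expected_domain):
    """True if the URL's host is expected_domain or a subdomain of it.

    urlsplit() extracts the real host, so https://twitter.com@evil.example/
    (trusted name in the userinfo) and https://evil.example/twitter.com/login
    (trusted name in the path) both resolve to evil.example and fail. Comparing
    whole labels means https://twitter.com.evil.example/ fails too, since
    "twitter.com.evil.example" does not end in ".twitter.com".
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def login_page_check(url, expected_domain):
    """Return (ok, reason) for a page that is about to receive a password."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https"
    if not host_belongs_to(url, expected_domain):
        return False, f"host {parts.hostname!r} is not {expected_domain}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed examples: one real-looking login page and four lookalikes.
    for url in (
        "https://twitter.com/login",
        "https://mobile.twitter.com/login",
        "https://twitter.com.evil.example/login",
        "https://twitter.com@evil.example/login",
        "https://evil.example/twitter.com/login",
        "http://twitter.com/login",
    ):
        print(url, "->", login_page_check(url, "twitter.com"))
```

The same comparison is what a browser's padlock and certificate are attesting to, but a reader who eyeballs the address bar tends to stop at the first familiar word; the check looks at the whole host, and only the host.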


  • J Frog

    Limit on password length… Maybe because software is still programmed in COBOL?

  • Ainsd

    I think you mean fool proof, not full proof.

  • Guest

    Why include the XKCD comic on this page if the advice given by your “expert” during the segment directly contradicts it?

    • Guest

      The image has been changed to a screen shot of the Haystack calculator. It used to be: http://www.xkcd.com/936/

    • Jack Cheng

      The point is the same: longer is stronger; length trumps complexity.

      Steve and xkcd just go about increasing the length in different ways.

      • Guest

        The point of the comic is that entropy (size of search space) does *not* directly correspond to size of character set (“complexity”) times length. The Haystack calculator assumes that all characters are equally random, and if for example you add a symbol onto the end of a password that doesn’t contain any, all the preceding characters are suddenly *more* random.

        If you expect an attacker to try the top 500 most common passwords before trying the rest of the dictionary, you should also expect them to try the 500 most common easily-remembered ways of adding capitalization, numbers, or symbols to every dictionary word or combination before trying all other possible gibberish.

    • Eniacpx

      Wow, please tell me you didn’t just claim Steve Gibson was not an expert on security…

  • BHA in Vermont

    OK, so now that Mr. Gibson has told the world’s hackers that adding a bunch of repeated characters to the end of a password will make it very difficult to crack, how long before they start with a simple algorithm that stuffs repeated common punctuation characters to the end of the string they are trying? I would think it necessary to have at least a few different characters that repeat.

    • http://twitter.com/isitvegan Is It Vegan?

      Every brute force algorithm to crack passwords is considered simple. But as the password gets longer, the number of characters to guess increases. Adding repeated punctuation, of any length, makes it more difficult to guess. Did you add two percent signs? 3 percent signs, 4??
      If your password was “abc”, a brute force algorithm, one that just guesses every combination of characters, could guess it in (26+10+15)^3 guesses (26 alpha characters, 10 numerals and 15 weird characters, for simplicity’s sake). That’s not a lot of guesses for a computer. On the other hand, if your password was “abcabcabcabcabc”, (26+10+15)^15, well, that’s a lot more guesses to make.

      Moral of the story: Longer passwords = better passwords.

      • Guest

        If your system for making something long is “take _____ and repeat it N times, adding a total of C characters”, then you’ve only increased the search space by a factor of N, not (26+10+15)^C.

        • Rebeccah

          But your cracking system doesn’t know in advance that that is what has been done. I will grant that certain sorts of appended sequences are more common than others (such as taking a dictionary word and appending a number between 1 and 10), and those could easily be added to a dictionary for a dictionary attack. But for a brute force attack, the search space is all possible permutations of characters of the length of your password/passphrase.

  • Jake009_2002002

    I run my fingers over the keyboard to generate a random string of text. I also have a password list with the associated sites stored under another name. I do not type anything, I copy and paste.

    for instance:

  • Nobbypeers

    Often Banks do not allow special characters.

  • Rebeccah

    All possible combinations of dictionary words plus easy-to-remember repeated sequences of characters appended makes for an awfully large extended dictionary, especially when the number of repeats is not known. Longer is better. No question about that. Personally, I’m a fan of passphrases rather than passwords, if the application allows enough length for them.

