Biggest myths about safe passwords.
Note: this text is meant to be understandable to as many people as possible, not only to the Project HOPE community.
In recent years people have become more aware of security issues.
I believe there is nobody who reads a site as good as Medium and still uses the password 123456.
However, for an attacker a password like “ahjurw” or “YPFCXV” is barely harder than “123456”. Attackers don’t type “12345”, “123456”, “qwerty” and so on one by one. They have a small program that enumerates every “chain” on the keyboard, and six random letters are not much better: 26^6 is only about 309 million combinations, which exhaustive search finishes in seconds. Even I have enough skill to write such a program in Python or Rust. It runs through all the chains in the blink of an eye.
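To make that concrete, here is an added example (not code from the original article) of the kind of tiny program meant above: it enumerates keyboard chains of a given length on a US QWERTY layout (straight runs such as “qwerty”, a short run repeated such as “123123”, and held-down keys such as “112233”, with cheap case variants), and compares the size of that list with the 26^n lowercase key space of the same length. The layout rows and the pattern rules are my assumptions; a real cracking tool knows more patterns and more layouts.

```python
# Added example (not from the original article): enumerate the "keyboard
# chains" an attacker tries before any real brute force, to show how few
# of them there are. Layout and pattern rules below are assumptions.
from math import log2

# US QWERTY rows, left to right (constructed; add your own layout rows as needed).
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def row_runs(row, length):
    """Contiguous runs of exactly `length` keys along one row, read both ways."""
    runs = set()
    for i in range(len(row) - length + 1):
        run = row[i:i + length]
        runs.add(run)
        runs.add(run[::-1])   # 'ytrewq', '654321'
    return runs


def keyboard_chains(length, rows=QWERTY_ROWS):
    """All lowercase keyboard-chain candidates of the given length:
    straight runs ('qwerty'), a short run repeated to fill the length
    ('123123', 'aaaaaa') and a run with every key held down k times ('112233')."""
    chains = set()
    for row in rows:
        chains |= row_runs(row, length)
        for period in range(1, length):              # repeated short run
            for run in row_runs(row, period):
                chains.add((run * (length // period + 1))[:length])
        for stretch in range(2, length + 1):         # each key repeated
            if length % stretch == 0:
                for run in row_runs(row, length // stretch):
                    chains.add("".join(k * stretch for k in run))
    return chains


def with_case_variants(chains):
    """Cheap case variants attackers add: all lower, ALL UPPER, Capitalised."""
    return {v for c in chains for v in (c, c.upper(), c.capitalize())}


def chain_report(length):
    """How the chain list compares with exhaustive search of the same length."""
    chains = with_case_variants(keyboard_chains(length))
    lowercase_space = 26 ** length
    return {
        "chains": len(chains),
        "lowercase_keyspace": lowercase_space,
        "bits_vs_exhaustive": log2(lowercase_space) - log2(len(chains)),
    }


if __name__ == "__main__":
    for n in (6, 8, 12):
        r = chain_report(n)
        print(f"length {n}: {r['chains']} chain candidates vs 26^{n} = {r['lowercase_keyspace']}")
```

For length 6 the whole chain list, case variants included, is a few hundred strings against 308,915,776 lowercase combinations; that is why “123456” or “qwerty” is gone instantly no matter how the rest of the attack is run.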
Therefore websites and applications force us to use more complicated passwords. In my opinion, however, they do it the wrong way.
Let’s open the webpage:
https://www.security.org/how-secure-is-my-password/
and type in a few passwords of the same shape as yours (made-up ones: never paste a password you actually use into a third-party site, however trustworthy it looks).
You should notice one thing: it is the length of the password that makes the bigger difference, not its complexity.
This is my research:
a 12-character password with 1 capital letter, 3 digits, 2 special characters and 6 lowercase letters takes from a few years up to xyz years to break;
a 16-character password of lowercase letters only takes about “thousands of years” to break, which is the larger value.
Practically, a 16-letter password is safer than a 12-character password in almost every real case, as long as the 16 letters are not a keyboard chain or one long dictionary word. The reason is that nobody picks their 12 “complex” characters uniformly at random: the capital letter goes first, the digits go at the end, the special character is “!”. With truly random characters the comparison is closer than the checker suggests: 26^16 is about 4×10^22, while 95^12 (every key on the keyboard) is about 5×10^23, so 12 random keyboard characters still beat 16 random lowercase letters, and it takes 17 lowercase letters to overtake them.
The mathematical intuition is that the number of possible passwords is A^L, the alphabet size A raised to the length L. Each extra character multiplies that number by A (26 for lowercase letters), whereas widening the alphabet from 26 to all 95 keyboard characters multiplies each position by only about 3.65. Length is the cheaper lever, and it is the one people actually tolerate. There is no magic, just math.
A password of 18 lowercase letters needs millions of years, according to security.org.
Of course that page estimates how safe a password is only against brute force, meaning an attacker’s program that tries every password of a given length made of lowercase letters, capital letters, digits and the special characters on a standard keyboard. Two things such an estimate has to assume are the guess rate and the order of guessing: an offline attack on a leaked database of fast, unsalted hashes runs billions of guesses per second, a slow password hash such as bcrypt cuts that by several orders of magnitude, and a login form that locks after a few failed attempts cannot be brute-forced at all. Dictionary words, names and keyboard chains are tried first and fall long before the brute-force figure says.
A password like 123123123123123123 is not secure despite its length.
The problem is that websites and applications usually do not require a long password, but one with characters of all 4 types. I even know of a page that requires all 4 types but accepts a length of 6 (and 8, still a very popular requirement, is not much better). Such a requirement gives only an illusion of security while changing almost nothing.
Moreover, let’s be honest: you don’t think about a password before registering somewhere. You register on a website to buy something, to read something, to see something, and when you decide to register you want to start as fast as possible. You don’t want to spend 10 minutes thinking about which password to choose, and often you don’t have pencil and paper at hand to write down a complicated one, so you choose a password that is easy to remember. For example, when a page requires a 10-character password with lowercase letters, capital letters and digits, Robert, born in 1984, will probably choose something like “Robert1984”. That password is not safe: it is worthless if somebody obtains his personal data and knows he uses the given website or application, and even without that, cracking tools ship with rules that append years and capitalise the first letter precisely because this is what people do.
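The arithmetic behind the two previous points (length versus character classes, and why a policy-shaped password like “Robert1984” is weak) is worked through in this added example, which is not code from the original article. The alphabet sizes are standard; the guess rates and the sizes of the name and suffix lists are my assumptions and are marked as such in the comments.

```python
# Added example (not from the original article): the key-space arithmetic
# behind "length beats character classes", plus why a policy-shaped
# password like "Robert1984" is far weaker than its nominal key space.
# Guess rates and list sizes are assumptions, stated in the comments.
import math

LOWER, UPPER, DIGITS = 26, 26, 10
SPECIALS = 33                                        # printable ASCII punctuation incl. space
FULL_KEYBOARD = LOWER + UPPER + DIGITS + SPECIALS    # 95
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates (candidates per second, offline attack on a leaked
# database): a fast unsalted hash such as MD5/NTLM on one GPU, versus a slow,
# deliberately expensive hash such as bcrypt with a sensible cost factor.
RATE_FAST_HASH = 1e10
RATE_SLOW_HASH = 1e5


def bits(alphabet_size, length):
    """Entropy of a password whose every position is uniform over the alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size, length, rate):
    """Time to try the whole key space at `rate` guesses/second (worst case
    for the attacker; on average the password is found after half of it)."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


def structured_bits(first_names, years, suffixes):
    """Effective entropy of a 'Name + birth year + maybe a symbol' password when
    the attacker guesses that shape: the product of the list sizes, not 62^10."""
    return math.log2(first_names * years * suffixes)


def compare(rate=RATE_FAST_HASH):
    """Nominal strength of the policies discussed in the article: (bits, years)."""
    policies = {
        "12 chars, full keyboard, random": (FULL_KEYBOARD, 12),
        "16 lowercase, random": (LOWER, 16),
        "17 lowercase, random": (LOWER, 17),
        "18 lowercase, random": (LOWER, 18),
        "8 chars, full keyboard, random": (FULL_KEYBOARD, 8),
    }
    return {
        name: (round(bits(a, n), 1), years_to_exhaust(a, n, rate))
        for name, (a, n) in policies.items()
    }


if __name__ == "__main__":
    for name, (b, yrs) in compare().items():
        print(f"{name:34} {b:6.1f} bits  {yrs:14.3g} years")
    # "Robert1984": nominally 10 characters from 62 symbols, but if the attacker
    # assumes <common first name><4-digit year><optional symbol> the search is
    # ~5000 names x 100 years x 10 suffixes (assumed list sizes).
    print("Robert1984 nominal :", round(bits(62, 10), 1), "bits")
    print("Robert1984 shaped  :", round(structured_bits(5000, 100, 10), 1), "bits")
```

Run as a script it prints the table; the shaped “Robert1984” comes out around 22 bits, less than six random lowercase letters, while the same ten characters chosen at random would be worth about 60 bits. Swap in RATE_SLOW_HASH to see how much of the defence depends on the site hashing passwords properly rather than on the user.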
And because these websites make people focus only on placing the special characters somewhere acceptable, nobody pays attention to the length of the password.
Thirdly, unless you talk too much, the attacker DOES NOT KNOW that you created a password of lowercase letters only. In practice he will try the cheap lowercase-only space before the full keyboard anyway, but that does not rescue him: 26^16 is about 4×10^22 candidates, roughly 140,000 years at ten billion guesses per second.
Fourthly, some sites require us to change the password every month, for example, which makes no sense. What does changing a password have to do with security? Rotation is useful after a password has leaked or been phished; done on a calendar, it only forces people to create weaker passwords that are easy to change every month. For example, my mother has a password ending in “01” in January, “03” in March and “12” in December. All of them are at the same level of security, and maybe my mother would have made one stronger password if she were not required to change it so often. Remembering 12 strong passwords is harder than remembering 1 strong password.
So, what you should remember after this text:
the length of a password matters more than the number of character types used (of course a password of 16 letters “a”, a keyboard chain or a single 16-letter dictionary word is not safe);
such a password is easy to create by gluing together 4–6 short words. “onetwothreefourfivesix” shows the shape, but don’t copy the idea literally: apart from being published here, it is a predictable sequence from a list of about twenty number words, so an attacker who guesses word by word needs far fewer tries than the 22 letters suggest. Choose words that don’t form an obvious sequence; relate them to something you like and think about often, but not to the names of people around you;
for example, if you like one specific movie, make a 30-character password from a phrase in it. If you like LotR, “gobacktotheshadowsyoushallnotpass” was reasonably safe before I wrote this article, and it is extremely easy to remember. Keep in mind that famous quotes, lyrics and verses are in the attacker’s phrase lists too, so take a line few people would quote, or change a word in it.
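The passphrase advice above is easy to get subtly wrong, so here is an added example (not code from the original article) that generates a glued-words passphrase with a cryptographic random source and shows the two strength figures that matter: what a character-only checker reports (26^length) and what the phrase is worth against an attacker who guesses whole words (list_size^words). The word lists are short constructed stand-ins; a real list such as diceware has 7776 words, and the number-word list is used only to measure the article’s own “onetwothreefourfivesix”.

```python
# Added example (not from the original article): a passphrase generator that
# glues random words, and the two strength figures that matter for it. Word
# lists here are short stand-ins; a real list (e.g. diceware) has ~7776 words.
import math
import secrets

# Constructed stand-in word list. With a real 7776-word list each word is
# worth log2(7776) = 12.9 bits; here each is worth log2(len(SAMPLE_WORDS)).
SAMPLE_WORDS = (
    "anvil", "badger", "canyon", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "jigsaw", "kettle", "lantern", "marble", "nickel", "orchid", "plume",
    "quartz", "raven", "saddle", "tundra", "umbra", "velvet", "willow", "yonder",
)
# The vocabulary an attacker would assume for a phrase made of number words.
NUMBER_WORDS = ("one", "two", "three", "four", "five", "six", "seven", "eight",
                "nine", "ten", "eleven", "twelve", "thirteen", "fourteen",
                "fifteen", "sixteen", "seventeen", "eighteen", "nineteen", "twenty")


def pick_words(count, words=SAMPLE_WORDS):
    """Choose `count` words independently with a CSPRNG (secrets, not random)."""
    return tuple(secrets.choice(words) for _ in range(count))


def glue(words):
    """The article's style: words simply concatenated, no separators."""
    return "".join(words)


def bits_as_random_letters(phrase):
    """What a checker that only sees characters reports: 26^len(phrase)."""
    return len(phrase) * math.log2(26)


def bits_as_word_choice(count, list_size):
    """Worth against an attacker who guesses word sequences: list_size^count.
    For words in a fixed order (one, two, three...) even this is an overestimate."""
    return count * math.log2(list_size)


def strength(words, list_size):
    """Both views side by side; the lower one is the honest figure."""
    phrase = glue(words)
    letters = bits_as_random_letters(phrase)
    choice = bits_as_word_choice(len(words), list_size)
    return {"phrase": phrase, "as_letters": letters, "as_words": choice,
            "effective": min(letters, choice)}


if __name__ == "__main__":
    # The article's own example: six words from a vocabulary of twenty.
    s = strength(("one", "two", "three", "four", "five", "six"), len(NUMBER_WORDS))
    print(f"{s['phrase']}: looks like {s['as_letters']:.0f} bits, worth {s['as_words']:.0f}")
    # Random words from the stand-in list; the figure a real 7776-word list gives.
    s = strength(pick_words(5), len(SAMPLE_WORDS))
    print(f"{s['phrase']}: {s['effective']:.0f} bits here; with a 7776-word list: "
          f"{bits_as_word_choice(5, 7776):.0f} bits")
```

The point of the two figures: “onetwothreefourfivesix” looks like 103 bits to a character counter but is worth under 26 bits once the attacker guesses number words, whereas five words picked at random from a 7776-word list are worth about 65 bits however the attacker models them, which is more than a 12-character lowercase password and far easier to remember.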
I’m personally not into password managers; I prefer writing passwords down and keeping them at home. Again, the attacker DOES NOT KNOW that you keep your passwords at home, as long as you don’t talk too much. If you are afraid, you should encrypt them, but that is a story for another text. If you are a journalist or a politician in an authoritarian country, then password managers are better than physical copies. But for casual people, I encourage keeping them written down at home.
Photos are free for commercial use, from pixabay.com.
Read also at Medium.com: https://maciej-ficek.medium.com/biggest-myths-about-safe-passwords-f5aa09111ce9
Read also at HIVE: https://hive.blog/hive-175254/@maciejficek/biggest-myths-about-safe-passwords
Thanks for reading,
Stay cool!
That’s why I often put passwords over 100 characters long.
Hello @maciejficek
Thank you for posting within our project.hope community on STEEMit.
Please spare a few minutes to read how project.hope is organized and learn about our economy.
That will help you understand our goals and how we are trying to achieve them. Hopefully you will join our community and become a strong part of it :)
Do you use Telegram or Discord? If you do, then join our server and give me a shout. I would gladly share with you the goals of our community and introduce you to others from our team.
Consider joining our discord server: https://discord.gg/uWMJTaW
Yours,
@project.hope team,