The week of August 9, 2015

Everything you need to know about password security, explained by 19th century slang

By Aaron Sankin

Hackers can use two fundamental types of attacks to get your personal information. There are attacks on the computer systems of the companies you entrust with your most sensitive information—looking at you, Ashley Madison. There are also attacks directed against end users. That’s you.

There are a number of ways to keep yourself safe from these so-called client-side attacks. You can make sure all your software has had the most recent updates applied, many of which are aimed at closing security holes. You can install antivirus software to detect malware that steals your passwords or compromises your systems. You can enable two-factor authentication everywhere it’s offered.

All these things are important, but one of the most important ways of keeping yourself safe online is to practice good password hygiene.

It’s 2015, so you’re probably well aware that you shouldn’t use the word “password” as your password. Weak passwords, of which “password” is easily the weakest, leave your accounts vulnerable to what are called “brute-force attacks.” That’s when a hacker uses a computer program to guess your password. These programs can make a litany of guesses every second; the weakest passwords can be shredded almost instantly. That’s why selecting a good, strong password is crucial.

However, the advice you’ve probably been given—to use a long string of random letters, numbers, and symbols—is problematic in that the ensuing combinations are virtually impossible to remember. Even a lot of hackers have a tough time picking good passwords—and if anyone should instinctively understand the benefits of having a strong password, it’s hackers. When a trove of some 2,000 passwords of computer hackers was leaked last year, Avast Security researcher Antonín Hýža compiled a list. The most common password? “Hack.” Seriously, “hack.”

As a helpful guide, here’s something that’s a little easier to remember: 19th century slang terms for vaginas and penises, as compiled by TimeGlider and using Green’s Dictionary of Slang. I ran all of the following terms through HowSecureIsMyPassword.net, which shows how long it would take the average desktop PC to crack a given password. Inside these two infographics is virtually everything you need to know about crafting a good password.


So, what did we learn?

1) People in the 19th century were filthy.

We’re not just talking about public sanitation here.

2) The longer the password, the harder it is to crack.

3) A passphrase consisting of multiple words is much better than a single word.

It’s also easier to remember than a garble of random characters.

4) The more varied the characters in your password, the stronger it is.

Use a combination of uppercase and lowercase letters, along with numbers and symbols like ?!$%. Don’t just put an exclamation point at the end of your password and think you’re safe—stick it in the middle, where the brute-force program won’t expect it.
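
An added example, not part of the original article: a rough Python estimator for points 2 through 4, run over terms quoted in this piece. The guessing rate, the 7,776-word list size, and the per-term word counts are assumptions; the whole-word figure shows that a phrase made of dictionary words is only as strong as the cheapest search that finds it.

```python
import math
import string

GUESSES_PER_SECOND = 1e9   # assumed guessing rate, not a figure from the article
WORDLIST_SIZE = 7776       # assumed size of the list passphrase words are drawn from

# Character classes an exhaustive search has to cover once any member is used.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " "]

def charset_size(password):
    """Alphabet size implied by the character classes present."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def brute_force_bits(password):
    """log2 of the search space for a character-by-character search."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def passphrase_bits(n_words, wordlist_size=WORDLIST_SIZE):
    """log2 of the search space when whole words are guessed from a list."""
    return n_words * math.log2(wordlist_size)

def effective_bits(password, n_words=None):
    """Strength is bounded by the cheapest search that finds the password."""
    bits = brute_force_bits(password)
    if n_words is not None:
        bits = min(bits, passphrase_bits(n_words))
    return bits

def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Time to try every candidate in a space of 2**bits at the given rate."""
    return 2 ** bits / rate

# Terms quoted in the article, with an assumed count of dictionary words in each.
SAMPLES = [("hack", 1), ("password", 1), ("Sir John", 2),
           ("Miss Laycock", 2), ("Jack-nasty-face", 3), ("stuffed eel-skin", 3)]

def report(samples=SAMPLES):
    """Rows of (term, alphabet size, brute-force bits, word-guessing bits)."""
    return [(pw, charset_size(pw), round(brute_force_bits(pw), 1),
             round(effective_bits(pw, words), 1)) for pw, words in samples]

if __name__ == "__main__":
    for pw, size, brute, eff in report():
        print(f"{pw!r:20} alphabet={size:3} brute-force={brute:5.1f} bits "
              f"word-guessing={eff:5.1f} bits "
              f"({seconds_to_exhaust(eff):.3g} s at {GUESSES_PER_SECOND:.0e}/s)")
```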

5) Avoid common tropes.

You wouldn’t name your junk after your beloved childhood pet or your brother’s birthday—that would be creepy. Don’t do that for your passwords either. While unique to the individual, those ideas are common password tropes and are easily guessed by anyone with a little information about you.

6) Context matters.

Just as you might refer to your penis as a “stuffed eel-skin” in front of your buddies, it might not be as appropriate for your co-workers, even when everyone at the office goes out to happy hour. That’s when you might want to use “Sir John.” Likewise, regardless of your password strength, it’s a bad idea to use the same one everywhere, because if you use the same password for your email account as you do for your Facebook account, a hacker who gains access to one could easily gain access to the other. So switch things up. Maybe replace the second-to-last letter of your passphrase with the first letter of the site you’re signing into, or use some other substitution scheme; whatever works for you.

7) Juvenile humor gets old fast.

Calling your lady bits “Jack-nasty-face” is funny for a while but will quickly lose its novelty. That’s why you have to switch it up every so often. Keeping the same password for a long time allows an attacker who has compromised your security to eavesdrop until they discover something good. Cybersecurity greybeard Bruce Schneier argues that changing all of your passwords all the time isn’t necessary. Someone who gets your bank account information isn’t going to wait around and monitor your transactions; that person is immediately going to steal all your money—and then you’re going to notice. The most important passwords to keep fresh are those for email and messaging systems.

8) Get a password manager.

Just as you probably had no idea “Miss Laycock” was how people used to refer to vaginas, you shouldn’t necessarily be expected to keep a handle on all your passwords yourself. Password-manager software can automatically generate complex passwords for each site you log in to, and then save them in a central location. It’s a great way to outsource a lot of password management. The only problem is when a password manager gets hacked, as happened to the popular LastPass tool earlier this year.

Illustration and infographic by J. Longo