Technology Blog

Passwords and bad habits...

  • Writer: Nick Thomas
  • Jul 29, 2021
  • 3 min read

Everyone hates passwords, but they're not going anywhere anytime soon, so here's some decent background info on password requirements and why your password is probably more predictable than you think...


Heads up, I'm going to bore you with some technical stuff...


When someone tries to crack your password or hack your account starting from scratch, they'll keep failing until your provider suspends your account; you'll find out in short order, get angry, unblock it and maybe reset your password. On the rare occasion that they're successful, it's usually because a password you've used before has been stolen as a hash and then cracked, and you've been slack in implementing the arbitrary password complexity requirements in an ENTIRELY predictable fashion.


Word Lists and Dictionary Attacks

OK, some boring stuff: most places you log into don't store your password in plain text; they store it as a one-way hash. What this means is that when you create your password, a very complicated algorithm takes the input and generates a looooooooong fixed-length alphanumeric string. You might enter "sunshine" (don't use this, I'll explain later) and the hashing algorithm might spit out "29b49e96207675ad3d7723021b6c0960c47b0d9a2918b7eda89c1b047017ba53", and that's what it stores.

Every time you authenticate, it hashes what you put in, compares it against the stored hash and, if it matches, authenticates you.

Usually when there's a security breach on a massive scale, hackers have stolen the hashes assigned to accounts. This is why it's a big thing when someone reports "...that were stored in plain text" and computer people the world over collectively face-palm.

This is where word lists, dictionaries and bad habits come into play. There exist lists of commonly used words; we jokingly talk about the common ones like "god", "sex", "iloveyou", etc., but the actual word lists contain millions of common passwords. That might sound like a lot, but it's really not, not to a computer. ("sunshine" exists in the word list, so don't use it please...)

So the words we use are predictable. So are our habits. If we're asked to include a number and a special character, invariably we don't 'include' it, we 'add' it, and 'it' is usually '1!' or '1$'. So our 'more complex' password of "sunshine" is now a no-more-complex "sunshine1!". It's an easy thing for a hacker to write a piece of code that runs through each word of a word list or dictionary, adds two numbers or one number and one special character, and then just sits back and waits for any hash matches.


The takeaway from this is that you shouldn't use a single word, and probably not two words that commonly go together or in their usual order:

"blackshirt"? "shirtblack" is better...

"shirtblack"? "sh1rtbl4ck" is better... (although 'leet speak' is a little more common these days, it's not in a dictionary).

"sh1rtbl4ck"? "sh1rtbl4c&k" is better. The hacker will go for the low-hanging fruit: stuff they can crack with simpler attacks. If they have to brute force your password (try every possible combination of characters for every possible position), THAT takes an incredibly long time, and they're liable to give up or not even try in the first place.
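To make the hashing and the "word list plus habits" idea concrete, here is an added example (not code from the post) that stores and verifies a password as a SHA-256 digest, and then labels candidate passwords the way a wordlist-and-rules check would see them. The word list and phrase list are constructed miniatures; a real list runs to millions of entries.

```python
from __future__ import annotations

import hashlib
import re

# Constructed miniature word list and phrase list (real lists hold millions of entries).
COMMON_WORDS = {"sunshine", "password", "iloveyou", "god", "sex", "black", "shirt"}
COMMON_PHRASES = {("black", "shirt")}  # pairs in the order people normally write them
# Substitutions a cracking rule simply undoes; "1" -> "i" and "4" -> "a" cover "sh1rtbl4ck".
LEET = str.maketrans({"1": "i", "3": "e", "4": "a", "0": "o", "5": "s", "7": "t", "@": "a", "$": "s"})
# The "added, not included" tail such as "1!" or "1$".
SUFFIX = re.compile(r"[0-9!$@#%&*?.]{1,4}$")


def store_hash(password: str) -> str:
    """What a well-behaved site keeps: a fixed-length hex digest, never the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify(password: str, stored: str) -> bool:
    """Login as the post describes it: hash the input and compare it with the stored digest."""
    return store_hash(password) == stored


def classify(password: str) -> tuple[str, list[str]]:
    """Return (label, normalisations applied) for a candidate password.

    "survives wordlist rules" means that, under this toy list, only a full brute
    force would reach it; the other labels mean a dictionary-plus-rules run finds it.
    """
    base = password.lower()
    core = SUFFIX.sub("", base)                      # "sunshine1!" -> "sunshine"
    steps = ["suffix stripped"] if core != base else []
    forms = [(core, steps)]
    deleet = core.translate(LEET)                    # "sh1rtbl4ck" -> "shirtblack"
    if deleet != core:
        forms.append((deleet, steps + ["leet undone"]))
    for form, applied in forms:
        if form in COMMON_WORDS:
            return "single dictionary word", applied
        for first in COMMON_WORDS:
            second = form[len(first):]
            if form.startswith(first) and second in COMMON_WORDS:
                if (first, second) in COMMON_PHRASES:
                    return "common two-word phrase", applied
                return "two dictionary words", applied
    return "survives wordlist rules", []
```

A mid-word special character such as the "&" in "sh1rtbl4c&k" defeats both the suffix rule and the leet rule, which is why the post ranks it above "sh1rtbl4ck".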


Something else to take away from this is that those word lists don't just generate themselves; hackers are very good at harvesting information. Every time you see a Facebook post about "A dragon attacks and you have to defend yourself with the first thing to your right, how screwed are you?", they're gathering words. "Name 5 things kids of today don't know about": they're gathering a list of the first words that come to mind and a vague age of the user. Every time you engage with these social media posts, you're helping to re-calibrate the tools hackers can use against us. Stop it.

Well... that was longer than expected....
