Look at this character string closely: kl7cjnsb8fb162068.
To most people, that string looks like an error. It looks like a cat walked across the keyboard, or a phone pocket-dialed it. It is hard to read, hard to memorize at a glance, and it carries no meaning and no sentimental value, unlike a favorite quote or a childhood pet's name.
To anyone who understands randomness, though, there is nothing wrong with this string. Random strings like this are exactly what protects a digital account well.
We are living through a shift in how we protect our digital lives from online threats. In the past we were taught to create a password we would remember. It was once considered clever to change an E to a 3, swap a letter for a number, and add an exclamation mark at the end. All that did was make us easier victims of cyber crime.
The rest of this article explains how cyber criminals are building and using technologies that are transforming the digital world, and why, in response, we should stop trying to create clever passwords.
Is kl7cjnsb8fb162068 the Key to Your Digital Safety?
Unbreakable passwords do exist, and this example is a good start (it would be even better if it were a real, freshly generated one). Let's examine how and why it is like a sturdy wall.
This password is 17 characters long, which is a good length. As we discussed in the last email, the single most important property of any password is its length. But length is not the only thing this password has going for it; it also has high entropy.
Entropy in terms of password security refers to the absence of predictability in the password.
1. Low Entropy: Password123 (Follows a predictability pattern)
2. Medium Entropy: MyDogSkip1985! (Still not good as it uses terms from the dictionary and dates)
3. High Entropy: kl7cjnsb8fb162068 (This is the ideal level of entropy: it uses no dictionary words or dates and, as mentioned earlier, has no patterns at all.)
This password uses only lowercase letters and digits, with no uppercase letters or special characters; its entropy comes from its length and its randomness. Because there are no patterns and no dictionary words to find, the only way to crack it is brute force: guessing candidate passwords one after another until one matches.
Beating the Brute Force Math
Now let's explain brute force attacks. A brute force attack is a way to break into an account by guessing. A computer runs a program that generates candidate passwords from a set of possible characters and tries each one. Such a program can create and check billions of passwords in a very short time.
If your password were Fido123, a brute force attack would crack it immediately. Simple combinations like that appear on the "common password lists" that hackers feed into their programs.
Now, consider kl7cjnsb8fb162068.
- At 17 characters, it is a random assortment of 36 possible characters (26 lowercase letters + 10 digits).
- A computer brute forcing this password can't take any shortcuts. It can't use a "dictionary attack", since "kl7cjnsb" isn't a word in any language. It must check every possible combination, and a 17-character password drawn from this character set has 36^17 combinations.
That is an incomprehensibly large number. With today's technology, guessing that specific string would take millions of years. Whatever data the hacker was after would be long obsolete by the time their computer finally hit the right string.
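To make the numbers above concrete, here is a small Python calculator, added here as an illustration and not part of the original article. It estimates the character pool, the number of combinations, the entropy in bits and the brute-force time for any password. The character classes and the guess rate of one trillion guesses per second are assumptions chosen for the example, and the entropy figure is an upper bound that treats every character as uniformly random, which is exactly why Password123 scores far higher here than it deserves.

```python
import math

# Character classes used to estimate the pool a brute-force search must cover.
# Constructed for this example; real cracking tools model far more than this.
CLASSES = [
    ("lowercase", "abcdefghijklmnopqrstuvwxyz", 26),
    ("uppercase", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", 26),
    ("digits", "0123456789", 10),
    ("symbols", "!@#$%^&*()-_=+[]{};:,.<>?/", 26),
]


def pool_size(password: str) -> int:
    """Size of the smallest standard character pool that covers the password."""
    size = 0
    for _name, chars, n in CLASSES:
        if any(c in chars for c in password):
            size += n
    return size


def combinations(password: str) -> int:
    """Number of candidates an exhaustive search must cover: pool ** length."""
    return pool_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Entropy in bits, assuming every character was chosen uniformly at random
    from the pool. This is an upper bound: a predictable string like
    'Password123' is far weaker in practice than this number suggests."""
    return len(password) * math.log2(pool_size(password))


def brute_force_years(password: str, guesses_per_second: float = 1e12) -> float:
    """Expected years to find the password by brute force, i.e. the time to
    cover half the key space at the given (assumed) guess rate."""
    seconds = combinations(password) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("Fido123", "Password123", "MyDogSkip1985!", "kl7cjnsb8fb162068"):
        print(f"{pw:20} pool={pool_size(pw):3} bits={entropy_bits(pw):6.1f} "
              f"years={brute_force_years(pw):.3g}")
```

Run it and the 17-character string comes out at roughly 88 bits and millions of years at a trillion guesses per second, while Fido123 falls in a fraction of a second.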
The Human Problem: Why We Hate Randomness
If random strings like this are so secure, why doesn't everyone use them?
The answer lies in human psychology. Pattern recognition, narrative, and structure are hardwired into the brain. When the brain is asked to produce something like a password, it instinctively reaches for familiar things:
- Names of children or pets, or significant years (birth years, wedding anniversaries, etc.).
- Favorite sports teams.
- Keyboard patterns (QWERTY, ASDF).
Much of this is driven by fear of the unknown. The fear of being permanently locked out of a bank account pushes people toward weak passwords; they choose insecure methods because they think it will make their lives easier.
Hackers count on this. They use a method called 'social engineering', which involves researching what you share publicly. Say your Facebook profile reveals you have a dog named Buster and that you were born in '90. A hacker's software will suggest 'Buster1990' as the most likely password.
A random string like this has no connection to your personal information. It has nothing to do with your favorite sports team or the color blue. It's just a random collection of letters and numbers, so no one can guess it from your social media profile.
Managing the Unmanageable
The days of memorizing passwords are over. The tougher a password is to remember, the more likely someone is to make an extremely poor choice in the first place, like Buster1990. The only practical way to use strong passwords and keep your accounts safe is to download a password manager.
A password manager keeps passwords safe like a vault in a bank. All you have to remember is one master password, such as “PurpleTigerBakesPasta!”, and everything else is taken care of for you.
- Generation: The manager creates and stores passwords like kl7cjnsb8fb162068 instantly.
- Storage: The password is saved in an encrypted database.
- Execution: When you visit the website, the manager fills in the box for you.
This creates a kind of “zero knowledge” setup: you store your Netflix password in the manager, and you yourself never know what it is. The same goes for your Gmail password, which is exactly why so many people rely on the tool. Because you never type the passwords yourself, you don't care how ugly they are.
Comparing Password Strategies
Let’s see how this string stacks up against other password strategies.
The “Complex” Short Password: Tr0ub4dor&3
- Strategy: Replacing letters with numbers and symbols.
- Verdict: Weak. This is a well-known pattern called “leet speak”. Cracking tools have rules built in that swap “o” for “0” and “a” for “4”, so the computer sees right through the disguise.
The Common Phrase: ILoveCoffee
- Strategy: Combining dictionary words.
- Verdict: Very weak. Dictionary attacks look for word combinations; “Love” and “Coffee” will be cracked in a couple of seconds.
The Random String: kl7cjnsb8fb162068
- Strategy: Total mathematical randomness.
- Verdict: Strong. It holds up against dictionary attacks, rule-based attacks, and social engineering.
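The comparison above can be turned into a simple strength check. The Python below is an added example, not code from the article: it undoes the common leet substitutions that rule-based cracking tools apply, then looks for dictionary words inside the result, which is how a checker flags Tr0ub4dor&3 and ILoveCoffee while letting the random string through. The wordlist and substitution table are constructed for the example and deliberately tiny; a real check would use a large wordlist or a library such as zxcvbn.

```python
# A tiny constructed wordlist standing in for the multi-million-entry lists
# that cracking tools load. Real checks need a large list.
WORDLIST = {
    "password", "troubador", "love", "coffee", "buster", "fido", "skip",
    "correct", "horse", "battery", "staple",
}

# Common leet substitutions, applied in reverse so "Tr0ub4dor" reads as
# "troubador" again. Constructed for the example; real rule sets are larger.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def normalise(password: str) -> str:
    """Undo leet substitutions and lower-case the result."""
    return "".join(LEET.get(c, c) for c in password).lower()


def dictionary_words(password: str, min_len: int = 4) -> list[str]:
    """Wordlist entries (of at least min_len letters) found inside the
    normalised password, sorted for deterministic output."""
    text = normalise(password)
    return sorted(w for w in WORDLIST if len(w) >= min_len and w in text)


def assess(password: str) -> str:
    """Coarse verdict in the spirit of the article's three categories."""
    words = dictionary_words(password)
    if words:
        return f"weak: built from dictionary words {words}"
    if len(password) < 12:
        return "weak: too short even for a random string"
    return "strong: no dictionary content found"


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "ILoveCoffee", "MyDogSkip1985!", "kl7cjnsb8fb162068"):
        print(f"{pw:20} -> {assess(pw)}")
```

Note that normalisation is lossy on purpose: the 3 in Tr0ub4dor&3 becomes an e, which is harmless for detection because the word is still recognised.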
Actionable Tips for High-Entropy Security
Ready to embrace randomness for far more security? Here is how.
1. Generate, Don't Type
Never try to type out a 'random' password yourself; what you type won't actually be random, because human keystrokes are far too predictable. A random generator produces far more entropy than any human can. Most password managers have one built in, so use it.
2. Audit Your Most Important Accounts
You don't need to change every single password. Start with the “crown jewels”:
- Primary Email Account (The key to resetting all other passwords).
- Online Banking and Investments.
- Healthcare Portals.
- Government IDs.
Once these are high entropy random strings, the stress is gone.
3. No More Recycling Passwords
The random string you generate for your email account should never also be used for your bank account. If a site you use gets hacked and your password is exposed, that string will be tried on every other site it could possibly work on. True safety means a different random string for every single login.
4. Use 'Salting' for Manual Entry
If you really have to memorize a password (for example, for your computer login screen) and cannot use a random string, use a long passphrase and 'salt' it with some randomness.
- Normal Passphrase: CorrectHorseBatteryStaple
- Salted Passphrase: CorrectHorseBatteryStaple8fb16
By just adding a few random characters to a phrase that is easy to remember, you make it a lot safer.
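Tips 1 and 4 both come down to drawing characters from a proper random source. The Python below is an added example, not the article's own code: it generates a random string from the 36-character alphabet of the example password using the `secrets` module, which draws from the operating system's entropy source, and appends a few such characters to a memorable passphrase in the article's informal sense of 'salting' (distinct from the salt a server adds before hashing a stored password). The 17-character default length and the five-character salt mirror the article's examples; both are assumptions you can change.

```python
import math
import secrets
import string

# The 36-symbol alphabet of the article's example: lowercase letters + digits.
ALPHABET = string.ascii_lowercase + string.digits


def random_password(length: int = 17, alphabet: str = ALPHABET) -> str:
    """Build a password from a cryptographically secure generator.
    secrets.choice draws from the OS entropy source; the random module's
    Mersenne Twister is predictable and must not be used for secrets."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def salt_passphrase(phrase: str, extra: int = 5, alphabet: str = ALPHABET) -> str:
    """Append `extra` random characters to a memorable passphrase, as in the
    article's CorrectHorseBatteryStaple -> CorrectHorseBatteryStaple8fb16."""
    return phrase + random_password(extra, alphabet)


def bits_added(extra: int = 5, alphabet: str = ALPHABET) -> float:
    """Entropy contributed by the random suffix alone: extra * log2(|alphabet|).
    The passphrase part adds whatever a dictionary attack cannot predict,
    which for a famous phrase is close to nothing."""
    return extra * math.log2(len(alphabet))


if __name__ == "__main__":
    print("random string :", random_password())
    print("salted phrase :", salt_passphrase("CorrectHorseBatteryStaple"))
    print(f"suffix adds   : {bits_added():.1f} bits")
```

Five characters from a 36-symbol alphabet add about 26 bits, which is what turns a phrase every cracking wordlist already contains into something that still has to be brute-forced.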
Final Thoughts
The example string 'kl7cjnsb8fb162068' is a password that also serves as a philosophy. It marks the transition away from human-centric security, which is flawed and emotive, toward data-centric security, which is rational and strong.
As more of our lives move online and the threats become more automated and sophisticated, our defenses need to become sophisticated too. By adopting random strings and a system to manage them, you protect yourself from almost all hacking tools.
It is okay if you think you'll have a hard time pronouncing this password, and if you think you'll have a hard time remembering it, we understand. Nevertheless, a password like this is the digital bodyguard you need in 2025.
