Understanding the Difference Between Weak and Strong Passwords

Most people understand that passwords with names or words in them are weak and shouldn't be used. But what people consider strong passwords are often weak passwords as well. Substituting numbers or special characters for letters, using dates, and combining words does not make a password strong. The only way to get truly strong passwords is to let the computer randomly generate them for you.

Video Transcript
Recently there's been a lot of talk online about what makes a good password. A lot of sites have been pointing out that the advice people were given years ago about making good strong passwords just isn't working out. People are breaking into these accounts. So, what is a weak password and what is a strong password?

Well, here are some examples of weak passwords. In the one column you see some that are obviously weak, like using the word password or the numbers one through eight. But you also see some others there, like keys on the keyboard that are easy to type, such as qwerty, or a name, even a place name like colorado, or any word out of the dictionary. A person's name, a pet's name, a sports team name. Even a set of words that's just strung together. These are all bad passwords, and hopefully you know that they're all bad passwords.

The reason they're bad passwords is that they're easy to guess. There can be lists of thousands or even millions of these commonly used passwords, and hackers, or more likely bots, will try to break into your account using these common passwords.

Now there are also some other passwords. These are the ones that people have been using for a while, and they're really weak passwords as well, but people think they're strong passwords. These are when you take some of these same kinds of ideas and substitute characters. So maybe an at symbol instead of an a, or a five instead of an s, or a zero instead of an O. That kind of thing. Or using something like a string of numbers where the numbers are really dates, like maybe your child's birthday. Maybe combining a few different rows of the keyboard, or taking a common word and putting a number after it. Or even somebody's initials and an abbreviation of their birth date. That kind of thing.

These are all bad passwords because they're just as easy to break as the very simple passwords. They already exist in databases, and if you think you've thought of a clever one, it's probably not true. There are billions of people in the world with passwords. Everybody has dozens of passwords, so there are hundreds of billions of different passwords that people are using. A lot of them are weak. A lot of them have been found in databases of passwords that have been broken into, and a lot of variations have been guessed and put in these databases, which are then tried against your email address or ID to break into your bank account, your Amazon account, your iCloud account. All of that. So you don't want to use any of these.

Basically the rule is that if a password was thought of by you, or by any human brain, it's a weak password. It's got some sort of pattern. As humans we love patterns. Our brains love to latch onto patterns, think of patterns, and all of that. Anything you think of in your head is going to have a pattern that can then be broken by some sort of bot that's just trying lots and lots of passwords.

The way to combat that is to use a truly strong password, which is any password that's completely randomly generated by a computer. The good news is that Apple makes this easy because built into Mac OS and iOS is the keychain. The keychain will generate random passwords for you when you need them.

So whether you're changing a password on a current site or signing up for a new one like this, you go to the password field and it's going to suggest a randomly generated password. This is generated by your Mac, and the best thing is that if you use this password, then it will be saved in the keychain. That means you don't have to remember it. Your Mac remembers it for you. It's encrypted by your user account password, and if you use iCloud Keychain, which you should turn on under System Preferences, iCloud, Keychain, then it can be remembered and used across all your Macs and all your iOS devices as well. It's encrypted and protected by your iCloud password. That's the only one you really need to remember. The rest are stored in iCloud Keychain, so when you go to log in to the site later on, it fills in the password for you automatically.
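As an added illustration of the two points above (this is not code from the video or from Apple's keychain), here is a small Python checker that undoes the "clever" tricks the transcript lists and names the human pattern underneath, next to a generator that does what the keychain does: draw every character from a cryptographic random source. The wordlist, substitution table and alphabet are constructed assumptions; a real checker would use a large breached-password list.

```python
import math
import re
import secrets
import string
# Constructed mini wordlist standing in for the leaked-password databases the video
# describes: dictionary words, a place, a team, a pet, a keyboard row, a digit run.
COMMON = {"password", "qwerty", "colorado", "12345678", "letmein", "broncos", "fluffy"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# The substitutions people believe add strength: @ for a, 0 for o, 5 for s, ...
LEET = str.maketrans("@4310!$57", "aaeioisst")
ALPHABET = string.ascii_letters + string.digits + "-_!@#$%"  # 69 symbols

def normalize(pw: str) -> str:
    """Undo the 'clever' tricks: drop a trailing number or date, reverse substitutions."""
    base = re.sub(r"\d{1,8}$", "", pw.lower())
    return re.sub(r"[^a-z]", "", base.translate(LEET))

def is_keyboard_walk(s: str) -> bool:
    return len(s) >= 4 and any(s in row for row in KEYBOARD_ROWS)

def only_dictionary_words(s: str) -> bool:
    """True if s is COMMON words strung together, e.g. 'passwordcolorado'."""
    if s == "":
        return True
    return any(s.startswith(w) and only_dictionary_words(s[len(w):])
               for w in COMMON if w.isalpha())

def why_weak(pw: str):
    """Return the human pattern that makes pw weak, or None if none is found."""
    low = pw.lower()
    if low in COMMON or is_keyboard_walk(low):
        return "common password or keyboard row"
    if re.fullmatch(r"(19|20)\d{2}|\d{6}|\d{8}", low):
        return "looks like a date"
    core = normalize(pw)
    if core and core != low and (core in COMMON or is_keyboard_walk(core)):
        return f"substitution or number-suffix variant of '{core}'"
    if core and only_dictionary_words(core):
        return "dictionary words strung together"
    if core != low and len(core) <= 3:
        return "initials or a short word plus a number or date"
    return None

def generate(length: int = 16) -> str:
    """What the keychain does for you: every character drawn from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Work to guess a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)
```

Sixteen characters from this alphabet give about 98 bits, which is why no wordlist or substitution rule helps an attacker against it, while every input the transcript warns about normalizes back to a wordlist entry.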

Comments: 23 Responses to “Understanding the Difference Between Weak and Strong Passwords”

    Tony B.
    8/23/17 @ 3:43 pm

    I understand the need for strong passwords. But companies could greatly help prevent hacking by implementing a “3 strikes and you’re out” password system, i.e., three wrong password tries and your account is suspended for 24 hours. No hacker or Bot would try just three passwords day after day after day …

    8/23/17 @ 3:47 pm

    Tony: That only prevents someone from breaking into a single, targeted account. But most of the time each attempt is a random ID (email) and random password. So if there are 100 million Apple IDs (iCloud email addresses) then the bot tries one Apple ID, one password. Then it moves to another Apple ID, another password. It keeps doing this until it gets 1,000 valid combinations and then sells those or whatever. So three strikes wouldn’t work as no one account would get more than a single strike in such an attack.
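An added example (not from the original post) of the point in this reply: a per-account three-strikes counter over a constructed login log never trips on a source that tries each account once, while counting distinct accounts per source does. The log format, IP addresses, account names and thresholds are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed auth log (not real data): timestamp, source IP, account, result. The first
# source tries one password per account and moves on, as described in the reply above.
LOG = """\
2017-08-23T15:40:01Z 203.0.113.7 alice@example.com FAIL
2017-08-23T15:40:02Z 203.0.113.7 bob@example.com FAIL
2017-08-23T15:40:02Z 198.51.100.4 carol@example.com OK
2017-08-23T15:40:03Z 203.0.113.7 carol@example.com FAIL
2017-08-23T15:40:04Z 203.0.113.7 dave@example.com FAIL
2017-08-23T15:40:05Z 203.0.113.7 erin@example.com OK
2017-08-23T15:41:10Z 198.51.100.9 frank@example.com FAIL
2017-08-23T15:41:12Z 198.51.100.9 frank@example.com FAIL
2017-08-23T15:41:15Z 198.51.100.9 frank@example.com FAIL
"""

def parse(log: str):
    rows = []
    for line in log.splitlines():
        ts, src, account, result = line.split()
        rows.append({"ts": ts, "src": src, "account": account, "ok": result == "OK"})
    return rows

def three_strikes(rows, threshold: int = 3):
    """Per-account lockout: accounts whose own failure count reaches the threshold."""
    fails = Counter(r["account"] for r in rows if not r["ok"])
    return sorted(a for a, n in fails.items() if n >= threshold)

def spray_sources(rows, min_accounts: int = 3):
    """Per-source view: sources that failed against many *different* accounts."""
    accounts = defaultdict(set)
    for r in rows:
        if not r["ok"]:
            accounts[r["src"]].add(r["account"])
    return sorted(s for s, accs in accounts.items() if len(accs) >= min_accounts)

def suspicious_successes(rows):
    """Successful logins from a flagged source: the accounts to review first."""
    flagged = set(spray_sources(rows))
    return sorted(r["account"] for r in rows if r["ok"] and r["src"] in flagged)

if __name__ == "__main__":
    rows = parse(LOG)
    print("locked by three strikes:", three_strikes(rows))      # only frank
    print("spraying sources:", spray_sources(rows))             # 203.0.113.7
    print("successes to review:", suspicious_successes(rows))  # erin
```

The per-account counter only catches the one source hammering frank; the source that gets a hit on erin never reaches a second strike on any account and is only visible when failures are grouped by source.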

    Brenda Brooks
    8/24/17 @ 10:41 am

    A lot of sites have certain rules about passwords only being alphanumeric. Can I get Keychain to supply random passwords in this format?

    8/24/17 @ 10:43 am

    Brenda: Hopefully, you don’t come across many of these sites anymore. Those kinds of restrictions only work to make passwords weaker. If you do find one you can always allow Safari to suggest a password, and then remove those characters yourself.

    8/24/17 @ 11:00 am

    Hi Gary, where can I go to learn basic user understanding of Keychain? For example, how to retrieve a password from it. I know I can go to Apple but I like your step by step videos.

    Gordon Brown
    8/24/17 @ 11:25 am

    Hi Gary, most banks and credit card sites will not allow autofill or ask for specific letters or numbers from your password. How should we cope with this, please?

    8/24/17 @ 11:29 am

    Gordon: I hope that this kind of thing is getting rarer as limiting what you can use in a password greatly weakens the password. But if you still find a site that insists on some nonsense like this, then you can try just using the autofill password and deleting the extra characters. That way it is still random, at least.

    G Ludington
    8/24/17 @ 12:26 pm

    You forgot to mention the utilization of 2 step verification if sites offer it

    8/24/17 @ 12:41 pm

    Interesting video. I like using Keychain Access – but how to make a secure Keychain Access password? That password I will have to remember…

    8/24/17 @ 1:43 pm

    G Ludington: Yes, there are lots of other aspects, but I wanted to deal strictly with this one topic here. I’ve got a free online course on Mac Security (see right sidebar here) and it is a few hours long and covers those things.

    8/24/17 @ 1:43 pm

    Janus: In Keychain access you have the ability to generate passwords. You can use that to create a good random one to use for your user login.

    Gordon Brown
    8/24/17 @ 1:44 pm

    Thanks Gary.

    8/24/17 @ 5:53 pm

    One trick I use to create (and remember) “nonsense” words within a password is to use the first letter of each word in a song title (or common saying):
    On The Road Again – otra
    Willie Nelson’s On The Road Again = wnotra
    Early To Bed, Early To Rise = etbetr
    Then I might add easy-to-remember years (birth year digits in order, or out of order.)
    And, “favorite” special characters. I like “@”.
    -=Gr@nt M@cL@ren=-

    Gary Rosenzweig
    8/24/17 @ 7:20 pm

    Gr@nt: Actually, this is exactly what I am warning against in the video. Those are all examples of weak passwords. You shouldn’t use any of those, or combinations. You need to use randomly-generated passwords.

    8/25/17 @ 8:41 am

    Gary, if I would replace all my passwords by Safari-generated ones and then depend upon iCloud Keychain, are the passwords encrypted and stored locally across all my devices (and then new/changed ones sync’d via iCloud), or do the devices need iCloud access in order to fill them in? I realize if wifi or internet is down I wouldn’t be online anyway, but there is a chance I might be online but unable to connect with iCloud. I fear giving up complete control here.

    8/25/17 @ 8:51 am

    Ron: iCloud encrypts the passwords. iCloud stores them locally for times you don’t have access, but obviously updates to those passwords won’t work until you are connected.

    Kay Arnold
    8/25/17 @ 10:30 pm

    What if my MacBook Pro… Safari crashes?? How do I retrieve the keychain passwords??

    8/26/17 @ 7:16 am

    Kay: If Safari crashes, then just restart it. If you can’t run Safari at all, then you’ve got problems that you need to fix. You can always use the Keychain Access app on your Mac to get to your password another way temporarily while you fix it.

    8/27/17 @ 3:39 am

    Is it possible to print a physical copy of your Keychain passes to keep locked away?

    8/27/17 @ 8:01 am

    Jasper: Not really possible. I guess this is too much of a risk — someone gets access to your computer for a few seconds, prints all (to a PDF or whatever), and takes them. You can always look through them, grab your most important passwords to critical sites, and copy and paste those into a document to print (and delete the document).

    8/30/17 @ 2:19 am

    Hi Gary, what if I use a generated password from Keychain and then my Mac crashes and is formatted and the backup got corrupt, so I start with a completely new machine. Where shall I look for those passwords? Are they lost?

    8/30/17 @ 6:57 am

    Lubomir: If you are using iCloud Keychain, then no, they are not lost. Just log on to iCloud with your new Mac. Also, most systems have password recovery options. What happens if you forget your passwords now?
