by Constantine von Hoffman

Google Ad Accidentally Shows What’s Wrong with Passwords

Nov 14, 20112 mins
Data and Information SecurityEncryptionPhishing

Google's marketing push around online safety would be more impressive if its example of a good password wasn’t so bad.

Google is doing a big marketing push around online safety and protecting your information. This would be more impressive if the company’s example of a good password wasn’t so bad.

As part of its “Good To Know” campaign, Google addresses what goes into making a password strong. While it’s not cutting edge advice, it is solid common sense stuff like:

  1. Use a unique password for all your important accounts.
  2. Use a long password.
  3. Use a password with a mix of letters, numbers, and symbols.
  4. Try using a line from a song, film or play.
  5. Etc….

Here’s what they say about using a line from a song, film or play:

One idea you can try is to choose a line from your favorite song, film or play, like “To be or not to be: That is the question.” Then use numbers, symbols and mixed-case letters to recreate it: “2bon2bT1tq” is a password with quadrillions of variations. The more unusual the phrase you choose the better!

That particular password is based on little known line from a minor work of literature called Hamlet. You would do better to pick something a lot-less well known. How about, Wher4artTH00?  That’s because, as the folks at the blog Light Blue Touchpaper point out,

4 people out of 32,603,387 picked ‘2bon2btitq’ and 5 picked ‘2bon2b.’ The roughly one-in-a-million probability sounds impressive, but it only puts people using these passwords in the 50th and 48th percentiles of security. In other words, Google’s advised password is more common than what half of users choose. 

They suggest using the Diceware approach I discussed last month.

Google does have a much better solution than trying a variation on Mi2-step verification system requires access to your phone, as well as your account name and password. It uses a phone app to generate a unique password which you have to enter in addition to the usual password. You don’t have to do this each time you log in, just every 30 days or so. 

It may not be a foolproof system, but it’s pretty damn close.

Now to get something like it for the rest of the internet.