Is the BBC’s advice on choosing a password sensible?

Question

In this article on the BBC’s website they offer advice on how to develop a password. The steps are as follows.

Step 1: Choose an artist (a recording artist I presume)

Lets choose as an example case study the teen idol and all round bad boy Justin Bieber.*

Step 2: Choose a song. (The catcher the better)

Next, I need to choose a song from the Biebs vast repertoire of classics. My particular favourite of his, is his insightful look into the dark world of controlling relationships “Boyfriend”.

Step 3: Choose some lyrics

Now I need some lyrics from “Boyfriend”, I'll go with the slightly menacing chorus. “If I was your boyfriend, I'd never let you go”

Step 4, 5 and 6: Passwordify the lyric

Now we need to take the Biebs prose and turn into a password. We do this by taking the first letter of each word in the lyric “If I was your boyfriend, I'd never let you go, I'd never let you go”

iiwybinlyg

Make it case sensitive:

iIwyBiNlYg

Turn it into 'leet speak' by changing it up with symbols and numbers:

1Iwy&1NlY9

My question isn't about the mathematical strength of passwords which obviously will depend on the lyric that is chosen and how one goes about passwordifying it, it is more about the the predictability of the total amount of possible passwords that are likely to pop up using this method.

As we are all aware, humans can be very predictable creatures, it wouldn't take a huge amount of effort to generate dictionaries based on certain demographics, music genres, or targeted attacks based on profiling individuals.

My initial thoughts on this was that this would be terrible advice to give out in a business as it would lead to many users using the same formula to develop their passwords, which would only be exacerbated by making the passwords more predictable. On a national scale this could be sound advice, which leads me to my question:

Is the BBC’s advice on how to choose a password sensible, given how predictable we humans are? If so, in what scenarios is this sensible advice?

*Justin Bieber used for humorous reasons only.

Answer 1

My question isn't about the mathematical strength of passwords which obviously will depend on the lyric that is chosen and how one goes about passwordifying it, it is more about the the predictability of the total amount of possible passwords that are likely to pop up using this method.

This is a good question, and I'm going to depart from the norm here, put on my tinfoil hat, and say "no, this is not a good idea." Why? Let's look at it in the context of the Snowden leaks.

Because the GCHQ spies on all traffic on the British internet, and according to the Snowden leaks, your internet traffic is shared with the five eyes. Even if you're using HTTPS, this is a bad idea.

"But Mark Buffalo, you're being a maniac tinfoil hattist again!" Think about it. The time to crack your password was suddenly and significantly reduced. How?

1. GCHQ takes history of your online searches. They likely know when you signed up for a certain website thanks to XKeyscore.

2. If they know when you signed up for that website, they'll see you went to Google.com around that time and did a search for song lyrics. Even if you're using HTTPS, the fact that you connected to google.com around that time, and then visited a website that hosts song lyrics, is all they need to begin breaking your password.

   • Even if they can't view the traffic, they can still see that you connected. Even if you're using HTTPS, this doesn't stop them from hosting lyric websites themselves. This also doesn't stop companies from logging your search results, and it doesn't stop the companies from providing these results to anyone. If they know what kind of songs you like, or don't like, it makes it even easier.

3. Now they can write an algorithm to crack your passwords much, much easier than brute-forcing every possible combination. Or even better yet, use a ready-made password cracker with a provided dictionary of those results.

---

But Mark Buffalo, the government isn't monitoring me!

That's all fine and dandy. You generally don't need to worry about them unless you're a criminal. Or you're privacy-conscious. Or you're a security researcher.

There's another important aspect you need to consider, which I think is far worse than the government: advertisement companies, and hackers "But Mark Buffalo, I use NoScript (great) and Ghostery (Ghostery sells your info)!" Most people don't use those. And many people who do, also don't use those tools when they use their smartphone.

There are data trails everywhere, especially if you own a smartphone (android in particular), and there are plenty of evil marketing companies that will sell your data down the river the first chance they get. Or maybe they aren't evil companies, but they get breached by hackers.

Anyone with a "need" could buy that data, and those sophiscated enough could steal it. While this seems like frantic worrying for such a small thing for most people, it gets much worse when you delve into the realm of federal contracting. This is one of the ways security breaches start.

All of the steps listed previously could be done without XKeyscore. They can be done very easily with vast marketing databases.

---

Stop the tinfoil, Mark.

If I were wearing my tinfoil hat right now, I'd believe this article was made as part of a plan to intentionally weaken standards. I personally believe that weakening standards is a national security risk, especially when federal contractors adopt those weakened standards.

Personally, I would worry more about evil marketing companies and hackers than I would the government. Especially when deliberately-weakened standards are what help potentially-hostile countries gain unauthorized access to critical infrastructure and intellectual property.

---

But seriously, this makes your password weaker

Now let's talk about numbers, and social engineering.

With a normal brute force of this password, you'd likely need the following characters based on this password policy:

  abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=

That's 76 possible characters. With this password method, assuming most people will use 6-7 words to generate the password, and perhaps add 1 symbol - !@#$%^&*() being the most common - plus a number, you'll need to test - for an 8-character password - 1,127,875,251,287,708 combinations to exhaust the password space. This could take an impossibly long time depending on the hashing algorithm and hardware.

Let's use md5 as an example (it's terrible, but it's computationally cheap. Please don't use md5; I am only using it as an example). To exhaust the character space of an 8 character password, it would take 4 years to crack with a cheap workstation. About 4 years 25 days 7 hours 46 minutes 54 seconds. If you were to up the password length to 9, it would take over 309 years. Keep in mind that processing power is growing rapidly.

Learning extra parameters about the user's password allows you to simplify this. Let's assume that you choose the following song: baby hit me one more time. This is your favorite song, and I know this because I socially-engineered you into telling me. Let's choose a predictable lyric phrase to create a password with: Hit me baby one more time. This becomes HmBomT. Now let's add some leet with a number. Now we have H@BomT3. Now that we know your favorite song, and your favorite phrase, this is what your password alphabet space becomes:

hHmMbBoOmMtT1234567890!@#$%^&*()-_+=

As you can see, this alphabet space is significantly reduced. It's much, much faster if you know what character the password starts with, but let's assume you don't. Let's further assume it's been randomized. Now you've reduced the time needed to exhaust the password space to 2,901,713,047,668 combinations, it takes 3 days to crack the password with a cheap workstation. Let's upgrade it to 9 characters. Now it takes 137 days 15 hours 47 minutes.

You can calculate this yourself (charset: custom). Also, all of this assumes you don't have a dedicated GPU cluster.

EDIT:

It's come to my attention that there is now evidence of custom hardware solutions dedicated to cracking bcrypt, one of which is a lot less expensive than a 25-GPU array, uses less power, and is vastly superior in every regard. Please read this amazing article if you want to learn more.

---

But shouldn't we simply increase password length?

Yeah, you could. Truthfully, it greatly increases entropy when you increase the password length.

However, then it becomes annoying to enter - especially for corporate environments that require you to log out every time you leave the computer. On top of that, it's very hard to remember this password.

You might eventually forget it after entering different passwords and being forced to change every few months. Even worse, you could forget it immediately, and be forced to visit the IT help desk to reset your password. This results in costs to the business, and lost productivity.

In fact, a better method would be a xkcd's correct horse battery staple. You could use an upper case somewhere, and a number somewhere else, or you could make it even easier while increasing entropy: something like correct horse battery staple gasoline. It's very easy to remember, very easy to type, and it's very hard for computers to break. Also remember that this should be randomly-generated from a 2048 word list.

For websites, I would recommend a password manager such as KeePass. I would not use LastPass, as it's vulnerable to phishing attacks. Websites can know you have LastPass enabled, because your browser is sending this information to the website if requested! This is part of how browser-fingerprinting works.

For corporate and other logins which you aren't able to use a password manager with, I would recommend a variant of correct horse battery staple with an extra word. Maybe correct horse battery staple gasoline? Much easier to remember.

Answer 2

It's horrible :) To provide some numbers to back claims by other answers:

This provides some numbers of how many songs are popular per year. For the last decade it was as low as 300-400 Top40 hits per year! Average word count for a song is 300-600, depending on the style, and they do 7-10 words per sentence (And I imagine that's the comfortable length of a password nowadays).

All this tallied up - the corpus of password bases for people who listen to popular music will be about 40,000 per year, not including repetitions (And we all know popular songs don't have a single repeating line!).

As such, just picking a random common, everyday word and adding your favorite digit to the end is just as secure a password base (assuming your favorite song is less than a year old - very true for so many people!). Which, if you ask any IT or security personel, is not secure at all. In fact, it's strictly worse than XKCD's famous tr0ub4dor&3, due to a smaller corpus and smaller average word length, and that was discussed en-masse.

To add insult to injury - none of the steps in the advice is any good really.

• Most people tend to listen to the same music. Just go to a concert of a boy-band and look at the sheer size of the crowd (vs the number of words the singer is going to mutter).

• I sincerely doubt most people will take the fiddly middle of a verse. I find it much more plausible that it's the catchy chorus that will be chosen (After all, you have to remember the line word-for-word, not just the general meaning or tempo!)

• Taking the first letter of words is horrible. 7 letters cover 65% of the language that way. Of course this didn't analyze lyrics specifically, but I doubt it's better there¹.

• Case-sensitive is OK, but only if you make the uppercase positions truly random. Which you won't. It's too easy if the first one is capital. And you don't lump them together, nonono. And there has to be a decent number, but not too much, right?

• l33t-ing a password is mostly meaningless. Of the most-common letters, only a couple can be replaced, and the replacement is known beforehand. And you won't properly randomize which characters get replaced and which - not.

---

¹ Trying to make an argument, I actually calculated the Shannon entropy from the article above. Turned out it's ~4.075, vs 4.7 for a random letter distribution. This is not as bad as I expected, although it does mean that a 10-character password is 70 times easier to guess if it's made by first-lettering, rather than having random letters

Answer 3

It is more secure than what most people are doing, which is to use one dictionary words. The BBC's method starts with one or two sentence, instead of just a word. However, it is less secure than what it could have been.

First, if you're using a well known chorus, you're increasing the chance of other people having similar passwords to you.

Second, personally I think it's easier to type whole words than disconnected letters, even if it increases the number of keys that you need to press. Using just the first letters from a sentence throws away entropy.

My advice if you need a password that's intended to be remembered (i.e. can't be saved in a password manager) is to randomly generate a phrase using something like diceware.

Another alternative is to start by generating a random n-letters password. But then try to find a mnemonic for it. This difference in the order is crucial; if you start with the mnemonic and then passwordify the mnenomic, you're likely to be less random than if you generated the password first.

Answer 4

yes its not bad advice though it depends how strongly people follow it, unlike your self I wouldnt slam my favourite artist out there (we all know you like JB..)

following this advice would most likely make many pick their FAVOURITE artist and their FAVOURITE song and most likely the chorus or very well known line (the ones you sing along to and do not mumble) making it very easy to work out the average persons password, but, as it stands following this method would make it alot harder to guess but also alot harder to remember. creating good passwords and remembering them is a gift some people do not hold.

my counter advice would be randomly generate all of your passwords and store them in a keychain keeping only your primary email password and password to your keychain stored in your head.

but once again just so i do not seem so negative, this is a better option than ilovejb2016... its not bad advice for non-tech people.

I wanted to speak about this again, update my answer.

Im not saying its good for someone like us on this site who know security and are security conscious to follow this advice, this would most likely weaken our passwords following this method. BUT BUT BUT this advice would help people like my parents, my nan, kids. those who passwords might and most likely are terrible words following the standard one capitol letter at as their first character lower case and a number (most likely their age, birth year, 1, 11, 123, 321) and the password its self is a normal word relating to their everyday life. e.g. the name of their pet hippo.. Chubby123 for example!

THIS IS GOOD ADVICE FOR THOSE PEOPLE. but not us, you have to remember people, people are not very good with computers or being secure I could hack all of your grandmothers by writing common words.

Answer 5

Like most things in security, it depends on what you're trying to protect, and who you're trying to protect it from.

Short answer is: For logging into most websites, it's likely secure for attackers trying to guess passwords by trying multiple logins.

For any scenario where an attacker can perform an offline attack this is unlikely to be a good method of preventing a determined attacker since offline attacks can perform millions, sometimes billions of attempts per second. This would be true for wifi passwords, encryption passphrases, or if an attacker obtains the hashes from a website.

Answer 6

Passwords length is more important than complexity when it comes to security.

1Iw&iNLy3 so this password has 9 characters which is quite low and can be cracked in a matter of time.

So, when trying to increase the strength of your passwords/pass-phrases, my advice is to consider length as much or more than you consider complexity. Make your admin and root passwords/pass-phrase 18 or more characters long and forget about complexity at 18 characters-plus, they are all but uncrackable.

Please check yourself here the strength:

https://howsecureismypassword.net/

This password 1Iw&iNLy3 can be cracked in 275 days while this passphrase I_Like_Sausages_and_Eggs_For_Dinner will take 64 quattuordecillion years to crack.

So answering your question it is a very bad advice.

https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength

http://crambler.com/password-security-why-secure-passwords-need-length-over-complexity/ https://stormpath.com/blog/5-myths-password-security/

Answer 7

In a world where people very frequently disclose information on social media about their favorite musical artists, songs, genres, and even specific favorite lyrics, is this a good password strategy to use?

Umm... no.

Will it withstand a simple guessing attack using, say, 500 very frequently-used passwords? Sure. (Unless the dictionary creator was wise to this tactic and you picked a really, really, really commonly-chosen lyric, I guess.) But if you were interested in stopping an attacker who was willing to do even very basic targeting recon/info-gathering about you--or already knew you to some degree (for eg., a co-worker)--this would be a lousy password choosing-strategy.

Answer 8

To play devil's advocate, this technique can be used if you end up with a long enough password (you may want to use two lines for this). And it is definitely an improvement if your old password is harry1990 or qwerty123. However, this technique is (a) overly complex, and (b) the resulting password is sub-optimal. I believe this famous XKCD comic best explains what's wrong with complex convoluted rules which define your password:

Answer 9

Considering most people would likely pick a popular song's chorus (especially since you want 'the catchier the better') and only change letters like E and A to 3 and 4 respectively, it wouldn't be beyond the bounds of reason to generate a wordlist from popular songs in this manner with relative success.

Answer 10

Humans are indeed very predictable, a lot more so than we usually think we already are, see e.g. here. So, you should never choose your passwords using a scheme that involves meaningful information to you.

Answer 11

The short answer is "no". This article by Jeff Atwood makes are fairly good case for any password of less than 12 characters being insecure.

Summary: the above is fine for the someone-trying-passwords scenario (~1000 guesses per second), but so would just using the phrase "If I was your boyfriend, I'd never let you go" as your password. Most people have so many passwords, at some point some some service they use will have all their password hashes dumped. This is the "offline" checking of hashes scenario. If the service uses an insecure hash, then your password doesn't matter. If they use a secure one, but someone thinks there's money in cracking the passwords, time on "cloud" machines with GPUs for fast hash calculations is cheap. This page puts the time to brute-force your example password at under 2 hours in such a scenario.

Answer 12

No. It isn't good advice on creating a password. I can't really see any specific advantage to the password method at all.

It's easier to guess because it likely uses a common phrase (remember, as criminals we're trying to crack as many passwords in the database as possible, not one specific one. Yes you might use an obscure phrase, but I'll bet the majority of people will use a chorus lyric from a popular song).

It's not secure to brute force attacks either. The length of password it produces is short, so you can brute force it relatively quickly. Maybe it would hold out against a brute force a bit longer than an equal length password without characters, as the criminals would likely run a brute force on just alphanumeric characters first.

It's also less secure because it's difficult to remember. If you can easily remember your password, you don't write it down on the post-it note under your desk or in the passwords.txt file on your desktop.

The only advantage this method has is resistance to dictionary attacks, as it contains no dictionary words.

As others have mentioned, the Correct Horse Battery Staple method is the best method for creating a memorable password that is resistant to pretty much every attack. There are currently 1,025,109 English words to choose from. 4 words gives 1.1^24 possibilities and 7 words gives you more combinations than the number of possible MD5 hashes. If you choose even a 4 word password and replace a random character with a random ascii character/symbol, you have essentially made dictionary attacks impossible and only brute force applicable. Assuming an average word length of 5 characters, the total number of combinations would be ~20^254, which is too big to compute even by Google's calculator.

However, if you can remember 4 words and a substitution, the password is incredibly easy for you to remember.

So basically, BBC's method is less secure than randomly generating a password. Don't use it.

Answer 13

Use a password manager.

A very popular password manager among the technocrati is KeePass.

My IT manager says "LastPass for the babies" (implying that its easiest).

---

edits: link removed due to objections to article's credibility. Direct answer added by request.

As for the question, I'll say it's good (but not great) advice. There's definitely worse passwords out there than 1Iw&iNLy3, and its more of a guideline than an algorithm: while you're using Justin Beiber, I could use quotes from the I Ching, Yogi Barra or Rocky IV, and my 'passwordification' can be more or less complex than yours. So their advice is a perfectly good starting point for folks who decline the use of a password manager.

Answer 14

In a word, no. It is extremely stupid. Anything that reduces the search space for attackers is insecure. Don't do this. Somebody should hold the BBC to account for this.

Answer 15

This is really bad advice I concur with the general consensus.

But, the target audience for this advice is people who use passwords like password123 or il0vecarr0ts so this will improve their passwords, albeit with a flawed password...but less flawed. Which is a good thing.

Also the risk of what you are protecting has to be considered, for example if a 14 year old girl is using a JB song to seed her password for Facebook, then that is probably a reasonable risk to take.

If however if someone like BA Obama is using all the single ladies by Beyonce to seed the password that protects the proverbial big red button on the US nuclear arsenal..well then that would be a little too risky.

Answer 16

Is this password better than other naive schemes that generate passwords like Texas89, ddddd, zxczxc, Judges12:6, purple1, or 65432? Yes, much better. Would I recommend it to a friend? Probably not.

A good password generation scheme balances the priorities of trillions or more unique passwords (not just thousands), and being easy to remember and type. This password scheme, especially as described by BBC, makes it too easy to make an insecure password for how hard the passwords are to remember.

What's our threat model?

• Is a hacker using a leaked password from somewhere else to see if you reused it? The suggested scheme makes it easier to generate lots of memorable unique passwords than other schemes (like adding 0 to a random word), so you could protect yourself here as long as you remembered the hundreds of passwords you're creating.
• Is a friend, colleague, or social engineer trying to guess your password based on their knowledge of you? In this case they'd likely never guess the password even if they correctly guessed it was based on one of your favorite songs.
• Is a hacker trying to crack your password offline (e.g. after a database leak)? This is the most dangerous threat, and the one with the most complex password policy implications. We'll discuss that in greater detail.
• There are also methods like phishing, taking over the password reset, and stealing a plaintext database. In all of those threats it doesn't matter how complicated your password is; it's gone anyways.

However, it's worth pointing out that using a password manager effectively is a better solution to all of the above threats, although it does introduce a minor additional threat of having your password manager's database leaked.

What advantage is there in only using the first letter?

There are thousands of words in the English language and but only twenty six letters. Even natural English, non-random phrases give you more entropy than the collection of their first letters (see more below). "ijamwnsasth" could stand for "I'm just a man who needed someone and somewhere to hide", "it's just a most wonderful new shirt and skirt that had" or "imagine just anyone may work near Seattle and show them here", "in just a manner which satisfied and seemed to her", or hundreds of other phrases.

Of course, password crackers do sometimes have databases of song lyrics to draw from, so this suggested password scheme is probably attempting to circumvent attacks based on such databases. The problem is that they're significantly cutting the complexity in the process. You can add strength to a password by taking away letters (for example, letein is better than the extremely common password letmein), but this suggested scheme seems to strip away too much randomness to make the password stronger.

The only realistic reason I can see to use this scheme instead of using the full words is if the service used has a maximum password length. Since many passwords are compromised by methods other than offline cracking, a high maximum password length is sometimes viewed as unnecessary by companies. A lot of companies still have 16 character or lower for maximum password length, despite OWASP's recommendations on the matter.

Password entropy

Humans are pretty bad at telling how complex a password is by looking at it, so don't trust just your judgement. We can measure password complexity in bits of entropy, and there are several ways to do it. The most naive way is to assume the attacker is trying to brute force the password using all the characters in the character set allowed, in which case password length and character set allowed are the only criteria. Full-knowledge entropy, on the other hand, assumes the worst-case scenario in which the attacker fully understands your password generation scheme. In practice the true difficulty of your password usually lies somewhere between the two, usually closer to full-knowledge entropy due to the sophistication of modern crackers.

As for blind entropy, this scheme seems sufficient when a long password is used. However, the article by BBC doesn't state any suggestions for password length, which I view as a major oversight. Since password cracking difficulty goes up exponentially, especially when brute-forcing a large character set, adding just two random characters to your password can make your password 1000 times harder to crack. Both the password suggested here and on the BBC site are at least ten characters long, providing a large amount of entropy.

Is the first letter really better than the whole word?

We know from Claude Shannon and more modern results that the English language has at least 1.1 bits of entropy per non-space character, possibly as high as 1.75 bits (see also here). Other studies show that each word can be estimated to add 5.97 bits of entropy.

In comparison, the entropy of random letters in the English alphabet is 4.7 bits and the entropy of first letters is about 4.1 bits per letter. That means the first letters in a randomly chosen 6-word phrase is about as random as the first four entire words in the same phrase, or that even a single random letter is only as complex as about four letters of a normal phrase. (Note that these figures don't apply when the individual words are randomly chosen, as in the xkcd scheme.)

But aren't song lyrics more predictable? Not much more predictable than other English phrases as long as the lyrics as randomly chosen. Careful analysis of the frequency distribution of the MusixMatch dataset against other English corpora shows that the differences are not huge, and some of the differences can probably be attributed to differences in counting methods. See the chart below. However, this is all assuming that we're choosing our phrases completely at random from each source. If you pick a common phrase from either you might be busted.

So in summary, even if the attacker knows that you're picking 10 fairly-random letters and your neighbor is picking 10 whole words from lyrics, your neighbor's password is more complex, assuming the lyrics are randomly chosen. Changing capitalization or using common character substitution only mask this problem.

Why substitute characters for numbers and change the casing?

You might say to yourself "26 character English is way too small a character set. I'll just substitute @ for a and the attacker will be forced to use dozens of symbols in the character set". In reality, hackers know you'll make substitutions like this so p@ssw0rd is still a horrible password. So yes, changing case randomly and substituting characters will make your password more random, but don't expect your password to be more than 2-4 times more difficult to guess per character when using both of these methods.

That being said, most services now force you to use an alphanumeric password and this ensures you meet those constraints. However, I'm wary of using symbols as the primary method to enforce password complexity since they make it much more difficult to remember your password, hackers know you're going to make these substitutions, and several studies have shown that increasing length, not character complexity, is often the better way to generate secure passwords. (see this study or this one)

Actual Password Cracking

Your BBC-scheme password would probably be cracked using plain brute-force. A password is typically cracked by running every combination of a set of composition rules over every hashed password in their stolen database. Password composition rules include dictionaries of common words, numbers, and character substitutions. You can learn more here.

For example, if you used several entire words and your password was short enough, the attacker could possibly crack it using a dictionary attack. In the book Financial Cryptography and Data Security, researchers ran an experiment in which 37% of their cracked passwords matched lyrics but only 5% of these lyric passwords were not found using dictionary based attacks or other password databases.

However, since your characters are fairly random, I don't think any of the commonly used rules would help here. The best approach would be brute force over the character set of alphanumeric characters and common substitution symbols like @. I'm no expert in estimating cracking time, but based on results like these any such password of 6 or fewer characters would be very insecure, but any password in this scheme of 11 or more characters should be ok for the average user. Such a password would be so difficult to brute force that an attacker would have to be running a custom hardware, have huge amounts of lot time/money, and/or be cracking an insecure hash like md5.

So in summary: yes if you pick song lyrics as randomly as possible and you make sure it's long enough, this scheme suggested by BBC would generate a secure (but hard to remember) password. It's better than most naïve schemes average people use for passwords. However, it's based on some shaky principles, like assuming the first letter is better than the whole word, and BBC's article omits some of the most important points like the importance of length. There are better ways to come up with and manage passwords. I wouldn't recommend this to a friend.

Answer 17

Doing the math your password gets more secure (higher entropy) if its longer not more complex. Ideally it is long and complex but who can remember that. So there is always a trade-off between usability and security.

Here is are two good blog posts which discuss that in detail:

https://pthree.org/2011/03/07/strong-passwords-need-entropy/

http://crambler.com/password-security-why-secure-passwords-need-length-over-complexity/