Edward Snowden on Passwords: You’re Probably Doing Them Wrong

Sunday, on Last Week with John Oliver, Oliver aired an interview he did (in Moscow!) with Edward Snowden. As we have come to expect from Oliver, it was very funny… and very unsettling.

In the interview, Oliver asks Snowden about what the various US government spying programs can monitor. While this is usually a very dull topic that only the more security-aware of us could (or would want to) follow, Oliver manages to frame the discussion in a way that brings it close to home (and below the belt). In a nutshell, the federal government can read virtually everything you email, and a lot of what you text or say over the phone (the government says they don’t, but according to Snowden, they can). They can do it all legally, thanks to the vague wording and broad interpretation of the Patriot Act, and there isn’t much you can do about it, other than urge your representatives to modify the language. There is, however, something you can do about the less legal acts of spying and data collection, and, according to Snowden (and most security experts) you’re probably doing it wrong.



Bad passwords are one of the easiest ways to compromise a system.

Thanks to hollywood, the image of a hacker is someone typing furiously at a keyboard, making guess after guess at what your password might be based on information they know about you. Because of this image, far too many think that all they need to do is have a password that appears random, misspelled or unrelated to them. And they leave themselves incredibly vulnerable.

Hackers do not do the typing themselves, they use programs to do it for them (and there’s no actual typing, but that would make the movies really boring). Those computers check for every word in the dictionary, as well as permutations of those words (including intentional misspellings and variations). And those computers and programs are fast. As Snowden says in the interview, for an 8-character password it can take “less than a second for a computer to go through the possibilities and pull that password out.” That bears repeating… Less Than A Second.

To give you a sense of the truth of this, let’s use an example. Say you’re into shoes, so you have the password Shoo F3tish. It seems like a good password, right? It’s misspelled. It’s got a number in there to mix things up a bit. Now do a Google search for it and take a look at the top of the page…

Shoo F3tish Google Search Screen Shot

Not only did Google know exactly what you meant, but it came up with “about 1,170,000,000 results” in 0.56 seconds. Now, obviously, Google’s system works differently than a hackers, but it gives you an idea of how smart and fast these computers and programs are.

So what can you do?



Ideally, your passwords would follow these general rules:

  • they would be long – 12 characters or more
  • they would contain numbers, capital letters, lowercase letters and symbols
  • they would be random
  • they would be different for each site

This is, of course, unrealistic to the point of being ludicrous. Password management software (1Password, Dashlane, LastPass, etc.) can make it easier, but even with those, it’s cumbersome to have passwords that you can’t remember off the top of your head. Wouldn’t it be great to have a password that follows as many of the rules above as possible, but is also easy to remember?


The best advice is to shift your thinking from pass-word to pass-phrases.

If you can change your thinking from “words” to “phrases,” your accounts suddenly become more secure. If you take the example above, and make it more of a sentence – ihaveaShooF3tish – it quickly becomes more secure. Now, if we mix up the capital letters a bit (let’s only capitalize the vowels) and add a few symbols – Ih@ve@sHOOf3tIsh! – it becomes even more secure, while still being easy to remember. Is it uncrackable? No. It’s still just a string of permutations of words in the dictionary. But it is much more secure.



One of the things Snowden doesn’t touch on in the interview is that passwords aren’t everything. Many hackers won’t target your account individually – they’ll attack systems that give them access to hundreds or even thousands of usernames and passwords. Then they’ll try those credentials on other popular sites. Because of this it is important to use different passwords for different sites.

I know, I know. How can you possibly remember different passwords for every site, if it took this much to remember just one? It sounds crazy, but it’s not impossible.

For example, one way to do it is to add a word to your pass-phrase that is specific to the site you’re accessing. You don’t want it to be the name of the company, of course – Ih@ve@shOOf3tIsh!target – that’s too easy to guess. However, if you take another element of the store, like the logo, and add that, you now have something easy to remember, but not so easy to guess – Ih@ve@shOOf3tIsh!bullseye. Again, it’s not uncrackable, but it does make it a lot harder, and that can often be enough.