I don’t know if this is actually a good idea or not, but hear me out (and please comment below!):
Can a URL be used as a strong password?
Laziness is the Mother of Invention
This morning I was walking the dog, futzing with my phone, and trying to sign up for a new social network. The app asked me for a password, and I didn’t want to use my standard low-security, easy-to-type-on-a-smartphone-with-one-hand password (because low security passwords are a bad idea). I wanted to follow good practices for creating strong passwords and I was in the mood for a lazybones way to do it.
My phone has an awesome custom keyboard called TouchPal that has its own clipboard manager which allows me to pull up a list of the last few things I’ve copied to the clipboard and paste them into new things.
Today, when prompted to come up with a password for a new app, I looked in my clipboard history and found a URL for an image I had recently copied and pasted somewhere else:
https://media.giphy.com/media/yHpvgfOKKBAD6/giphy.gif
I pasted it into the app, it accepted it (apparently it doesn’t limit password characters, which is great), and my password manager stored it so I can always just paste it in when I log in.
How Secure is That?
It hit me that this URL fits most criteria for a strong password – it’s got 53 characters (!!!) made up of letters, numbers, and punctuation, which, although it doesn’t have capitals, still makes it a pretty strong password.
It’s not on the most common passwords 2016 list, and it doesn’t contain easy-to-guess life details like birthdays, pet names, child names, sports teams, anniversaries, or the word “password”. It’s not even a URL that’s near and dear to my heart, like my website or something — just a completely RANDOM, Strangers on a Train – style image URL that happened to be handy at the time.
In fact, according to HowSecureIsMyPassword.net, it would take a computer about 112 SESVIGINTILLION YEARS to crack your password!!! That’s by far the highest score I’ve ever seen on that site, and is probably the biggest number I’ve ever heard of anywhere, BTW.
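As an added example (not from the original post), here is how a length-and-character-set estimate of the URL above compares with one that counts only the part of the URL that varies. Assumptions: the pool sizes model a generic naive meter rather than HowSecureIsMyPassword.net's actual algorithm, and the Giphy prefix and suffix are treated as a fixed, known template based on the single URL quoted here.

```python
import math
import string

# The URL quoted in the post, used as the sample password.
URL = "https://media.giphy.com/media/yHpvgfOKKBAD6/giphy.gif"
# Assumed fixed template around the image ID (inferred from this one URL).
PREFIX = "https://media.giphy.com/media/"
SUFFIX = "/giphy.gif"


def char_pool(s):
    """Size of the character pool a naive length-and-charset meter assumes."""
    pool = 0
    if any(c in string.ascii_lowercase for c in s):
        pool += 26
    if any(c in string.ascii_uppercase for c in s):
        pool += 26
    if any(c in string.digits for c in s):
        pool += 10
    if any(c in string.punctuation for c in s):
        pool += len(string.punctuation)  # 32 ASCII punctuation characters
    return pool


def naive_bits(s):
    """Entropy in bits if every character were picked independently at random."""
    return len(s) * math.log2(char_pool(s)) if s else 0.0


def structured_bits(s, prefix, suffix):
    """Entropy in bits when prefix and suffix are known and only the middle varies."""
    if not (s.startswith(prefix) and s.endswith(suffix)):
        raise ValueError("string does not match the assumed template")
    middle = s[len(prefix):len(s) - len(suffix)]
    return naive_bits(middle)


if __name__ == "__main__":
    print(f"length             : {len(URL)}")
    print(f"naive estimate     : {naive_bits(URL):.1f} bits")
    print(f"template-aware est.: {structured_bits(URL, PREFIX, SUFFIX):.1f} bits")
```

Neither figure applies if the exact string is already published somewhere that can be listed; in that case only the size of that list matters.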
Is that Crazy?
So now, I fully invite you to ridicule me publicly if you think this is a stupid idea, but is there any real science around this? Under what circumstances would it be OK to copy and paste a URL as a strong password? Or maybe use the XKCD method and paste in a random string of words and spaces? What do you think?