Why a tweet makes a good password

26 Apr 2013

Tweets have lots of variety and a bit of memorability - why not use them to create strong passwords?

After talking about what to do if your Twitter account gets hacked, it would be useful to have a few guidelines on what makes a good password - and I don't mean one that looks like gobbledegook! Make it hard to guess, make it more than a dozen characters long, mix letters, numbers and symbols, and make it unique to each account... yadda yadda yadda. Yes, all of that is true and it does work, but how do you actually choose one in the first place?

Human beings are notoriously rubbish at randomness, but the good news for passwords is that they don't have to be completely random and unrecognisable. In fact, the average tweet would make quite a good password!* Setting guessability aside for a moment (we come back to it below), the strength of a password against a brute-force search depends on two primary factors: its length and the variety of character types it uses, because together they set the size of the space an attacker has to search. For a detailed analysis go and read GRC's How big is your haystack? report, but to save you some effort, here's a quick checklist for whether your intended password will be any good and whether you'll be able to remember it:

  1. Does it contain a few words or more, separated by spaces or other characters?
  2. Is it readable, to a human?
  3. If you asked a close friend to try and guess it, would they be able to?

Number one is all about length and variety; number two is all about whether you can remember it. Answer yes to both and you're on the right track. Number three needs a no: if the password is easy to guess (your pet's name, a favourite song lyric, anything a friend or a search of your public posts would turn up) then it doesn't matter how long or complex it is, it's just rubbish before you start, because an attacker who knows something about you isn't searching the whole haystack.
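As an added worked example (not code from the original post), here is the checklist above turned into Python, together with a search-space calculation in the style of GRC's haystack model (the sum over every length up to the password's, over the alphabet of character classes in use; the symbol alphabet of 33 is an assumed convention) and, as the caveat the haystack number needs, a word-level estimate for an attacker who guesses whole dictionary words rather than characters. The wordlist, the Diceware-sized list of 7,776 words and the sample passwords are all constructed for the example.

```python
import math
import re
import string

# Alphabet size contributed by each character class. The symbol count of 33
# (ASCII punctuation plus the space) is an assumed convention in the style of
# GRC's haystack calculator, not a figure from the post.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# A tiny constructed stand-in for a cracking wordlist; real ones hold millions.
SMALL_WORDLIST = {"password", "letmein", "sunshine", "qwerty", "dragon"}

WORD_RE = re.compile(r"[A-Za-z0-9']+")


def character_classes(password):
    """Return the set of character classes (lower/upper/digit/symbol) used."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")  # space, @, #, !, ? and the rest
    return classes


def haystack_bits(password):
    """Bits of brute-force search space in the haystack model: an attacker
    who knows which character classes are in play must try every string of
    length 1..len(password) over that alphabet. Exact integer arithmetic."""
    if not password:
        return 0.0
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    space = sum(alphabet ** k for k in range(1, len(password) + 1))
    return math.log2(space)


def word_count(password):
    """Number of word-like tokens, split on spaces and punctuation."""
    return len(WORD_RE.findall(password))


def word_level_bits(password, wordlist_size=7776):
    """Bits of work for an attacker who guesses whole words from a list
    rather than characters. 7776 is the size of a Diceware list (assumed
    here as a typical figure); a phrase of common words is only as strong
    as this, however large haystack_bits says the character space is."""
    return word_count(password) * math.log2(wordlist_size)


def in_wordlist(password):
    """True when the password is a wordlist entry, possibly with the usual
    trailing digits or punctuation bolted on (the first mangling rule any
    cracking tool tries)."""
    core = password.lower().rstrip(string.digits + "!?.")
    return core in SMALL_WORDLIST


def checklist(password):
    """Item 1 of the post's checklist (several words, character variety),
    the 'more than a dozen characters' rule and a wordlist check. Items 2
    and 3 (readable to you, guessable by someone who knows you) need a
    human; no function can answer them."""
    return {
        "several_words": word_count(password) >= 3,
        "mixed_classes": len(character_classes(password)) >= 3,
        "more_than_a_dozen": len(password) > 12,
        "not_in_wordlist": not in_wordlist(password),
        "haystack_bits": round(haystack_bits(password), 1),
        "word_level_bits": round(word_level_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed sample passwords: a mangled dictionary word, a plain
    # passphrase, and a made-up tweet-like sentence.
    for pw in ("Sunshine1",
               "correct horse battery staple",
               "Just spotted 3 foxes in the garden @ 6am! #notsleeping"):
        print(repr(pw), checklist(pw))
```

Running it shows the point of the checklist: the mangled dictionary word has three character classes and still fails, the four-word passphrase scores well over a hundred haystack bits but only about 52 bits against a word-guessing attacker, and the made-up tweet passes every item. The word-level figure is the honest one for a phrase of common words, which is why the footnote's remark about words that aren't in a dictionary matters as much as the length.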

So why is a tweet any good? Tweets normally contain several words, uppercase and lowercase letters, numbers, spaces, @-signs, #-characters, exclamation and question marks and so on. Tweets of this kind are typically around 30 characters long (see the note below) and readable to a human.

That will do very nicely for a password, so think about the passwords you use for your logins and if they don't fit the above very well then change them. If you have a password that can be found in a dictionary then change it, now (a dictionary word with a digit or two tacked on the end counts: those variations are the first thing cracking tools try). If you find a service you use that doesn't let you create a decent password (some don't allow spaces, for example, or impose a short maximum length), then complain to them. Loudly. The more you do with a given account, or the more an account allows you to do, the stronger its password should be.

Lastly, now that you've gone to this little bit of effort to use a 'proper' password, don't share it! Oh, and don't use a real tweet from Twitter, yours or anyone else's... it has already been published, and anything published can end up in an attacker's wordlist. Make up a tweet-like sentence of your own and never post it.


*For those who like data and methodology, 4,973,728 tweets analysed in 2010 showed a broad peak in the probability distribution of lengths at 20-25 characters, and a similar analysis in 2012 gave the same basic shape but with the average length shifted nearer to 30 characters. Given that tweets normally contain a mix of alphanumerics and other symbols, including spaces, and that some of the words won't appear in a dictionary, a tweet contains all the ingredients to make a good password.
