Your password is based on a word, about eight characters long. You’ve substituted some numbers for letters (‘3’ for ‘E’ and ‘4’ for ‘a’, etc.), you’ve made sure to capitalize a letter or two, and you’ve welded an exclamation mark to the end, as if to emphasize your adherence to the immutable checklist of password strength. You breathe a sigh of relief. Every month or so, you forget this password (or you remember it because you use it everywhere). But it’s strong… right? Let’s dig into the subject of password security to uncover the myths, maths, and methods that define this crucial aspect of computing.
The Holy Grail
As denizens and explorers of the digital space, we can frame this discussion as a quest. We are in search of the holy grail of password security; a means of constructing a password that offers us maximum protection with maximum memorability — we’re only human, after all.
If the formula I described in my introduction — the one that accounts for the vast majority of passwords used today — sounds like the ideal, then you may be surprised to learn that it not only produces tricky-to-recall passwords (obviously), but it is also far less secure than you might expect. To make matters worse, having a strong password is only half the battle.
In order to understand why this is, we need to take a brief detour into the scary world of information theory to equip ourselves with some basic knowledge that will allow us to grasp how password security is measured and compared.
In general, the integrity of a password is discussed in terms of bits of entropy, an interesting measure used in information theory to describe the uncertainty associated with a variable’s outcome. The more uncertainty, or in other words, the more that is unknown about the event being measured, the higher the entropy.
We need only remember that, the more bits of entropy a password has, the more difficult it is to crack.
For example, we would consider a coin toss to represent a single bit of entropy since the uncertain value is just one of two possibilities. The formula that represents the entropy value of a password is hideous, and we don’t need to understand it in order to make sense of entropy in general.
Bringing this back to our quest, we need only remember that, the more bits of entropy a password has, the more difficult it is to crack.
Know Thine Enemy
Now that we know the basic principle of how password strength is measured, we need to examine our opponents in this endeavor: the hackers, password crackers, and other digital miscreants who seek access to your accounts.
Password cracking is a cornerstone of the hacking world, and unsurprisingly boasts one of the most extensively developed arsenals in the hacker’s repertoire. In general, password cracking methods fall into one of two categories: pattern cracking, and brute-force attacks.
Pattern-Based Password Cracking
If you’ve followed the formula from my introduction, your password is likely very susceptible to pattern-based cracking methods. These come in various flavors, ranging from the basic dictionary attack to more sophisticated variants that exploit common password creation techniques.
When they are applicable, pattern-based cracking approaches are preferable because they vastly reduce the number of possibilities a hacker must try before coming across the actual password.
If you’ve followed the formula from my introduction, your password is likely very susceptible to pattern-based cracking methods.
That eight-character password you have that uses numbers, multiple-case letters, and special characters? It would probably take a half hour to crack.
This second category of attacks represents the barbarian approach to password hacking. In essence, a brute-force attack means that the hacker will use an incredibly powerful computer (or network of computers) to systematically try out every possible combination of characters to uncover your password.
Clearly, this seems daunting as each extra character you add to a password will require vast quantities of extra password possibilities. Unfortunately, depending on the skill and hardware available to your assailant, you can expect that a hacker will be able to test out between several hundred thousand and about a million possible password combinations per second.
That eight-character password you have that uses numbers, multiple-case letters, and special characters? It’s probably got an entropy value of between 30 and 50 bits. That would likely take as little as half an hour to crack wide open.
Our Friend, CAPTCHA
Regardless of the approach, cracking a password requires an ability to try many different passwords in order to find a match. This is where the other half of password integrity comes in: the account provider’s security measures.
Aggravating CAPTCHAs serve a crucial purpose in account security.
If you’ve ever encountered a CAPTCHA on a website (those forms that require you to decipher obscure digits or words in order to proceed) then you may have come to the conclusion that the website hates you, your eyes, and your free time. This is most likely not the case.
In fact, those aggravating CAPTCHAs serve a crucial purpose in the account security world: not only do they prevent automated bots from completing the login forms, they also add in an extra impediment that slows down a hacker’s ability to test out the thousands of passwords per second required to perform a successful crack. They are, of course, not infallible, but they are an extra layer of protection.
Along with other server-side security measures such as automatic login timeouts after too many failed attempts, CAPTCHAs represent the other side of the password protection coin.
It’s often worth exploring what kind of security measures a service has in place before committing too much of your private data to their care, because no matter how strong your password is, it won’t matter if the back door is open.
More Bad News: Some Password Creation Tricks Suck
For the most part, our introductory formula for password creation offers very savvy advice. Multiple cases, special characters, numbers; these are all sound techniques to make use of as part of your password.
There are other techniques that you’ve likely had recommended to you that just plain suck at keeping your account safe.
But there are some guidelines influencing their effectiveness, and there are other techniques that you’ve likely had recommended to you that just plain suck at keeping your account safe. Let’s examine some of these guidelines and identify examples of poor password techniques.
- Using Numbers: Most people unfortunately interpret this guideline as “add a 1 to the end”, which is so banal as to pose virtually no additional challenge to a hacker. If you’re using numbers in your password, don’t just toss a bunch of them at the end and expect it to make a big difference.
- Special Characters: The typical inclusion of special characters in a password is for the replacement of letters with visually similar characters (‘@’ instead of ‘a’, for instance). The problem with this is that all those pattern-based attack methods include all possible permutations of each word in their dictionary, including special character substitutions, meaning that your only achievement is in making a password that’s harder to remember for yourself.
- Typing on a Different Keyboard Row: Ah, now this one seems like a stroke of genius! Instead of typing your password in its normal position on the keyboard, you mimic the same key pattern but shift everything one row up, or down, or over to the left or right. While this is certainly more compelling a method than the above, those same dictionaries also include these basic keyboard shifts for their words, meaning that the added security is, once again, negligible.
- The Bottom of the Barrel: Sometimes, people get really lazy with passwords. They’ll do things like repeat one word or number several times (I once visited a coffeeshop whose Wi-Fi password was twenty six ’1’s in a row), or they’ll use a few sequential letters from their keyboard, or a name, birthday, or phone number. So now, when the hacker cracks your password, s/he will have your phone number and birthday too — bonus!
Now For Some Good News
The deck may seem stacked against you, but it’s worth remembering that most of us are not going to be the targets of dedicated hackers — our priority is to make informed choices about the services we choose to trust with our data, and to ensure that our accounts as secure as possible without causing ourselves unnecessary headaches trying to remember obscure strings of characters.
There are a number of clever ways to create secure passwords that conform to these criteria, but we’re going to focus in on two primary ones that are not only popular, but also extremely effective, and flexible enough to be used everywhere.
Our priority is to make informed choices about the services we choose to trust with our data, and to ensure that our accounts as secure as possible.
Diceware: Surrealist Security
One of the most fascinating paradoxes of password security is the fact that, while one word is cripplingly easy to compromise as a password, the use of several words in sequence actually constitutes one of the most secure possible password creation methods that also offers us the benefit of being vastly simpler to remember than an equivalently long string of random characters.
One of the primary methods of generating such a word list is called ‘Diceware’, so named because you use a set of dice to generate the password from a list of words, like this English example.
For each word in the password (or passphrase, in this case), you would roll a die five times. The resulting numbers would be strung together — let’s say 61345 — and then the corresponding word from the list is selected, in my case ‘toad’.
Now, as an example, let’s take a typical “strong” password: 7YmP@ni5 (timpanis, for you non-musical folk). That password offers us about 50 bits of entropy. It’s not bad, but it’s also not terribly memorable — which letter was substituted with which special character or number? Which letters were capitalized?
XKCD helps illustrate the problem
Finishing up a 5-word passphrase using the Diceware word list, I came up with ‘toadloafsteamwhackethos’. That gives us a baseline of about 65 bits of entropy — a much more daunting challenge for hackers (each additional bit of entropy means twice as many possibilities that need to be run through).
Normally, five words is considered the minimum viable length for a Diceware passphrase, and the beauty of the system is that the entropy value is calculated with the assumption that your hacker knows not only that you’re using a Diceware word list, but that they even know which one you’ve used and how many words are in your passphrase. In other words, if they know anything less than that, or are coming at it completely blind, the entropy of your passphrase is even higher!
And because it’s a simple list of common words, it’s far easier to remember, especially if you generate (or invent) a phrase that is humorous or jogs your memory in some other way — ‘Hey,listen!’ is a simple one for Zelda fans. 70 bits of nostalgic entropy right there.
A devious and very effective method for generating strong passwords involves the use of phrases in a slightly unconventional way that happens to tick off many of the checkboxes of strong password creation — assembling the first letters and all punctuation into a password.
Let us take, for instance, a poem like The Jabberwocky, by Lewis Carroll. From the first stanza, we shall take the first two lines, which are:
’Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;
Then, applying this method, we would end up with “’Tb,atstDgagitw;”. That marvelous piece of password engineering represents a staggering 100 bits of entropy.
Yeah, he looks like he can protect my password
Let’s look at the advantages: it appears, on the surface, completely random and so is impervious to pattern-based attacks; it uses both multiple-case letters and special characters; it is more than 12 characters long (a common guideline); and despite its apparent obscurity, it’s impossible to forget because it’s derived from a piece of literature that is inherently easy to remember — a poem!
Assuming you dislike poetry, you can of course make use of a line from your favorite speech, or a quotation from a book, or any other phrase that you are unlikely to ever forget.
I personally recommend poetry for two reasons: one, it tends to be rich in punctuation and capitalizations, and two, it is almost always very easy to memorize (just think of how many popular songs you can sing along to).
Varying Your Passwords
The last piece in the strong password puzzle is variability: do not use the same password everywhere, it is the single biggest mistake you can make. Ten weak passwords are safer than one stronger one used ten times, because if it gets compromised, every single account you have is also compromised immediately.
Do not use the same password everywhere, it is the single biggest mistake you can make.
Using the two methods we outlined above, you can easily find ways to keep things consistent and still have different passwords for different services. Changing the last word in your Diceware list, or using different verses from the same song’s lyrics, for instance.
Writing Things Down
We should briefly talk about the problem of writing passwords down to remember them. This is a security risk that many people take, putting their crucial passwords in a notebook or slip of paper in their wallet.
While it’s convenient, it also opens up an entirely new avenue of danger — if someone steals your wallet, they’d normally escape with some money and your ID. Now, they can also access every account that you’ve written down a password for. Can you remember to go and change them all in time?
When we propose our ideal password solution, we emphasize that it should produce something memorable precisely so that you won’t need to resort to writing things down to remember it.
Alternatively, if the formula you use is something that you can easily recall, then you may only need to write down obscure reminders that will be useless to anyone trying to crack your password. If you used the poetry acronym method, you could keep a note that simply indicates which verse you used for each service — a thief wouldn’t know what you’re talking about.
The Easy Way Out?
Who is a hacker more likely to target: one random person or a company that boasts about providing strong password protection for millions of users?
At this point, you may be wondering why you shouldn’t use a dedicated password service like LastPass to both manage and generate your secure passwords.
As those are both reputable and flexible tools, you should certainly consider using them. The reason it pays to be able to generate your own strong passwords is that, because those too are services run by companies, they are vulnerable to attack themselves — and they’re far more likely targets of a password assault than one lonesome individual is. After all, who’s a hacker more likely to target: one random person or a company that boasts about providing strong password protection for millions of users?
Since they’ve made it their business to do just that, many of these services are worth trusting, but if you’re more cautious, or you don’t want to have everything stored in an app, or you simply want a means to create a strong master password for those other solutions, it pays to know how to make one — and now you do!
It goes without saying that the strongest passwords are those 20-character randomized behemoths that you can easily find a generator for on the web. These are categorically stronger than any other you’re likely to formulate. But they’re also useful only for machines and people with a ridiculous skill for memorizing complicated strings of characters — they simply aren’t practical for everyday use.
The notion of an ideal password that we’ve explored in this tutorial has been one that finds a happy balance between integrity and memorability. You’re now equipped to spot the most egregious password creation pitfalls and create strong, memorable, and variable passwords for yourself. So go forth and batten down the hatches on your valuable digital assets.
While you’re at it, don’t forget to change them every now and again — it’s harder to hit a moving target, after all.
Have a better method? We want to hear about it! Passwords are important, so hop into the comments and share your thoughts.