The venerable XKCD said it best, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
During my time working directly with clients in a technical capacity, the complaints I hear most often revolve around passwords and password management. People know they shouldn’t write them down. They know they shouldn’t use the same ones for different services. Some companies believe that forcing password changes at regular intervals leads to better security, when it just leads to people writing them down or choosing shorter, weaker passwords.
What makes a good password? How do bad guys attempt to guess passwords? What are the best ways to keep up with all your passwords and still protect yourself?
Let’s take a deep dive on passwords and see if we can find the answers to these questions and maybe protect our online accounts and identities a little bit better.
For starters, let’s work on our nerd vocabulary.
Character set: Is your password made up entirely of lower-case letters from the English alphabet? Each character in your password has 26 possibilities; in other words, your password has a character set of 26. What about upper and lower-case letters from the English alphabet? 52 possibilities for every character. Are you a security guru who uses a mix of upper-case, lower-case, numbers, and symbols? We’re up to 95 possibilities per character!
Search space: A five-character password made up entirely of numbers has a search space of 10^5: five characters, each with 10 possibilities. A five-character password made up of numbers, upper and lower-case letters, and special symbols has a search space of 95^5: five characters with 95 possibilities for each character. Because the length is the exponent, password complexity increases exponentially with each character added. A six-character password is exponentially bigger than a five-character password.
Entropy: Lack of order or predictability. Words that appear in a dictionary have low entropy. Using your listed business phone number as your Wi-Fi password is low entropy.
When it comes to how easy or difficult it is for a bad guy to guess your password, there are several factors: length, character set, and the likelihood that it exists in a dictionary or rainbow table.
Length is straightforward. The longer your password, the longer it takes for a bad guy to discover it by guessing every combination, otherwise known as a brute-force attack. Length is the most important variable by far.
Consider the following two passwords:
The first uses all available character sets, giving each character 95 possibilities. The second uses only lowercase letters: 26 possibilities each. The first password has just under eight billion possible combinations; the second has just over two hundred billion. Length trumps everything.
Most people scratching their chin trying to think of a new password will go for what seems to be complexity over length, as length is considered diametrically opposed to memorability. This doesn’t need to be the case.
S3cuRep@s$! is a reasonably strong password. It uses the entire character space and is nine characters long. It also requires you to memorize which letters you’ve substituted with numbers and special characters, and it requires some finger contortion. At one hundred trillion guesses a second it would take just under two years for a computer to guess. Given Moore’s law, that computing power doubles every eighteen months, in five years it would likely take only several months to guess that password.
Now consider Ilovespringtime1! It’s easy to type and would take over 13 billion centuries to guess at one hundred-trillion guesses a second. The best part? You’ve already memorized it.
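The search-space and brute-force arithmetic above, as an added example that is not part of the original article: it classifies each password into the article's 26/52/95 character sets, computes charset^length, and converts that to worst-case years at the article's rate of one hundred trillion guesses a second. The sample passwords are constructed, except for the two the article itself discusses.

```python
import math
import string

# Character classes as the article defines them: lowercase (26), uppercase (26),
# digits (10) and symbols (33, counting the space), for 95 in total.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation) | {" "}

GUESSES_PER_SECOND = 10 ** 14      # the article's one hundred trillion guesses a second
SECONDS_PER_YEAR = 365.25 * 86400


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers every character used."""
    classes = [cls for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(ch in cls for ch in password)]
    if any(ch not in set().union(*classes) for ch in password):
        raise ValueError("password contains characters outside the 95 printable ASCII set")
    return sum(map(len, classes))


def search_space(password: str) -> int:
    """Passwords an exhaustive search must cover: character set size ** length."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Entropy of the search space in bits (log2); ignores dictionary predictability."""
    return math.log2(search_space(password))


def brute_force_years(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try the whole search space at `rate` guesses per second."""
    return search_space(password) / rate / SECONDS_PER_YEAR


def compare(passwords):
    """Rows of (password, charset, search space, entropy bits, years) for a quick table."""
    return [(p, charset_size(p), search_space(p), round(entropy_bits(p), 1),
             brute_force_years(p)) for p in passwords]


if __name__ == "__main__":
    # Constructed samples: a 5-character full-set password and an 8-character
    # lowercase one (the article's two sizes), then the article's own two passwords.
    for row in compare(["aB1!x", "abcdefgh", "S3cuRep@s$!", "Ilovespringtime1!"]):
        print("{:<20} set={:>2} space={:.3g} bits={:>5} years={:.3g}".format(*row))
```

The output reproduces the article's figures: 95^5 is just under eight billion, 26^8 just over two hundred billion, S3cuRep@s$! falls at about 1.8 years, and Ilovespringtime1! at roughly 13 billion centuries.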
Password Managers (or vaults) provide a way to store all of your passwords behind one master password. The premise is that you only need to memorize one password and that will grant access to all of your stored passwords. Furthermore, these managers have the ability to generate ultra-secure random passwords for you and since you won’t need to memorize them, they can be quite long. Good password managers also have options to allow you to sync your passwords across devices, indicate how strong your current passwords are, and log you into sites and services automatically.
There are some downsides. Forgetting your master password can lose you access to all of your passwords. Secure password managers cannot provide your password to you if you forget it. If you have a weak master password, getting compromised will give the bad guy access to all of your passwords.
Some excellent password managers are: LastPass, KeePass, Dashlane, 1Password, and RoboForm 8.
Creating good passwords
There are many formulas to help you create and remember passwords while still allowing you to have strong, unique passwords for every site you visit. Here’s my favorite:
- Start with a strong base password. Let’s use Ilovespringtime!
- Now use the address of the website you’re visiting to provide some unique characters. Count the number of characters in the site’s address, excluding the domain suffix (.com, .net, etc.), and add that number to the end of the password.
  - e.g. If we’re creating a password for facebook.com, our password would be Ilovespringtime!8
- Now add a little more uniqueness: take the first and last letter of the address and add them to the end of the password as well.
  - e.g. Our completed, mostly unique password for Facebook would be Ilovespringtime!8fk
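The formula above, as an added example that is not part of the original article: it applies the article's rule (base password, then the length of the site name without its suffix, then its first and last letter) to any address. The handling of a pasted URL, a path and a leading "www." is an assumption; the article only shows the bare facebook.com case.

```python
def site_name(address: str) -> str:
    """Reduce an address to the site name without its domain suffix (.com, .net, ...).

    Assumption (not stated in the article): a scheme, path and leading "www." are
    stripped first, so a pasted URL gives the same result as the bare host name.
    """
    host = address.strip().lower()
    host = host.split("://", 1)[-1].split("/", 1)[0]   # drop scheme and path
    if host.startswith("www."):
        host = host[4:]
    name = host.split(".")[0]
    if not name:
        raise ValueError(f"no site name in {address!r}")
    return name


def site_password(base: str, address: str) -> str:
    """Apply the article's formula: base + length of site name + first and last letter."""
    name = site_name(address)
    return f"{base}{len(name)}{name[0]}{name[-1]}"


if __name__ == "__main__":
    base = "Ilovespringtime!"          # the article's base password
    # Constructed addresses: the article's example, the same site as a full URL,
    # and one more site to show the suffix changing.
    for addr in ("facebook.com", "https://www.facebook.com/login", "amazon.com"):
        print(f"{addr:<32} -> {site_password(base, addr)}")
```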
This might seem like overkill at first glance, but consider the following: this password is easy to remember and extremely secure. Once you memorize your base password, you’re able to work out the rest simply by looking at the web address and remembering your formula.
There are numerous stories online about someone’s password being discovered through a security flaw in some website, after which the bad guys took that password and tried it in all the usual spots: Amazon, BofA, Wells Fargo, etc. Having unique passwords for at least any website or app that is tied to your personal and financial information is extremely important.