Background
Some network security folks go overboard when they talk to users about passwords. For instance, we hear "It must be 14 characters long." Oh, puleeeezzze! Nobody is going to remember a 14-character password, let alone the dolts that you need to be talking to about passwords. When you set an "impossible" criterion for a strong password, guess what? The user will invariably write it on a post-it note and stick it to his monitor. Then, when caught and reprimanded for doing that, he'll use his name and address -- something that he might not forget.
Both scenarios are much more dangerous than letting the user select a "weaker" password that meets reasonably-sound complexity policies.
We also hear miscellaneous advice that sounds good, but is meaningless... "Never start your password with a digit -- they are much easier to crack (10 rather than 42 options)." I don't know what cracking system that adviser is using, but I am certain that no log-in system on earth comes back with...
"Incorrect login: Only the first character is correct."
Nope. Password-cracking systems that show the first character cycling and then "locking in", then cycling the second character until it "locks in", while the nerdy guy says "...only five minutes until I have it..." -- well, that's TV-Trope fiction, like the exploding car and the details revealed by "enhancing" a telephoto blowup of a reflection from a wristwatch.
Stars in the Galaxy
Brute-force password cracking software must exhaustively try every combination. It might start with the digits, but then it still needs to try the letters. A specific combination of eight characters (letters, digits, symbols) comes up one in 96^8 random tries. That's 1 in 7,213,895,789,838,336 (1 in 7.2 Quadrillion). If the first character is a digit, and if the software happens to start with combinations beginning with digits (why?), then it will need to try only 750 Trillion combinations. Ahem. Don't start with "A" either, I guess. If "A" is weak, then "B" is almost as weak... best to always start your passwords with "Z" ... right? Any reasonable website login system won't allow more than a few consecutive failed tries, but let's imagine a TV-Trope world where it allows the cracking software to try combination after combination and it takes half of a second to respond to each try. That's 117,267,084 years to try all combinations (think: dinosaurs and fossils).
OK... let's make it a really, really bad login system that allows you to try a million combinations per second. It will still take over 200 years. But BEWARE! On average, it will need to try only half of all combinations. So, using an 8-character password is way too risky! Your great grandchildren are in serious danger that your password will be cracked!
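The arithmetic behind the figures above, written out as an added example (not code from the article); the 365-day year and the two retry rates are assumptions taken from the text.

```python
# Added example: brute-force keyspace and time-to-exhaust arithmetic
# for the "stars in the galaxy" figures. Not code from the original article.
from typing import Optional

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: plain 365-day year


def keyspace(alphabet_size: int, length: int,
             first_char_choices: Optional[int] = None) -> int:
    """Number of distinct passwords of `length` drawn from `alphabet_size` symbols.
    If first_char_choices is given, the first position is restricted to that many
    symbols (10 when the password is known to start with a digit)."""
    first = alphabet_size if first_char_choices is None else first_char_choices
    return first * alphabet_size ** (length - 1)


def years_to_exhaust(space: int, tries_per_second: float, average: bool = False) -> float:
    """Wall-clock years to walk the whole space, or on average half of it."""
    tries = space / 2 if average else space
    return tries / tries_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    full = keyspace(96, 8)
    digit_first = keyspace(96, 8, first_char_choices=10)
    print(f"96^8 = {full:,}")
    print(f"digit-first subset = {digit_first:,} (only {full / digit_first:.1f}x smaller)")
    print(f"2 tries/s, whole space:  {years_to_exhaust(full, 2):,.0f} years")
    print(f"1e6 tries/s, whole space: {years_to_exhaust(full, 1e6):,.0f} years")
    print(f"1e6 tries/s, on average:  {years_to_exhaust(full, 1e6, average=True):,.0f} years")
    print(f"one more character: {keyspace(96, 9):,} (96x larger)")
```

With a 365-day year the half-second case comes out near 114 million years; the article's 117 million figure reflects a slightly different year length, and the order of magnitude is the point.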
Dictionary Attack!
However, password cracking software doesn't sequence through all combinations. Instead, it knows that people use real words and names in their passwords. So it does a "dictionary attack" in which it tries all of the words in the dictionary, then each word plus one digit, and so forth. Then one digit plus each word, and so forth. Then two words... It can start with short words, so it won't need to cycle all 200,000+ English words and common names. Dictionary attacks do succeed -- on login systems that allow unlimited immediate retries, but those are rare. And you can usually foil a dictionary attack by using "mangled" words that are not in the dictionary.
Personal Data Attack!
Who hasn't seen the TV show in which the safecracker gets the loot by using somebody's birthday or wedding anniversary as the combination? He's smart: He knows that people use numbers that they can remember. Password crackers do the same thing. They can look up all kinds of personal information about you and try variations of your Mother's maiden name, your birthday, the street where you live, your brothers and sisters, the date of your gall bladder operation, etc. Even so, if you mangle it sufficiently, it can be easy for you to remember, and all of that personal data will be useless to the evil-doer. If the cracking software must try every mangled variation of every name, address, ZIP code, pet name, and restaurant that you know, it's nearly as bad off as if it had to do a brute-force (all-combinations) scan.
Some Good Advice from Microsoft
Microsoft advises the following when setting a password policy for access to a sensitive SQL Server database:
- Don't use all or part of the username
  (I'll add: Don't use words that are in the dictionary)
- It must be at least eight characters long
- It must contain characters from at least three of these groups:
  - Uppercase letters (A-Z)
  - Lowercase letters (a-z)
  - Digits (0-9)
  - Special characters, such as #^$!.*()~ etc.
Now if you go to the oft-referenced "Password Strength Checker"...
Check your password — is it strong?
https://www.microsoft.com/
It advises using a 14-character password. I've already described what is wrong with that: Giving good advice that's too hard to follow is safe for you (and makes a Network Security Specialist appear to be earning his salary), but impossible-to-follow advice is no better than bad advice.
Now go to that site and type in a real password that you use. It probably comes up as a "weak" password. Now add ten Xs. Voilà! According to that ridiculous gauge, you have just created an unbreakably-strong password! Type in LOLLOLLOLLOLLOL and see what it says about that. Repeat after me: "Ell Oh Ell!"
Cracking software has an easy time with long passwords if they contain dictionary words or repeated sequences. Password length, by itself, is not a particularly good criterion.
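A checker for the Microsoft policy listed above plus the author's two additions (no dictionary words, and no repeated or padded sequences such as LOLLOLLOL or ten trailing Xs), as an added example rather than Microsoft's or the article's own code. The word list is a tiny constructed stand-in for a real dictionary, and "part of the username" is read here as any three-character slice of it.

```python
import re
import string

# Constructed mini-dictionary; a real check would load a full word list.
DICTIONARY = {"password", "summer", "lol", "chocolate", "lady", "gaga", "mother"}

GROUPS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def effective_length(password: str) -> int:
    """Length once the structure cracking tools exploit is discarded: a
    whole-string repeat ("LOLLOLLOL" -> "LOL") and runs of three or more of
    one character ("XXXXXXXXXX" -> "X")."""
    if not password:
        return 0
    period = (password + password).find(password, 1)  # shortest repeating unit
    return len(re.sub(r"(.)\1{2,}", r"\1", password[:period]))


def policy_findings(password: str, username: str) -> list:
    """Rules the password breaks; an empty list means it passes."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    hit = sum(1 for g in GROUPS.values() if any(c in g for c in password))
    if hit < 3:
        findings.append(f"only {hit} of 4 character groups")
    lowered, user = password.lower(), username.lower()
    # Assumption: "part of the username" means any 3-character slice of it.
    if any(user[i:i + 3] in lowered for i in range(len(user) - 2)):
        findings.append("contains part of the username")
    for word in sorted(DICTIONARY):
        if word in lowered:
            findings.append(f"contains dictionary word '{word}'")
    eff = effective_length(password)
    if eff < len(password):
        findings.append(f"repeats or padding: effectively {eff} characters")
    return findings


if __name__ == "__main__":
    for pw, user in [("LOLLOLLOLLOLLOL", "bob"), ("MmtmtwbdltXXXXXXXXXX", "bob"),
                     ("Gaga1234", "ladygaga"), ("CC13Qy!x", "bob")]:
        print(f"{pw!r}: {policy_findings(pw, user) or 'passes'}")
```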
Note: Some sites won't let you use a too-short password. A common requirement for banking logins is a minimum length of eight characters. So size is important, if only to avoid the hassle of remembering special rules at some sites and not at others.
What you need to focus on is complexity. You need a jumble of characters that do not spell anything, can't be guessed from your personal information, and is just long enough so that a brute-force attack will take too long to complete.
And it has to be easy to remember. If you write it down, you'll need it to be handy (e.g., in your desk drawer or in a thinly-disguised disk file named "pswds.txt"), and someone can find it. If you use the same password everywhere and you get scammed even once, then all of your secure logins are compromised -- and that includes your on-line banking.
You Need a SYSTEM
What you need is a "mental algorithm" -- a versatile, repeatable, password-generating system. You need a technique that generates different passwords for each website, but is easy to produce from memory when you need it. Here are three examples, some better than others, but this is really just to get you started thinking about your own system.
1. Secret Sentence
As an example at the Microsoft password advice page they suggest that you make up a long sentence -- or a string of words that you can remember. Maybe something like:
"My mother told me there would be days like this"
Now to generate the password, process that text with your "mental algorithm." For instance, the most trivial example is to take the first letter of each word:
Mmtmtwbdlt
To satisfy the "special characters" requirement, your algorithm might include some substitutions. When you would normally type S, type 5 or %. Or use 1 (one) instead of l (ell). You could make every third character uppercase. That sort of thing. That Microsoft page shows several ways to add complexity to the password without adding a heap of mental strain to your often-overworked neurons.
2. Say the Secret Woid
This is similar to the last one, but instead of a sentence, choose a word or very-short phrase that you will never forget and that you can easily visualize without writing down (never write it down). For instance: "LADYGaga!"
Now you will use only the letters of that word in your passwords, but you will put them in various, scrambled sequences.
Example: You choose the order 1,3,5,7,9,2,4,1. So your password is the first, the third, the fifth, etc. letters of your secret word:
LDGg!AYL
That looks like it would be hard to remember. It is! So with this algorithm, you write it down! You write down the website and the sequence numbers on a post-it note and stick it on your monitor. You can decode it, but nobody else can. (Reminder to the security-impaired: Write down the numbers, but type-in the matching letters. Oh, and don't write the secret-word key on the back of the paper.)
3. Cook Up a Sequence
Your base password will be a combination of some (apparently) arbitrary characters, digits, and symbols that you can remember, using your own mnemonic that you never reveal. Here, you can use personal data to help you remember the "cooked" portion, as long as it is scrambled and sautéed enough.
For instance, here is something I'll easily remember: My cat, Chocolate Chip, was 13 years old when we lived on Quincy Avenue.
So my "root" password is: CC13Qy
Adding Salt -- Per-site Uniqueness
Algorithms #1 and #3 above describe how to generate a "base" password. But ideally, we'd like to have a password that is different for each website where we need to log in. Different, but also easy to remember!
One possibility is to insert something at the beginning or tack something on the end... a so-called "salt" value. I've seen the suggestion to use the first three characters of the site's domain name. For instance, my EE login (domain name is Experts-Exchange.com) might be:
CC13QyExp
...or...
MmtmtwbdltExp
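The three "mental algorithms" and the salt step, written as functions so each step is visible; this is an added example, not code from the article. The substitution table, the every-third-character uppercase rule and the "rev3" salt variant are this example's own choices, modelled on the suggestions above.

```python
# Added example: the article's three password-generating systems plus
# the per-site salt, as plain functions. Not the article's own code.

# Assumption: this example's own substitution table (S -> 5, l -> 1, a -> @).
SUBSTITUTIONS = {"s": "5", "l": "1", "a": "@"}


def secret_sentence(sentence: str, substitute: bool = False, cap_every: int = 0) -> str:
    """Algorithm 1: first letter of each word, optional substitutions, and
    optionally upper-casing every `cap_every`-th character."""
    chars = [word[0] for word in sentence.split()]
    if substitute:
        chars = [SUBSTITUTIONS.get(c, c) for c in chars]
    if cap_every:
        chars = [c.upper() if (i + 1) % cap_every == 0 else c
                 for i, c in enumerate(chars)]
    return "".join(chars)


def scrambled_word(secret: str, order: list) -> str:
    """Algorithm 2: take the 1-based positions in `order` from the secret word.
    Only the position list is ever written down, never the word."""
    return "".join(secret[i - 1] for i in order)


def cooked_root(*parts: str) -> str:
    """Algorithm 3: join fragments you can rebuild from a private mnemonic."""
    return "".join(parts)


def salted(base: str, domain: str, scheme: str = "first3") -> str:
    """Per-site salt. 'first3' is the first-three-letters pattern the article
    describes; 'rev3' reverses them, one of the variations it mentions."""
    name = domain.split(".")[0]
    if scheme == "first3":
        return base + name[:3].capitalize()
    if scheme == "rev3":
        return base + name[:3][::-1].capitalize()
    raise ValueError(f"unknown salt scheme: {scheme}")


if __name__ == "__main__":
    base1 = secret_sentence("My mother told me there would be days like this")
    print(base1, secret_sentence("My mother told me there would be days like this",
                                 substitute=True, cap_every=3))
    print(scrambled_word("LADYGaga!", [1, 3, 5, 7, 9, 2, 4, 1]))
    root = cooked_root("CC", "13", "Qy")
    print(salted(root, "experts-exchange.com"), salted(base1, "experts-exchange.com"))
```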
That algorithm would not protect me as much as I'd like. It's better than using the same password everywhere, but any good hacker could recognize the pattern -- if he scammed one password from me, he'd be able to figure out others.
Some variations I've heard include: the first few letters of the domain in reverse order; the three characters at the top, rightmost corner of the login screen; the second, fourth and last letter of the domain name; some sequence of letters directly below the password input box; etc.
You can go pretty far with this. Most people are quite visually oriented and when you get to the login-prompt, you'll probably be instantly reminded where you "hid the salt."
In practice, this works quite well. It is a secret that only you know, based on an algorithm (a set of visual cues) that only you know. Will a hacker guess that your salt was "The last character of the domain name, plus the number of letters in the word below the password input box, plus the gender (M,F or ?) of the person pictured"? Probably not, and anyway, the salt comes into play only if a hacker gets your base password somehow.
Summary
Using strong passwords is important, both in business and in your personal life. An easy-to-crack password could open up your bank account to various evil-doers who lurk in the dark, terrifying recesses of the venomous snake pit that is the Internet. Be sure to scare your kids with that, because it might save them from being embarrassed on FaceBook. And scare yourself (at least a little bit) because it also happens to be true. But you don't need to make a password so complex and hard to remember that you find that you need to write it down. Don't make it so long that you need to use personal data in order to remember it. Eight characters (including a mix of character case and digits, etc.) are probably "strong" enough for nearly any purpose. And it's not hard to come up with a "mental algorithm" that's easier to remember than the actual password.
I fully expect to take some heat (and "No" votes) from self-proclaimed security experts who will tell me I'm giving out bad advice and that everybody must use 14-character passwords for everything. So, I'll reply in advance: When your 85-year-old grandmother asks what she should use as her password, do you tell her,
"Well, grammy, you should always use: %wE7*45#Bb[g^vJ"
??? I doubt it -- she doesn't know what a circumflex is. You need to give her a simple password that is easy for her to remember (so she won't write it down), but hard to guess and hard to crack. And be sure to remind her not to use her grandchild's name!
Bold Caveat
No password-generating algorithm is perfect. Any system that is trivially easy (say, appending ten Xs) will be easier to crack than a system that employs truly randomly-selected characters, but writing passwords down on paper or putting them in a file on your hard disk presents an actual, not imaginary or overblown, risk. So work out a way to keep it in your head.
Related links:
http://www.lockdown.co.uk/
Password strength checker
https://www.microsoft.com/
SQL Server 2008 password Policy
http://msdn.microsoft.com/
Microsoft SQL Server Strong Password Requirements
http://support.microsoft.c
Strong Passwords
http://msdn.microsoft.com/
by: mwvisa1 on 2010-08-24 at 06:11:42 ID: 18696
Classic!
I enjoyed reading this. I have participated in a good number of conversations regarding password complexity and the importance of the system in the process (i.e., two-factor authentication or other measures that support users having what are perceived as "lesser" strength passwords, not 14 characters, while maintaining full security, as I not only have to steal your key but your box of treats for your pitbull too).
A CTO I know always says: changing passwords at work is "stupid"! Bank passwords don't expire, why should those for computer systems?
Every 60-90 days my strong password becomes invalid and so I have to remember a whole new one. What most users will do is as you say pick something ridiculously easy with 01...99 at the end. Oh boy! Or simply write it down.
Anyway, he made a speech a few months ago where he started off with "I use one password". Everyone was in awe. He uses some of the mental algorithms you mentioned with suffix|prefix, but he took it a step further by tiering passwords. It is a different pattern for low-level "I need to provide an e-mail and password to subscribe to this newsletter" sites than for more secure business systems, and different again for the highest-risk accounts like the bank. This protects you from the "I got your one password and now I have the keys to the kingdom" problem. The other consequence is you can loosen the security on the bulk of sites, making it easier to remember; following the Pareto principle, there are probably 20% max of the credentials you maintain that represent 80% or more of your personal|business risk, so why waste your energy securing the other 80%?
In other words, if you are going to go for the 14-character unbreakable masterpiece password then do so on the absolute last thing you would want to lose and use summer10 on all your 100 other web sites that if compromised mean nothing in the scheme of your life or the world.
Anyway, nicely presented, you have my Yes vote above.
Thank you!!