
Strong (but Easy-to-Remember) Passwords

DanRollins
You need passwords for many websites and you know that it's unwise to use the same password everywhere.  You have also heard that it's important to use "strong" passwords -- but they can be hard to remember.  This article describes several options that will let you use, and easily remember, a hard-to-crack password that is different for every website where you login.
 

Background

Some network security folks go overboard when they talk to users about passwords.  For instance, we hear "It must be 14 characters long."  Oh, puleeeezzze!  Nobody is going to remember a 14-character password, let alone the dolts that you need to be talking to about passwords.

When you set an "impossible" criterion for a strong password, guess what?  The user will invariably write it on a post-it note and stick it to his monitor.  Then, when caught and reprimanded for doing that, he'll use his name and address -- something that he might not forget.

Both scenarios are much more dangerous than letting the user select a "weaker" password that meets reasonably-sound complexity policies.  

We also hear miscellaneous advice that sounds good, but is meaningless... "Never start your password with a digit -- they are much easier to crack (10 rather than 42 options)."  I don't know what cracking system that adviser is using, but I am certain that no log-in system on earth comes back with...

    "Incorrect login: Only the first character is correct."

Nope.  Password-cracking systems that show the first character cycling and then "locking in", then cycling the second character until it "locks in", while the nerdy guy says "...only five minutes until I have it..."?  Well, that's TV-Trope fiction, like the exploding car and the details revealed by "enhancing" a telephoto blowup of a reflection from a wristwatch.
 

Stars in the Galaxy

Brute-force password cracking software must exhaustively try every combination.  It might start with the digits, but then it still needs to try the letters.  A specific combination of eight characters (letters, digits, symbols) comes up once in 96^8 random tries.  That's 1 in 7,213,895,789,838,336 (1 in 7.2 Quadrillion).  If the first character is a digit, and if the software happens to start with combinations beginning with digits (why?), then it will need to try only 750 Trillion combinations.  Ahem.  Don't start with "A" either, I guess.  If "A" is weak, then "B" is almost as weak... best to always start your passwords with "Z" ... right?

Any reasonable website login system won't allow more than a few consecutive failed tries, but let's imagine a TV-Trope world where it allows the cracking software to try combination after combination and it takes half of a second to respond to each try. That's 117,267,084 years to try all combinations (think: dinosaurs and fossils).  

OK... let's make it a really, really bad login system that allows you to try a million combinations per second.  It will still take over 200 years.  But BEWARE!  On average, it will need to try only half of all combinations.  So, using an 8-character password is way too risky!  Your great grandchildren are in serious danger that your password will be cracked!
 

Dictionary Attack!

However, password cracking software doesn't sequence through all combinations.  Instead, it knows that people use real words and names in their passwords.  So it does a "dictionary attack" in which it tries all of the words in the dictionary, then each word plus one digit, and so forth.  Then one digit plus each word, and so forth.  Then two words...

It can start with short words, so it won't need to cycle all 200,000+ English words and common names.  Dictionary attacks do succeed -- on login systems that allow unlimited immediate retries, but those are rare.  And you can usually foil a dictionary attack by using "mangled" words that are not in the dictionary.
 
Note: Any cracker's standard "dictionary" includes "words" like qwerty, op[], qaz, sdfsdf, and other keyboard-location mnemonics.  It also includes common words and names in which a 3 has been substituted for an E and a 0 (zero) for an o (oh) -- such as l33thax0r and s0rdph1sh -- so those will quickly fall to a dictionary attack.  Some kinds of "mangling" are not as safe as they might seem.

Personal Data Attack!

Who hasn't seen the TV show in which the safecracker gets the loot by using somebody's birthday or wedding anniversary as the combination?   He's smart:  He knows that people use numbers that they can remember.  

Password crackers do the same thing.  They can look up all kinds of personal information about you and try variations of your mother's maiden name, your birthday, the street where you live, your brothers and sisters, the date of your gall bladder operation, etc.  Even so, if you mangle it sufficiently, it can be easy for you to remember, and all of that personal data will be useless to the evil-doer.  If the cracking software must try every mangled variation of every name, address, ZIP code, pet name, and restaurant that you know, it's nearly as badly off as if it had to do a brute-force (all-combinations) scan.
 

Some Good Advice from Microsoft

Microsoft advises the following when setting a password policy for access to a sensitive SQL Server database:
 
Don't use all or part of the username
(I'll add:  Don't use words that are in the dictionary)

It must be at least eight characters long

It must contain characters from at least three of these groups:
  -   Uppercase letters (A-Z)
  -   Lowercase letters (a-z)
  -   Digits (0-9)
  -   Special characters, such as #^$!.*()~ etc.
Cracking software has an easy time with long passwords if they contain dictionary words or repeated sequences.  Password length, by itself, is not a particularly good criterion.


Note:  Some sites won't let you use a too-short password.  A common requirement for banking logins is a minimum length of eight characters.  So size is important, if only to avoid the hassle of remembering special rules at some sites and not at others.
What you need to focus on is complexity.  You need a jumble of characters that do not spell anything, can't be guessed from your personal information, and is just long enough so that a brute-force attack will take too long to complete.

And it has to be easy to remember.  If you write it down, you'll need it to be handy (e.g., in your desk drawer or in a thinly-disguised disk file named "pswds.txt"), and someone can find it.  If you use the same password everywhere, then if you get scammed even once, then all of your secure logins are compromised -- that includes your on-line banking.
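An added example (not from the article, and not Microsoft's code) that turns the policy above, the author's "no dictionary words" addendum and the earlier note about mangled words into a check you can run.  The wordlist and the extra leet substitutions beyond 3/E and 0/o are constructed for the demo:

```python
import re

# Constructed stand-in for a cracker's wordlist; real lists are huge and also
# carry keyboard walks such as qwerty and qaz (both mentioned in the article).
CRACKER_WORDS = {"password", "letmein", "leethaxor", "swordfish", "chocolate",
                 "quincy", "qwerty", "qaz", "sdfsdf", "asdf"}

# Substitutions a cracker's rule engine undoes before a wordlist lookup
# (3->e and 0->o from the article; the rest are assumed common ones).
LEET = str.maketrans({"3": "e", "0": "o", "1": "l", "5": "s", "$": "s",
                      "@": "a", "4": "a", "7": "t"})


def unmangle(password):
    """Undo leet substitutions and drop non-letters, approximating what a
    dictionary attack with mangling rules effectively compares against."""
    return "".join(c for c in password.lower().translate(LEET) if c.isalpha())


def check_policy(password, username=""):
    """Apply the SQL Server rules quoted in the article (length >= 8, at least
    three of four character groups, no part of the username) plus the author's
    addendum: no dictionary word, even a mangled one.  Returns the list of
    failures; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    groups = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for g in groups if re.search(g, password)) < 3:
        problems.append("fewer than 3 of the 4 character groups")
    low, user = password.lower(), username.lower()
    # "all or part of the username": any three consecutive characters of it
    if any(user[i:i + 3] in low for i in range(len(user) - 2)):
        problems.append("contains part of the username")
    if unmangle(password) in CRACKER_WORDS:
        problems.append("is a dictionary word (after undoing mangling)")
    return problems
```

Run against the article's own samples: "CC13QyExp" and "LDGg!AYL" pass, the bare first-letters string "Mmtmtwbdlt" fails the three-groups rule, and "p@55w0rd" is caught as a mangled dictionary word.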
 

You Need a SYSTEM

What you need is a "mental algorithm" -- a versatile, repeatable, password-generating system.  You need a technique that generates different passwords for each website, but is easy to produce from memory when you need it.  

Here are three examples, some better than others, but this is really just to get you started thinking about your own system.
 

1. Secret Sentence

As an example at the Microsoft password advice page they suggest that you make up a long sentence -- or a string of words that you can remember.  Maybe something like:

     "My mother told me there would be days like this"

Now to generate the password, process that text with your "mental algorithm."  For instance, the most trivial example is to take the first letter of each word:

      Mmtmtwbdlt

To satisfy the "special characters" requirement, your algorithm might include some substitutions.  When you would normally type S, type 5 or %.  Or use 1 (one) instead of l (ell).  You could make every third character uppercase.  That sort of thing.  That Microsoft page shows several ways to add complexity to the password without adding a heap of mental strain to your often-overworked neurons.

2. Say the Secret Woid

This is similar to the last one, but instead of a sentence, choose a word or very-short phrase that you will never forget and that you can easily visualize without writing down (never write it down).  For instance: "LADYGaga!"

Now you will use only the letters of that word in your passwords, but you will put them in various, scrambled sequences.
 
      LADYGaga!
      123456789


Example: You choose the order 1,3,5,7,9,2,4,1.  So your password is the first, the third, the fifth, etc. letters of your secret word:

      LDGg!AYL

That looks like it would be hard to remember.  It is!  So with this algorithm, you write it down!  You write down the website and the sequence numbers on a post-it note and stick it on your monitor.  You can decode it, but nobody else can. (Reminder to the security-impaired:  Write down the numbers, but type-in the matching letters.  Oh, and don't write the secret-word key on the back of the paper.)

3. Cook Up a Sequence

Your base password will be a combination of some (apparently) arbitrary characters, digits, and symbols that you can remember, using your own mnemonic that you never reveal.  Here, you can use personal data to help you remember the "cooked" portion, as long as it is scrambled and sautéed enough.  

For instance, here is something I'll easily remember: My cat, Chocolate Chip, was 13 years old when we lived on Quincy Avenue.

So my "root" password is:  CC13Qy
 

Adding Salt -- Per-site Uniqueness

Algorithms #1 and #3 above describe how to generate a "base" password.  But ideally, we'd like to have a password that is different for each website where we need to log in.  Different, but also easy to remember!

One possibility is to insert something at the beginning or tack something on the end... a so-called "salt" value.  I've seen the suggestion to use the first three characters of the site's domain name.  For instance, my EE login (domain name is Experts-Exchange.com) might be:

    CC13QyExp    
...or...
    MmtmtwbdltExp

That algorithm would not protect me as much as I'd like.  It's better than using the same password everywhere, but any good hacker could recognize the pattern -- if he scammed one password from me, he'd be able to figure out others.  

Some variations I've heard include: the first few letters of the domain in reverse order; the three characters at the top, rightmost corner of the login screen; the second, fourth and last letter of the domain name; some sequence of letters directly below the password input box; etc.  

You can go pretty far with this.  Most people are quite visually oriented and when you get to the login-prompt, you'll probably be instantly reminded where you "hid the salt."  

In practice, this works quite well.  It is a secret that only you know, based on an algorithm (a set of visual cues) that only you know.  Will a hacker guess that your salt was "The last character of the domain name, plus the number of letters in the word below the password input box, plus the gender (M,F or ?) of the person pictured"?   Probably not, and anyway, the salt comes into play only if a hacker gets your base password somehow.
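The three pieces described above (the Secret Sentence with its substitutions, the Secret Woid position list, and the per-site salt) as an added example in Python.  This is illustration code, not the author's; the function names and the salt-rule names are assumptions:

```python
def first_letters(sentence, substitutions=None, upper_every=0):
    """Algorithm 1 (Secret Sentence): first letter of each word, then the
    optional mental tweaks the article suggests: a substitution table
    (e.g. l->1, s->5) and uppercasing every Nth character."""
    subs = substitutions or {}
    out = []
    for i, word in enumerate(sentence.split(), start=1):
        ch = subs.get(word[0].lower(), word[0])
        if upper_every and i % upper_every == 0:
            ch = ch.upper()
        out.append(ch)
    return "".join(out)


def pick_positions(secret, positions):
    """Algorithm 2 (Secret Woid): the 1-based positions, in order, of the
    secret word.  The position list is the part you may write down; the
    secret word itself stays in your head."""
    return "".join(secret[p - 1] for p in positions)


def add_salt(base, domain, rule="first3"):
    """Per-site salt appended to a base password.  'first3' is the article's
    example; 'reverse3' and 'second_fourth_last' are two variants it mentions."""
    label = domain.split(".")[0]   # 'Experts-Exchange.com' -> 'Experts-Exchange'
    if rule == "first3":
        salt = label[:3]
    elif rule == "reverse3":
        salt = label[:3][::-1]
    elif rule == "second_fourth_last":
        salt = label[1] + label[3] + label[-1]
    else:
        raise ValueError(f"unknown salt rule: {rule}")
    return base + salt


def site_password(sentence, domain):
    """Worked pipeline: sentence -> base (algorithm 1 with tweaks) -> salted,
    using the less obvious second/fourth/last salt rule."""
    base = first_letters(sentence, {"l": "1", "s": "5"}, upper_every=3)
    return add_salt(base, domain, "second_fourth_last")
```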
 

Summary

Using strong passwords is important, both in business and in your personal life.  An easy-to-crack password could open up your bank account to various evil-doers who lurk in the dark, terrifying recesses of the venomous snake pit that is the Internet.  Be sure to scare your kids with that, because it might save them from being embarrassed on FaceBook.  And scare yourself (at least a little bit) because it also happens to be true.

But you don't need to make a password so complex and hard to remember that you find that you need to write it down.  Don't make it so long that you need to use personal data in order to remember it.  Eight characters (including a mix of character case and digits, etc.) are probably "strong" enough for nearly any purpose.  And it's not hard to come up with a "mental algorithm" that's easier to remember than the actual password.

I fully expect to take some heat (and "No" votes) from self-proclaimed security experts who will tell me I'm giving out bad advice and that everybody must use 14-character passwords for everything.  So, I'll reply in advance:  When your 85-year-old grandmother asks what she should use as her password, do you tell her,

   "Well, grammy, you should always use: %wE7*45#Bb[g^vJ"  

??? I doubt it -- she doesn't know what a circumflex is.  You need to give her a simple password that is easy for her to remember (so she won't write it down), but hard to guess and hard to crack.  And be sure to remind her not to use her grandchild's name!
 

Bold Caveat

No password-generating algorithm is perfect.  Any system that is trivially easy (say, appending ten Xs) will be easier to crack than a system that employs truly randomly-selected characters, but writing passwords down on paper or putting them in a file on your hard disk presents an actual, not imaginary or overblown, risk.  So work out a way to keep it in your head.
 
I heartily invite comments from everybody.  I'd especially like to hear of other "mental algorithms" that you have used or have advised others to use.  What works?  What does not work?

Related links:


Password Recovery Speeds
http://www.lockdown.co.uk/?pg=combi

SQL Server 2008 password Policy
http://msdn.microsoft.com/en-us/library/ms161959.aspx

Microsoft SQL Server Strong Password Requirements
http://support.microsoft.com/kb/965823

Strong Passwords
http://msdn.microsoft.com/en-us/library/ms161962.aspx

Comments (35)

Jim Horn (SQL Server Data Dude)

Commented:
Excellent read.  Voted Yes.

Commented:
Saw this from Bruce Schneier and thought of Dan's article:
http://boingboing.net/2014/02/25/choosing-a-secure-password.html

Granted MD5 these days is a gift to crackers, but you know lots of places must still use it. TL;DR version, the longer, more random and less word like, the better your chances of not being in the 10% of password hashes that didn't get solved.  And if some site gets breached (like Kickstarter did a few days ago) you definitely should change your password to something secure.
tomarseneault (TAC-CX Engineer)

Commented:
Many folks have mentioned Password Safe from Bruce Schneier and it's great, I've used it for years, but it has one drawback: I use multiple systems, an iPad, iPhone, Windows at work, Windows at home, iMac at home, etc., but Password Safe is limited to a single system and does not run on Mac or mobile devices (at least last time I checked). I know you can copy the database around, but they can get out of sync too easily.

I personally use a cloud based solution that runs on mobile devices, mac and windows and I think there is even a Web based version for it. I was very hesitant about using a cloud based solution, who knows how the cloud is implemented and who has access, but I did a fair amount of research on the particular solution I picked (Keeper) and did not find any negative remarks (feel free to call me out if your experience is different). It has a built in password generator, I think they all do now days, where you can choose the complexity and content of the password. So now I only need to have one password and the database is synchronized over all my devices.

I have run into a problem with some sites however: they don't accept special characters. I don't know for sure but I think this is to limit possible shell exploits. Many special characters have special meaning to various shells, so that if the password is passed to the shell you may be able to cause arbitrary commands to be executed. So I limit my complexity to a-zA-Z0-9; I have tried to include "-" and "_" but some sites reject even that.

Lastly some comments on a comment by aikimark from back in 2010:
1. use non-English words and phrases.

2. always use https (secure) login pages -- I wish EE offered this

3. never use the same password for your email as you use for highly secure (financial) log-ins.

4. use a nonsensical phrase, such as Don't touch my moustache

5. Many passwords can be weak.  For instance, if you have an ID to access articles on a site, you can use a weak password, such as pwd.  Using strong passwords for all sites is not necessary.

1. Many password crackers use foreign language dictionaries, so do not use any legal words or phrases, even Klingon.

2. I wholeheartedly agree with this. I would add to always check and don't assume that the login is secure.

3. Again I agree, but as stated in the article, you should use different passwords for all your sites so this is a given.

4. Don't trust yourself to come up with a truly nonsensical phrase. The example here "Don't touch my mustache" is actually pretty well known (at least to my generation). A truly random password generator (with a password safe type solution) is best.

5. While technically true, I would not trust myself to decide what site does not need security now and forever. A site may only give me read access today, but will that always be what I require? The information I'm reading, is it always going to be "public"? While I may only require read access, does this give an attacker a foot hold to post on my behalf?

The above are my opinions. They come from years of experience and some really stupid mistakes.  And as I stated above, if anyone has any differing opinion on cloud based solutions for a password safe I would really love to hear them.

Tom
Michel Plungjan (IT Expert)

Commented:
Nowadays I use KeePass + Google drive. There is an Android client, so I have access on my phone.
