
In Search of the Ultimate Password

Your password is based on a word, about eight characters long. You’ve substituted some numbers for letters (‘3’ for ‘E’ and ‘4’ for ‘a’, etc.), you’ve made sure to capitalize a letter or two, and you’ve welded an exclamation mark to the end, as if to emphasize your adherence to the immutable checklist of password strength. You breathe a sigh of relief. Every month or so, you forget this password (or you remember it because you use it everywhere). But it’s strong… right? Let's dig into the subject of password security to uncover the myths, maths, and methods that define this crucial aspect of computing.

The Holy Grail

As denizens and explorers of the digital space, we can frame this discussion as a quest. We are in search of the holy grail of password security; a means of constructing a password that offers us maximum protection with maximum memorability — we’re only human, after all.

If the formula I described in my introduction — the one that accounts for the vast majority of passwords used today — sounds like the ideal, then you may be surprised to learn that it not only produces tricky-to-recall passwords (obviously), but it is also far less secure than you might expect. To make matters worse, having a strong password is only half the battle.

In order to understand why this is, we need to take a brief detour into the scary world of information theory to equip ourselves with some basic knowledge that will allow us to grasp how password security is measured and compared.

Entropy

In general, the strength of a password is discussed in terms of bits of entropy, a measure from information theory that describes the uncertainty associated with a variable’s outcome. The more uncertainty, or in other words, the less an attacker knows in advance about the value being guessed, the higher the entropy.

For example, a fair coin toss represents a single bit of entropy, since the uncertain value is one of two equally likely possibilities. For a password chosen at random the formula is not hideous at all: a password of L characters, each drawn from an alphabet of N possibilities, has L × log2(N) bits, and every doubling of the number of possibilities adds one bit. The catch is that this formula only applies when the password really was chosen at random. A password you made up by mutating a dictionary word has far fewer possibilities than its length and character set suggest, and the attacker’s tools are built around exactly that fact.

Bringing this back to our quest, we need only remember that, the more bits of entropy a password has, the more difficult it is to crack.

Know Thine Enemy

Now that we know the basic principle of how password strength is measured, we need to examine our opponents in this endeavor: the hackers, password crackers, and other digital miscreants who seek access to your accounts.

Password cracking is a cornerstone of the hacking world, and unsurprisingly boasts one of the most extensively developed arsenals in the hacker’s repertoire. In general, password cracking methods fall into one of two categories: pattern cracking, and brute-force attacks.

Cracking a password is less difficult than you might think these days.

Pattern-Based Password Cracking

If you’ve followed the formula from my introduction, your password is likely very susceptible to pattern-based cracking methods. These come in various flavors, ranging from the basic dictionary attack to more sophisticated variants that exploit common password creation techniques.

When they apply, pattern-based approaches are always tried first, because they vastly reduce the number of candidates the attacker must test before hitting the real password. Modern cracking tools take a dictionary and apply rule sets to every entry: capitalize the first letter, swap letters for look-alike digits and symbols, append a digit or a year, add an exclamation mark. The password from the introduction is produced by exactly those rules.

Brute-Force Attacks

This second category of attacks represents the barbarian approach to password hacking. In essence, a brute-force attack means systematically trying every possible combination of characters until one matches. In practice it is rarely run against a website’s login form, where each guess costs a network round trip and the site can throttle or lock the account. Instead, the attacker steals the site’s database of password hashes and runs the guesses offline on their own hardware, checking each candidate against the stolen hashes with nothing to slow them down.

Clearly this seems daunting, because each extra character multiplies the number of possibilities. Unfortunately, the guess rate depends on the attacker’s hardware and, above all, on how the site stored the passwords. A modest machine manages somewhere between several hundred thousand and a million guesses per second; a rig of consumer graphics cards testing against a fast, unsalted hash such as MD5 or NTLM manages tens of billions. Only a deliberately slow password hash (bcrypt, scrypt, PBKDF2 or Argon2) brings that rate back down to the thousands.

That eight-character password you have that uses numbers, multiple-case letters, and special characters? It’s probably worth somewhere between 30 and 50 bits: closer to 50 if you treat it as a random string, closer to 30 once you account for the fact that it is a dictionary word with predictable substitutions. Thirty bits is about a billion guesses, under twenty minutes at a million guesses per second. Even the full 50 bits, about 10^15 guesses, fall to a GPU rig in a day or so.
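To see what these figures mean, here is an added example (not from the original article) that computes the entropy of a random password from its length and alphabet, the optimistic character-set estimate that strength meters report for a given string, and the time needed to exhaust a keyspace at a given guess rate. The guess rates in the table are illustrative assumptions, not measurements.

```python
import math

# Printable ASCII, split into the character classes a cracking tool would
# enumerate: 26 + 26 + 10 + 33 = 95 symbols in total.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random.

    There are alphabet_size ** length equally likely passwords, so the
    entropy is log2 of that, i.e. length * log2(alphabet_size). A fair coin
    toss is alphabet_size=2, length=1 and comes out at exactly 1.0 bit.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one position")
    return length * math.log2(alphabet_size)


def charset_bits(password: str) -> float:
    """The optimistic 'composition' estimate that strength meters report.

    It assumes every position was drawn at random from the union of the
    character classes present in the string. Characters outside printable
    ASCII (a curly apostrophe, say) are lumped in with the symbol class.
    For a human-chosen password such as '7YmP@ni5' (leetspeak 'timpanis')
    this is an upper bound only: a rule-based dictionary attack needs far
    fewer guesses than 2 ** charset_bits.
    """
    size = 0
    if any(c.islower() for c in password):
        size += CHARSET_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CHARSET_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CHARSET_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CHARSET_SIZES["symbol"]
    return entropy_bits(size, len(password))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of the given entropy.

    On average the right one turns up halfway through, so the expected
    time is half of this.
    """
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return 2.0 ** bits / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit, for the table below."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


# Illustrative guess rates (assumptions, not measurements): an online attack
# against a login form that throttles to a few guesses a second; the
# article's "modest hardware" figure; and a GPU rig hashing a stolen database
# of fast, unsalted hashes.
GUESS_RATES = {"online, throttled": 10.0, "offline, one CPU": 1e6,
               "offline, GPU rig vs MD5/NTLM": 1e10}

if __name__ == "__main__":
    scenarios = {
        "coin toss": entropy_bits(2, 1),
        "mutated dictionary word (~30 bits)": 30.0,
        "7YmP@ni5 as if random": charset_bits("7YmP@ni5"),
        "12 random lowercase letters": entropy_bits(26, 12),
        "16 random keyboard characters": entropy_bits(95, 16),
    }
    for name, bits in scenarios.items():
        print(f"{name}: {bits:.1f} bits")
        for rate_name, rate in GUESS_RATES.items():
            print(f"    {rate_name:32s} "
                  f"{human_duration(seconds_to_exhaust(bits, rate))}")
```

Run it and compare the "online, throttled" column with the two offline ones: the same 30-bit password that survives years against a throttled login form lasts minutes against a stolen hash database, which is why the question of how a service stores your password matters as much as the password itself.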

Our Friend, CAPTCHA

Regardless of the approach, cracking a password requires the ability to try many candidates and see which one matches. This is where the other half of password protection comes in: what the account provider does to limit guessing, and how it stores your password in the first place.


If you’ve ever encountered a CAPTCHA on a website (those forms that require you to decipher obscure digits or words in order to proceed) then you may have come to the conclusion that the website hates you, your eyes, and your free time. This is most likely not the case.

In fact, those aggravating CAPTCHAs serve a purpose in account security: they stop bots from submitting the login form at machine speed, which denies an attacker the thousands of guesses per second that an online guessing attack needs. They are not infallible (CAPTCHA-solving services exist), but they are an extra layer.

Along with other server-side measures such as lockouts or escalating delays after too many failed attempts, CAPTCHAs are the online half of the password protection coin. Bear in mind what they do not cover: once an attacker has stolen a site’s password database, every guess is made offline on the attacker’s own hardware, and no CAPTCHA or lockout is involved. At that point the only things standing between the attacker and your account are the entropy of your password and whether the site hashed it with a slow, salted algorithm rather than storing it in plaintext or as a bare MD5 hash.

It’s often worth exploring what kind of security measures a service has in place before committing too much of your private data to their care, because no matter how strong your password is, it won’t matter if the back door is open.
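As an added example of the server-side "timeout after too many failed attempts" measure (illustrative code, not from the article or any particular service), here is a per-account throttle with escalating lockouts. The clock is injectable so the behaviour can be exercised without waiting; `check_password` stands in for whatever the site uses to verify a password against its stored hash.

```python
import time
from collections import defaultdict


class ManualClock:
    """A clock you advance by hand, so lockouts can be exercised without sleeping."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class LoginThrottle:
    """Per-account failed-attempt tracking with escalating lockouts.

    After `threshold` consecutive failures the account is locked for
    `base_delay` seconds; each further failure doubles the delay, capped at
    `max_delay`. A successful login clears the record.
    """

    def __init__(self, threshold: int = 5, base_delay: float = 30.0,
                 max_delay: float = 3600.0, clock=time.monotonic):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._failures = defaultdict(int)
        self._locked_until = defaultdict(float)

    def allowed(self, account: str) -> bool:
        return self.clock() >= self._locked_until[account]

    def retry_after(self, account: str) -> float:
        return max(0.0, self._locked_until[account] - self.clock())

    def record_failure(self, account: str) -> None:
        self._failures[account] += 1
        excess = self._failures[account] - self.threshold
        if excess >= 0:
            delay = min(self.base_delay * 2 ** excess, self.max_delay)
            self._locked_until[account] = self.clock() + delay

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str,
                  check_password) -> tuple:
    """Gate the password check behind the throttle.

    Returns (ok, retry_after_seconds). While the account is locked the
    password is not checked at all, so a correct guess gets the same answer
    as a wrong one and the response leaks nothing about it.
    """
    if not throttle.allowed(account):
        return False, throttle.retry_after(account)
    if check_password(account, password):
        throttle.record_success(account)
        return True, 0.0
    throttle.record_failure(account)
    return False, throttle.retry_after(account)


if __name__ == "__main__":
    clock = ManualClock()
    throttle = LoginThrottle(threshold=3, base_delay=10.0, clock=clock)
    # Stand-in verifier for the demo; a real site compares against a stored hash.
    check = lambda account, password: password == "correct horse"
    for guess in ("wrong1", "wrong2", "wrong3", "correct horse"):
        print(guess, attempt_login(throttle, "alice", guess, check))
    clock.now = 10.0
    print("after 10 s:", attempt_login(throttle, "alice", "correct horse", check))
```

Note the trade-off: a hard lockout lets anyone who knows your username lock you out, which is why many sites prefer escalating delays to permanent locks, and why attackers answer with password spraying (one common password tried against thousands of accounts, staying under every per-account threshold). None of it helps once the hash database has been stolen; an offline attacker never touches the login form.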

More Bad News: Some Password Creation Tricks Suck

For the most part, our introductory formula for password creation offers sound advice. Multiple cases, special characters, numbers; these all enlarge the alphabet an attacker must search, but only if they appear in positions the attacker cannot predict.

That condition is where most people go wrong, and there are other techniques that you’ve likely had recommended to you that just plain suck at keeping your account safe. Let’s examine some of these guidelines and identify examples of poor password techniques.

  • Using Numbers: Most people unfortunately interpret this guideline as “add a 1 to the end”, which is so banal as to pose virtually no additional challenge: appending a digit or two, or a recent year, is among the first rules a cracking tool applies to every dictionary word. If you’re using numbers in your password, don’t just toss a bunch of them at the end and expect it to make a big difference.
  • Special Characters: The typical use of special characters is to replace letters with visually similar ones (‘@’ instead of ‘a’, for instance). The problem is that every pattern-based tool ships with rule sets that apply exactly these substitutions to each word in its dictionary, so your only achievement is a password that is harder for you to remember and no harder for the tool to find.
  • Typing on a Different Keyboard Row: Ah, now this one seems like a stroke of genius! Instead of typing your password in its normal position on the keyboard, you mimic the same key pattern but shift everything one row up, or down, or over to the left or right. While this is certainly more compelling than the above, the same rule sets include these keyboard shifts, meaning that the added security is, once again, negligible.
  • The Bottom of the Barrel: Sometimes, people get really lazy with passwords. They’ll do things like repeat one word or number several times (I once visited a coffeeshop whose Wi-Fi password was twenty-six ’1’s in a row), or they’ll use a few sequential keys from their keyboard, or a name, birthday, or phone number. So now, when the hacker cracks your password, they will have your phone number and birthday too. Bonus!

Now For Some Good News

The deck may seem stacked against you, but it’s worth remembering that most of us are not going to be the targets of dedicated hackers. Our priority is to make informed choices about the services we trust with our data, and to make our accounts as secure as possible without causing ourselves unnecessary headaches trying to remember obscure strings of characters.

There are a number of clever ways to create secure passwords that conform to these criteria, but we’re going to focus in on two primary ones that are not only popular, but also extremely effective, and flexible enough to be used everywhere.

Diceware: Surrealist Security

One of the most fascinating paradoxes of password security is that a single word is cripplingly easy to compromise, yet several words chosen at random and strung together make one of the most secure passwords available, and one that is vastly easier to remember than an equally long string of random characters. The qualification matters: the words must be chosen at random, not by you.

One of the primary methods of generating such a word list is called ‘Diceware’, so named because you use ordinary dice to pick words from a list, such as the standard English Diceware list of 7,776 words (one for every possible result of five dice rolls).

For each word in the password (or passphrase, in this case), you would roll a die five times. The resulting numbers would be strung together — let’s say 61345 — and then the corresponding word from the list is selected, in my case ‘toad’.

Now, as an example, let’s take a typical “strong” password: 7YmP@ni5 (timpanis, for you non-musical folk). Counted as eight random characters drawn from the full keyboard, it would be worth about 52 bits of entropy; as a dictionary word with standard substitutions, a rule-based attack finds it in a tiny fraction of that. Either way it’s not terribly memorable: which letter was substituted with which special character or number? Which letters were capitalized?

XKCD’s “Password Strength” comic illustrates the problem.

Finishing up a 5-word passphrase using the Diceware word list, I came up with ‘toadloafsteamwhackethos’. Five words from a list of 7,776 gives 5 × log2(7776), about 65 bits of entropy, a much more daunting challenge for attackers, since each additional bit doubles the number of possibilities to run through.

Normally, five words is considered the minimum viable length for a Diceware passphrase (six words, about 77 bits, is now the usual recommendation), and the beauty of the system is that the entropy value is calculated assuming the attacker knows you’re using a Diceware list, which list, and how many words are in your passphrase. If they know anything less than that, or are coming at it completely blind, they have even more work to do.
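The dice-to-word procedure above, as an added example (not from the original article or the Diceware project): the rolls come from the operating system’s CSPRNG rather than physical dice, the five-digit key is converted into a list index, and the entropy is computed from the list size and word count. The 36-word list is constructed here for a two-dice demonstration; the real list has 7,776 entries keyed 11111 to 66666 and uses five dice.

```python
import math
import secrets

DICE_PER_WORD = 5                       # the standard list: 6 ** 5 = 7776 words
STANDARD_LIST_SIZE = 6 ** DICE_PER_WORD

# Constructed 36-word list for a two-dice demonstration (not a real Diceware
# list); a real list has 7776 entries, one per five-dice result.
TOY_WORDS = ("apple bench cider dwarf eagle fable grape hover ivory jolly "
             "knack lemon mango noble ocean pearl quilt robin sugar toast "
             "umpire vivid wafer xenon yacht zebra acorn brisk cocoa delta "
             "ember frost glide harp igloo jumbo").split()
assert len(TOY_WORDS) == 6 ** 2


def roll_key(n_dice: int = DICE_PER_WORD) -> str:
    """Roll n_dice fair dice and return the faces as a string, e.g. '61345'.

    The rolls come from secrets (the OS CSPRNG), never from the random
    module: the entire value of Diceware is that nobody can predict them.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def key_to_index(key: str) -> int:
    """Convert a dice key to a 0-based position in a sorted Diceware list.

    The list runs 11111, 11112, ... 66666, so the key is simply a base-6
    number whose digits are 1..6 instead of 0..5.
    """
    if not key or any(d not in "123456" for d in key):
        raise ValueError(f"bad dice key: {key!r}")
    index = 0
    for d in key:
        index = index * 6 + (int(d) - 1)
    return index


def passphrase(words, n_words: int = 5, n_dice: int = DICE_PER_WORD,
               sep: str = " ") -> str:
    """Pick n_words from a list of exactly 6 ** n_dice words by dice roll."""
    expected = 6 ** n_dice
    if len(words) != expected:
        raise ValueError(f"list must have {expected} entries, got {len(words)}")
    return sep.join(words[key_to_index(roll_key(n_dice))] for _ in range(n_words))


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy on the Diceware assumption that the attacker knows the list
    and the word count, so each word contributes log2(list_size) bits."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print("toy two-dice phrase:", passphrase(TOY_WORDS, 5, n_dice=2))
    print("key 61345 -> index", key_to_index("61345"))
    for n in (4, 5, 6):
        print(f"{n} words from the standard list: "
              f"{passphrase_bits(STANDARD_LIST_SIZE, n):.1f} bits")
```

With a real list, load the 7,776 words in key order and call `passphrase(words, 5)`; the entropy figure does not depend on whether you keep the spaces between words, only on the words having come from the dice.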

And because it’s a list of common words, it’s far easier to remember, especially if the words conjure up an absurd image or story. One caution: the memorability trick must be layered on top of words the dice chose, not used instead of them. A phrase you already know, such as ‘Hey,listen!’ for Zelda fans, would be worth about 70 bits only if it were 11 random keyboard characters; it isn’t, it’s a famous quotation, and quotation lists are a standard ingredient of cracking dictionaries.

Quotable Defense

A devious and very effective method for generating strong passwords involves the use of phrases in a slightly unconventional way that happens to tick off many of the checkboxes of strong password creation — assembling the first letters and all punctuation into a password.

Let us take, for instance, a poem like The Jabberwocky, by Lewis Carroll. From the first stanza, we shall take the first two lines, which are:

’Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;

Then, applying this method, we would end up with “’Tb,atstDgagitw;”. Counted as sixteen characters drawn from upper case, lower case and punctuation, that is about 100 bits of entropy. Treat that figure as a ceiling rather than the truth: the string is derived from a very famous poem, and an attacker who builds a list of acronyms from well-known texts will find this one in a handful of guesses. The method is sound; the choice of a passage everyone knows is the weak spot.
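The first-letters-plus-punctuation rule, as an added example (not from the original article): the function keeps the first letter of each word and every punctuation mark in order, so the two Jabberwocky lines yield the password quoted above, and a second helper cuts a longer passage into line pairs, one password per pair, which is the “different verse per service” idea discussed later in the article. The stanza is quoted from Carroll’s poem; everything else here is illustrative.

```python
def acronym(text: str) -> str:
    """Keep the first letter of each word plus every punctuation mark, in order.

    Words are separated by whitespace, so line breaks are fine. Anything
    that is not a letter or digit is kept wherever it sits in the word, so a
    leading apostrophe ('Twas), a trailing comma and an interior hyphen all
    survive; the remaining letters of each word are dropped.
    """
    out = []
    for word in text.split():
        seen_letter = False
        for ch in word:
            if ch.isalnum():
                if not seen_letter:
                    out.append(ch)
                    seen_letter = True
            else:
                out.append(ch)
    return "".join(out)


def acronyms_per_chunk(poem: str, lines_per_password: int = 2) -> list:
    """Split a poem into groups of lines and derive one password per group,
    giving a family of related but distinct passwords from a single text."""
    lines = [ln for ln in poem.splitlines() if ln.strip()]
    return [acronym("\n".join(lines[i:i + lines_per_password]))
            for i in range(0, len(lines), lines_per_password)]


# The first stanza of Lewis Carroll's "Jabberwocky", used as the input.
JABBERWOCKY_STANZA_1 = """’Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;
All mimsy were the borogoves,
And the mome raths outgrabe."""

if __name__ == "__main__":
    for i, pw in enumerate(acronyms_per_chunk(JABBERWOCKY_STANZA_1), 1):
        print(f"lines {2 * i - 1}-{2 * i}: {pw!r} ({len(pw)} characters)")
```

The second pair of lines produces “Amwtb,Atmro.”, twelve characters with the same mix of cases and punctuation, so one poem you know by heart can supply a different password for each service without any new memorisation.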

The Jabberwocky. Yeah, he looks like he can protect my password.

Let’s look at the advantages: it appears random on the surface, so ordinary dictionary rules will not reconstruct it (though attackers can and do compile acronym lists from famous texts, so prefer an obscure passage over a celebrated one); it uses both multiple-case letters and special characters; it is more than 12 characters long (a common guideline); and despite its apparent obscurity, it’s hard to forget because it’s derived from a piece of literature that is inherently easy to remember: a poem!

Assuming you dislike poetry, you can of course make use of a line from your favorite speech, or a quotation from a book, or any other phrase that you are unlikely to ever forget.

I personally recommend poetry for two reasons: one, it tends to be rich in punctuation and capitalizations, and two, it is almost always very easy to memorize (just think of how many popular songs you can sing along to).

Varying Your Passwords

The last piece in the strong password puzzle is variability: do not use the same password everywhere; it is the single biggest mistake you can make. When one site’s password database is breached and cracked, the recovered passwords are promptly tried against every other popular service (the industry calls this credential stuffing). Ten different, even weaker, passwords are safer than one stronger one used ten times, because if that one is compromised, every account you have is compromised with it.

Using the two methods outlined above, you can keep things consistent and still have different passwords for different services: a fresh Diceware roll for each, or different verses of the same poem. Avoid variations that are predictable from one another, though. If one site leaks ‘toadloafsteamwhackethos’ and another uses the same four words with only the last one changed, the second password is a single Diceware word (about 13 bits) away from the first.

Writing Things Down

We should briefly talk about the problem of writing passwords down to remember them. This is a security risk that many people take, putting their crucial passwords in a notebook or slip of paper in their wallet.

While it’s convenient, it also opens up an entirely new avenue of danger — if someone steals your wallet, they’d normally escape with some money and your ID. Now, they can also access every account that you’ve written down a password for. Can you remember to go and change them all in time?

When we propose our ideal password solution, we emphasize that it should produce something memorable precisely so that you won’t need to resort to writing things down to remember it.

Alternatively, if the formula you use is something that you can easily recall, then you may only need to write down obscure reminders that will be useless to anyone trying to crack your password. If you used the poetry acronym method, you could keep a note that simply indicates which verse you used for each service — a thief wouldn’t know what you’re talking about.

The Easy Way Out?

At this point, you may be wondering why you shouldn’t use a dedicated password service like LastPass to both manage and generate your secure passwords.

Password managers of that kind are reputable and flexible tools, and you should certainly consider using one. The reason it still pays to be able to generate your own strong passwords is that these too are services run by companies, so they are targets themselves, and far more attractive targets than one lonesome individual. After all, who’s a hacker more likely to target: one random person or a company that boasts about providing strong password protection for millions of users? A good manager encrypts your vault with a key derived from your master password, so if its servers are breached, the strength of that one master password is what keeps the vault closed.

Since they’ve made it their business to do just that, many of these services are worth trusting, but if you’re more cautious, or you don’t want to have everything stored in an app, or you simply want a means to create a strong master password for those other solutions, it pays to know how to make one — and now you do!

Parting Thoughts

It goes without saying that the strongest passwords are those 20-character randomized behemoths that you can easily find a generator for on the web. These are categorically stronger than any other you’re likely to formulate. But they’re also useful only for machines and people with a ridiculous skill for memorizing complicated strings of characters — they simply aren’t practical for everyday use.

The notion of an ideal password that we’ve explored in this tutorial has been one that finds a happy balance between integrity and memorability. You’re now equipped to spot the most egregious password creation pitfalls and create strong, memorable, and variable passwords for yourself. So go forth and batten down the hatches on your valuable digital assets.

While you’re at it, change a password whenever there’s reason to think it has been exposed: a breach notice, a device you no longer trust, an account you once shared. A password that has never leaked gains nothing from a calendar-driven change, and forced rotations tend to produce predictable variants of the old one, so spend the effort on strength instead.

Have a better method? We want to hear about it! Passwords are important, so hop into the comments and share your thoughts.
