February 16, 2018
There are thousands of online service that we have access to via the internet today. Some are immensely useful and others are just plain silly. Regardless, they all need secure access. When it comes to something like your bank or email account, you definitely don’t want just anyone poking around. The main shield against having this happen is the humble username and password. These days we also have an emerging trend of using biometrics. Especially when it comes to mobile apps. Using mobile devices as a form of two-factor authentication is also a powerful modern development.
Despite all of this, you are still expected to come up with a decent password whenever you sign up for something new. You might even be asked to change it on a regular basis. So in addition to our already busy lives, we now have to constantly think up passwords that are :
So in this article, I’m going to look at a few methods that will help you craft a strong password. Without driving you nuts first.
To understand how to craft a good password, it helps to know how hackers crack them in the first place. If you go to a site like Facebook or Google and try to guess someone’s password, the account will be locked after three or so tries. You’d have to be incredibly lucky to guess a password correctly out of the many possible combinations. So no one tries to do this. Instead, when a data breach happens and encrypted password files are stolen, the hacker will use software to attempt a crack. The software takes the encrypted passwords and then guesses what it might be. It gets run through the same process used to encrypt the password in the first place. If the results look the same, it means the password has been guessed correctly. If not, it tries again. Since its applying the guesses to an offline copy of the database, it can try as many times as it likes. Modern computers can do this very quickly and often passwords can be cracked in a short enough time to make the method practical.
This is known as the “brute force” method. It takes a long time but will work eventually. In addition to this, other methods are applied that cut down the time a brute force attack takes. One of these is referred to as a “dictionary” attack. Here the cracking software uses common words in various combination to look for more likely passwords. After all, if your password consists of four common English words, it’s actually only a 4-digit password from the perspective of the software. Albeit with many possible words in each position.
So our goal is to create a password that makes this sort of attack as hard as possible. To extend the time it would take beyond what’s practical and defeat things like dictionary attacks.
The fastest and most secure way to craft a strong password is to use a password manager. The software will automatically create a password that’s almost impossible to guess. However, it will also be almost impossible to remember as well. That’s one of the reasons you need a password manager in the first place. Even then, you need to create a password for the password manager itself. That means there’s no way to escape the need to learn password crafting kung-fu.
This one is obvious enough, yet plenty of people never spare a thought for their password length. Most sites these days will ask for a password that’s at least eight characters in length. Why is that? It makes sense if you think of your password as a combination lock. If you only have one number, then you only need ten guesses. If you have four numbers, the possible combinations go up to 10 000. For every single digit, you add the number of combinations on a padlock goes up by a factor of 10.
If you allow numbers, letters, special character and case sensitivity it gets even better. There are 95 possible combinations of a single digit.
Using a password combination calculator we can see that the typical eight-character password has 6,634,204,312,890,625 possible combinations. That’s huge, but modern computers are plenty fast. So they can chew through that many combinations at thousands of tries per second. If you add just one more character, the possible combinations go up to 630,249,409,724,609,400. That’s a huge difference for such a small addition. So try to make your password as long as possible while still retaining the ability to remember it. It’s also essential to use all the character elements: upper case, lower case, numbers and special characters.
Thanks to dictionary attacks and sophisticated pattern analysis, you should avoid using simple phrases as passwords. Yes, you can make a very long password by writing a sentence, but that means you make it more likely that a sophisticated cracking tool will figure it out more quickly. Swapping out some letters for numbers and special characters isn’t necessarily any help either. Since the software already knows to swap “at” for “@” or “e” for “3”.
If you must create a password that consists of a phrase or a collection of random words, try to make it a little harder to simply pick it off the list. Choose four or five words that don’t have an obvious connection, but that you can remember by connecting them in your head. Basically, like the example password “correct horse battery staple” from that famous XKCD comic. It’s up to you to figure out a connection that will help you remember the password. Which brings me to the next point.
A mnemonic is something that’s easy to remember but contains a lot of information. For example, the notes on the line of the treble clef in music are EGBDF. Many mnemonics have been thought up to help students remember these notes. There’s “Every Good Boy Deserves Fudge” or “Every Good Boy Does Fine” as two examples. The first letter of each word represents the string you want to remember.
You can use exactly the same method to generate a password string that’s as strong as a randomly generated one. However, this is one you’ll remember because it’s connected to a phrase that only you know.
For example, you could make up a phrase such as “The monkeys threw $5 at my House”, which conjures a memorable image. Converting that to a password string you’d get “Tmt$5amH”. As long as you remember the phrase you can always come up with the password again. I first read about this method in an article about ethical hacker Kurt Muhl and I think it’s pure genius.
Getting a handle on good password creation habits is essential. But it’s not enough. It’s essential that you also use two-factor authentication wherever it’s available. Also, please don’t use the same password and email combination on multiple sites. Since different web-services have different levels of security, you might compromise your bank or primary email account, because you used the same password on another site with terrible security.
I’ve seen some articles on the web suggest that you write down your password and save it in a safe place. I’m a little torn on this advice. Personally, my principle is to never write any passwords down. However, if you do go this route there are ways to make it a little safer. Write down half of your password on one piece of paper and the other half on another. Store them in separate locations. It means you will have to be compromised twice to lose your password once.
Hopefully, you now have a good idea of the basics involved in making a strong password. You don’t have an excuse for using “p@$$w0rD1234” ever again.