This article on hacked RockYou passwords made me check my own password behavior, and – what should I say – everything’s fine ;-)
But my real-life experience in team and family tells me that I’m the exception. And according to the TechCrunch article above, I’m a biiiig exception: only 0.2% of the users had a »strong password«.
In this post I would like to point out the most common mistakes with passwords and show how you can make up passwords that are easy to remember and strong as well.
1. The weak-password-trap
First: What are weak passwords? Basically they are short, contain only letters and can be found in the dictionary (even combinations of those – like “iloveyou” – are evil).
You should use at least eight characters to resist a brute-force attack. The more the better. (If you think a long password is hard to memorise, you can use the method described in section 3.)
Every additional character multiplies the number of possible combinations enormously (see Appendix): with lowercase letters only, for example, using nine instead of eight characters multiplies the possible combinations by 26, increasing them from 0.2 to about 5 trillion.
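The three criteria for a weak password given above (short, letters only, a dictionary word or a combination of dictionary words) can be checked mechanically, for example when a user picks a new password. The following Python code is an added example, not part of the original post; the function names are hypothetical and the word list is a small constructed sample standing in for a real dictionary.

```python
# Constructed mini word list for the demo; a real check would load a full
# dictionary or a list of known leaked passwords (assumption, not from the post).
WORDS = {"i", "love", "you", "pass", "word", "quick", "brown", "fox", "dog"}
MIN_LENGTH = 8  # the minimum length the post recommends


def is_word_combination(password, words=WORDS):
    """True if the password is one dictionary word or several concatenated."""
    text = password.lower()
    if not text:
        return False
    # reachable[i] is True when text[:i] can be split entirely into words.
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        for start in range(end):
            if reachable[start] and text[start:end] in words:
                reachable[end] = True
                break
    return reachable[-1]


def weaknesses(password, words=WORDS):
    """Return the weak-password criteria from this section that apply."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("too short")
    if password.isalpha():  # letters only, no digits or special characters
        found.append("letters only")
    if is_word_combination(password, words):
        found.append("dictionary word or combination")
    return found


if __name__ == "__main__":
    # Sample inputs: "iloveyou" is the post's example, "T96F!0t1D" is the
    # password built in section 3, the others are constructed.
    for candidate in ("iloveyou", "fox", "Password", "T96F!0t1D"):
        print(f"{candidate!r}: {weaknesses(candidate) or 'no weakness found'}")
```

An empty result only means that none of the three criteria matched against the word list that was supplied.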
2. The same-password-trap
Even the strongest password is useless when someone else knows it (saved as clear text, noted down, …) and can access all kinds of different accounts with it – check out the xkcd comic on password reuse.
3. How do I find a secure and easy to remember password?
Here is my tip: make up a long but easy-to-remember sentence. As an example we use: »The quick brown Fox jumps over the lazy Dog.«
Now we take the first letter of each word: TqbFjotlD.
Let’s replace the o (letter O) with a 0 (zero). The q looks a little bit like a 9 and the b like a 6. The l can be replaced with a 1: T96Fj0t1D.
Now I replace the j with a !, because they also look alike.
A secure password would be T96F!0t1D.
Substitutions you can use most of the time: $ instead of S, 3 instead of E, 7 instead of t.
4. Password generators
There are a lot of programs that generate a random sequence of characters. Some can be configured with regard to length and the (special) characters used. I use one to generate »one-time passwords«, e.g. for user logins where the password has to be changed after the first login. Because otherwise you either have to memorize these (more or less) random sequences (hard), or you have to note them down (insecure), or you have to store them, using:
5. Central pw management
Finally there is the possibility to store passwords in one central place. A small program encrypts your password(s) into a database and decrypts them after you enter a master password.
This is a really handy way, because you can use truly random character sequences (from section 4) without having to remember them or note them down. But even this way has three catches:
1. The PW management tool has to be secure itself (strong encryption of the passwords, resistant to attacks).
2. One password gives access to everything!
3. Most times, a PW management tool is bound to the computer on which it was installed. If you want to use the passwords on the go, you have to use your brain or an (in)secure online access.
One last tip
Don’t ever change your password on a Friday or just before your holidays: the chance of forgetting it is quite big.
And one more appeal to my developer colleagues: please please please don’t store passwords as clear text in databases. The strongest password becomes useless if every sysop can read it in MySQL.
Appendix

| Length | Used characters | Possible combinations |
|---|---|---|
| 8 | lowercase only | 26^8 (0.2 trillion) |
| 8 | lower-/uppercase and digits | 62^8 (218 trillion) |
| 8 | lower-/uppercase and digits and special characters* | 77^8 (1236 trillion) |
| 9 | lowercase only | 26^9 (5 trillion) |
| 9 | lower-/uppercase and digits | 62^9 (13500 trillion) |
| 9 | lower-/uppercase and digits and special characters* | 77^9 (95000 trillion) |

Obviously: a combination of a long password and many characters enlarges the number of variations enormously.
* I tend to be cautious with special characters! It may happen that you are using a keyboard on which you can’t find all special characters (Mac/Windows, abroad, cyber cafe). But !§$%&/()=?.,:; should always work. For the table above I assume 15 working special characters.