Monday, April 5, 2010

Picking A Good Password

Like most people, I spend a fair amount of time dealing with passwords.  However, as a nerd, I also spend a fair amount of time reading and thinking about passwords.  For a while, I've wanted to join the legions of blogs spouting off about password security while knowing nothing about it.  Much of my advice will contradict the kind of advice found in IT policies.  No one wants to give somewhat lax, but realistic, advice for fear of being blamed after an attack.  Since I'm just some random dude on the internet, if you follow my advice and then get screwed I can just laugh at you rather than fear responsibility.  Hopefully, this will make my advice more realistic.

There is no shortage of advice along the lines of using 12 random characters, different for every password, changed monthly, and written down nowhere.  All those ideas are terrible, and ignore basic facts about people.  However, they do have some root in good practices.  The problem is they have been corrupted and taken to an extreme by people that don't understand them.

Before making a password you must first understand what types of attacks you will be protecting against.  Think about what you are protecting and act accordingly.  Many people use the same password on every website, from their bank to the Pumpkin Lover's Forum.  The reason this is a bad thing is that while your bank likely takes security seriously, the forum possibly doesn't.  Thus, an attacker can get your password from the forum and then use it everywhere else you have an account.

So your first step is to decide what sites deserve a unique password, and which ones don't.  Some sites will be obvious, e.g., your bank, or anything with your credit card info.  While I'll agree that it is important to protect those accounts I want to talk about a different type of site that everyone has, but that many probably don't consider that important: your email.  The reason your email is important is not that people could pose as you, or read your past emails (although that could be a concern).  Rather, your email is likely a key to all your other accounts.  If you've ever forgotten your password to a site you know you can usually reset your password and have it emailed to yourself (or if the site has terrible security they'll send you the original password).  If an attacker has access to your email he can reset your password to any other site, and then intercept the email.  This means your email is one of the most important accounts you have.

On the other end of the spectrum are random forums and other sites.  More and more often, sites force you to register to gain access to content.  Bugmenot can help to some degree, but sometimes you just have to register for some site, possibly one you know you will never return to.  If you truly will never return you might want to use a disposable email service and make a quick one-time account (and submit it to Bugmenot).  However, if you plan on reusing the account, you may want an account only you can access.  In these cases you can use the same simple password across the web.  You can use any regular dictionary word; just be sure you won't care at all if someone hacks this account.

For other sites, though, you want a hard to crack password.  Yet it also has to be easy to remember.  There are a few different approaches to this.  I'll list three here.  First, there is a simple memory device.  The example I remember from ZDTV more than a decade ago was to use the last 4 presidents.  First letter of first name, followed by the ones place digit of the year they took office.  Republicans in capitals, Democrats in lower case.  This gives (without quotes) "G(b3G!b9".  George 1989, Bill 1993, George 2001, Barack 2009.  In case it isn't obvious where the ( and ! came from, I held shift while typing 9 and 1, thus "capitalizing" them since they are Republicans.  The good thing about this is that it should be easier to remember the method for coming up with the password than a random string itself.  If you think you will forget, you can write down a somewhat cryptic hint, and the info is easy to look up.  This specific example isn't that great.  There is too much of a pattern, not to mention it has been used as an example in various places.  You should definitely pick a different one.  It is important not to use something that would be likely to be guessed by someone that knew you.  Stuff about your favorite foods, bands, TV shows, movies, etc. would be bad choices.

I don't use that method at all, as I find the next two methods produce better passwords which are easier to remember.  The next method is stringing together ordinary words with special characters in between.  Now, I do realize people always warn against using dictionary words in passwords, but that is aimed at using a single word.  I am talking about using multiple words, 2 or 3.

Let me go off on a tangent here and explain how you calculate how many possibilities there are from a number of choices.  The formula is quite simple.  You find the number of choices for each place, and multiply them together.  If the number of choices is the same for every place then you can simply raise that number to the power of the number of places.  For example, if you can only choose digits (0-9) that is 10 choices.  If you have 4 digits (as in a common PIN) that gives you 10 * 10 * 10 * 10 = 10,000 possible choices.  You can also write this as 10^4 = 10,000.  Since most people only use lower case letters in passwords, and their passwords are 8 or fewer letters long, you can find the number of possibilities for an eight letter password with 26^8 = 208,827,064,576.  I realize 200 billion sounds like a lot of passwords, but you aren't concerned with humans guessing your password one by one.  Rather, you are concerned with a computer doing it automatically, billions at a time.  "The system supports a brute force attack of 300 billion passwords per second".

You can add a great deal of complexity to your password by adding capital letters, digits, and special characters (% * :).  A standard keyboard has 26 letters * 2 + 10 digits + 32 special characters = 94 possibilities.  A stronger password using all these types and 10 characters long would have 94^10 = 53,861,511,409,489,970,176 possibilities.  At 300 billion passwords per second it would still take over 5 years to go through all the possibilities.  The problem is that completely random characters are nearly impossible to remember.

Enter the use of words.  The problem with using words is that while you may have a lot of characters, they aren't random.  Thus, you can't use the above rules for calculating possibilities.  Instead you need to treat the word as a single character.  So if you use an eight letter word, instead of 26^8 = 208,827,064,576 you would instead do 10,000^1 = 10,000.  I use 10,000 because a list of the 10,000 most common words will probably cover any word you come up with.  Thus there are 10,000 possible choices to the first power (since there is only one word).  However, if you simply increase the number of words, and toss in some extra characters in between, the number grows immensely.  If we use three words, and between each insert a digit or special character (digits or shift + digit = 20 characters), we end up with 10,000^3 * 20^2 = 400,000,000,000,000.  This will "only" last 22 minutes at 300 billion passwords per second, but it is vastly better than 8 random letters, and I think much easier to remember.

Some notes about this method.  First, the characters in between don't increase the total possibilities by much.  The reason to include them is that they do increase the protection by quite a bit if someone is specifically targeting this type of password.  There are also a number of methods you can use to increase the possibilities without making the password much harder to remember.  First, you can use a (random) name.  Just make sure you don't use the name of someone you know.  It shouldn't be hard to remember a name that is somewhat silly.  Next, you can replace some letters with characters that look similar (a zero for an oh: 0 for o).  Finally, you can use one word that isn't in the list of common words.  Maybe find a word of the day archive, pick a random month and find a word that you think sounds funny.

Using those methods you may come up with something like "Pauley^chair3mulct".  It shouldn't be that hard to remember that.  However, my preferred method produces even better passwords.  Instead of using just a few words you use a lot: you use a whole sentence.  Building on the techniques from the previous method, you want to use a word not on a common word list, plus digits and special characters.  However, in a sentence it is easier to use these in a way that is memorable.  "I saw Jeffrey eat 19 pineapples, with the shells."  Note this includes both cases, digits, punctuation, a name, and an unusual word.  At the same time it shouldn't be that hard to remember.  It would also be easier to put a hint somewhere that doesn't stand out.

A caveat to long passwords, though, is that many sites won't allow them.  Before using a sentence as a password you should find out how long a password the site allows.  Don't assume that because a site accepts a long password it is using the whole thing, either; some silently keep only the first N characters.  If a site does limit you to a shorter password then you can use one of the other two methods.

Finally, I'd like to write something about hints.  Writing passwords down is often said to be a bad idea.  However, writing down a slightly modified version of the password and keeping it in your wallet can be quite secure.  "ISJE19PWTS" on a post-it in your wallet shouldn't give too much away.  For one thing, most people keep their wallets pretty secure.  For another, even if an attacker found it they would probably assume it was the password itself, and not a hint.  Even knowing you used the sentence method, and given the first letter of each word, an attacker would have a hard time guessing every possibility.  If you want even more protection you can omit some words from the hint, e.g., "ISJE19P" or "I saw jeff".  If you remember the first part of the password you are likely to remember the whole thing.

I've written a simple JavaScript password checker.  There are many similar checkers out there, but something that bothered me about them is that they made no attempt at using a dictionary to gauge password strength.  The password Password1, which is one of the most common passwords out there and would quickly fall to any dictionary attack, scores as high as skwEow4ck.  Since I'm very lazy, the dictionary function isn't as robust as I'd like, but it's there, and I'm unlikely to improve it any more.
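To make the two ideas above concrete (the multiply-the-choices rule from the tangent on possibilities, and a checker that treats a dictionary word as a single symbol), here is an added example written for this page; it is not the post's own checker. It assumes the post's figures: a 10,000-word list, character classes of 26 + 26 + 10 + 32, and 300 billion guesses per second. The embedded word list is a constructed stand-in of a dozen words, used only to decide which substrings count as words; the 10,000 figure is what enters the arithmetic. The leet table, the greedy tokenizer and the function names are this example's own choices.

```javascript
// Dictionary-aware keyspace estimator (added example, not the blog's checker).
// Rule from the post: a dictionary word is ONE symbol drawn from a 10,000-word
// list; every other character is one symbol drawn from its character class.

// Constructed mini word list standing in for "the 10,000 most common words".
// Only membership comes from here; the size used in the math is the post's 10,000.
const WORDLIST = new Set([
  "password", "chair", "table", "house", "pineapples", "with", "the",
  "shells", "saw", "eat", "secret", "dragon", "monkey", "letmein",
]);
const ASSUMED_LIST_SIZE = 10000n;  // the post's assumption
const MIN_WORD_LEN = 3;            // avoid "matching" fragments like "ow"

// Character classes from the post: 26 + 26 + 10 + 32 = 94 printable keys.
// Space and any other non-alphanumeric character is lumped in with the symbols.
const CLASS_SIZE = { lower: 26n, upper: 26n, digit: 10n, symbol: 32n };

function classOf(ch) {
  if (/[a-z]/.test(ch)) return "lower";
  if (/[A-Z]/.test(ch)) return "upper";
  if (/[0-9]/.test(ch)) return "digit";
  return "symbol";
}

// Look-alike substitutions an attacker's rule set would undo (example's own table).
const LEET = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i" };
const normalize = (s) => [...s.toLowerCase()].map((c) => LEET[c] ?? c).join("");

// Greedy longest-match tokenizer: at each position take the longest substring
// that normalizes to a dictionary word, otherwise a single character.
function tokenize(pw) {
  const tokens = [];
  let i = 0;
  while (i < pw.length) {
    let matched = null;
    for (let len = pw.length - i; len >= MIN_WORD_LEN; len--) {
      const piece = pw.slice(i, i + len);
      if (WORDLIST.has(normalize(piece))) { matched = piece; break; }
    }
    if (matched) {
      tokens.push({ kind: "word", text: matched });
      i += matched.length;
    } else {
      tokens.push({ kind: classOf(pw[i]), text: pw[i] });
      i += 1;
    }
  }
  return tokens;
}

// What the post says "similar checkers" do: (union of classes used) ^ length.
function naiveKeyspace(pw) {
  let pool = 0n;
  for (const c of new Set([...pw].map(classOf))) pool += CLASS_SIZE[c];
  return pool ** BigInt(pw.length);
}

// The post's method: multiply the number of choices for each token.
function patternKeyspace(pw) {
  let total = 1n;
  for (const t of tokenize(pw)) {
    total *= t.kind === "word" ? ASSUMED_LIST_SIZE : CLASS_SIZE[t.kind];
  }
  return total;
}

// Seconds to exhaust a keyspace at the post's 300 billion guesses per second.
function secondsToExhaust(keyspace, guessesPerSecond = 300_000_000_000n) {
  return Number(keyspace) / Number(guessesPerSecond);
}

function report(pw) {
  const naive = naiveKeyspace(pw);
  const patterned = patternKeyspace(pw);
  return {
    password: pw,
    tokens: tokenize(pw).map((t) => `${t.kind}:${t.text}`).join(" "),
    naive: naive.toString(),
    patterned: patterned.toString(),
    secondsNaive: secondsToExhaust(naive),
    secondsPatterned: secondsToExhaust(patterned),
  };
}

for (const pw of ["Password1", "skwEow4ck", "p4$$w0rd", "chair3table%house",
                  "I saw Jeffrey eat 19 pineapples, with the shells."]) {
  console.log(report(pw));
}
```

Under the naive count, Password1 and skwEow4ck tie at 62^9 because both use upper, lower and digit characters over nine positions. Under the post's rule, Password1 is one word times one digit, 10,000 * 10 = 100,000 guesses, gone in a fraction of a microsecond at 300 billion per second, while skwEow4ck stays at 26^8 * 10 and needs about seven seconds. Note that the tokenizer only knows the words it has been given: "mulct" or "Pauley" from the post are counted as random letters here, which overstates their strength exactly as the post warns a short list would.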


  1. This is cool. Thanks.
    One more tip is if your name is John Lee Smith and you were born in 1980 then have a password like: !(*)J410L312S519.
    1. [Shift]1+9+8+0.
    2. "J" in "John".
    3. "4" because the name "John" is 4 letters long.
    4. "10" because "J" is the 10th letter in the alphabet. (Repeat steps 2-4 until all 3 names are complete. Also you might want to add more.)

  2. what about using common stuff, for example:

    would that fall easily to a brute-force or dictionary attack? it contains lowercase, uppercase, numbers and symbols.

  3. good article but of course it'd be useful if financial websites could employ uniformly similar requirements, though their disparities are further enhanced by PIN numbers (except for Paypal). Low security sites/areas we could use the same password. Just my thoughts!!