Choosing secure passwords is a tricky business. This document describes some strategies for creating and selecting them to effectively protect your accounts. The key points are that you need long passwords that are hard to crack but easy to remember, that you should have different passwords for different accounts and that for critical accounts you should have different usernames as well.
Most of the text in the section entitled “Why We Need Long Passwords” originated in the “Choosing Your Master Password” of my passgen help document but I feel that the information is important enough to warrant a separate posting. The section entitled “Why We Need Different Passwords for Different Accounts” is new. At the end there is a short conclusion that introduces the passgen and passgenw tools for generating random passwords.
1 Why We Need Long Passwords
We tend to select passwords from a finite set of choices because random patterns are particularly difficult for us to memorize. We also like short character sequences because they are easier to remember. Both of these tendencies work against us because attackers know all about them and use dictionaries of common passwords to quickly determine whether we are using one of the thousands or millions of known passwords. This is possible because short character sequences and common words are each to check. Let’s briefly look at why that is.
If we choose a password that is a common word like “password” or “secret” we are vulnerable to an attack using dictionary words where an attacker simply tries all to decrypt our data using all of the words in the dictionary as the password. For a reasonably powerful modern computer that could run 10,000 tests per minute it would take less than 2 hours to test a million words.
If we choose a random set of 5 characters for our password like “Ae4%.” or “?>3r$” we may think that it is safe but it really isn’t. There are about 90 or so printable characters consisting of lower case letters, upper case letters, digits and punctuation characters. That means that there are 905 or 5,904,900,000 (about 6 billion) possible permutations with replacement.
But how safe is that really? If special purpose cracking hardware can run a million tests per second, then it would take less than 2 hours to try all permutations and crack your password. This is called a brute-force rainbow attack.
Going to 6 characters improves things. The same attack would take about a week so it is clear that adding more characters can make you safer but not necessarily as safe as you think. For one thing, I don’t know how fast cracking hardware is these days but I know that the state of the art is advancing rapidly and the attacks can be run in parallel which may mean that a billion tests per second may not be out of the question in the foreseeable future.
In addition, psychology plays a big role, it is unlikely that we will ever choose something truly random (unless we use a password generator) because we may not like to use shift keys or we find letters are easier to type than the punctuation characters and so on and, finally, remembering long sequences of random characters is really hard so you would probably have to write it down once the number of characters exceeded some number (probably around 7).
From the discussion in the previous section it is clear that you want to choose a password that is hard to attack using dictionary or brute-force approaches but is easy to remember so you don’t have to write it down. Given the uncertainty of the state of the art for cracking, the password should be at least 15 characters and should not be a common word. It should also have some punctuation, numbers and mixed case letters. This section describes five simple strategies for choosing passwords.
Strategy #1 – Common Words
The first strategy uses 3 or more common words randomly combined. An example would be “goldfishsummermikonos“. This approach is simple (all lower case letters), fairly easy to remember and reasonably secure. It consists of 21 lower case letters which would have 2126 or about 2.4×1034 permutations for a brute force attack. But a reasonable attacker would not necessarily use a brute force attack, instead they might try word combinations. If they used a dictionary of a million words and tried all combinations of 3 words they would only have to try 1018 permutations which, while very large, is significantly smaller than 1034. That is why you want to have at least 15 characters.
The reason that you want three or more common words is because 1 common word is easy to attack as shown in the previous section and two is within the realm of possibility. Using the previous assumptions based on a dictionary of a million words and a million tests per second, two common words would have 1012 possible combinations which could be cracked in less than 12 days so three is a good choice for a lower bound.
Strategy #2 – Common Words + Prefix
The second strategy is add random prefix to the common words approach. An example would be “F@9/goldfishsummermikonos“. Where the prefix is “F@9/“. This makes the password significantly harder to crack but it is still fairly easy to remember.
Strategy #3 – Common Words + Prefix + Suffix
The third strategy is to add a suffix to the second strategy so that it has three parts: a prefix, the common 3 word phrase and a suffix. The suffix would be a small set of simple random characters.
Strategy #4 – Common Words + Separators
The fourth strategy is to separate the words in the common phrase using a small sequence of punctuation characters, for example “/goldfish/summer/mikonos/” or “/goldfish!summer!mikonos/“.
Strategy #5 – Substitution
The fifth strategy is to substitute symbols for characters so our 3 common words approach might look like this: “901dfi5h5ummermik0n05” where I substituted zero (0) for oh (o), five (5) for “s”, and 9 for “g”. There are many other possibilities for substitution that use punctuation characters like “@” or “&” for a. They are all good approaches if you can remember them.
One of the most common substitution approaches is called “leetspeak” and is used by IRC chatters everywhere. You can find out more about it on wikipedia: http://en.wikipedia.org/wiki/Leet.
3 Why We Need Different Passwords for Different Accounts
Although the strategies described in this blog are helpful please remember that no password is completely secure. It can be cracked by malware, poached by social engineering attacks, observed through shoulder-hacking, stolen from the site where your account is stored or collected in other nefarious ways that boggle the imagination (such as reading keystrokes from reflected images off of your eye, really!). For all of these reasons and more, it is very important that you use different passwords for different accounts to limit the amount of damage that occurs if one of your accounts is hacked.
Most of us have many accounts which creates logistical problems. For example, I have more than a hundred so trying to memorize all of the passwords is out of the question. For that reason you will need to store them somewhere. The most obvious choice is one of the many password managers available on the market.
I do not recommend using password managers that rely on cloud storage unless you know that they are secure. By that I mean that they have strong protections in place such as a zero-trust network infrastructure that protects you from malicious insiders (rogue employees) as well as strong barrier defenses (and intrusion detection) to frustrate external attackers. Never use a cloud based system that does not use strong encryption by default for storing and communicating information. I would look for a public key infrastructure (PKI) model using PGP or GPG at the very least.
I do not recommend closed source software that you download or buy and then install onto your computer because I have concerns about embedded malware, security flaws in the code itself (that could be exposed by 3rd party security audits), and nefarious functions like sending information back (“phone home” functionality) to an external server which may not be secure. If you want to use this type of solution please make sure that they have had some sort of security audit with published results.
If you want to use a spreadsheet or text document based on your favorite office suite or writing tool, that is fine but make sure that the data is encrypted and that you keep your computers malware/virus defenses up to date. If you adopt this approach and want to keep the data on a USB drive (or similar device), please be careful. Thumb drives are infamous for having vendorware (vendor installed software that is automatically installed on your computer without your knowledge — very similar to malware in my opinion, the only difference is that you know the source) and/or malware.
If you want to simply write them down on a piece of paper, try to obfuscate them in some way. You could leave out letters, words, suffixes, or prefixes, You could add random letters, words, suffixes or prefixes. You could do both. Anything will help if it guarantees that the passwords cannot be used directly if they are stolen. Here is a quick example, if your password is “fr1n63d/qu073d/4cn3/wr4pp3r” you might add a prefix like “h1d33m600d/” to create “h1d33m600d/fr1n63d/qu073d/4cn3/wr4pp3?. Also make sure that you keep the paper somewhere safe.
I used a tool that I wrote called passman that is available on this site (joelinoff.com). It is free and open source so that you can inspect it for vulnerabilities and backdoors. It is more difficult to use than commercial products and I do not recommend it for novices but it is reasonably secure. I wrote it because I wanted a secure web based solution.
If you know of other secure storage approaches, please let me know.
4 Different Usernames for Different Accounts
Although this is not strictly a password strategy, it is worth mentioning here because using different usernames for different accounts is also a good way to protect your account data and, unlike passwords, you do not need different usernames for all accounts just for the critical ones that have access to your bank accounts or credit cards like amazon.
Many folks use the same username for all of their accounts which means that once the username name is stolen from a single account that stolen username can be used for social engineering attacks for your other accounts which basically means that an identity thief could call one of your accounts and say “i have forgotten my password, my name is <your name>, my username is <your username>, my social security number is <your SSN>, etc.” and get access to your account through legitimate means. If any of those are incorrect, this social engineering attack will generally not work unless the company is really lax about security.
Please note that you don’t have to be tricky with usernames to get good protection. The usernames to don’t have to be really long and they only need to have letters and may be a number. For example if your typical username is “bob” you could “bob1? or “betty” on other accounts and do a decent job of obfuscation.
As you can see, there are many different password generation strategies that we could use. We have only touched upon a few here. Just make sure that your password is at least 15 characters and try to make sure that it has at least some digits, punctuation characters or capital letters unless it is very long. Also make sure that you use different passwords for different accounts so that if one of your accounts is hacked and the password is stolen your other accounts are safe and, finally, use different usernames for critical accounts.
If you are using any 3rd party tools, try to make sure that they are secure using Google or Bing.
Please note that the recommendations in this post do not apply if you write your password down and leave it lying around, or give it away or send it in an email, a skype message, a twitter message, an IRC chat or any other public forum. No form of electronic communications is secure.
If you must send your password to someone, consider using a PKI (public key infrastructure) solution like GPG or PGP.
To aid password selection, I have created two web based public domain tools: PassGen and PassGenW to generate candidate passwords. PassGenW generates passwords that easier to remember because they are composed of common English words.