Did you know that the average user has 19 passwords?
The number is probably higher. The cited source is two years old, and the number of online services continues to grow. Moreover, most users have at least one or two devices with default passwords, including their routers, entertainment devices, and so forth. Computer users who have been around a decade or more probably have at least a few accounts (and associated passwords) that they’ve forgotten about.
Password security is a tough challenge for those that understand how they work, and an absolute catastrophe for those that do not. The purpose of this post is to give some very brief, easy-to-understand password training to those in the latter category. There are three key topics: creating a password, how others store your password, and how to store your own passwords.
Creating a Password
There are two key principles for creating a password:
- Make it easy for you to remember
- Make it difficult for others to guess, even if they are using a computer
Those may sound like easy principles, but most users just can’t grasp how many passwords can be guessed using computers. The bad guys that want to crack your accounts use powerful computers that can, in certain circumstances, try millions of guesses a second.
So we’re going to do just a little bit of math for a second. Suppose your password is all lower case and has six letters. How many possible combinations are there? I mean, if we start with ‘aaaaaa’ and go all the way to ‘zzzzzz’, how many possible passwords can you create with six lower-case letters? The answer is computed by taking the number of possible letters raised to the power of how many letters are used in the password:
26^6 = 308,915,776
Now, to a human, over three-hundred million seems like a big number. To a computer, it’s chump change. Just for kicks and giggles, I wrote a quick test for breaking all of these passwords and it took me approximately twenty minutes. And I could have written a much faster version.
So what if we didn’t stick to just lower case letters? Suppose that the user has a six-character password that has a mix of upper-case letters, numbers, and even some symbols. Such passwords include six-digit PIN passwords as well as things like ‘ImNbr1’ (I’m Number 1). Another example that uses symbols is ‘l@@k!!’. There are now 95 possible characters for each of the six spots in the password. That brings our total number of possible passwords to:
95^6 = 735,091,890,625
Surely 735 billion passwords is a lot, right? Nope. Expert crackers can go through all of those in less than three minutes.
In the article I read, nearly ten percent of users had passwords that were six characters or less! If you are in this one-in-ten group, please start using passwords of at least eight letters in length, and preferably ten. You might not think that adding in another character makes much of a difference, but we’re working with exponents here. Take a look at how the number of possible passwords increases:
95^7 = 69,833,729,609,375
95^8 = 6,634,204,312,890,625
95^9 = 630,249,409,724,609,375
95^10 = 59,873,693,923,837,890,625
But even once you choose a password of sufficient length, it is critical that you do not rely on whole words or well-known phrases. The password crackers usually can’t guess every possible password once they get to be nine or ten characters in length, so they start turning to specially prepared dictionaries to help them guess. And changing the letters to numbers doesn’t help. Suppose, for example, you picked the password “trombone.” OK, that’s 8 characters. Now, we need to use numbers and symbols, so maybe we change it to be “Tr0Mb@N3”.
To a human, that looks like a good password. I mean, who’s going to guess that?
But for the automated guessing programs, it’s very simple. Trombone will be in the dictionary, and substituting in numbers and symbols is very easy and quick for the computer to do.
What’s worse, YOU will have a hard time remembering it, violating the first principle of password choice.
Hackers can also easily break phrases like “momofgr8kids”.
While there are a number of methods for creating a good password, I’m going to give you my personal favorite: four or five random words. Here’s a sample password of this type:
Now, there are a couple of keys to creating this kind of password. You MUST choose the words randomly. You will unconsciously find yourself picking related words and you have to force yourself to ignore the impulse. When I was creating the password above, I picked the first word and then found myself thinking of words like “soup”, “dish”, “haggis” and other words relating to food. As soon as “chop” was in my brain, so were a bunch of related words.
The other key to this password is that you need to be picking words from a long list of words. If you find yourself always picking the same words, you’re going to get into trouble. The easiest way to have a long enough list is to choose words related to lots of different topics: money, kids, games, geography, books, sports, technology, etc, etc, etc.
For very important web sites (e.g., banking), it might be worth it to choose a five word password.
Note that many websites require passwords with at least one number. I recommend always using the same number and putting it at the beginning or end of the passwords you choose.
There are some security experts that have suggested these kinds of passwords can be broken “easily” as well. One of the references I will link to below says as much. However, when I read the details about how they do it, I’m of the opinion that their approaches only work against weak versions of these passwords (e.g., too few words, the use of predictable multi-word combinations, etc). And I have yet to read about five-random words being cracked.
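To put the exponent arithmetic above and the random-word approach side by side, here is a small calculator, added for this post and not part of the original text. The guess rate, the dictionary size, the number of substitution variants per word, and the 20,000-word list are assumptions chosen for illustration, not measured figures.

```python
# Added example: estimates how many guesses each password style allows and how long
# exhausting them takes at an assumed rate. All sizes and rates here are assumptions.

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords: alphabet_size ** length (26^6, 95^8, ...)."""
    return alphabet_size ** length

def passphrase_keyspace(wordlist_size: int, words: int) -> int:
    """Random-word passphrases: each word is an independent draw from the list."""
    return wordlist_size ** words

def seconds_to_exhaust(space: int, guesses_per_second: int) -> float:
    """Worst-case time to try every password in the space at the given rate."""
    return space / guesses_per_second

def describe(seconds: float) -> str:
    """Render a duration in the largest unit that fits, for readability."""
    for name, size in [("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)]:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.2f} seconds"

# Assumed cracking rate: 5 billion guesses/s, which puts 95^6 at roughly 2.5 minutes,
# in line with the "less than three minutes" figure in the post. Real rates depend
# heavily on the hash algorithm the site used and on the attacker's hardware.
RATE = 5_000_000_000
WORDLIST = 20_000          # assumed size of a "long enough" list of everyday words
DICTIONARY = 200_000       # assumed cracking dictionary of whole words
VARIANTS_PER_WORD = 1_000  # assumed l33t/capitalisation variants tried per word

def report() -> list:
    """Return (label, keyspace, time-to-exhaust) rows for the styles discussed."""
    rows = []
    for alphabet, length in [(26, 6), (95, 6), (95, 8), (95, 10)]:
        space = keyspace(alphabet, length)
        rows.append((f"{alphabet}^{length}", space, describe(seconds_to_exhaust(space, RATE))))
    # A dictionary word with symbol swaps like "Tr0Mb@N3" is a dictionary-sized problem,
    # not a 95^8 problem: the attacker only has to cover word x variant combinations.
    mangled = DICTIONARY * VARIANTS_PER_WORD
    rows.append(("word + substitutions", mangled, describe(seconds_to_exhaust(mangled, RATE))))
    for words in (4, 5):
        space = passphrase_keyspace(WORDLIST, words)
        rows.append((f"{words} random words", space, describe(seconds_to_exhaust(space, RATE))))
    return rows

if __name__ == "__main__":
    for label, space, duration in report():
        print(f"{label:>22}: {space:>30,} guesses, {duration}")
```

Running it shows the contrast the post is making: the mangled dictionary word falls in a fraction of a second, while five random words from a 20,000-word list sit in the same range as a ten-character random password.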
There is one other approach that is very powerful, but it is very long and should only be used for the most sensitive data. For example, I use this approach to lock up all my other passwords (as I’ll discuss in the third section).
Make your password a poem that you write yourself.
Poems have enough structure (especially with rhyming) to help you memorize and use it. At the same time, they’re long enough to be virtually impossible to guess. My master password is actually a haiku. Although there’s no rhyming, the fixed-syllable structure made it easy for me to learn and remember.
Whatever you do, don’t write it down. If you have to write it down in order to memorize, destroy the written version once it is in your head.
How your Passwords are Stored
Most users are probably not aware that their passwords are not usually stored in the computers and websites they access. Typically, what is stored is known as the hash of a password.
Hashing is an interesting mathematical concept but a little complicated to explain. A hash is known as a one way function. Rather than explaining this in detail, here’s a relatively simple example: remainders. Suppose that you take a very large number and divide it by ten. You will get a remainder between zero and nine. But even if I know you divided by ten, knowing the remainder won’t tell me very much about the original number. There are an infinite number of numbers that, divided by ten, have a given remainder.
Hashes are kind of like that. You can easily compute the hash from the input, but it is almost impossible to reverse. Hashes are even better because they have certain security properties I won’t go into here. The key point is:
If somebody hacks a website that stored the hash of your password, they still don’t know your password.
Of course, that’s how it’s supposed to work. But it turns out that if your password is weak, it can be cracked from the hash by trying the approaches I mentioned earlier. So, back in 2012, there was a LinkedIn hack that compromised over one hundred million logins and password hashes. Over 90% of the passwords were reversed!
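Here is what "storing the hash" looks like in practice, as an added example that is not from the original post: the site keeps a random salt and a slow, salted hash of the password, and checks a login by recomputing it. The iteration count is an assumed work factor, and the unsalted SHA-1 comparison is included only to show why a plain fast hash of a common password is the same for every account that uses it.

```python
# Added example: salted, slow password hashing as a site should store it, beside an
# unsalted fast hash to show what a leaked hash list gives away. Standard library only.
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor; more iterations = fewer guesses per second

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored, never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)

def unsalted_sha1(password: str) -> str:
    """A plain fast hash: identical for every user who picked this password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def same_password_same_hash(password: str) -> Tuple[bool, bool]:
    """(unsalted hashes collide?, salted hashes collide?) for two accounts sharing a password."""
    unsalted_match = unsalted_sha1(password) == unsalted_sha1(password)
    salted_match = hash_password(password)[1] == hash_password(password)[1]
    return unsalted_match, salted_match

if __name__ == "__main__":
    # Constructed sample: a user registers, then logs in with a right and a wrong guess.
    salt, digest = hash_password("chop haggis dish money")
    print("stored:", salt.hex(), digest.hex())
    print("correct login:", verify_password("chop haggis dish money", salt, digest))
    print("wrong login:  ", verify_password("trombone", salt, digest))
    print("unsalted/salted collisions:", same_password_same_hash("trombone"))
```

With a salt, two accounts using the same weak password produce different stored values, so an attacker has to attack each account separately instead of looking every hash up in one precomputed table; the slow hash then limits how many guesses per second that attack can make.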
I was actually contacted by Pandora today because of this LinkedIn hack back in 2012. Pandora took the very proactive step of notifying Pandora users that have the same login email as appears in the hacked list. In other words, Pandora looked through the list of hacked users from LinkedIn and contacted all of their users with the same email address. Their reasoning was that many users undoubtedly re-use passwords.
Interestingly, I had forgotten that I even had a Pandora account. I created it long ago and long before I understood password security as well as I do now. Not only that, I realized as soon as I logged in that I was reusing the same password for another service. Thanks to this notice from Pandora, I reset a weak password on an account I had forgotten about, and I reset my password on another account wherein I was reusing the same weak password.
Managing Your Passwords
That brings me to my last point. You absolutely must not reuse passwords. There are many reasons for this, but this post is already too long. If you’re really curious, do some web research.
But how in the world can the average user possibly remember twenty or so passwords?
You really need to get a password manager. A password manager is a program that stores all of your passwords encrypted. When you need one, you enter a master password and look it up. Most have browser plugins so that your data can be entered into the website at the push of a button.
I myself use 1Password.
That’s not to say that there aren’t risks to a password manager. But for most users, these risks are so much lower than their current approaches that I’d say it’s a no-brainer. If you really don’t want to pay the money, you should find trustworthy file encryption software and create an encrypted password text file. Certain very paranoid security experts won’t even keep these files on their computer (for fear of malware) and instead put their password text file on a USB drive.
I hope that this blog post was helpful. If you want to read more, I recommend the following:
- XKCD comic explains password strength
- Wired's in-depth look at how experts crack passwords
- A list of websites that stupidly store passwords in plaintext
- Amazon recently had a bunch of usernames and passwords (password hashes) stolen
- Or were they?