Password

Password Strength

Evaluating the strength of a password

A password is as strong as it is unlikely to be guessed. The strength of a password (the work needed to guess it) is measured in bits of security: a password drawn uniformly at random from N possibilities has log2(N) bits, and an attacker needs about N/2 guesses on average (N in the worst case). Computers store passwords as bytes. Ten truly random bytes would be 80 bits, and guessing the right 80-bit sequence would take 2^80, or 1,208,925,819,614,629,174,706,176, guesses in the worst case. At one billion guesses per second (fast by 2009's standards) that is about 38 million years. Real passwords never reach that figure: ASCII uses only 7 of the 8 bits in each byte, and only 95 of the 128 ASCII codes are printable, so even ten characters chosen at random from the whole printable set give 95^10, a little under 2^66, possibilities.

Unfortunately, the average 10 character password is nowhere near random. An all-lowercase 10 character password has only 26^10 (about 1.4 × 10^14, or 47 bits of) possibilities, so even one made of purely random lowercase letters falls to the same one-billion-guesses-per-second attacker in about 40 hours. See lockdown.co.uk's password page for a rundown of various passwords. These cracking times assume that the cracker has the encrypted data or a hash of the password in hand and can guess offline. Usually this is not the case: most of your passwords are for online accounts, where every guess has to go through the server. A guess over the internet takes about a tenth of a second, and most servers allow only a limited number of wrong guesses before locking the account for a day, which makes online brute force impractical. Online passwords can therefore be substantially weaker than passwords used to encrypt documents and still keep your accounts safe, as long as the server's password database never leaks (once it does, the attack becomes an offline one and the offline times above apply).

Suggested strength of a password

I recommend 8-10 random characters for online accounts. Passwords used for online accounts should be considered compromised if an adversary gains access to the server (by hacking it or stealing it). Note that these 8-10 character passwords must NOT be words from dictionaries, word fragments, words with letters swapped for digits or symbols, phrases, abbreviations, etc. They should be truly random (produced by a random process, not typed by hand) and drawn from at least 26 possibilities per character (that is, at least lowercase letters); the examples below use upper and lowercase letters and digits, 62 possibilities per character. It is vital that you not use the same password for multiple online accounts: if one of the accounts gets compromised, the others are in jeopardy. Use password management to keep track of multiple passwords.

Here are some example passwords that are good enough for online accounts (do NOT use these specific ones):

  1. 7leFriUs

  2. 32UfLEwl

  3. prI5proe

  4. v7umOA2h

  5. qoaN6ewo

On average these passwords would take 62^8/2 (109,170,052,792,448) guesses. That is enough only because guessing a password online is slow: fewer than 100 guesses per second can be made against most servers, and few sites today allow more than 100 wrong guesses without an extended lockout (often 24 hours). The same 62^8 space falls to an offline attacker with the hash in hand in about 30 hours at a billion guesses per second, which is why a server breach means the password is gone. Note that your "password reset" answer should be at least as strong as your password, and often stronger, because many sites do not limit guesses at password reset questions.

For encryption, a password of 20 random characters or more is probably safe. Even 20 random lowercase letters (26^20, about 94 bits) would keep an adversary guessing at a billion guesses per second busy for a few hundred billion years. To allow for Moore's Law, add a few more characters or use upper and lowercase letters and digits: each extra lowercase letter adds about 4.7 bits, each extra character from the 62-character set about 6 bits, and every bit doubles the work. Thankfully, there are ultimate physical limits on computation that prevent computers from getting faster forever.

Here are some example passwords that are good enough for encryption (do NOT use these specific ones):

  1. ju9unutrUcat8dayudRe

  2. w3uzeTaZAsaChexaspU7

  3. Thef6A54ZAse5ruphefr

  4. su9AXequcha68E2uDa6H

  5. WRE9eJe8rufArupeChAC

On average these passwords would take 62^20/2 guesses (roughly 352,211,712,773,499,011,484,165,132,308,190,000, or 3.5 × 10^35), which at a billion guesses per second is on the order of 10^19 years.
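To make the arithmetic above reproducible, here is an added example (not code from the original page). It estimates the alphabet a password was drawn from by the character classes it uses, its bits of entropy, and the average time to guess it at the two rates this page uses: a throttled online server (assumed here to be 100 guesses per second) and an offline attacker holding the hash at a billion guesses per second. The class sizes, the rates and the helper names are assumptions of the example.

```python
import math
import string

# Character classes used to estimate the alphabet a password was drawn from.
# Sizes are an assumption of this example; together they cover the 95 printable ASCII characters.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
    (" ", 1),
)

# Guess rates used on this page: a throttled online server (assumed 100/s here)
# and an offline attacker holding the hash (one billion per second).
RATES = {"online": 100, "offline": 1_000_000_000}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the smallest union of character classes containing every character.

    This is the usual optimistic estimate: it assumes the password was generated
    uniformly at random from that alphabet, which is false for human-chosen ones
    (a dictionary word scores the same as random letters of the same length).
    """
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    if size == 0 or any(not c.isascii() or not c.isprintable() for c in password):
        raise ValueError("password is empty or uses characters outside printable ASCII")
    return size


def entropy_bits(alphabet: int, length: int) -> float:
    """Bits of security of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet)


def average_guesses(alphabet: int, length: int) -> int:
    """Expected guesses for a uniformly random password: half the space (worst case is all of it)."""
    return alphabet ** length // 2


def seconds_to_crack(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Average time to guess, given the attacker's guess rate."""
    return average_guesses(alphabet, length) / guesses_per_second


def human_time(seconds: float) -> str:
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    if seconds < 30 * 86400:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def report(password: str) -> dict:
    """Strength summary for one password under the assumptions above."""
    a, n = alphabet_size(password), len(password)
    return {
        "alphabet": a,
        "bits": round(entropy_bits(a, n), 1),
        "average_guesses": average_guesses(a, n),
        "online": seconds_to_crack(a, n, RATES["online"]),
        "offline": seconds_to_crack(a, n, RATES["offline"]),
    }


if __name__ == "__main__":
    # The page's own examples plus a random-lowercase control.
    for pw in ("7leFriUs", "abcdefghij", "ju9unutrUcat8dayudRe"):
        r = report(pw)
        print(f"{pw:22} alphabet={r['alphabet']:3} bits={r['bits']:5} "
              f"online={human_time(r['online'])}, offline={human_time(r['offline'])}")
```

Running it shows the gap the text describes: the 8-character alphanumeric examples score about 47.6 bits and survive an online guesser for tens of thousands of years but fall offline in about 30 hours, while the 20-character ones sit at about 119 bits and are out of reach either way.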

Memorizing strong passwords

The most common complaint I get from people when I tell them to use long passwords is that they have a hard time remembering random passwords. I would respond that most people have never tried to remember something random. I memorized 40 digits of pi while letting my pet chinchilla, Whiskers (I no longer have him), out for a run in the hallway (you have to keep an eye on them or they will eat the drywall). Strong memorization comes from the act of repeatedly recalling something.

Try it. Make a 20 character random lowercase password from a genuinely random source (a password manager's generator is simplest; a manual alternative is to take the 4th root of a long, arbitrary number and shift each of the first 20 letters of this sentence by the root's digits, one digit at a time from back to front, skipping every third digit). Plucking at the keyboard does not generate a random password. After you have your password, type it out ten times, one entry right below the other (so you can see the old entries). Then try typing it out from memory. Then change your Windows logon password to it (make SURE that you have another administrator account on your computer that has a different password), write the password down on a yellow sticky and hide it under your keyboard until you have it memorized, then destroy the sticky. Set your screensaver so that it locks your workstation and set it to start after one minute of being idle (in HSL): start{BUTTON}>Control Panel{MENU ITEM}>Display{ITEM}>Screen Saver{TAB}>Wait:["1"]{TEXT FIELD}>On resume, password protect[check]{CHECK BOX}>OK{BUTTON}>
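Rather than the 4th-root recipe, the simplest way to get a genuinely random password is to let the operating system's cryptographic random number generator pick every character. This is an added example, not code from the original page; it uses Python's secrets module, and the default of 20 lowercase letters and the 62-character alphanumeric set are chosen to match the examples on this page.

```python
import math
import secrets
import string

# Alphabets matching the examples on this page (an assumption of this example).
LOWERCASE = string.ascii_lowercase                   # 26 symbols, about 4.70 bits each
ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols, about 5.95 bits each


def generate_password(length: int = 20, alphabet: str = LOWERCASE) -> str:
    """Draw each character independently and uniformly from `alphabet`.

    secrets.choice reads the operating system's CSPRNG and selects without
    modulo bias, so the result really has length * log2(len(alphabet)) bits,
    which is what the strength estimates on this page assume. random.choice
    (seeded from the clock) and plucking at the keyboard do not give that.
    """
    symbols = "".join(sorted(set(alphabet)))  # drop duplicates so every symbol is equally likely
    if length < 1 or len(symbols) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(symbols) for _ in range(length))


def bits(length: int, alphabet: str) -> float:
    """Entropy of a password of `length` uniformly random symbols from `alphabet`."""
    return length * math.log2(len(set(alphabet)))


def generate_online_password(length: int = 8) -> str:
    """8-10 alphanumeric characters: the page's recommendation for online accounts."""
    return generate_password(length, ALPHANUMERIC)


def generate_encryption_password(length: int = 20) -> str:
    """20 or more alphanumeric characters: the page's recommendation for encryption keys and master passwords."""
    return generate_password(length, ALPHANUMERIC)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({bits(len(pw), LOWERCASE):.1f} bits)")
    print(generate_online_password(), f"({bits(8, ALPHANUMERIC):.1f} bits)")
    print(generate_encryption_password(), f"({bits(20, ALPHANUMERIC):.1f} bits)")
```

Generate the password on the machine you trust, type it out ten times as described above, and never paste it into a chat window or email to get it onto another computer.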

If you use your computer often, you will have a rock solid password memorized within a few days. Use this password for your password management scheme (the master password of your password catalog). Then you can use a variety of shorter (8-10 character) passwords for your various online accounts.

Really bad passwords

The following are really bad types of passwords to select. The list is roughly ordered from worst to least bad, but I strongly recommend not using any of them.

    1. Any password that has ever been compromised (i.e., figured out by a password cracker and used to take over your account). These are the worst passwords to ever use. Only a moron would continue to use a compromised password or use it again in the future. Change these immediately!

    2. Any password that you have used on an online account (e.g., Facebook) that has been compromised. See image below.

    3. Any password that has been used on a computer that had a virus at the time. If this has happened to you, remove all viruses first and then change every password ever used on that computer (if you change them before the viruses are gone, the new passwords will be captured too and you will have to repeat the process).

    4. Anything on a published list of common or leaked passwords

    5. Your name, your company's name, or the name of anyone you know of (or parts, permutations or combinations of your name, etc.)

    6. Any names (like Bob)

    7. Anything well known (like ncc1701--the ship number for the Starship Enterprise)

    8. Passwords you have used for a long time (avoid using the same password for more than a year)

    9. Passwords you currently use (i.e., don't use the same password for many things)

    10. Passwords you have used before (i.e., don't recycle old passwords--consider them compromised)

    11. Anything in your email near the word "password"

    12. Anything in your email

    13. Anything in anyone's email

    14. Anything that has ever been transmitted without strong encryption and security

    15. Anything that has ever been entered on an untrusted machine (for example, your friend's virus-stuffed laptop)

    16. Words that can be found in any English dictionary

    17. Phrases or sentences comprised of the above

    18. Key patterns on any keyboard

    19. Anything anyone (including yourself) has ever used as a password before

    20. Any word or piece of information that exists on your hard drives

    21. Any word or piece of information on the web

    22. Any word or piece of information that exists on any hard drives

    23. Leetspeak or other similar morphs of words

    24. Any combination or permutation of the above or any password that includes part of one or more of the above

Password cracking tools include lists of many of the above and means of generating those things that are not yet in lists (for example, by combining and permuting the above). A common strategy would be to start with a list of the one million most common passwords of all time, then try all names, then try all words in the largest English dictionary, then try common phrases and sentences, then try all patterns on the keyboard, then try everything on your hard drive (which, if you don't use full disk encryption, could include almost anything you have ever typed), then try common strings found on the web, then try common leetspeak variants of the above, then try combinations of the above.
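The strategy just described can be demonstrated on a small scale. The following is an added example, not part of the original page and not a real cracking tool: a constructed wordlist and keyboard-pattern list stand in for the real multi-million-entry lists, a few mangling rules produce capitalized, leetspeak, suffixed and concatenated variants, and the candidates are tried in that order against an unsalted SHA-256 hash (a hypothetical leaked hash; a slow, salted password hash raises the cost per guess but does not change the strategy).

```python
import hashlib
import itertools

# Constructed stand-ins for the lists a real cracker carries (common passwords,
# names, dictionary words, keyboard patterns); real lists have millions of entries.
WORDLIST = ["123456", "password", "letmein", "bob", "whiskers", "enterprise", "dragon"]
KEYBOARD_PATTERNS = ["qwerty", "asdfgh", "1qaz2wsx"]
SUFFIXES = ["", "1", "123", "!", "2009"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word):
    """Yield the cheap variants of one word: case changes, leetspeak and common suffixes."""
    bases = [word, word.capitalize(), word.upper(), word.translate(LEET), word.capitalize().translate(LEET)]
    seen = set()
    for base in bases:
        if base in seen:          # e.g. "123456" has no letters to vary
            continue
        seen.add(base)
        for suffix in SUFFIXES:
            yield base + suffix


def candidates():
    """Candidate order mirrors the strategy on this page: lists first, then mangling, then combinations."""
    for word in itertools.chain(WORDLIST, KEYBOARD_PATTERNS):
        yield from mangle(word)
    for a, b in itertools.permutations(WORDLIST, 2):   # "combinations of the above"
        yield a + b


def sha256_hex(text: str) -> str:
    # Unsalted SHA-256 stands in for whatever hash leaked; a slow salted hash only scales the cost.
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash: str):
    """Return (password, guesses) if some candidate matches, else (None, guesses)."""
    guesses = 0
    for guesses, candidate in enumerate(candidates(), start=1):
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # "P@$$w0rd123" looks complex but is "password" plus two rules; "7leFriUs" is random.
    for pw in ("P@$$w0rd123", "Whiskers!", "bobdragon", "7leFriUs"):
        found, n = crack(sha256_hex(pw))
        print(f"{pw:12} -> {'cracked' if found else 'survived'} after {n} guesses")
```

The point of the demonstration is the ordering: a password that a human considers clever ("P@$$w0rd123") is reached in a few dozen guesses because it is a list word under two rules, whereas the random 8-character password is never generated at all and would have to be brute forced character by character.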

Note that, until I wrote this page, 7leFriUs would have been a great online password. But I just wrecked it.

Multi-Factor Authentication

Unfortunately, even a great password used with care can be compromised. For very important accounts, you should use multi-factor authentication. There are many bogus multi-factor authentication schemes that are really "one big factor" methods. HSBC, for example, requires your card number, your password, and three randomly chosen characters from another password. That is better than "just a password," but once all three parts are known (and a keylogger or phishing page collects all three the same way), the game is up. True multi-factor authentication requires at least two of the following: something you are (e.g., your fingerprint, your hand size, your retina image), something you have (e.g., your phone, a key fob), and something you know (e.g., your password, a PIN). All of HSBC's factors are things you know, so it is not multi-factor authentication.

Google, however, has a true two-factor authentication scheme that requires your password and a 6-digit numeric code that expires every 30 seconds (see their support page and official blog post). I highly recommend this because your Google Account serves as the "password reset" option for many of your other online accounts (meaning that if it gets compromised, whoever owns it can change all your other account passwords).

Password Management

If you use a computer you likely have multiple accounts with various websites and organizations. It is neither possible nor advisable to keep all your credentials only in your head (credentials meaning everything that must remain confidential: account usernames, associated email addresses, passwords, bank account numbers, password reset answers, PINs, WiFi passwords, router passwords, other account numbers, etc.). Either you will eventually forget one of them, or you will fall back to reusing a few passwords across all your accounts, which defeats the point of using strong passwords. For the rest of this document, "passwords" refers to all such credentials. There are several good ways to catalog your account credentials, some of which are detailed below. But first, here are some bad ways of storing passwords (if you give in to the temptation to use one of these, you will suffer the consequences with no excuses, or you will make me suffer them by asking me to recover your password or data, which can take many hours):

  1. Not storing them at all. You will forget them.

  2. In "contacts" (e.g., in Outlook or Gmail). These are not encrypted and will get stolen.

  3. In a password management utility that does not require a master password. Such tools encrypt passwords only nominally (anything that can decrypt them without asking you for a secret can be decrypted by whoever takes the file) and are easy to extract from.

  4. On paper. You will lose it, others will read it, and you cannot easily back it up.

  5. In a file that is not backed up.

With any password catalog, whenever you make a new online account, add the password to your catalog, save it and back it up before submitting the account application (so you won't forget your password).

Below are good options for storing your password.

LastPass

LastPass is a very convenient way to store and access your passwords. The basic version is free and has add-ons for all the major browsers as well as mobile app versions (for $1 per month, although you can get around this by using Firefox on Android and installing the free browser extension). I'm not a huge fan of the UI, and there are a few missing features (like extensible hidden fields).

KeePass

KeePass is free and great. It is simple to setup and use. It is open source. I highly recommend it. If you have trouble using it with Apple products, do not use Apple products.

Firefox

Firefox has the ability to remember your passwords. This is useful but is not a substitute for a password catalog. Do not use it unless you set a master password: without one, the saved passwords sit on disk in a form that any program or person with access to your profile can read, so if you have used this feature without a master password you will have to change all the passwords you have entered (consider them compromised). You can set your master password (which will encrypt your passwords in Firefox's storage) with the following steps (in HSL):

Firefox{PROGRAM}> Tools{MENU}> Options{MENU ITEM}> Security{TAB}> Use a master password[check]{CHECK BOX}> Enter new password:[<password>]{PASSWORD FIELD}> Re-enter password:[<password>]{PASSWORD FIELD}>

When you get to a website that asks for a username and password, after you enter your credentials, a bar will show up near the top of the Firefox window that will ask you if you want to save the password you just entered. You will have the option to "Remember" the password, "Not Now" (this makes the bar go away but it will show up again next time you enter your credentials at this page), and "Never for This Site" (which will cause the bar to go away and never appear for the website you are at).

You can use the password exporter add-on to export your list of passwords to an encrypted file and later import it into another Firefox profile (e.g., on another computer or another computer account). You can also set up Firefox Sync.

Password Safe

Password Safe (SourceForge page) by Bruce Schneier (schneier.com) is an excellent tool for storing passwords securely. His quickstart guide is good. There is also a video tutorial. The included help documentation is very useful. There is an Android version called Android-PasswordSafe.

TrueCrypt

If you do not have a program that handles the encryption and decryption for you (or you want more layers of security), you can use TrueCrypt to create an encrypted virtual drive and keep your password files in there. Be sure to choose a strong password of the encryption variety (the 20+ character type) and use the memorization strategy suggested above. For an introduction to TrueCrypt, see my page on using TrueCrypt.

Simply put an Excel file (or another format such as a Word document) containing your passwords inside your TrueCrypt file container and mount it when you need to add a new password or look up an old one. This is not the best security: while the container is mounted and the file is open, it is plaintext from the perspective of every program on the machine, and the editor may leave temporary or autorecovery copies outside the container. It is safe once you close the file and dismount the drive, but not before.
