Choosing a Good Password

Passwords. They're the bane of our online existence, yet they are critical for protecting our privacy. How complex should a password be? How can you create a password that is secure and easy to remember at the same time – does such a thing even exist? Why do I regularly use 30-character passwords, while most people balk at meeting the minimum length of 8 characters?

Importance of a password

A password can be compared to the key to your home or car. You probably don't want to come home only to find all of your expensive electronics and jewelry stolen, yet for some inexplicable reason, people leave the key to their front door right under their doormat or forget to lock their doors. It just doesn't make sense. Likewise, choosing a weak password doesn't make much sense either.

How passwords are stored

Passwords are often stored as one-way hashes – seemingly random sequences of characters that can be reliably reproduced by running the original password through a function, but done in such a way that it is nearly impossible to reconstruct the original password from its hash. Two common algorithms used for this are MD5 (Message Digest algorithm 5) and SHA-1 (Secure Hash Algorithm 1). The MD5 hash of "hello world" is 5eb63bbbe01eeed093cb22bb8f5acdc3 and the hash of "hello worlds" is b96b878ad72f56709dbb5628e1cea18d; notice that adding a single character drastically changed the hash.

How do hackers get the passwords then, if it is impossible to recover them from the hashes? Aside from obvious methods that basically trick the user into revealing their passwords (e.g. phishing emails and keyloggers), a common method is a "dictionary attack", which basically runs a list of words through the same hash function and compares each result against the stored hashes: any match reveals that user's password.

Weak passwords

Some of the most commonly used passwords are password, qwerty, and letmein. However, if someone is trying to gain unauthorized access to a system, these will likely be the first ones they try. The excuse for using these is that they're easy to remember, much like leaving your key under the doormat. But it's also far less secure: these passwords are easily cracked by a dictionary attack.
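To make the three points above concrete (one-way hashing, the dictionary attack, and why the common passwords fall to it), here is an added example that is not part of the original post. It hashes strings with MD5 or SHA-1 exactly as the post describes (unsalted), shows how much a one-character change alters the digest, and then runs the defender's version of the dictionary attack: auditing a constructed sample of stored hashes against a small blocklist of weak passwords. The blocklist, the usernames and the sample hashes are all constructed for this example.

```python
import hashlib

# Constructed blocklist of weak passwords, starting with the three the post names.
COMMON_PASSWORDS = ["password", "qwerty", "letmein", "123456", "abc123"]


def digest_hex(text, algorithm="md5"):
    """Hash a string with MD5 (default) or SHA-1 and return the hex digest."""
    h = hashlib.new(algorithm)
    h.update(text.encode("utf-8"))
    return h.hexdigest()


def differing_hex_positions(hex_a, hex_b):
    """Count hex digits that differ between two digests of equal length.

    Illustrates the post's observation that adding one character to the input
    changes most of the hash.
    """
    return sum(a != b for a, b in zip(hex_a, hex_b))


def build_dictionary_table(words, algorithm="md5"):
    """Precompute hash -> plaintext for every word in the list (the 'dictionary')."""
    return {digest_hex(w, algorithm): w for w in words}


def find_weak_accounts(stored_hashes, algorithm="md5"):
    """Return (username, matched_word) for every stored hash found in the table.

    This is the same lookup an attacker performs; run against your own
    password store it tells you which accounts use a blocklisted password.
    """
    table = build_dictionary_table(COMMON_PASSWORDS, algorithm)
    return [(user, table[h]) for user, h in stored_hashes.items() if h in table]


# Constructed sample "password file": unsalted MD5 digests, as the post describes.
SAMPLE_STORE = {
    "alice": digest_hex("letmein"),
    "bob": digest_hex("/\\/\\y p4$s\\/\\/0rD 1S b3TT3R t|-|An yo|_|r$"),
    "carol": digest_hex("qwerty"),
}

if __name__ == "__main__":
    a, b = digest_hex("hello world"), digest_hex("hello worlds")
    print(a)                                   # 5eb63bbbe01eeed093cb22bb8f5acdc3
    print(b, differing_hex_positions(a, b), "of 32 hex digits differ")
    print(find_weak_accounts(SAMPLE_STORE))    # alice and carol are flagged, bob is not
```

The table lookup works against any unsalted, fast hash, which is why the same check flags alice and carol instantly while bob's phrase-derived password is simply absent from the list. That is also why modern password stores use a per-user salt and a deliberately slow function: a salt forces the attacker to rebuild the table per account, and the slowness caps how many guesses per second are possible.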

Strong and difficult passwords

Something like f^43|@{,4Tg is a secure password and is quite resistant to dictionary attacks, requiring the attacker to resort to the much slower brute force attack. But is it a good choice for a password? The answer is usually "no." Do you really want to memorize 11 "random" characters? Likewise, 5TeG8^|<",.#>$34h^%hb bvD354#{>)* is a strong password, but is even harder to memorize due to its length.

Of course, there are cases when such passwords are necessary, especially if they are used as keys. (The difference between a "key" and a "password" is that the key is actually used as part of some encryption algorithm, and the more random it is, the better.) Your WPA WiFi "password" is actually a key, which is used to encrypt internet traffic going to and from your router. Another case is some extreme-security scenario such as government servers; hopefully, the CIA database isn't protected by "password", like it often is in movies.

The best choice: secure and easy-to-remember passwords

My method for selecting a password is as follows:

  1. Think of a phrase. We will use my password is better than yours as an example.
  2. Randomize the capitalization of some letters. We now have My paSswOrD iS beTTeR thAn yoUrs.
  3. Replace some of the letters with similar numbers, symbols, or sequences of both. We now have /\/\y p4$s\/\/0rD 1S b3TT3R t|-|An yo|_|r$.
  4. (Optional) Remove some of the spaces and throw in some "gibberish" between the lines to make it even more secure. We now have /\/\y!p4$s\/\/0rD++1Sb3TT3R t|-|An yo|_|r$,!.

Congratulations! You now have a secure, hard-to-guess, hard-to-crack password which can be memorized as simply "my password is better than yours." It's a whopping 44 characters long! Of course, a truly random password is more secure... but memorizing 44 random characters is EXTREMELY difficult for most people.
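The four-step method above, implemented as an added example that is not part of the original post, together with a rough way to compare the result against the truly random passwords from the previous section. The substitution table is the one the post's own example uses (/\/\ for m, 4 for a, $ for s, and so on); the filler characters, the probabilities, and the entropy estimate in transformation_bits are this example's own assumptions, not something the post states.

```python
import math
import random

# Letter -> look-alike replacement, taken from the post's worked example.
SUBSTITUTIONS = {
    "m": "/\\/\\", "a": "4", "s": "$", "w": "\\/\\/", "o": "0",
    "i": "1", "e": "3", "h": "|-|", "u": "|_|",
}
GIBBERISH = "!+,.#"   # constructed filler characters for step 4


def randomize_case(phrase, rng):
    """Step 2: flip each letter to upper case with probability 1/2."""
    return "".join(c.upper() if rng.random() < 0.5 else c for c in phrase)


def substitute_lookalikes(text, rng, probability=0.6):
    """Step 3: swap some letters for look-alike symbols or digits."""
    out = []
    for c in text:
        repl = SUBSTITUTIONS.get(c.lower())
        out.append(repl if repl and rng.random() < probability else c)
    return "".join(out)


def add_gibberish(text, rng, probability=0.3):
    """Step 4 (optional): drop some spaces and sprinkle filler between words."""
    words = text.split(" ")
    out = [words[0]]
    for w in words[1:]:
        sep = " " if rng.random() < 0.5 else ""          # keep or drop the space
        if rng.random() < probability:                   # sometimes add two fillers
            sep += rng.choice(GIBBERISH) + rng.choice(GIBBERISH)
        out.append(sep + w)
    tail = rng.choice(GIBBERISH) if rng.random() < probability else ""
    return "".join(out) + tail


def transform_phrase(phrase, seed=None):
    """Run the post's steps 2-4 on a phrase (step 1 is choosing the phrase).

    A seed makes the output reproducible for testing; for a real password use
    random.SystemRandom() instead so the choices are unpredictable.
    """
    rng = random.Random(seed)
    return add_gibberish(substitute_lookalikes(randomize_case(phrase, rng), rng), rng)


def keyspace_bits(alphabet_size, length):
    """log2 of the number of strings a brute-force search has to cover."""
    return length * math.log2(alphabet_size)


def transformation_bits(phrase):
    """Rough upper bound (an assumption of this example) on the uncertainty the
    mutations add if the attacker already knows the base phrase: one binary
    choice per letter for case, plus one per letter that has a substitution."""
    letters = sum(c.isalpha() for c in phrase)
    substitutable = sum(c.lower() in SUBSTITUTIONS for c in phrase)
    return letters + substitutable


if __name__ == "__main__":
    phrase = "my password is better than yours"
    pw = transform_phrase(phrase, seed=7)
    print(pw, len(pw))
    print("11 random printable chars:", round(keyspace_bits(95, 11), 1), "bits")
    print("44 random printable chars:", round(keyspace_bits(95, 44), 1), "bits")
    print("mutations on a known phrase, at most:", transformation_bits(phrase), "bits")
```

The last two numbers are the point the post makes in words: the 44-character result looks like a 289-bit random string, but an attacker who knows the phrase only has to search the case and substitution choices, at most about 42 bits for this phrase. That is still far beyond what a dictionary attack covers and much easier to remember than 11 truly random characters, which is the trade-off the post recommends.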

Alternatives to passwords

Two commonly-used alternatives to passwords are fingerprint readers and smart cards. Some fingerprint readers authenticate via fingerprint alone; others store your secure password and release it once your finger is on the sensor. Smart cards not only require you to physically have a card, but also require you to enter a short PIN, and thus are the authentication method of choice for corporate use.

However, passwords are not going anywhere anytime soon. Thus, it is still important to know how to create good passwords, even if you are armed with a smart card – you never know when you'll need a password for something.

What methods do you use for creating passwords? Please leave your feedback in the comments.

Posted on Sunday, February 28, 2010 at 3:25 PM

Comments (2)

Jacob
Sunday, February 28, 2010 at 5:40 PM
I usually just think of a phrase and add capitalization to it. Or I just ask you :D

David
Tuesday, March 9, 2010 at 4:42 PM
I think of a phrase that has some personal value, and make it fun, but easy to remember.
