How to Pick a (Good) Password
Picking a password is easy, right? Just pick a common word or phrase, like “password” or “iloveyou”, and you are sure to never forget it! Wait, that might be too easy. Okay, how about your anniversary, then? If you cannot remember that one, you have bigger problems!
Unfortunately, many people still hold onto these ideas, and exploiting that habit is one of the first lessons taught in Hacking 101. The Oxford English Dictionary contains 171,476 words, and a modern computer can check each of them against your password in under a second. So can you just change a character or two in the word and make it better, like “p@ssw0rd”? Nope! Hackers know people do this too, so they have already added every variation you can think of to their dictionaries. They then enrich those dictionaries with common phrases people like to use, like “iloveyou”. This method of password cracking is so popular it has its own name: the dictionary attack.
People also like to use personal pieces of information as passwords: anniversaries, names, favorite teams, and so on. But this information is not as private as you might think. You share most of it freely on your Facebook page, and the rest can be found through phishing. Even if you do not personally use social media, there is a good chance your spouse, parents, children, coworkers, and friends do. And you can be sure that at least one of them posted about having a great time at your 20th anniversary party last year!
Okay, so now you know all about bad passwords. Let’s discuss what makes a password good. It can be boiled down to this:
A good password is not worth the effort it would take to crack it.
Hackers have varying goals, whether it is profit, fame, politics, or something else. But, like everyone, they have limited time and resources. The perceived value of the target determines how much time they are willing to spend hacking it. If cracking your password might take hundreds of years, they will find another target.
Once you have a password that is not in a dictionary, the only way to crack it is with brute force. This method involves trying every combination of possible characters until a match is found. This may seem impossible, but desktop computers can test millions (or even billions) of potential passwords per second! A password like “password” can be cracked in a few hours by brute force alone. Imagine what a botnet of thousands of computers can do!
So, your job is to create a password that is not in a dictionary and cannot be quickly brute-forced. To do this you need to consider three important components:
Length – The longer a password is, the better. An 8-character password of only lowercase letters takes hours to crack; 9 characters, days; 10, months; 11, years; 12, centuries.
Complexity – If you go beyond lowercase letters and include uppercase letters, numbers, and special characters (e.g. !, @, #, $), the total time to crack the password goes up significantly. A 12-character password using all four types takes almost 9 million years to crack.
Time – The time between password changes is also significant. If you change it more frequently than the time it takes to brute-force it, then it cannot be cracked by brute force alone. Best practice is to change your password every 90 days.
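To make the length and complexity components concrete, here is an added Python example (not code from the article) that computes the brute-force keyspace, the entropy in bits, and a worst-case crack time for a few constructed passwords, and shows why a dictionary word gets no benefit from its length or character mix. The guess rate of one billion per second and the six-entry dictionary are constructed assumptions; the article’s hours/days/centuries figures assume a different rate, and crack time scales linearly with the rate, so it is the ratios between lengths and alphabets that carry over, not the absolute years.

```python
import math
import string

# Constructed guess rate for illustration: one billion guesses per second.
# The article's own figures assume a different (unstated) rate.
GUESSES_PER_SECOND = 1_000_000_000

# The four character classes the article names.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "special": set(string.punctuation),     # 32
}

# Constructed stand-in for an attacker's dictionary (real ones hold millions).
SAMPLE_DICTIONARY = ["password", "123456", "iloveyou", "qwerty", "p@ssw0rd", "letmein"]


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password actually uses.

    Only lowercase gives the attacker 26 symbols per position; mixing all
    four classes pushes that to 26 + 26 + 10 + 32 = 94.
    """
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no characters from a known class")
    return size


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates an exhaustive search must cover in the worst case."""
    return alphabet ** length


def guesses_needed(password: str, dictionary=SAMPLE_DICTIONARY) -> int:
    """Worst-case guesses for an attacker who tries the dictionary, then brute force.

    A dictionary entry falls on its turn in the list no matter how long or
    'complex' it looks; anything else costs the dictionary plus the keyspace.
    """
    if password in dictionary:
        return dictionary.index(password) + 1
    return len(dictionary) + keyspace(len(password), alphabet_size(password))


def years_to_crack(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time at the given guess rate, in years."""
    seconds = guesses_needed(password) / rate
    return seconds / (365.25 * 24 * 3600)


def entropy_bits(password: str) -> float:
    """log2 of the brute-force keyspace; each extra bit doubles the attacker's work."""
    return math.log2(keyspace(len(password), alphabet_size(password)))


if __name__ == "__main__":
    # Constructed sample passwords: a dictionary entry with substitutions,
    # 8 and 12 random lowercase letters, and 12 characters from all four classes.
    for pw in ["p@ssw0rd", "zqxjkvbn", "zqxjkvbnmlpo", "Zq7!kvBn#lP2"]:
        print(f"{pw:16} alphabet={alphabet_size(pw):3} "
              f"bits={entropy_bits(pw):5.1f} years={years_to_crack(pw):.3g}")
```

Note that “p@ssw0rd” scores a 68-symbol alphabet and 48 bits by the keyspace formula, yet falls on the fifth guess because it is in the dictionary: the formula only applies once the password is not something an attacker would try first.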
After reading all this, are you wondering how on earth you will create a password that is 12 characters long; contains uppercase, lowercase, numbers, and special characters; gets changed every 90 days; and that you can still remember?
You are not alone! Security experts are well aware of this problem, and have recommendations to help. There are many methods out there, but we will only present two of the most popular in this article.
Bruce Schneier Method - Using this method, you come up with a sentence, and then turn that sentence into a password. For example,
Sentence: Mary had a little lamb, Its fleece was white as snow.
Ideally, you would pick a sentence that is more personal to you. But even this one would take billions of years to crack. Again, longer is better, so incorporating a longer sentence helps dramatically.
Passphrase Method - In this method, you pick six random words and string them together as your password. I would recommend using a generator. You can use either the one with spaces or the one with dashes, depending on the software requirements. For example,
bomb fide ellis x mire loss
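The two methods above, as an added Python example that is not from the article or from any generator the article links to. The sentence-to-password rule (first letter of each word, keeping case and any punctuation that ends a word) is one simple reading of the Schneier method and an assumption here, not the article’s stated rule. The 16-word list is constructed so the example runs offline; real generators draw from thousands of words (Diceware-style lists have 7776), and the entropy function takes the list size as an argument so you can plug in the real figure. Words are drawn with `secrets`, the CSPRNG, not with `random`.

```python
import math
import secrets
import string

# Constructed miniature wordlist for an offline demo; it begins with the
# article's example words. A real list has thousands of entries.
SAMPLE_WORDLIST = [
    "bomb", "fide", "ellis", "mire", "loss", "anchor", "basil", "cobalt",
    "dune", "ember", "falcon", "gravel", "harbor", "ivory", "juniper", "kettle",
]


def sentence_to_password(sentence: str) -> str:
    """Assumed reading of the Schneier method: keep the first letter of each word
    (preserving case) plus any punctuation that closes the word, so the password
    can be re-derived from the memorised sentence."""
    parts = []
    for word in sentence.split():
        leading = len(word) - len(word.lstrip(string.punctuation))
        core = word.strip(string.punctuation)
        if not core:                      # a stand-alone dash or quote: skip it
            continue
        parts.append(core[0])
        parts.append(word[leading + len(core):])   # trailing ',' or '.' etc.
    return "".join(parts)


def generate_passphrase(count: int = 6, wordlist=SAMPLE_WORDLIST, sep: str = " ") -> str:
    """Pick `count` words uniformly at random with a CSPRNG. `sep` lets you
    produce the spaces or dashes variant, whichever the software accepts."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def passphrase_bits(count: int, wordlist_size: int) -> float:
    """Entropy of a uniformly random passphrase: log2(list size) bits per word.
    The words' length in characters does not enter; only word count and list size do."""
    return count * math.log2(wordlist_size)


def is_valid_passphrase(phrase: str, wordlist=SAMPLE_WORDLIST,
                        count: int = 6, sep: str = " ") -> bool:
    """Check that a phrase is exactly `count` words, all from the list."""
    words = phrase.split(sep)
    return len(words) == count and all(w in wordlist for w in words)


if __name__ == "__main__":
    print(sentence_to_password("Mary had a little lamb, Its fleece was white as snow."))
    print(generate_passphrase())            # six words separated by spaces
    print(generate_passphrase(sep="-"))     # the dashes variant
    print(f"{passphrase_bits(6, len(SAMPLE_WORDLIST)):.1f} bits from the demo list, "
          f"{passphrase_bits(6, 7776):.1f} bits from a 7776-word list")
```

Six words from the toy 16-word list give only 24 bits, which is the point of the size argument: the security of a passphrase comes from drawing each word uniformly from a large list, not from the words looking unusual.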
Using either of these two methods will help you design strong passwords. If you would like to see how long it would take for your password to be cracked, please look at this excellent site: https://www.betterbuys.com/estimating-password-cracking-times/.
Also keep in mind that computers are becoming more advanced every year. At one time an eight-character password was considered very strong! There is no reason to believe that today’s strong passwords will not become tomorrow’s easy targets. We strongly recommend you sign up for alerts from US-CERT (United States Computer Emergency Readiness Team) and stay informed of information security trends and threats.