As imperfect as they are, passwords are still the most common method of authentication, and they will continue to be for at least the near future. This makes it critical that everyone uses strong passwords. Unfortunately, what the average Internet user considers a decent password is usually a pretty weak one. Here are a few things to consider when coming up with passwords.
What most password tips boil down to is using more than eight characters and making the password alphanumeric. That is decent advice, but it has its flaws. Say you choose the word “president” as your password. You can add some 1337 speak to it, replacing letters with numbers and symbols and capitalizing a few others, to end up with “pR35!d3n7” or something like that.
This may seem like a strong password, but it is actually a pretty bad one for a couple of reasons. First, it is susceptible to a dictionary attack. “President” is the 304th most frequently used word in the English language, according to the Corpus of Contemporary American English (COCA). So it is a very easy one for a machine to guess. The same goes for all the letter-for-number substitutions in it – they are the first rule a hacker would put in a dictionary attack. The second reason the password is bad is that it is kind of hard to remember – which letters exactly were capitalized and which weren’t?
How do you come up with a strong password then? Here are two reasonably sound approaches.
Make strong passwords, combine random words
A couple of years ago, the XKCD comic addressed the very issues presented above and came up with a method that is the exact opposite: hard for machines to guess and easy for people to remember. The concept is to take a bunch of random words and put them together for one long phrase. In their example, the authors used the words “correct,” “horse,” “battery,” and “staple” to come up with “correctbatteryhorsestaple” as a password.
This password is a pretty solid one. First, it is 25 characters long, which makes a brute-force attack exceptionally hard because of the sheer number of combinations. Then, “correctbatteryhorsestaple” is not a word in the dictionary, so it is pretty resistant to the basic dictionary attack. The biggest plus, however, is that it is pretty easy to remember. The problem is that attackers have now had two or three years to design non-basic attacks that are tailored to these kinds of passwords.
Imagine a dictionary attack that just tries combinations of the most popular English words next to each other – kind of like what a brute-force attack does with characters. Save for “staple,” all the words are pretty common. However, you can counter this by using weirder words. The COCA list mentioned above is free and has the top 5,000 words – avoiding any word from the list when picking a password is a good idea. Then you can shake things up by adding symbols. If you put something like a hyphen in the middle of one of the words (not between them), the password would become practically unbreakable.
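The two attacker models described above (undoing leet substitutions before a dictionary lookup, and trying combinations of common words) can be turned into a quick checker. The following is an added example written for this post, not code from the original article or from XKCD; the word list is a small constructed stand-in for COCA's top 5,000 (the real list is not reproduced here, and "staple" is included only so the word-combination attack can be shown), and the 33-symbol count and the per-symbol "penalty" for a symbol hidden inside a word are modelling assumptions. It reports how many bits of work each password costs a naive character brute-forcer versus a word-aware cracker, so the reader can see "pR35!d3n7" collapse to a single dictionary word, "correctbatteryhorsestaple" drop from about 117 bits to about 49, and the hyphen-inside-a-word trick add roughly 10 bits under a model where the attacker also tries stripping symbols.

```python
import math
import re

# Constructed stand-in for a common-word list such as COCA's top 5,000 (the real list
# is not on this page). "staple" is included so the word-combination attack the post
# describes can be demonstrated; a real attacker list would be larger than 5,000.
COMMON_WORDS = {
    "the", "of", "and", "to", "president", "password", "correct",
    "horse", "battery", "staple", "welcome", "summer", "love",
}
ATTACKER_WORDLIST_SIZE = 5000   # size the post cites for the COCA list (assumption: attacker uses it)

# Letter-for-number/symbol substitutions that a cracking rule set undoes first.
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "5": "s", "$": "s", "7": "t"}
SYMBOL_COUNT = 33               # printable ASCII punctuation characters


def unleet(pw):
    """Lowercase and undo common leet substitutions ("pR35!d3n7" -> "president")."""
    return "".join(LEET.get(c, c) for c in pw.lower())


def segment(s, words):
    """Split s entirely into dictionary words (fewest words wins); None if impossible."""
    best = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in words:
                cand = best[j] + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(s)]


def naive_bits(pw):
    """Search space in bits under plain character brute force over the classes used."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += SYMBOL_COUNT
    return len(pw) * math.log2(alphabet)


def word_attack_bits(pw, words=COMMON_WORDS, wordlist_size=ATTACKER_WORDLIST_SIZE):
    """Bits of work for an attacker who undoes leet, then tries word combinations.

    Returns (bits, words) or (None, None) if the password does not decompose into words.
    """
    norm = unleet(pw)
    parts = segment(norm, words)
    penalty = 0.0
    if parts is None:
        # Second rule: strip symbols the user may have hidden inside a word. Each stripped
        # symbol costs the attacker roughly log2(positions * symbols) bits (assumption).
        stripped = re.sub(r"[^a-z0-9]", "", norm)
        removed = len(norm) - len(stripped)
        parts = segment(stripped, words) if removed else None
        if parts is None:
            return None, None
        penalty = removed * math.log2(len(norm) * SYMBOL_COUNT)
    return len(parts) * math.log2(wordlist_size) + penalty, parts


def assess(pw):
    """Report the naive estimate next to the word-attack estimate; the smaller one wins."""
    naive = naive_bits(pw)
    wbits, parts = word_attack_bits(pw)
    effective = naive if wbits is None else min(naive, wbits)
    return {
        "password": pw,
        "naive_bits": round(naive, 1),
        "words": parts,
        "word_attack_bits": None if wbits is None else round(wbits, 1),
        "effective_bits": round(effective, 1),
    }


if __name__ == "__main__":
    for pw in ("pR35!d3n7", "correctbatteryhorsestaple", "correctbatteryhor-sestaple"):
        r = assess(pw)
        print(f"{r['password']:28} naive={r['naive_bits']:6} "
              f"words={r['words']} effective={r['effective_bits']}")
```

The "effective" figure is the lower of the two estimates, which is the honest way to rate a password: an attacker picks whichever model is cheapest. Note that the word-aware model only costs an attacker a few extra bits per hidden symbol, so a symbol placed inside a word helps, but the real gain still comes from using words that are not on any popular list.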
Bruce Schneier’s method: Turn sentences into passwords
Security expert Bruce Schneier has proposed another good method for coming up with strong passwords. He argues that the XKCD scheme’s dependency on words makes it susceptible to attacks – as we also noted, hackers are in on the trick. Schneier instead recommends taking a sentence and turning it into the password.
For example, the sentence I just typed above can be used to create a password by taking the first letter of every word in it: “sirtasatiitp.” Then you can 1337 it up into “s!rT4satI!tp” – 12 characters, numbers, symbols, random capital letters, and no words or phrases. And although the result is harder to remember, there is a clear logic behind it that you can train your mind to follow.
The problem is that you need different passwords for different accounts; reusing the same one is a severe mistake. This is what password managers are for. These programs store an encrypted database with the passwords for all the user’s accounts, which is decrypted with a single key – one super strong password to protect all the rest you use.
Keep in mind that crooks read password tips too
It is important to note that no matter how good a password-generation scheme seems, there is always a logic to it. And this logic could be replicated by an adversary as well, especially by someone who has studied your social media footprint and can tailor an attack to your profile.
As far as the Schneier scheme goes, it could theoretically be broken too. Take me, for example. One could easily find out Metallica is among my favorite bands. They have something like 100 songs. Imagine I based my passwords on their lyrics. It wouldn’t be hard to devise an attack that uses these 100 lyrics as a library of rules to brute-force my passwords.
The moment a method goes public, ways to break it are being designed as well. This is why I referred to passwords as imperfect at the beginning of this post. The best way to come up with really good passwords is to be aware of the methods used to break them, and to opt for a scheme that subverts those methods.