Monday, February 11, 2013

Passwords

Passwords: the key to security. From logging into your computer to logging into a network to logging into a website to logging into your private data, the “password” is the key to security. There are a few other ways to ensure that only the authorized user can access data and systems, but the password is the ubiquitous key to almost all things digital.

So what’s in a password? What’s its purpose and how can it be designed or created to best accomplish that purpose? The best passwords are ones that are easy to remember, but hard to guess. That’s the “key.”

The “easy to remember” part is important. If we can’t remember our passwords, then we’ll have to write them down and refer to the writing every time we log on. That fact means we usually don’t use random combinations of letters for passwords, although they would actually be the best. In some cases, writing down the password is just a time-consuming annoyance. In other cases, recording the password can make it possible for a thief to steal the written password and eliminate the requirement to guess it.

To make it easy to remember, most people use familiar things to construct a password. They might use the names of their children or pets. Of course, if someone knows them, that might be easy to guess. Or they could use familiar things like important dates, addresses, or common words. But using common words or constructing passwords with predictable patterns makes them much easier to guess than using a truly random collection of characters to construct a password.

The length of the password is also a factor in making it harder to guess. It is much easier to guess a four-character password than an eight-character password. In fact, most systems will insist that a password be at least six or eight characters to be accepted as a password.

Let’s examine the mathematics behind the idea that longer passwords are harder to guess. The difficulty of guessing something correctly depends on how many choices there are to guess from. If I said, “guess which hand has the quarter,” there are two choices, “left” and “right,” and the odds of guessing correctly are 50%. In addition, if you got two guesses, you would be bound to get it right.

If I said, “guess what day of the week we’re going to the party,” you’d have 1 in 7 chances of getting it right. And, if I gave you seven guesses, you’d be certain to guess it correctly.

So we have to give the hackers trying to guess our password a lot of choices to try because they are going to try more than once. In fact, with modern computer hardware, they are going to try billions and billions of times. (I’ll have to write a more technical article about the methods hackers use. I’ll save that for later.) For now, let’s figure out how many possible passwords you can create of a given length.

Suppose we created a single character password using only the lower-case letters on the keyboard. There are 26 letters from “a” to “z.” So there could be 26 possible one-letter passwords.

Now suppose you could have two-letter passwords. Then for each of the letters as the first letter, you would have 26 passwords made up of different second letters. For example, “aa,” “ab,” “ac,” … “az.” Since there are 26 “first” letters, that would be 26 times 26 total passwords. Twenty-six times 26 is 26 squared or (26)².

If there were three letters then the total number of unique combinations would be 26 x 26 x 26, which is 26 cubed or (26)³. It should be obvious now that the formula for the total number of combinations of lower-case letters in a password of length “n” would be (26)ⁿ. You see, the bigger the “n,” the more possible combinations.

A password made up of eight lower-case letters would come from a possible collection of (26)⁸ = 208,827,064,576. Seems like a pretty big collection to guess the one right answer from. That’s 208 billion possible passwords. If we chose only random combinations of letters, then that is the most guesses it would take. Or, put statistically, if the hacker guessed half that many, then the odds would be 50-50 that the hacker would have guessed right.

But we also want the password to be memorable. So we are more likely to make the password some word we know, such as “aardvark” or “workroom.” The problem is that the hacker knows we are likely to use common words, so he (or she) will not try all the possible 208,827,064,576 combinations of letters, but just common words out of a list called a “dictionary.” There are only about 50,000 common words in the normal dictionary. Of course, people use names too as passwords, so hackers will add all the common names to their word lists, but you can imagine that that only comes to around 60,000 eight-character words. That’s a lot less to guess than our original 208 billion possibilities.

For that reason, most passwords are created with numbers in addition to letters. That raises the total and makes passwords that don’t exactly match common words. Since there are ten numerals from 0 to 9, now the formula is (36)ⁿ and an eight-character password would include (36)⁸ possibilities, which equals 2,821,109,907,456 combinations. We’ve increased the number of possible passwords by ten times, but – more importantly – a simple dictionary search would be prevented, assuming we are smart in how we use the numbers.

You see, hackers know what we’re doing because they are people too. In addition, they’ve analyzed millions and millions of actual passwords to determine just what people are most likely to do when choosing a password.

For example, we may just take a seven-letter word and add a number on the end, such as “realize5,” or we may take two short words and put numbers between them such as “big5tent.” That does make it harder for the hacker as they might have to test a lot of dictionary words with one or more numerals at the end or they may test putting two short words together separated by a numeral. That greatly increases the number of guesses required to have a possibility of guessing correctly, but, remember, they are using powerful computers that can make a lot of guesses in a short time.

Many systems will require the addition of capital letters and even other symbols to make passwords harder to guess. That’s a good idea. Suppose we used all the lower-case letters, all the upper-case letters, and numerals? Then there are a total of 26 + 26 + 10 choices for each character and an eight-character password could be any combination of (62)⁸ = 218,340,105,584,896 possibilities. But, more importantly, the number of dictionary words increases greatly too.

Unfortunately, most people will do something very predictable, such as only capitalize the first letter in the password. Hackers know this, so now they just have to test every word in their dictionary twice, once with no caps and once with the first letter capitalized.

Remember that random passwords are the hardest to guess, so try to be a little random. It does help to add more symbols such as punctuation and special characters like “#,” “$,” or “@.” There are actually 256 total ASCII characters in most computers’ character sets, but we need to stick to characters on the main keyboard. Since passwords are almost always entered without seeing what we’re typing, to increase security, we want to stick to simple characters on the keyboard. Plus, some of the ASCII characters have special functions that we don’t want in a password, to keep things simple for the programmer writing the programs that process the passwords. Still, I count an additional 32 special characters on my normal English keyboard, so adding them gives us 26 + 26 + 10 + 32 = 94 total characters. So an eight-character password using all the keys on the keyboard and upper- and lower-case letters would yield (94)⁸ = 6,095,689,385,410,816 passwords. The bigger the number, the harder it is to guess. (Certain characters may not be allowed in passwords, such as the comma or the period, so I tend to stick to the characters across the top of the keyboard.)

In fact, with the modern computers that hackers are using to guess passwords, I suggest passwords longer than eight characters. Making the password ten characters, and not even bothering with special characters, just the upper- and lower-case letters and numerals, yields (62)¹⁰ = 839,299,365,868,340,200. That’s about a thousand times as many possible passwords as we got with eight characters and all the funny symbols.

I don’t want to say in public how long my passwords are because I don’t want that information known. Even the length of your password is something to keep secret because the hacker actually has to test all lengths that are likely. That increases the total even more. So they will have to use their dictionary to create all six-character, seven-character, eight-character, nine-character, and … well, they’ll probably not even try more than eight characters. Remember, it isn’t important that the locks on your house be impossible to break into. They just have to be good enough to discourage the burglar so he (or she) will go next door and rob your neighbor.

Make your passwords hard enough to break, and the hacker will just go find an easier target. It’s “every man (or woman) for themselves in this scary world.”

So make your password long; I suggest 10 to 12 characters, or even 16 if you’re truly paranoid. Use upper- and lower-case letters, but don’t just capitalize the first letter. Don’t use common words or names on their own. You can use common words if you mix in numbers and even special characters. Oh, and a warning. Those of you who think it is a good idea to substitute a “3” for an “E” or a “1” for an “I,” the hackers know that.

One of the first passwords they’ll test is “s3cr3t.” Remember, the hackers are smart. They’ve studied how most people make passwords. They use powerful lists of common words and they add all kinds of special rules to handle capitalization and/or use of numbers, and they know most people capitalize the first letter, end the password with numbers, or make these silly substitutions. Those are the first million guesses they try. Then they move on to harder and more random combinations.
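The keyspace arithmetic from the earlier paragraphs and the dictionary-plus-rules guessing described just above, as an added Python example (not code from the original post): it computes the naive charset-size-to-the-length count for a password and names the predictable rule a wordlist run would hit first. The tiny word list, the substitution table and the rule names are constructed assumptions for the example.

```python
import re
import string
from typing import Optional

# Constructed mini word list standing in for the attacker's "dictionary";
# a real checker would load a large word list plus common names.
WORDLIST = {"secret", "realize", "aardvark", "workroom", "big", "tent", "password"}

# The substitutions the post warns are already in the attackers' rule sets.
LEET = {"3": "e", "1": "i", "0": "o", "$": "s", "@": "a", "&": "e"}

# The 32 keyboard symbols, giving the post's 26 + 26 + 10 + 32 = 94 characters.
SYMBOLS = set(string.punctuation)  # 32 characters


def keyspace(password: str) -> int:
    """Naive (charset size) ** length, counting only the classes actually used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += 32
    return size ** len(password)


def predictable_pattern(password: str) -> Optional[str]:
    """Name the wordlist rule that would hit this password, or None if none does."""
    base = password.lower()
    if base in WORDLIST:  # "Secret": the first-letter-capitalized rule costs one extra try
        return "dictionary word" + (", first letter capitalized" if password[0].isupper() else "")
    stripped = base.rstrip(string.digits)  # "realize5" -> "realize"
    if stripped in WORDLIST:
        return "dictionary word + trailing digits"
    unleet = "".join(LEET.get(c, c) for c in stripped)  # "s3cr3t" -> "secret"
    if unleet in WORDLIST:
        return "dictionary word with digit/symbol substitutions"
    m = re.fullmatch(r"([a-z]+)\d+([a-z]+)", base)  # "big5tent"
    if m and m.group(1) in WORDLIST and m.group(2) in WORDLIST:
        return "two dictionary words joined by digits"
    return None


def assess(password: str) -> dict:
    """Naive keyspace next to the rule an attacker would try first, if any."""
    return {"keyspace": keyspace(password), "pattern": predictable_pattern(password)}
```

A password with a large keyspace but a named pattern (such as “realize5”) is the case the post warns about: the attacker never searches the whole keyspace.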

Here’s a good suggestion: Some people think of common phrases and then use the first letter of each word in the phrase as the password. It appears random (and it’s been proven to be equal to truly random letter combinations in difficulty to guess), but it is easy to remember because you recall the known phrase. For example, “To be or not to be, that is the question,” becomes “tbontbtitq.” A rather nice ten-character password. Go ahead, substitute zero for “O” and one for “I.” This helps in this case, and makes it even harder: “tb0ntbt1tq.”

Now, I suggest a little less common phrase than the famous “to be or not to be” phrase, but it isn’t hard to come up with phrases that won’t become words in the hackers list of words. Bible verses are a great choice since we know all the hackers are heathens. :-) How about “fgsltwhghoaos.” But then I told you not to use really, really famous quotations. (It does depend on which Bible translation you use. Some say “only begotten” instead of “one and only.” That’s a hint folks to the last phrase.)

Also notice that this phrase technique tends to produce fairly long passwords. Some web sites will require capitals and numerals and even special characters. You can still use the phrase technique by combining it with the silly number substitutions, which are now not so silly. You could also substitute “$” for “s” or “&” for “e” or “@” for “a.” Be creative, but consistent. That will make them easier to remember. Your passwords will still be nearly random and not open to dictionary attacks. You can also be consistent in capitalization. You might always capitalize the fifth and the seventh letter.
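The phrase technique, with the post’s optional substitutions and fixed capital positions, as an added Python example (not code from the original post); the substitution table and the (5, 7) positions are taken from the text, the function name is an assumption.

```python
import re


def phrase_password(phrase: str, substitutions: dict = None,
                    capital_positions: tuple = ()) -> str:
    """Build a password from the first letter of each word in a phrase.

    substitutions: e.g. {"o": "0", "i": "1"} as suggested in the post.
    capital_positions: 1-based letter positions to capitalize, e.g. (5, 7).
    """
    words = re.findall(r"[A-Za-z']+", phrase)          # ignore punctuation
    initials = "".join(word[0] for word in words).lower()
    if substitutions:
        initials = "".join(substitutions.get(c, c) for c in initials)
    if capital_positions:
        initials = "".join(
            c.upper() if i in capital_positions else c
            for i, c in enumerate(initials, start=1)
        )
    return initials
```

The quotation from the post gives “tbontbtitq”, then “tb0ntbt1tq” with the zero/one substitutions, and “tb0nTbT1tq” when the fifth and seventh letters are also capitalized.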

Finally, and this may be the best advice of all, use different passwords for your different accounts. I know that can be very difficult and may drive you to recording your passwords. But hackers can break into some web site or company computer and recover your passwords. (I’ll write a more technical article about that too … someday.) If the hacker was able to steal your actual password from some computer system, then, no matter how strong your password creation algorithm is, the hacker doesn’t have to guess. He (or she) knows it now and will likely try it on every bank that exists.

So, at the very least, use unique passwords for your bank, credit union, and stockbroker. They should each have separate passwords. Also protect your email account or accounts with strong passwords. If a hacker gains access to your email account, they may request new passwords for other important accounts and these new passwords will be mailed to your email. Guessing passwords isn’t the only trick up a hacker’s sleeve.

It is also a good practice to change your passwords periodically. At IBM we had to change passwords every 60 days. Since I had a couple of dozen IBM passwords, that was almost an all day chore, and I had no choice but to record the passwords. I used an encrypted file on the computer to do that.

Computers and browsers may offer to memorize your passwords for you. That’s OK in some instances, but I worry that if your local computer gets hacked or stolen, this may backfire on you. I don’t have a strong opinion on the use of such features. If you create really strong passwords, then that is good. If you have your “every-day” computer memorize those strong passwords, well … I just don’t know if that is a good or bad thing. I’ll have to research that more.

Well, that’s all folks. Now you have some good ideas for making good passwords that will defy hacker attacks. And don’t be stupid. They know what letters you are likely to capitalize or where you’ll probably put the numbers. Be different. Be creative. Be hard to guess.

Don’t be a donkey … or a jackass. Do you know how many people use “secret” for their password? But you know better now. You’d make it “sEcr3T5.”
