Passwords: the key to security. From logging into your
computer to logging into a network to logging into a website to logging into
your private data, the “password” is the key to security. There are a few other
ways to assure that only the authorized user can access data and systems, but
the password is the ubiquitous key to most all things digital.
So what’s in a password? What’s its purpose and how can it
be designed or created to best accomplish that purpose? The best passwords are
ones that are easy to remember, but hard to guess. That’s the “key.”
The “easy to remember” part is important. If we can’t
remember our passwords, then we’ll have to write them down and refer to the
writing every time we log on. That fact means we usually don’t use random combinations
of letters for passwords, although they would actually be the best. In some
cases, writing down the password is just a time consuming annoyance. In other
cases, recording the password can make it possible for a thief to steal the
written password and eliminate the requirement to guess it.
To make it easy to remember, most people use familiar things
to construct a password. They might use the names of their children or pets. Of
course, is someone knows them, that might be easy to guess. Or they could use
familiar things like important dates or addresses or common words. But using
common words or constructing passwords with predictable patterns make it much
easier to guess than using a truly random collection of characters to construct
a password.
The length of the password is also a factor in making it
harder to guess. It is much easier to guess a four-character password than an
eight-character password. In fact, most systems will insist that a password be
at least six or eight characters to be accepted as a password.
Let’s examine the mathematics behind that idea of longer
passwords are harder to guess. The difficulty of guessing something correctly
depends on how many choices there are to guess. If I said, “guess which hand
has the quarter,” there are two choices, “left” and “right” and the odds of
guessing correctly is 50%. In addition, if you got two guesses, you would be
bound to get it right.
If I said, “guess what day of the week we’re going to the
party,” you’d have 1 in 7 chances of getting it right. And, if I gave you seven
guesses, you’d be certain to guess it correctly.
So we have to give the hackers trying to guess our password
a lot of choices to try because they are going to try more than once. In fact,
with modern computer hardware, they are going to try billions and billions of
times. (I’ll have to write a more technical article about the methods hackers
use. I’ll save that for later.) For now, let’s figure out how many possible
passwords you can create of a given length.
Suppose we created a single character password using only
the lower-case letters on the keyboard. There are 26 letters from “a” to “z.”
So there could be 26 possible one-letter passwords.
Now suppose you could have two letter passwords? Then for
each of the letters as the first letter, you would have 26 passwords made up of
different second letters. For example, “aa,” “ab,” “ac,” … “az.” Since there
are 26 “first” letters, that would be 26 times 26 total passwords. Twenty-six
times 26 is 26 squared or (26)2.
If there were three letters then the total number of unique
combinations would be 26 x 26 x 26 which is 26 cubed or (26)3. It should be
obvious now that the formula for the total number of combinations of lower-case
letters in a password of length “n” would be (26)n. You see, the bigger the
“n” the more possible combinations.
A password made up of eight, lower-letters would come from a
possible collection of (26)8 = 208,827,064,576. Seems like a pretty big
collection to guess the one right answer from. That’s 208 billion possible
passwords. If we chose only random combinations of letters, then that is how
many guesses it would take. Or, put statistically, if the hacker guessed half
that many, then the odds would be 50-50 the hacker would guess right.
But we also want the password to be memorable. So we are
more likely to make the password some word we know, such as “aardvark” or
“workroom.” The problem is that the hacker knows we are likely to use common
words, so he (or she) will not try all the possible 208,827,064,576
combinations of letters, but just common words out of a list called a
“dictionary.” There are only about 50,000 common words in the normal
dictionary. Of course, people use names too as passwords, so hackers will add
all the common names to their word lists, but you can imagine that that only
comes to around 60,000 eight-character words. That’s a lot less to guess than
our original 208 billion possibilities.
For that reason, most passwords are created with numbers in
addition to letters. That raises the total and makes passwords that don’t
exactly match common words. Since there are ten numerals from 0 to 9, now the
formula is (36)n and an eight-character password would include (36)8
possibilities which equals 2,821,109,907,456 combinations. We’ve increased the
number of possible passwords by ten times, but – more importantly – a simple
dictionary search would be prevented, assuming we are smart in how we use the
numbers.
You see, hackers know what we’re doing because they are
people too. In addition, they’ve analyzed millions and millions of actual
passwords to determine just what people are most likely to do when choosing a
password.
For example, we may just take a seven-letter word and add
a number on the end, such as “realize5,” or we may take two short words and
put numbers between them such as “big5tent.” That does make it harder for the
hacker as they might have to test a lot of dictionary words with one or more
numerals at the end or they may test putting two short words together separated
by a numeral. That greatly increases the number of guesses required to have a
possibility of guessing correctly, but, remember, they are using powerful
computers that can make a lot of guesses in a short time.
Many systems will require the addition of capital letters
and even other symbols to make passwords harder to guess. That’s a good idea.
Suppose we used all the lower-letters, all the upper-case letters, and
numerals? Then there are a total of 26 + 26 + 10 choices for each character and
an eight-character password could be any combination of (62)8 = 218,340,105,584,896
possibilities. But, more important, the number of dictionary words increases
greatly too.
Unfortunately, most people will do something very predictable,
such as only capitalize the first letter in the password. Hackers know this, so
now they just have to test every word in their dictionary twice, once with no
caps and once with the first letter capitalized.
Remember that random passwords are the hardest to guess, and
so try to be a little random. It does help to add some more symbols such as
punctuation and special characters such as “#,” “$”, or “@.” There are actually
256 total ASCII characters in most computers character sets, but we need to
stick to characters on the main keyboard. Since passwords are almost always
entered without seeing what we’re typing to increase security, we want to stick
to simple characters on the keyboard. Plus, some of the ASCII characters have
special functions that we don’t want to have in a password to keep things
simple for the programmer writing the programs that process the passwords.
Still I count an additional 32 special characters on my normal English keyboard
so adding them gives us 26 + 26 + 10 + 32 = 94 total characters. So an
eight-character password using all the keys on the keyboard and upper and lower
case letters would yield (94)8 passwords = 6,095,689,385,410,816. The bigger the number, the harder it is to
guess. (Certain characters may not be allowed in passwords such as the comma or
the period; so I tend to stick to the characters across the top of the
keyboard.)
In fact, with modern computers that the hackers are using to
guess passwords, I suggest longer than eight character passwords. Making the
password ten characters, and not even bothering using special characters, just
the upper- and lower-case letters and numerals yields (62)10 = 839,299,365,868,340,200.
That’s about a thousand times as many possible passwords as we got with eight
characters and all the funny symbols.
I don’t want to say in public how long my passwords are
because I don’t want that information known. Even the length of your password
is something to keep secret because the hacker actually has to test all lengths
that are likely. That increases the total even more. So they will have to use
their dictionary to create all six-character, seven-character, eight-character,
nine-character, and … well, they’ll probably not even try more than eight
characters. Remember, it isn’t important that the locks on your house be impossible
to break into. They just have to be good enough to discourage the burglar so he
(or she) will go next door and rob your neighbor.
Make your passwords hard enough to break, and the hacker
will just go find an easier target. It’s “every man (or woman) for themselves
in this scary world.”
So make your password long, I suggest 10 to 12 characters or
even 16 if you’re truly paranoid. Use upper- and lower-case letters, but don’t
just capitalize the first letter. Don’t use common words or names. You can use
common words, but mix in numbers and even special characters. Oh, and a
warning. Those of you that think it is a good idea to substitute a “3” for an
“E” or a “1” for an “I,” the hackers know that.
One of the first passwords they’ll test is “s3cr3t.” Remember,
the hackers are smart. They’ve studied how most people make passwords. They use
powerful lists of common words and they add all kinds of special rules to
handle capitalization and or use of numbers and they know most people put the
first letter capital or end the password with numbers of make these silly
substitutions. Those are the first million guesses they try. Then they move on
to harder and more random combinations.
Here’s a good suggestion: Some people think of common
phrases and then use the first letter of each word in the phrase as the
password. It appears random, (and it’s been proven to be equal to truly random
letter combinations in difficulty to guess), but it is easy to remember because
you recall the known phrase. For example, “To be or not to be, that is the
question,” becomes “tbontbtitq.” A rather nice, ten character password. Go
ahead, substitute zero for “O” and one for “I.” This helps in this case, and makes
it even harder, “tb0ntbt1tq.”
Now, I suggest a little less common phrase than the famous
“to be or not to be” phrase, but it isn’t hard to come up with phrases that
won’t become words in the hackers list of words. Bible verses are a great
choice since we know all the hackers are heathens. :-) How about “fgsltwhghoaos.”
But then I told you not to use really, really famous quotations. (It does
depend on which Bible translation you use. Some say “only begotten” instead of
“one and only.” That’s a hint folks to the last phrase.)
Also notice that this phrase technique tends to produce
fairly long passwords. Some web sites will require capitals and numerals and
even special characters. You can still use the phrase technique by combining it
with the silly number substitution, which, are now, not so silly. You could
also substitute “$” for “s” or “&” for “e” or “@” for “a.” Be creative, but
consistent. That will make them easier to remember. Your passwords will still
be nearly random and not open to dictionary attacks. You can also be consistent
in capitalization. You might always capitalize the fifth and the seventh
letter.
Finally, and this may be the best advice of all, use
different passwords for your different accounts. I know that can be very
difficult and may drive you to recording your passwords. But hackers can break
into some web site of company computer and recover your passwords. (I’ll write
a more technical article about that too … someday.) If the hacker was able to steal your actual password from some computer system, then, no matter how strong your password creation algorithm is, the hacker doesn't have to guess. He (or she) knows it now and will likely try it on every bank that exists.
So, at the very least, use
unique passwords for your bank, credit union, and stockbroker. They should each have
separate passwords. Also protect your email account or accounts with strong
passwords. If a hacker gains access to your email account, they may request new
passwords for other important accounts and these new passwords will be mailed
to your email. Guessing passwords isn’t the only trick up a hacker’s sleeve.
It is also a good practice to change your passwords
periodically. At IBM we had to change passwords every 60 days. Since I had a
couple of dozen IBM passwords, that was almost an all day chore, and I had no
choice but to record the passwords. I used an encrypted file on the computer to
do that.
Computers and browsers may offer to memorize your passwords for you.
That’s OK in some instances, but I worry that if your local computer gets
hacked or stolen, this may backfire on you. I don’t have a strong opinion on
the use of such features. If you create really strong passwords, then that is
good. If you have your “every-day” computer memorize those strong passwords,
well … I just don’t know if that is a good or bad thing. I’ll have to research that
more.
Well, that’s all folks. Now you have some good ideas for
making good passwords that will defy hacker attacks. And don’t be stupid. They
know what letters you are likely to capitalize or where you’ll probably put the
numbers. Be different. Be creative. Be hard to guess.
Don’t be a donkey … or a jackass. Do you know how many
people use “secret” for their password? But you know better now. You’d make it
“sEcr3T5.”