As a father of two children who are approaching puberty fast, and especially now when the global lockdown forces millions of children to attend school from home across the globe, I’ve come to realize that there are a plethora of tools that they have to use in order to attend their classes. For most of these services, children have to create their own accounts, and part of that process is choosing a password. Therefore, I wanted to teach the kids how to select good passwords that they can also remember.
So what did I do? I went to my search engine of choice, and searched for “how to select your password” to find an article for which I could just point to for the kids and end of story. Easy! Unfortunately, five minutes later, I was astonished to observe the lack of proper information on this subject available on the Web today. Some articles almost do a good job, most articles are actually sloppy and written in a hurry, and I’ve also found some that are downright toxic and give bad (or in more benign forms, outdated) advice in password selection.
So here I am, sleeves rolled up, ready to do the heavy lifting of what I had hoped to find ready-made on the Internet. Hopefully this article will be useful for people other than just my kids.
The Problem At Hand
If you’re reading this, it means you have Internet access. And since you do, you must actively own several accounts with various service providers: e-mail, social media, e-shopping, e-banking, etc. Part of creating an account, is to secure access to it so that you and only you can use it. And finally, part of securing an account is to have a secret token that only you have or only you know, which constitutes proof that you are who you claim to be; so that the service provider grants you access to your account while preventing others to do so.
The most common way of securing an account is via a secret token (called password) that only you know. Nowadays this has been extended with a physical token (like your mobile phone, or a USB stick, etc.) that only you own. When you need to authenticate, you need to prove that you know the password and (in certain cases) own the device. In this article we will concentrate on the password aspects only.
When we create the online account we are asked to provide that secret piece of information that supposedly only we know. For that, we are asked to come up with a secret keyword. Unfortunately, we are very bad at selecting good and secure passwords. If you want a visual analogy, think of the countless people absolutely sure that stuffing the keys in our shoes followed by the sock, or hiding our keys under the doormat or under a flower pot next to the door, represents a bulletproof way of securing our valuables once we decide to enter the water at the beach or leave the house. What evil mind can guess our super-secret location?
Pretty much the same thing happens in the realm of passwords.
What Constitutes A Good Password?
A good password needs to match all of the following key criteria:
Difficult to guess by others or brute-forced by computers
Easy to remember by the owner
Unique for every account
Not stored, written, or saved in any form on any media; whether it’s a piece of paper in your wallet or cabinet, a “secret” file on your phone or a database in the cloud
There are specialized software out there called password managers, which manage people’s passwords and provide comfort for their users by taking over the responsibility of renewing, managing and securing the passwords for the user. But by definition, they must break the last point in the above list and they also bring a series of caveats most people are unaware of.
The Case For Password Managers
There is a special category of people that work around managing complicated passwords, who are slightly more comfortable with technology, which use password managers. While the password manager idea is not the worst idea out there, it constitutes a single point of failure. Basically people are delegating their trust concerns to a third party – whether that is a software running on your local machine or a cloud service – to generate and store all the passwords they use in their daily life, all protected by a single password (yes, there are additional protections that can be used, which we will address later). Hopefully, access to that manager is backed by a strong password and not a weak one.
In either case, in my opinion, this is the lazy approach because people cannot be bothered to come up with their own methodology in choosing appropriate, memorable passwords. They may get locked out when their hard drive fails or when they find out in newspapers that their password manager used vulnerable libraries when generating those strong passwords, or when the cloud service storing their password database has been broken into and copied by online hackers.
I don’t want to completely dismiss the usefulness of password managers, but I have the impression that many people misunderstand what they do and how they work, so much so that they either use weak passwords with them, or they are using solutions that are known to suffer from security holes. Like in any field of activity, there are worse and there are better password managers out there, and it’s not easy to keep track which is what.
Call me outdated, decrepit, or just behind the times; but i don’t like to worry about a third party provider to whom I would entrust the most important pieces of information I have. To me, the idea of a password is not something to be stored in any other place than the owner’s wetware. That is, in the gray fatty gel snuggled tightly in their skull. And for that, I am willing to sacrifice a bit of my comfort.
However, his topic is rich enough that a separate article on password managers is probably necessary.
The Good, The Bad, and The Ugly
Whether you use a password manager or not, you need to select strong password(s). Before we go analyze the bad password picking practices, have a look at this Wikipedia article showcasing the most commonly used passwords. You’d be amazed what you can find there and hopefully it’s not a selection of your own passwords that you find.
Let’s list some of the password methodologies widely used and which don’t provide any added security. I tried to exemplify where possible passwords from the Wikipedia article cited above.
Using simple-to-remember numbers, or sequences of letters
Such passwords are very easy to crack today and there are entire databases with pre-computed hashes for all of the words and names (at least for the most commonly used languages).
qwerty, qwe123, 1qaz2wsx, zaq1zaq1, !@#$%^&
For a person, these look very complicated and almost random. However dictionary attacks are also pre-computed for sequences of keys that are located in certain patterns on the keyboard.
Too short passwords
Anything shorter than 16 characters (in 2020)
This is the trickiest one to define properly, since as the power of computers grows, so does their ability to brute-force more combinations. If your bank account password costs less than $200 to brute-force on AWS, it’s TOO SHORT.
Using names or birthdays of yourself or your relatives
Someone who studied you might be able to guess what you have used.
Replacing certain characters with numbers or symbols (‘o’ with 0, ‘i’ with 1, ‘a’ with @, etc.)
While these may seem “clever”, and a cheap way of going around password rules of using numerals or symbols in the password, this won’t make your password any stronger against automated scripts, as common symbol substitutions are coded for as well.
How Are Passwords Usually Cracked?
Most people imagine password cracking as it’s depicted in those bad Hollywood movies, where a computer junkie sits at a console connected to a corporate or military network of some kind, and typing furiously many passwords on the keyboard until finally yelling “I’m in!” a few minutes later.
The more tech savvy people think of automated scripts running on many machines, all trying to concurrently get access to the target system and trying many combinations of passwords until a successful login happens.
While in theory this can happen, in practice the reality is slightly different, and varies depending on the target account.
The most common way passwords are cracked, simply due to the sheer number of accounts compromised at a time, is by attacking popular services. These may be banks, social networks, game platforms, online shops, or other such lucrative online services. They’re usually breached by using zero-day vulnerabilities (basically newly discovered and not-yet-patched bugs in the underlying system) to entirely bypass the security checks. Then they infiltrate the system until they get access to the user database. The user database is a database that holds the login information of all the users of that system. It usually holds critical information such as user names, passwords and email addresses (for password recovery reasons, or is actually used for the username).
The hackers then “dump” (download) the entire database which they can later sell on the dark web to whoever is interested. The buyers of those databases are then the people, organizations, or even countries who would then use the login information to do the actual harm or identity theft to achieve their goals.
But wait, aren’t passwords encrypted? Yes, nowadays all the online service providers should store the hash (encrypted) version of the password, not the actual key sequence that you type on your keyboard. There have been breaches where passwords have been discovered to be saved in “plain text” (unencrypted) or very poorly encrypted, such as was found in a recent Facebook breach. Most of the time though, a database dump does not have your actual clear-text password. This makes it slightly safer for you, as your actual password wasn’t leaked to anyone.
But not if you are using a weak password!
The fact is that those guys that buy the stolen login databases are also running specialized software for years, pre-computing hashes for all the possible passwords they can think of. For that, they continuously generate passwords in automatic scripts and save the password and their corresponding hashes in huge databases.
The actual password cracking happens when they take the stolen hashes bought from the dark web and compare them with the set of self generated hashes to see if they can find a precomputed match, and when they do (when, not if), they cracked your password. And since they also have your email and username, it’s game over!
This brings us to another systemic problem: most people tend use the same password everywhere. All hackers have to do then is to try the same username/password combination they found by cracking LinkedIn accounts to the most popular banks and the world is their oyster.
However, if you use long passwords with a wide character set (lowercase, uppercase, numbers and symbols) then brute-forcing all the combinations is not feasible. So, to make their life easier, hackers perform such things known as dictionary attacks. This means that they don’t generate every possible letter/number/symbol combination, but rather they use only words, names and numbers and certain commonly used symbols and substitutions. This method greatly reduces the field of possible values, and is very effective in catching the vast majority of passwords that people use. It’s much more likely people will use something a dictionary attack can find (such as “Secur1ty!”) as their password, than something difficult to remember (like “k$sF4_9!voA”).
Lastly, and usually after these previous methods fail, the hacker can resort to using brute force to guess your password. This can be done with relative ease using readily-available “research” software such as hashcat, to iterate through sequentially-generated passwords until a matching hash is found. These are usually brute-forced in on GPU-equipped rigs or in a cloud service.
I find this YouTube video to be an easy to follow description of how password cracking is done.
When Are You At Risk?
Believe it or not, even using a bad password provides a rather high level of security against attackers trying to force their way into a system through the security measures. This may give most users a false sense of security, hence the popularity of passwords like 1q2w3e4r which to most people looks like a stroke of genius for a password.
The situation changes dramatically when – as described above – somebody gains access to the system by means of going around the security measures put in place. Once the user databases are stolen, most of the passwords that people commonly use can be found in a matter of seconds.
You have heard of news like “X million passwords have been stolen from Y!” Every single news event like that represents a situation where a large part (if not all) of the user database has been copied by someone who shouldn’t. This can be a disgruntled employee or your classical hacker archetype.
Please note that in most all of those cases, the security breach exposed is a few months if not a few years old. That means the hackers had those user databases for months or years before you even found out.
So as we speak, many passwords you use (hopefully you don’t use the same password everywhere) are already probably cracked and even stored publicly, attached to your username or email address. Want to see if you’re on a list? Check out Have I Been P0wned and get to changing those passwords! Like I said, the majority of passwords are so simple that they take only a few seconds to crack, and that is because we have not been taught what is a weak password and what is a strong one, so maybe finish this article first before setting off to change your passwords just yet.
How To Pick A Good Password?
Obviously I’m not going to be able to give you a password to use, but I’ll teach you a (hopefully) good set of techniques you could use to generate your own unique and good passwords. And instead of learning long strings of text, we will try to remember the technique instead. We will do that in only 5 steps, while actively making sure we do not fall in any pitfall described above.
Step 1: Select Your “Root”
To start with, we need to actually memorize a portion of the password. I call it root because we will use it in all the passwords we generate. As such, we need this root to be a strong password in itself. So it has to be a totally random sequence of characters and we also want to use a wide character set.
Many systems require the use of lowercase, uppercase, numerals and symbols, so we’ll be sure to make our root portion satisfy this requirement. However, when picking the symbols we should be careful because certain services limit what symbols are acceptable in the passwords (in fact it’s for system security reasons, but this is an entirely different topic). Therefore, we won’t be using all the crazy symbols we can type, but we can safely assume that most of the symbols located on the numeric keys on a US-layout keyboard are safe to use. For example any character in the !@#$%^&*()_+ sequence. If you are aware that some of these may not be accepted, you could decide to reduce this set.
Above, I selected a sequence of 10 characters, using symbols, numbers, lower and upper case letters and I excluded ambiguous characters like braces, quotation marks, and such. Then I pressed Generate Password button and I got the sequence below. You can press that button as many times you like until something comes that for some reason you like.
I don’t recommend using too many characters for the root, as it will make it difficult to memorize. But preferably the longer, the better. Anything at or above 8-10 characters long will do just fine for today.
Helpfully, this website generates a mnemonic phrase to help you memorize it. And remember, you must memorize this root (do not write it, screenshot it or save it anywhere, or else the whole effort is in vain). This is your homework. Use the mnemonic, it should help in the beginning.
Step 2: Pick an “Extension”
An extension is another portion of the password that looks random, but which you can generate in your head based on a rule that makes some sense to you, instead of simply memorizing it. It should also be similar in length to the root (let’s say 6-10 characters or so). You can use longer than 10, but avoid using less than 6. Again, size matters here too.
In order to generate that sequence of characters, you should come up with an algorithm that is secret to you. For example it could be the first and last letters of the words in the title of your favorite book, or the initials of your secret crushes you had in high school, a number that makes sense to you (but not your birthday since that is not secret), or anything else that is apparently random to a third person, but which has meaning to you and it’s easy to remember every time.
The only reason for this portion of the password is to make the root shorter and thus easier to memorize. A properly random root will always be hard to memorize and a properly chosen extension algorithm will harden the password by means of applying logic to constructing even more complicated and longer pseudo-random strings.
Step 3: Invent a “Salt” Algorithm
A salt is a term used when we want to generate a sequence of characters that are unique. So far, in steps 1 and 2, the root and extension are fixed and even if one was completely memorized and the other you generate in your head, once chosen they never change. But this would mean that you would end up with the same password to your Facebook and Twitter accounts, which is a very bad idea.
So a salt is a sequence of characters that is unique for every different service that you use. This is another string that you will generate in your head, and you need to come up with another rule on how to generate it.
Ideas might include using the number of letters in the name of the service combined with something from their name or from the URL, take into consideration the predominant color of their logo, or use acronyms, etc. Or use a combination of rules. Please be as inventive as you can. The more unique rule you come up with, the better.
Make sure that whatever rule you come up with has a low collision rate. In this context, a collision is a case where your algorithm will generate the same character sequence for two different services. For example if you chose to use the number of letters in the name of the company and use the long form for it, you will generate the “five” sequence for both “apple” and “yahoo” since they both have 5 letters in their name. This is a bad algorithm to use, since the chance that every service you use has a unique number of letters in the name is practically zero.
The salt doesn’t need to be long in terms of characters. The only important thing is that it generates unique (non repeating) character strings.
Step 4: Select A “Sequence” Algorithm
A sequence is another part of your password which you can easily generate. The sequences are handy when we want to renew the password for a particular service. Since the root and extension are fixed for all the passwords, and then the salt is unique per service; we need to have something else that can change based on a sequence.
Sequences can be any sets that have a certain order that is obvious to you and which you can calculate on the fly. The obvious sequence is to start with 1, 2, 3, … or a, b, c, … but you can also use sequences based on a certain arrangements of countries or cities on a map, or words from your favorite poem, planet arrangements, months, geometrical shapes, etc. Anything that has an intrinsic order that you know immediately what follows what. Use increasing or decreasing sequences, use skipping rules (2, 4, 6), or progressive rules (1, 3, 9).
Step 5: Put Them All Together
Now that you have all the constituent parts, you need to put them together to form your final password. The easiest way is to always build your password in the same order. Pick your order yourself, don’t necessarily use the order as I listed them in the steps. Start with the salt and end with the extension or start with the sequence and end with the root. Just pick an order and be consistent with it across all your passwords so you can remember them easier.
If you picked your components and algorithms right, you should end up with passwords having 20 or more characters, which don’t use dictionary words or names, which don’t use long, naive numerical sequences, and which ultimately look completely random to anyone else but you.
In the beginning, you will find that typing these passwords is tedious as you have to think about it, but over time typing them will become very fast since the root and extension don’t change and you only have to think about the relatively shorter salt and the sequence portions.
Is This System Producing Good Passwords?
Let’s imagine the situation that the user database with the hash of your password has been already leaked. This should be the default assumption anyway. You should always assume that the hashed version of your password is leaked the moment you use it. Whether the service is as big as Yahoo! or supposedly secure like Equifax, or even password manager sites are not immune to breaches.
So let’s try to analyze whether this system produces strong passwords by means of an example. Following the steps one to five described above, I get this:
Randomly generated and memorized.
This is simply generated by a random string generator using a wide character set.
Data that makes sense to the user.
Using the first letters of the week in three different languages. I could later on expand on this rule if needed.
Data that is service dependent.
Gs6el Ah6el Ys5oo Fs8ko Tv7re
First letter of the provider, the first letter of the logo color in a language of my choice, the number of letters in their name and the last 2 characters of their name in reverse order.
Data representing a set of words or concepts with a given order
+0Jm +5Mw +21Am
The ‘plus’ symbol followed by the n-th number of the Fibonacci series, followed the first letter of the n-th month in upper-case and lastly the first letter of the n-th day of the week in lowercase.
I’ve chosen the order: sequence, root, salt, extension
Before I continue, please note that the above table represents an example only. I used simple algorithms which are rather ineffective in giving proper random results. I personally use stronger algorithms for my own passwords, and I encourage you to do the same. None-the-less, this system should produce stronger passwords than most people use, even when using relatively simple algorithms.
First, we observe that the passwords we came up with look like gibberish at a first glance. We have not used any words that could be used in dictionary attacks. This means that for all intents and purposes, an attacker would have to brute force it in order to guess the password. Good!
Secondly, the password length is large and we have used a wide character set. This means that there are very many combinations of characters that a brute-force algorithm would have to crunch through to guess it. Good!
In fact, let’s calculate the number of possibilities. We could have used any combination of 26 lowercase letters, 26 uppercase letters, all 10 digits, and the 12 symbols located on the numeral keyboards, for a total of 74 characters. The total number of combinations is given by the formula (character set size)(password length). So in our case it is 74(26 or more) – as the salt has variable length higher or equal to 4. This number is greater than 1 followed by 48 zeros.
At this solution space, even if you are able to break 1 quadrillion passwords (1015) per second in a large datacenter, you still need 1048-15 = 1033 seconds, which is more than 1025 years, or in other words more than 10 million billion billion years. Rather good I would say.
Now, you might notice that we are obviously not using anything close to so many combinations with our password system. But the attackers don’t know that. Yes, they know that we might be using some system, but if you simply look at a single password and try to break it up in portions, and then figure out how each portion is generated, it is rather impossible. That is… if they even realize that the password has portions in the first place, and where a portion ends and another starts. They’ll likely just assume it was computer-generated anyway and thus why it wasn’t easily cracked by their other methods already.
Only when one sees many of your generated passwords would they be able to recognize certain patterns and try to narrow down the scope of the solution field. But that would assume that they manage to get several passwords from you and that they run pattern recognition software on it. This kind of effort is likely to happen only when they want to target YOU specifically, instead of a generic mass attack on millions of passwords. When somebody with such resources at their disposal is so interested to attack you personally, or if you represent such a high-value target that this whole thing is worth the effort, then you likely have bigger problems than selecting a good password.
Most likely, your password will be part of that small fraction of un-cracked passwords which they simply ignore, having cracked millions of other passwords after every attack. Exactly where you want to be!
Moreover, even if they manage to break your password via brute-force, you can always update it without changing your password generation system, by simply using the next sequence string in your sequence portion. And they won’t be able to guess your next generated password or another password you used on a different system. And since in this particular example our sequence portion is growing in size as we go up the sequence, their work will be harder and harder each time they brute-force their way into it.
In any case, our new passwords are way harder to crack than “monkey”, “superman”, “iloveyou” “password1” or “12345”.
And I promise you, even if such passwords look nightmarish to type, it’s not that hard after you get used to it. I’ve been using variants of this system for almost 20 years now, and combined with the finger-memory, my hands just fly over the keyboard and only slow down when I need to type the salt and sequence. In fact, it’s always in the salt or sequence where I can make a mistake as I type the password. During the 20 years of use, I only had to lengthen the root and extension once.
For those who want to try this system, maybe start using the new passwords on some non-essential services until you get the hang of it; before you go on and change the passwords to your banking system.
20-something character long passwords should be strong enough for some time, but as time goes by, even they will also have to be upgraded. In that case, you can choose to grow the length of your root and/or extension by adding more characters to them; or change the salt algorithm to generate longer sequences. Or simply change the algorithms or field order every couple of decades, if you prefer that. But you can still keep the system around, and possibly improve it.
If you will choose wisely your algorithms, this simple system should ensure you have equally strong passwords to any password produced by a password manager. I hope that this will give you ideas on how you can easily generate virtually impossible to crack but unique and easy to remember passwords for all your services.
The one downside of this entire method is usage on a cell-phone. You’ll have to swap between the numeric/symbol and alpha keyboards frequently and that can be quite cumbersome. To help overcome this, you can reduce your salt and sequence to only one or two symbols total, preferably next to each other, and reduce the overall number of upper-case letters used to limit the keyboard switching required. Or you could try another system, described below.
Other Popular Password Systems
Another easier and popular system for password selection, is to construct your password by choosing a number of random words, with mixed capitalization and also sprinkled with numbers and symbols. This leads to passwords that are much simpler to memorize and type, while still being relatively strong.
However, this type of passwords are more susceptible to dictionary attacks. If the constituent random words are not properly chosen (properly random), are to few and/or are too short, then the strength of the password is greatly reduced.
Considering that most of you reading this article are native English speakers, you will very likely use English words to construct your password. Since English is the most popular language on the Internet, it’s safe to assume that its dictionary has been thoroughly attacked by now, so it’s very likely that such a password has already been hashed. You could argue that this is not true for less popular languages, but how many of you are willing (or find it easy) to remember words in a language you don’t speak?
Another problem is that you cannot easily create a large set of unique, easy to remember, associative and sequenced passwords while keeping the constituent words random. For this reason, such passwords are more suitable to use with password managers. For such use cases, these passwords should provide a decent amount of security.
Nonetheless, to make myself clear: this system generates passwords that are incredibly more secure than “s3cuR1ty”.
But since we like comparisons and computations, let’s calculate just how strong these passwords can be. For the English language, we can safely assume that there are not more than 200.000 words that are longer than four letters (obviously, we should ignore short words like ‘a’, ‘or’, ‘the’, ‘this’, etc).
If we consider words that are five letters or longer, the minimum amount of words needed to obtain passwords roughly 26 characters would be 5 (remember, you should also sprinkle some numbers and symbols in between or in the middle of your words).
So for five random words and roughly five sprinkled numbers and symbols, we would have around 200.0005 * (10+12)5 = 200.0005 * 225 possible solutions to crunch through during a dictionary attack. This number is in the range of 1 followed by 33 zeros, which – while still BIG – is one quadrillion times (1015) smaller than the number of possible solutions with the previous system for a similarly long password of roughly 26 characters.
Of course, you could always use more words or languages with more words, which would then increase the strength of the password. But you got the gist of it: for similarly long passwords, this system offers a slightly reduced solution field.
I hope that this article convinced you that it’s already too late to continue using naïve passwords, and regardless which system you prefer, you will start changing the way you generate your passwords now. Have a nice weekend!