On Strong and Secure Passwords

Written by
Date: 2012-12-18 16:02:35 00:00
On Secure Passwords

A lot of words have been written about how to create secure passwords, and how to store them (or not to store them at all).

And still, people choose weak passwords all the time, a lot of them even choose weak security questions. So, I think some more can be yet written about the matter.

Alphabet size

When you choose your password, you can make it with only numbers, only lowercase letters, or mix them up with symbols and uppercase letters. This decisions will determine the alphabet size you are using.

For example, if you use only numbers, you will have an "alphabet" size of 10, as there are only 10 numbers, which you can combine to create all passwords made out of numbers. If you have chosen a password made out of 6 numbers, let us say 345098. This password needs to combine ten digits (0,1…9) in six spaces to guess it. Which means 1,111,110 combinations. Looks like a big number but a computer can do this really fast.

If we change the first number for a lowercase letter and make the password looks like this a45098. We have now added 26 digits to our "alphabet", now the guesser needs to combine 36 digits in six spaces to guess our password. Suddenly the possible combinations goes from 1,111,110 to 2,238,976,116 that is 2000+ more combinations. What if we add an uppercase letter? aB5098 57,731,386,986 combinations.

I am sure you understood how important is to use numbers, uppercase letters, lowercase letters and symbols.

Length of password

Go back to our original password 123098, now instead of adding more sets of characters we will add more spaces to the password, in other words we will keep it as an only-numbers password but instead of six digits we will make it seven digits long. New password 1234098, now the possible combinations are: 11,111,110. Adding spaces also increase the number of possibilities and make it harder to break a password.

Choosing a good password

Now that we know that there are two parameters to play with while creating password, and understand how they work, we need to find a good algorithm to create and remember password.

What I usually try to do is to pick a sentence which is familiar to you. Suppose you call your girlfriend "My blue bear" -I have never done that- and her name is Tina. You can create a password like this one: tinamybluebear. This one is very hard for a computer to guess, but not for your cousin (so to say). We need to add some more things.

  • Add uppercase letters: TinaMyBlueBear
  • Add numbers: 0TinaMyBlueBear0
  • Add symbols: .0TinaMyBlueBear0.

Now that password is easy to remember for you, hard to guess for your relatives and friends, and really hard for computers, it is not in any dictionary, and if the computer start guessing and try to brute-force break it, it will have to try with 4.01 x 1035 possible guesses. That is the number 4 and 35 zeros. It is a huge number.

That password is 18 chars long, and has an Alphabet of 95 chars. Its entropy is 90 bits.

Another way is to use symbols between the words, you have to be creative.

Do not repeat passwords

It does not matter how hard you work in creating your password, if you use the same one for every service you use in the Internet, it lost all its strength.

If somehow the password database of that small site you once tried and never log it again is stolen, the person who have it, will now have your login/password pair, and if he tries with it on Twitter or Facebook or Gmail, will he have access to your account? If the answer is yes, you are screwed.

So, create good passwords for every important site you sign-in you can have weak simple password for every other sites you do not care that much. For banks and Paypal use unique passwords.

Example for individual passwords

Facebook is your father "–John.Scott.Smith00" for Twitter you mother "–Tania.Lynn.Smith00", Gmail your Grandpa "–Oliver.Brandon.Balboa00" There you have symbols, letters in uppercase and lowercase and numbers, in an easy pattern to remember, and names you can easily remember. You can even write them down, using some kind of "secret code"

  • Dad facebook http://www.facebook.com/js-smith
  • Mom Twitter http://twitter.com/tsmith
  • Grandpa's email: oliver60@gmail.com

You now know that for Facebook you have to use your father's name in your pattern, for twitter your mother's name and for Gmail your grandpa's name. Any other person who find that will believe you were just taking notes of your relatives accounts.

Conclusion

To create strong password you have to try to use at least one lowercase, one uppercase letter, one number and one symbol. With that in mind make it as long as you can keeping in mind that you should remember it.

Finally, other option is to use Passworcard service, take a look at it.