Skip to content.

Scott Arciszewski

Software, Privacy, Security, Innovation

Choosing a Strong Password

This was originally posted on a website I was developing over a year ago called Keenotes.

Which of the following passwords is more secure? 123456 or Tim3l()r[)z<pwn>Daleks

I think we can all agree that the second one is more secure than the first one, but what properties does it have that makes it that way?

Let's start with the fundamentals: A password is a mechanism for authorization. You use a password to earn access from a protected system, and only you and those you authorize are supposed to also know the password (in more reasonable and secure setups, each user will have their own password). From this, we can infer that a good password must not be easily guessed. After all, if anyone in the world could come along and type 123456 into the password field and trick the protected system into thinking they are you, then the authorization becomes meaningless and the whole system falls apart.

Hold the phone... what exactly does "easily guessed" mean?

It means that a password has one of two properties: it's either too common or it lacks length or complexity. Common passwords (123456, password, etc.) are a well-documented security risk, and the most likely cause of getting hacked. If you don't use a common password, you are more secure than 98% of the internet (and that's why if you try to register an account with any of the top 10,000 most common passwords on the internet, Keenotes will not let you proceed).

If you require greater security on your passwords than simply not being within the window of a 98% hit rate, you'll benefit from a longer password. If an 8-character password consisting of all lowercase letters takes an hour to crack using a brute-force method (aaaaaaaa, aaaaaaab, ... , zzzzzzzy, zzzzzzzz), adding a 9th letter increases the crack time past one day. That means it will take twenty-five more hours to deduce that your password is not juwqikbt but rather juwqikbts. Now imagine trying to crack a 32-character password.

But longer passwords aren't always an option. Sometimes their password policy* will restrict you to 8 characters at most, six at least. In that case, you have to hope complexity will save you. If it takes up to 1 hour to crack an 8-character password consisting of only lowercase letters, it will take up to 3 years to crack one that employs keys from the entire printable ASCII keyspace.

But when you think about it, three years isn't a terribly long time. Would you like it if your bank said, "After three years, your account credentials become public knowledge and anyone with an internet connection can access your bank account and withdraw money from any of our conveniently located ATMs?"

Additionally, technology is continuously advancing; always getting faster, always able to store and process more information at once, and do so smarter and more efficiently. The time it takes to brute-force attack an 8-character password was actually 16 minutes in 2008, and it's expected to continue to decrease as our technology becomes more powerful. So it's time to kick old habits aside and get smart about our passwords. Here are my recommendations:

Make every password you use at least 20 characters long.

As a rule of thumb, try to make your mimimum twice what the technology industry recommends for password policies. If they say 8, go to 16. If they say 10, go to 20. When they move on to 12 or even 16, meet them at 24 or 32. Technology experts know that most people are lazy and stupid, and they try to cater their advice to peoples' bad habits instead of giving them some much-needed tough love, so they'll nearly always wimp out and give really soft mimimums-- thus lowering the bar that black hats have to jump over. Their recommendation might as well be delivered with tears, they are so weak. Do you really want to risk your bank account on the populist pandering of someone who's never even ran nmap before? Not me.

As of this writing, the current industry trends have shifted from a recommended minimum of 8 characters to a minimum of 10, so I say go for 20 characters mimimum. Ideally, a hacker should have to wait until beyond the heat death of the universe to crack your password. Realistically, they should at least exceed human life expectancy. Longer passwords have the potential to be more secure than shorter passwords, exponentially. Every character you type is another 94 that a criminal has to test.

Make use of more than just letters or numbers.

Most people use numbers, letters, and the special characters that can be made by pressing shift and a number for their passwords. A password like Tim3l()r[)z<pwn>Daleks might seem intimidating, but it's actually quite memorable if you watch the hit television series, Doctor Who. Of course, if you're a well-known fan of that show, it would be wise to avoid using something like that. An even better password would be \aKI;QkU~9&5VTI`3$@_Xk*d(5p. The closer your passwords look to line noise, the harder it will be for a malicious hacker to guess it quickly.

Do not use the same password for more than one website.

If you don't think you can remember a lot of tough passwords, don't fret, there's an app for that:

Use a password manager.

Password managers (KeePass and LastPass, to name two reputable ones) were created because most people are unable or unwilling to remember a unique 30+ character password for each of the dozens of websites they access everyday.

As an added bonus, most password managers come equipped with a password generator, which will allow you to generate a 40-character mixed case + numbers + special characters password at the press of a button (as well as remember them all for you).

The downside to password managers is you're putting all your eggs in one basket. If your master password (and password database, in the case of KeePass) gets stolen, the hacker has access to all of your passwords. Which leads me to:

Choose a very strong master password, write it down on a piece of paper, and keep it in your wallet/purse.

This last bit of advice comes from security researcher and cryptographer, Bruce Schneier. The idea is that an Indonesian hacker working for the Russian mob will have an awfully hard stealing your master password from your wallet in the United States.

And last but not least...

If your service provider offers it, enable two-factor authentication.

This is technically removed from the scope of "passwords", but it bears mentioning. If hackers know your password but don't have your second authentication factor (Yubikey, a cell phone that receives SMS, etc.) they won't get into your account.

*Personally, I have mixed feelings about rigid password policies: A maximum password length less than 32,768 is ridiculous. If you want passwords to be secure, what's the point in limiting them to a few easily-guessed values? It doesn't make a whole lot of sense.

Blog Archives Categories Latest Comments

Want to hire Scott Arciszewski as a technology consultant? Need help securing your applications? Need help with secure data encryption in PHP?

Contact Paragon Initiative Enterprises and request Scott be assigned to your project.