Wednesday, March 28, 2012

Passwords...

Passwords are really hard to get right.  To be useful, they have to be memorable (so you can remember them without writing them down) and they have to be secure.  It's the second part that's so hard, because most non-technical people have no idea what makes a password secure. 

These days, the most common passwords fall into one of three categories. 

First there are the stupid, easy passwords, such as "password123" or "qwerty".  An amazing number of people (by some accounts, over 20%) use such passwords for things they really care about, like their bank account.  This is like removing the lock from your house.  If you do this, you shouldn't be allowed to touch a computer.  The bad guys have readily-available lists of common stupid passwords, and they will try them all to see if they work.

Then there are the passwords made up of personal information of some kind: your kid's name and birthday, or the names of your two dogs, etc.  If these are well-chosen, and if (this is a huge if) the attacker has no other information about you, these kinds of passwords can be reasonably secure.  But you need to be very certain that the personal information you disclose isn't available electronically anywhere: not on Facebook, not at your bank, not even on your tax return.  A bad guy who hacks into your Facebook account might well know your kids' names and birthdays.  The safest things to use for this kind of password are generally things from your distant (and hopefully pre-Internet) days.  Say, for example, the name of your fourth grade teacher (I'm looking at you, "Mrs.Dalrymple4th").  Good passwords of this type are relatively uncommon, though: most people choose information that is easily discovered or guessed.

Finally, there are the passwords made up of some memorable sequence of words, like "JamulGeekGeezer".  People, especially non-technical people, are attracted to these passwords.  They look secure, mainly because they're long and they look unlikely.  The problem is that they are usually made up of words from a relatively small list of common words: a few tens of thousands of ordinary words and place names.  That may sound like a lot of words to you, but to a computer this is a small list.  Most web sites don't have protection against an attacker trying thousands of passwords, so the bad guys simply try lots of combinations of these words from their "dictionary" of common words.  These attacks are depressingly effective.  A common variant of this type of password replaces all "o" characters with "0" (zero) characters, "s" with "$", or some such thing.  There are relatively few such variations, too, and the bad guys have dictionaries of them as well.  A more secure variation of this type deliberately misspells one or more words, like "JamulGekkGezzer".  That's far more secure, as the misspelled words are not likely to be in the dictionary.

Years ago, I read about another technique (mentioned in the linked article) that yields passwords that are both memorable and secure.  I've been using it ever since.  The technique is simple.  First, choose a phrase that is easy for you to remember, but is unlikely for anyone else to ever use or guess.  For example, I might choose "Miki is playing outside my red-roofed house."   You must be careful, when choosing a phrase, not to use famous lines from movies or plays, etc.; those an attacker could certainly guess.  Then apply some simple rule (also easy to remember) to turn that phrase into a password.  For example, I might have the rule "Take the first letter of each word, plus any punctuation".  That would yield the password "Mipomr-rh."  Now that's a pretty secure password.  It's reasonably long (10 characters; a little longer would be better) and it certainly isn't attackable by a dictionary attack.  I've been recommending this to anyone who asks me, and I still recommend it.  For passwords protecting things that are really valuable to me, I use passwords with 12 or more characters, created from phrases like the one I used above.
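The two password styles contrasted above, worked as an added example (my code, not the author's): the first-letter rule applied to the sample phrase, a rough bit-count for each style, and a policy-style check for whether a candidate is just dictionary words glued together. The 72-symbol alphabet and the toy word list are assumptions.

```python
import math
import re
from functools import lru_cache

# Tokens are runs of letters/digits, or a single other non-space character
# (punctuation). Treating apostrophes as punctuation is an assumption.
_TOKEN = re.compile(r"[A-Za-z0-9]+|[^\sA-Za-z0-9]")

def derive_password(phrase: str) -> str:
    """The post's rule: first letter of each word, plus any punctuation."""
    return "".join(tok[0] for tok in _TOKEN.findall(phrase))

def word_combo_bits(n_words: int, dict_size: int) -> float:
    """Search space (bits) of n_words words drawn from a dict_size-word list."""
    return n_words * math.log2(dict_size)

def char_bits(password: str, alphabet_size: int = 72) -> float:
    """Search space (bits) if every character were an independent, uniform
    choice from the alphabet (72 = letters, digits, some punctuation; an
    assumption). For first-letter passwords this is an upper bound, since
    initial letters of English words are far from uniform."""
    return len(password) * math.log2(alphabet_size)

def splits_into_words(password: str, words: frozenset) -> bool:
    """True if the case-folded password is a concatenation of dictionary
    words, i.e. a word-combination guesser working from that list would
    reach it. Useful as a policy check when users pick passwords."""
    p = password.lower()

    @lru_cache(maxsize=None)
    def ok(i: int) -> bool:
        if i == len(p):
            return True
        return any(p.startswith(w, i) and ok(i + len(w)) for w in words)

    return ok(0)

# Constructed toy dictionary; a real guesser's list has tens of thousands.
TOY_WORDS = frozenset({"jamul", "geek", "geezer", "red", "house", "my"})

if __name__ == "__main__":
    pw = derive_password("Miki is playing outside my red-roofed house.")
    print(pw, f"{char_bits(pw):.1f} bits at most")          # Mipomr-rh. 61.7
    print(f"3 words from a 30k list: {word_combo_bits(3, 30000):.1f} bits")
    print(splits_into_words("JamulGeekGeezer", TOY_WORDS),   # True
          splits_into_words("JamulGekkGezzer", TOY_WORDS))   # False
```

The misspelled "JamulGekkGezzer" fails the segmentation check, which is exactly why the post calls it far more secure than the correctly spelled version.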
