Langa Letter: How To Build Better Passwords
Stronger passwords don't have to be hard to create or use, Fred Langa says. Here are tools and tips that can help.
Good passwords are essential for PC security. Even the world's strongest encryption algorithms or logon procedures won't protect you if you use the wrong kind of password.
And even if you once were safe, you may not be today: Passwords that were fine even just a few years ago may now be vulnerable to attack because of huge advances in hardware and software: Malicious hackers have tools that can make hundreds to thousands of guesses in seconds. Passwords that might once have taken months or years to crack can now be cracked in minutes or hours.
It takes very little skill to mount a password attack. The simplest form of attack is based on dictionary lists: The cracking software simply tries every possible word listed in an online dictionary. Any password found in the dictionary will thus soon be discovered. This type of software is extremely simple to create because no deep analysis or cryptographic skill is needed. It's high-school level stuff, and yet it can defeat many passwords!
Similarly, passwords based on common phrases are very weak. A malicious hacker can use a dictionary of famous quotations in much the same way as using a dictionary of individual words: Any password based on familiar quotes is likewise easily discovered.
It's only a little more complicated for a malicious hacker also to cover the most common permutations of words and phrases. For example, some people choose a password or phrase, and then touch-type that word or phrase, but shift their hands one character to the right, left, up, or down from the normal typing position. The resulting output looks like gibberish, but really isn't: It retains a regular pattern that a computer easily can sniff out.
So-called "elite" or "l33t" speak was once a useful way of increasing a password's complexity, but the rules of "l33t" substitution are now well known. Similarly, taking a common word or phrase and trying to make it more complex through random capitalization and by appending numbers does little to add real security: For example, a lowly P3 PC running a widely available cracking tool at just 500 MHz was able to guess the password "ChEcK12" in only 26 seconds; and today's top-of-the-line PCs could perform the same crack almost instantly. (For more examples of just how quickly simple password techniques like this can be bypassed, see this page from McMaster University). It's scary stuff.
What Makes A Good Password?
So, what makes a better password? There are three major factors: length, complexity, and randomness. We've already touched on randomness. A good password will be a truly unique combination of characters, which means it should not appear in any form in any dictionary, book of quotations, and so on. Nor should the password be based on simple substitutions or transpositions of common words or phrases: the less truly random a password is (the more of an underlying pattern remains), the easier it is to crack.
Complexity also is easy to understand. For example, if you limit yourself to the lower-case letters of the English alphabet, each character in your password will have only 26 possible values. Simply allowing uppercase and lowercase letters means that each character in the password can have 52 different values. Add in numbers (0-9) and you have 62 possible values; add the punctuation and symbol characters commonly found on a US-English computer keyboard, and you have a total of about 92 unique (non-repeating) possible values. Clearly, using all the kinds of characters available to you significantly increases the complexity of a password.
Length also is hugely important: A two-character password, where each character could be any of 92 possible values, affords just 8464 unique combinations. Three characters allow 778,688 possibilities; four yields 71,639,296, and so on. So clearly, longer passwords are better because the number of possible character combinations increases exponentially with length.
But note that while something like 71,639,296 password possibilities would be daunting in human terms, it's nothing to the brute strength of a PC. This online calculator lets you play with variables to see how long a "brute force" password-cracking program would have to run to defeat passwords of varying lengths and complexities. Note that the "speed -- thousands of passwords per second" figure depends not only on the speed of a given PC, but also on the efficiency of the cracking software, which is hugely variable in itself. The calculator is seeded with an exceedingly low number, which significantly under-represents the power of today's PCs and software. For a more realistic view of contemporary threat levels, crank up the "speed" variable by several orders of magnitude. (For a hardware-based starting point, note that the common Intel P6 is capable of processing hundreds of millions of instructions per second. Note also the real-life cracking results reported earlier by McMaster University.)
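The arithmetic behind the length and complexity discussion, and the "crank up the speed" exercise the calculator invites, as an added example rather than code from the column or from the calculator it links to. It reproduces the 92-character figures above, converts keyspace to bits, and adds the defender's question the column leads toward: how long must a password be to survive a given guess rate for a given number of years? The guess rates are constructed inputs, not measurements.

```python
import math

# Alphabet sizes from the column (US-English keyboard).
CHARSETS = {"lower": 26, "mixed": 52, "alnum": 62, "full": 92}


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Same quantity in bits; each extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Worst case: brute force tries every combination."""
    return keyspace(alphabet, length) / guesses_per_second


def average_crack_seconds(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Expected time: on average the right guess is found halfway through."""
    return seconds_to_exhaust(alphabet, length, guesses_per_second) / 2


def min_length(alphabet: int, guesses_per_second: float, horizon_seconds: float) -> int:
    """Smallest length whose full keyspace outlasts `horizon_seconds` of guessing."""
    return math.ceil(math.log(guesses_per_second * horizon_seconds) / math.log(alphabet))


def human(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for n in (2, 3, 4):  # the column's 8464 / 778,688 / 71,639,296
        print(f"92^{n} = {keyspace(92, n):,}  ({entropy_bits(92, n):.1f} bits)")
    # A calculator seeded at ~1e3 guesses/s vs. several orders of magnitude more.
    for speed in (1e3, 1e6, 1e9):
        for n in (4, 8, 12):
            print(f"len={n:2d} at {speed:.0e}/s: avg {human(average_crack_seconds(92, n, speed))}")
    ten_years = 10 * 365 * 86400
    for name, size in CHARSETS.items():
        print(f"{name:5s}: need {min_length(size, 1e9, ten_years)} chars to outlast 10 years at 1e9/s")
```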