Langa Letter: How To Build Better Passwords - InformationWeek


Fred Langa


Stronger passwords don't have to be hard to create or use, Fred Langa says. Here are tools and tips that can help.

Good passwords are essential for PC security. Even the world's strongest encryption algorithms or logon procedures won't protect you if you use the wrong kind of password.

And even if you once were safe, you may not be today: Passwords that were fine just a few years ago may now be vulnerable because of huge advances in hardware and software. Attackers have tools that make thousands of guesses per second on an ordinary PC, and far more when they have stolen a database of password hashes and can test guesses offline, where no login lockout slows them down. Passwords that once would have taken months or years to crack can now be cracked in minutes or hours.

It takes very little skill to mount a password attack. The simplest form is the dictionary attack: The cracking software simply tries every word in a word list, typically a dictionary plus lists of names, places, and previously leaked passwords. Any password found in such a list will soon be discovered. This type of software is extremely simple to create because no deep analysis or cryptographic skill is needed. It's high-school level stuff, and yet it can defeat many passwords!

Similarly, passwords based on common phrases are very weak. A malicious hacker can use a dictionary of famous quotations in much the same way as using a dictionary of individual words: Any password based on familiar quotes is likewise easily discovered.

It's only a little more complicated for a malicious hacker to also cover the most common permutations of words and phrases. For example, some people choose a password or phrase, and then touch-type it with their hands shifted one key to the right, left, up, or down from the normal typing position. The resulting output looks like gibberish, but really isn't: It is a fixed, reversible mapping of a dictionary word, so a cracking program can generate the shifted form of every word in its list just as easily as the word itself.

So-called "elite" or "l33t" speak was once a useful way of increasing a password's complexity, but the rules of "l33t" substitution are now well known, and popular cracking tools such as John the Ripper and hashcat ship with rule files that apply them (along with case changes and appended digits) to every word in a list automatically. Similarly, taking a common word or phrase and trying to make it more complex through random capitalization and by appending numbers does little to add real security: For example, a lowly P3 PC running a widely available cracking tool at just 500 MHz was able to guess the password "ChEcK12" in only 26 seconds; and today's top-of-the-line PCs could perform the same crack almost instantly. (For more examples of just how quickly simple password techniques like this can be bypassed, see this page from McMaster University.) It's scary stuff.
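The attacks described above (dictionary words, keyboard-shifted words, l33t substitutions, random capitalization, and appended digits) all reduce to one idea: take a word list and mechanically generate every common variant of each entry. The following Python program is an added illustration written for this page, not code from the article or from any real cracking tool. It uses a constructed five-word list and a constructed SHA-256 target hash; a real attack would use a list of millions of words and whatever hash format the target system stores.

```python
import hashlib
import itertools

# Constructed mini word list. A real attack uses millions of entries.
WORDLIST = ["password", "check", "dragon", "letmein", "welcome"]

# Common l33t substitutions.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# US keyboard rows, used to model "hands shifted one key to the right".
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFT_RIGHT = {row[i]: row[i + 1] for row in ROWS for i in range(len(row) - 1)}


def sha256_hex(text):
    """Hash a candidate the way the constructed target was hashed."""
    return hashlib.sha256(text.encode()).hexdigest()


def case_variants(word):
    """Every upper/lower combination of the letters: 2**letters candidates."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def leet_variants(word):
    """Every subset of the l33t substitutions applied to the word."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i].lower()]
            yield "".join(chars)


def keyboard_shift(word):
    """Retype the word with the hands one key to the right."""
    return "".join(SHIFT_RIGHT.get(c, c) for c in word.lower())


def candidates(word):
    """All variants of one word: plain and shifted, then case, l33t, digits."""
    seen = set()
    suffixes = [""] + [str(n) for n in range(100)]  # appended numbers 0..99
    for base in (word, keyboard_shift(word)):
        for cased in case_variants(base):
            for leeted in leet_variants(cased):
                for suffix in suffixes:
                    cand = leeted + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def crack(target_hex, wordlist=WORDLIST):
    """Return (password, guesses_made) or (None, guesses_made)."""
    guesses = 0
    for word in wordlist:
        for cand in candidates(word):
            guesses += 1
            if sha256_hex(cand) == target_hex:
                return cand, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed targets: the article's example, a shifted "password",
    # and a random-looking string no rule set derives from the list.
    for secret in ["ChEcK12", keyboard_shift("password"), "x7#Qp9!vLm"]:
        found, n = crack(sha256_hex(secret))
        print(f"{secret!r:16} -> {found!r} after {n} guesses")
```

Each five-letter word expands to only a few thousand candidates, so the whole run finishes in well under a second on any PC. The point is that "ChEcK12", a keyboard-shifted "password", and any l33t spelling of a list word all fall out of the same mechanical enumeration; only the last target, which is not derived from a list word, survives.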

What Makes A Good Password?
So, what makes a better password? There are three major factors: length, complexity, and randomness. We've already touched on randomness. A good password will be a truly unique combination of characters, and that means that the password should not appear in any form in any dictionary, book of quotations, and so on. The password also should not be based on simple substitutions or transpositions of common words or phrases: The more of an underlying pattern remains, that is, the less truly random the password is, the easier it is to crack.

Complexity also is easy to understand. For example, if you limit yourself to the lower-case letters of the English alphabet, each character in your password will have only 26 possible values. Allowing both uppercase and lowercase letters means that each character can have 52 different values. Add in digits (0-9) and you have 62 possible values; add the punctuation and symbol characters found on a US-English keyboard, and you have about 92 possible values per character. (Counted exactly, the printable US-ASCII characters other than space number 94; the article's round figure of 92 is used in the arithmetic below.) Clearly, using all the kinds of characters available to you significantly increases the complexity of a password, but only if each character is actually chosen from that whole range: a password that uses symbols only as predictable substitutions in a dictionary word gains none of this benefit.

Length also is hugely important: A two-character password, where each character could be any of 92 possible values, affords just 8464 unique combinations. Three characters allow 778,688 possibilities; four yields 71,639,296, and so on. So clearly, longer passwords are better because the number of possible character combinations increases exponentially with length.

But note that while something like "71,639,296" password possibilities would be daunting in human terms, it's nothing to the brute strength of a PC. This online calculator lets you play with variables to see how long a "brute force" password-cracking program would have to run to defeat passwords of varying lengths and complexities. Note that the "speed -- thousands of passwords per second" figure depends not only on the speed of a given PC, but also on the efficiency of the cracking software, which is hugely variable in itself, and on how the target system stores the password: a fast, unsalted hash such as MD5 or NTLM can be tested at billions of guesses per second on graphics hardware, whereas a deliberately slow hash such as bcrypt, scrypt, or Argon2 cuts that rate by many orders of magnitude. The calculator is seeded with an exceedingly low number, which significantly under-represents the power of today's PCs and software. For a more realistic view of contemporary threat levels, crank up the "speed" variable by several orders of magnitude. (For a hardware-based starting point, you may wish to note that the common Intel P6 is capable of processing hundreds of millions of instructions per second. Note also the real-life cracking results reported earlier by McMaster University.)
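The keyspace arithmetic above and the calculator's "how long would it take" question can be worked through directly. The following Python calculator is an added example for this page, not the online tool the article refers to. It uses the article's alphabet sizes (26, 52, 62, and the rounded 92); the guess rates are constructed, order-of-magnitude assumptions for illustration, not measurements, and the "slow hash" row assumes a deliberately expensive algorithm such as bcrypt.

```python
import math

# Alphabet sizes from the article (92 is its rounded figure for all characters).
ALPHABETS = {"lower": 26, "mixed case": 52, "mixed + digits": 62, "all keys": 92}

# Constructed, illustrative guess rates (guesses per second), not measurements.
GUESS_RATES = {
    "calculator default": 1e3,          # the article's seeded value
    "one CPU, fast hash": 1e7,          # assumption: single modern core, MD5-class hash
    "GPU rig, fast hash": 1e10,         # assumption: MD5/NTLM-class hash on GPUs
    "GPU rig, slow hash (bcrypt)": 1e4, # assumption: deliberately expensive hash
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try the whole keyspace; expected time is half of it."""
    return keyspace(alphabet_size, length) / guesses_per_second


def length_for_target(alphabet_size, guesses_per_second, years=100):
    """Smallest length whose full keyspace outlasts `years` at the given rate."""
    budget = years * 365.25 * 24 * 3600 * guesses_per_second
    length = 1
    while keyspace(alphabet_size, length) < budget:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in [("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)]:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    # Reproduce the article's figures, then show how the rate changes the picture.
    for length in (2, 3, 4):
        print(f"92^{length} = {keyspace(92, length):,}")
    print()
    for label, rate in GUESS_RATES.items():
        t = seconds_to_exhaust(92, 8, rate)
        print(f"8 chars from 92, {label:28} {human(t):>20}")
    print()
    for name, size in ALPHABETS.items():
        n = length_for_target(size, GUESS_RATES["GPU rig, fast hash"])
        print(f"{name:15} needs {n} chars ({entropy_bits(size, n):.0f} bits) "
              f"to outlast 100 years at 1e10 guesses/s")
```

Two things the arithmetic makes concrete: at the calculator's default rate a four-character password from the full keyboard looks safe for almost a day, but at a plausible GPU rate it falls in milliseconds; and the algorithm protecting the stored password matters as much as the password itself, since the slow-hash row is a million times worse for the attacker than the fast-hash row on the same hardware.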
