Picking Apart Passwords

Clearing up some misconceptions on passwords and some suggestions on picking stronger passwords.

If you want to interact with a website rather than just browsing, you're probably going to have to create an account, and that account is probably going to be protected with a password.  Some websites ask for more information than the average census, but a username and password will be the basics.

Most of us therefore deal with several passwords every day, but passwords are not without risk.  Here I look at the problems with passwords and a few tricks for picking strong yet memorable ones…

One password to rule them all… No!

Some people pick one password and use it for all of their accounts.  Given the growing number of websites that have been hacked and had their password data leaked, it is increasingly likely that one of the websites you use will be compromised.  The hacked website may be fairly trivial, such as the reader comments on a news site or a hobby discussion forum, but if you use the same password on other, more important websites then you should consider those to be compromised as well.

A recent study compared the usernames and passwords common to two hacked websites.  It showed that almost a third of people had used exactly the same password on both, rising to almost half once small variations were included.  While the test group was fairly small (456 users), the websites involved (RootKit and Gawker) would typically attract a more technical audience, whom we might expect to be more careful about security.

If you have several accounts which hold no personal or sensitive information, which you absolutely do not care about losing, and which would cause no harm or offence if someone else were to use them, then it is okay to share a password between them, inasmuch as you can consider those accounts disposable.  However, it is strongly recommended that you use a distinctly different password for every account that you have any reason to care about.

Find a good one and stick with it… No!

Another common mistake is to choose a password (or collection of passwords) and use it for a long time, sometimes even years.  People who get into this routine tend only to change a password when it's too late.

A website being hacked is only one way that your password might be compromised, but one thing that most attacks have in common is that they take time.  As with choosing how many passwords to use, it is reasonable to take a flexible approach depending on the sensitivity of the account in question, but you should aim to change the passwords for online banking, email, social networks and other important accounts every few (two to three) months at the longest.  More important than any calendar: if a site you use announces a breach, change that password straight away, and change it anywhere else you reused it.

Is more complex more secure? Not necessarily…

Recent developments have reduced the time taken to crack a password from years or months down to days or hours (slightly techy article) using only high-street equipment.  It used to be that a random combination of upper-case and lower-case letters and numbers (maybe even some symbols) would protect you from a 'dictionary attack' simply because brute-forcing every possible combination was far too time consuming.  However, with the processing power now available, an attacker can check every combination of numbers, letters and symbols in a fraction of the time.

That's not to say you should give up on mixing letters, numbers and symbols.  A more complex password will be more secure, but complexity alone should no longer be considered secure enough.  How quickly a leaked password falls also depends on how the website stored it: a site that used a deliberately slow hashing scheme forces the attacker to spend far longer on every guess than one that stored a plain, fast hash, but you have no way of knowing which kind of site you are dealing with, so it is safer to assume the worst.

Does size matter? Yes!

Longer is better!  One way to make a longer password that is still easy to remember is to use a phrase instead of a single word.  It need only be a few short words and can be gibberish or sensible.  Any pass-phrase longer than a dozen characters will typically take a very long time to brute-force, and most systems will happily accept passwords of at least twenty characters.

Size helps because an attacker will probably not know how long your password is from the hashed version they have stolen, so they will try all passwords of four characters first, then five characters, then six and so on.  Each extra character multiplies the number of guesses they have to make by the size of the character set, so with current technology it would likely take years of brute-forcing to get up to nine or ten characters (exactly how long depends on the character set, the hashing scheme and the attacker's hardware).
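To put numbers on the last two sections, here is a small calculator (added as an example; it is not code from the original post).  It counts the guesses an attacker needs to exhaust every password up to a given length, mirroring the shortest-first search described above, and turns that into a time at an assumed guess rate.  The character-set sizes and the guess rate of ten billion per second are assumptions for illustration, not figures from the post: the real rate depends entirely on the hashing scheme and hardware involved.

```python
import math

# Character-set sizes used in the estimates (assumed for illustration).
CHARSETS = {
    "lowercase": 26,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}

# Assumed guess rate, not a figure from the post: fast hashes on consumer
# GPUs can exceed this; deliberately slow hashes fall far short of it.
GUESSES_PER_SECOND = 10**10


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def cumulative_keyspace(charset_size, max_length):
    """Guesses needed to try every length from 1 up to `max_length`.

    An attacker who does not know the length starts with the short ones,
    so the cost of reaching length n includes all shorter lengths too.
    """
    return sum(charset_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(charset_size, max_length, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust every password up to `max_length`."""
    return cumulative_keyspace(charset_size, max_length) / rate


def entropy_bits(charset_size, length):
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(charset_size)


def human_time(seconds):
    """Render a duration in the largest sensible unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def compare(short_complex, long_simple):
    """Return the (charset, length) pair with the larger cumulative keyspace.

    Both arguments are (charset_name, length) tuples.
    """
    a = cumulative_keyspace(CHARSETS[short_complex[0]], short_complex[1])
    b = cumulative_keyspace(CHARSETS[long_simple[0]], long_simple[1])
    return short_complex if a > b else long_simple


if __name__ == "__main__":
    # A table of worst-case brute-force times per character set and length.
    print(f"{'charset':<22}{'length':>7}{'bits':>7}{'worst case':>18}")
    for name, size in CHARSETS.items():
        for length in (6, 8, 10, 12, 16):
            bits = entropy_bits(size, length)
            t = human_time(seconds_to_exhaust(size, length))
            print(f"{name:<22}{length:>7}{bits:>7.1f}{t:>18}")
    # The post's point in one line: a longer lowercase phrase beats a
    # shorter password drawn from the full printable character set.
    print("stronger:", compare(("all printable ASCII", 8), ("lowercase", 16)))
```

Run it and compare the rows: eight printable-ASCII characters sit a little under 53 bits, while sixteen lowercase letters are over 75 bits, which at the assumed rate is the difference between hours and millions of years.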

Any more advice?

Taking all of these snippets together, it can seem unfeasible to come up with a variety of passwords that are memorable to you, are not single dictionary words, are not guessable from things obviously associated with you, are relatively long and use a mixture of characters…

Try to pick a theme of something that you're familiar with but not something that you're openly keen on, otherwise you leave yourself open to being guessed.  As for using a mix of characters, come up with a consistent pattern, like capitalising every word or the first and last word, or replacing E with 3 and A with @.  Combining these two tricks means that, provided you can recall your theme and your pattern, you should be able to recall several reasonably secure passwords with relative ease.

Adding the date or time in between the words of your pass-phrase is another easy way to include numbers and symbols.  Transposing your password or pass-phrase on the keyboard makes it less likely to fall to a dictionary attack: once you've picked a password, shift your fingers up or across by one key so that the pattern is easy to remember but the password becomes almost random.

One caveat on all of these tricks: password-cracking tools apply exactly these kinds of substitutions (capitalising, swapping letters for look-alike digits and symbols, appending dates) as standard mangling rules to every dictionary word they try, so on their own they add only a small constant factor to an attacker's work.  What makes the difference is the extra length that comes from using several words, which multiplies the attacker's work by the size of the dictionary for every word you add.  Use the substitutions to satisfy a site's complexity rules, but rely on length for strength.
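The following example, added here and not part of the original post, shows both sides of the tricks above.  It implements the suggested transformations (capitalising, the E-to-3 and A-to-@ style substitutions, and shifting one key along the keyboard row) and then applies them the way a rule-based cracking tool would, to every word in a small constructed dictionary, so you can check whether a disguised word is still guessable.  The rule list, the QWERTY row layout, the leet table and the three-word dictionary are all assumptions made for the example.

```python
import itertools

# Assumed leet substitutions; real cracking rule sets cover many more.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Assumed QWERTY letter rows used for the "shift one key across" trick.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def leet(word):
    """Replace letters with the look-alike digits and symbols in LEET."""
    return "".join(LEET.get(c, c) for c in word)


def keyboard_shift(word, offset=1):
    """Move every letter `offset` keys to the right along its QWERTY row.

    Letters wrap around at the end of a row; case and non-letters are kept.
    """
    out = []
    for c in word:
        for row in ROWS:
            if c.lower() in row:
                shifted = row[(row.index(c.lower()) + offset) % len(row)]
                out.append(shifted.upper() if c.isupper() else shifted)
                break
        else:
            out.append(c)
    return "".join(out)


# The mangling rules a cracker would try against each dictionary word.
# Each rule is a function from one word to one candidate password.
RULES = [
    lambda w: w,
    str.capitalize,
    str.upper,
    leet,
    lambda w: leet(w.capitalize()),
    keyboard_shift,
    lambda w: keyboard_shift(w.capitalize()),
]


def candidates(wordlist, rules=RULES):
    """Every password the rules can produce from the wordlist."""
    return {rule(word) for word in wordlist for rule in rules}


def is_guessable(password, wordlist, rules=RULES):
    """True if a rule-based dictionary attack would reach `password`."""
    return password in candidates(wordlist, rules)


def phrase_candidates(wordlist, words, separators=("", " ", "-"), rules=RULES):
    """Candidates for pass-phrases of `words` dictionary words joined by a
    separator, with one rule applied to the whole phrase."""
    out = set()
    for combo in itertools.product(wordlist, repeat=words):
        for sep in separators:
            phrase = sep.join(combo)
            for rule in rules:
                out.add(rule(phrase))
    return out


def attack_cost(dictionary_size, words, separators=3, rules=len(RULES)):
    """Upper bound on candidates for a phrase of `words` dictionary words.

    Rules add a constant factor; every extra word multiplies by the
    dictionary size, which is why length beats substitutions.
    """
    return (dictionary_size ** words) * separators * rules


# Constructed three-word dictionary for the demonstration.
WORDS = ["password", "monkey", "dragon"]

if __name__ == "__main__":
    for pw in ["p@$$w0rd", "Dr@g0n", "qsddeptf", "correct horse battery"]:
        print(f"{pw!r:25} guessable: {is_guessable(pw, WORDS)}")
    print("candidates per word:", len(RULES))
    print("1 word from 100k dictionary:", attack_cost(100_000, 1))
    print("3 words from 100k dictionary:", attack_cost(100_000, 3))
```

The first three test strings are all caught because each is a single dictionary word with one of the post's tricks applied; the phrase is not, because none of its words is in the dictionary and it is three words long.  The last two lines of output make the scaling argument: seven rules cost the attacker a factor of seven, while two extra words cost a factor of ten billion.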

What other risks are there?

If you are unfortunate enough to be targeted, the attacker may know quite a bit about you and start guessing at your password.  If you log on from a computer that has been infected, there may be a keylogger keeping a record of every key that you press.  If you're in an open office or an internet cafe, there may be someone looking over your shoulder or peering across from the computer next to you.

A long and complex password makes it harder for someone watching you type to memorise it, and avoiding obvious choices helps to protect you against guessing.  Neither helps against a keylogger, which captures whatever you type, so keeping the computer you log on from clean matters as much as the password itself.  In short, there are numerous ways that your password might be compromised which can render even a strong password useless, but it is still worth taking whatever precautions you can to protect yourself.  Just because a thief might steal your house keys doesn't mean you may as well leave your door unlocked!


Hope this helps 🙂

Image Attribution: Thanks to Suat Eman @FreeDigitalPhotos.net for the old keys image

1 thought on “Picking Apart Passwords”

  1. Anonymous

    I like this blog, one of my favourites so far. Something that loads of people don’t even think about. Like the idiots that use “password” then wonder why they’ve been hacked *palm head*
