January 6, 2020
Creating Secure Passwords
By Ron Comeau
Passwords are a quick and convenient way to prove who you are so that a system can grant you access to your account and data. But passwords are the weakest link in the defense chain: breach reports consistently find that a stolen or guessed password is the attacker's way in for a large share of attacks. We should use more robust authentication when we can (multi-factor authentication in particular). But when a system is designed to use only a password, we had better make that password as strong as reasonably possible, recognizing the tradeoff between convenience and security.
Strong passwords need to be long and complex so that they are hard to guess. Complexity comes from drawing each character from a larger set: upper-case and lower-case letters (26 + 26 = 52), the ten digits (0 through 9), and punctuation symbols (a standard keyboard offers more than 30, though many sites accept only a handful), giving well over 60 options for each character. The objective is to make the password complex enough that an attacker cannot easily guess it. If the attacker knows things about you (birthday, spouse's birthday, middle name, dog's name, etc.), they will try variations of those as your password. Serious attackers use automated tools that try entire dictionaries, plus every common variation of each word (capitalized first letter, a digit or "!" appended, "a" swapped for "@"), and against a stolen password database they can run millions or even billions of guesses per second.
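To put numbers on the paragraph above, here is an added example (my own code, not the author's) that computes the keyspace, the equivalent bits of entropy and the expected time to guess a uniformly random password at a given rate. The guess rates are assumptions for illustration only: roughly 10 per second against a rate-limited login page, about 10^11 per second for an offline attack on a fast, unsalted hash with a GPU rig, and about 10^5 per second against a deliberately slow hash. It also estimates a dictionary attack, where the number of candidates is the wordlist size times the number of mangling rules, which is why "word plus a digit" falls in seconds regardless of its length.

```python
import math

# Assumed guess rates (illustrative, not measurements).
ONLINE_GUESSES_PER_SEC = 10                          # throttled web login form
OFFLINE_FAST_HASH_GUESSES_PER_SEC = 100_000_000_000  # ~1e11, fast unsalted hash on a GPU rig
OFFLINE_SLOW_HASH_GUESSES_PER_SEC = 100_000          # ~1e5, bcrypt/scrypt/Argon2-class hash


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits of a password chosen uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)


def expected_seconds(keyspace_size: int, guesses_per_sec: float) -> float:
    """Expected time to hit a uniformly chosen password: half the keyspace on average."""
    return keyspace_size / 2 / guesses_per_sec


def dictionary_guesses(wordlist_size: int, rules_per_word: int) -> int:
    """Candidates tried by a dictionary attack: every word crossed with every
    mangling rule (capitalize, append '1', swap a->@, ...)."""
    return wordlist_size * rules_per_word


def human_time(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    print(f"{'alphabet':>8} {'len':>4} {'bits':>6} {'online':>16} {'fast hash':>16} {'slow hash':>16}")
    for alphabet_size in (60, 95):
        for length in (8, 12, 16):
            ks = keyspace(alphabet_size, length)
            print(f"{alphabet_size:>8} {length:>4} {entropy_bits(alphabet_size, length):>6.1f} "
                  f"{human_time(expected_seconds(ks, ONLINE_GUESSES_PER_SEC)):>16} "
                  f"{human_time(expected_seconds(ks, OFFLINE_FAST_HASH_GUESSES_PER_SEC)):>16} "
                  f"{human_time(expected_seconds(ks, OFFLINE_SLOW_HASH_GUESSES_PER_SEC)):>16}")
    # A dictionary attack ignores length: 10 million words x 1,000 rules is only 1e10 guesses.
    guesses = dictionary_guesses(10_000_000, 1_000)
    print("dictionary + rules:", human_time(guesses / OFFLINE_FAST_HASH_GUESSES_PER_SEC))
```

The table makes the later discussion concrete: 8 random characters from a 60-symbol set (about 1.7 x 10^14 possibilities) fall in minutes to an offline attack on a fast hash, while 16 characters (about 3 x 10^28) take billions of years at the same rate. Note that the entropy figures assume every character is chosen at random; a password a human invents is always weaker than the table says.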
Since dictionary attacks are routine now, a better method is to take a phrase, poem or prayer and use the first letter of each word. I would recommend mixing upper and lower case and substituting a number or symbol here and there to make the password harder to guess. For example, "Our Father, who art in heaven, hallowed be thy name" with such substitutions yields 0Fw@!hhbTn, a ten-character password that is complex yet relatively easy to reconstruct. Two caveats: choose a phrase that is personal or obscure rather than a famous prayer, lyric or quotation, because cracking tools feed well-known texts through exactly this first-letter transformation; and substitutions like 0 for O, @ for a and ! for i are standard "leet" rules that every cracking tool tries automatically, so they add less than they appear to. The length of the underlying phrase, and how unpredictable it is, does most of the work. And never use a published example, including this one.
Another point is that computer scientists determined it takes MUCH longer to guess a 16-character password (60^16, about 3 × 10^28 possibilities) than an 8-character password (60^8, about 1.7 × 10^14). That is correct. A related idea that is often confused with it is "salting": before a website stores your password, it appends a random string (the salt) and stores only a hash of the combination, so the stored value is not your password itself. Salting makes precomputed hash tables useless and ensures that two customers with the same password have different stored hashes, but it does not make your password any longer or stronger. The salt is stored in the clear next to the hash, so an attacker who steals the database has the salt too and still only has to guess your eight characters. What does slow that attacker down is a deliberately slow hashing algorithm (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count), which is what many banks and websites use because they cannot rely on every customer to choose a strong password. Even so, a slow hash only multiplies the attacker's work by a constant; a weak password stays weak.
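The paragraph above describes salted, slow password hashing. Here is an added example (my own code, not from the author or any bank) that stores a password with PBKDF2-HMAC-SHA256 and a random 16-byte salt, verifies a login attempt, and then plays the attacker who has stolen the record: because the salt sits in the record in the clear, the attacker needs only to guess the password, exactly as the text says. The record format `pbkdf2_sha256$iterations$salt$hash` and the 600,000 iteration count are assumptions for this example, not anyone's production settings.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; tune it to your own hardware and latency budget.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record: scheme$iterations$salt$digest (salt and digest base64)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in constant time."""
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme: " + scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def attacker_guess(stolen_record: str, wordlist) -> Optional[str]:
    """What an attacker with the database does: the salt is in the record, so each
    guess is just a verify call. Only the slow hash and the password's strength help."""
    for guess in wordlist:
        if verify_password(guess, stolen_record):
            return guess
    return None


if __name__ == "__main__":
    record_a = hash_password("0Fw@!hhbTn")
    record_b = hash_password("0Fw@!hhbTn")   # same password, different salt, different record
    print(record_a)
    print(record_b)
    print("login ok:", verify_password("0Fw@!hhbTn", record_a))
    print("login bad:", verify_password("0Fw@!hhbTm", record_a))
    # Constructed mini wordlist; a real attack uses millions of words plus mangling rules.
    print("attacker found:", attacker_guess(record_a, ["123456", "password", "0Fw@!hhbTn"]))
```

Running it shows two different records for the same password, which is what salting buys you: a leaked database cannot be attacked with one precomputed table for everyone. The attacker loop shows what it does not buy: each guess costs one PBKDF2 call, nothing more, so the remaining defense is the password itself.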
One hacker claimed he can now crack any 8-character password within 2.5 hours, using a rack of graphics cards against a fast hash. How do we defend ourselves? We used to be told never to write down a password for fear that someone could read it and get into your account. Today, it is rare for an attacker to be anywhere near the victim. Thus, many experts now say it is acceptable to write passwords down, provided the paper is kept somewhere safe (a locked drawer at home, not a sticky note on the monitor), and better still to use a password manager, which stores them encrypted behind one strong master password. Either way, because you no longer have to memorize them, you can make your passwords VERY complex (e.g., 20 characters long and randomly generated) and different for every one of the many systems your busy life demands, so that a breach at one site does not unlock the rest.
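For the "20 characters and randomized" advice, here is an added example (my own code, not the author's) of generating such a password the right way: every character is drawn with the operating system's cryptographic random source via the `secrets` module (the ordinary `random` module is predictable and must not be used for this), and rejection sampling enforces the "one of each class" rule many sites impose without biasing the result. It also reports the strength in bits, which for 20 characters from the 94 printable non-space ASCII symbols is about 131 bits.

```python
import math
import secrets
import string

# Printable ASCII minus the space character: 26 + 26 + 10 + 32 = 94 symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def has_all_classes(password: str, classes=CLASSES) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in classes)


def generate_password(length: int = 20, alphabet: str = ALPHABET,
                      require_all_classes: bool = True) -> str:
    """Draw each character independently from the CSPRNG.

    Rejection sampling (regenerate until every class is present) keeps the result
    uniform over the accepted passwords; the common 'pick one of each class, then
    shuffle' trick does not, and slightly weakens the password."""
    if require_all_classes:
        if length < len(CLASSES):
            raise ValueError("too short to contain every character class")
        if not all(any(c in alphabet for c in cls) for cls in CLASSES):
            raise ValueError("alphabet cannot satisfy every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all_classes or has_all_classes(candidate):
            return candidate


def password_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Strength of a uniformly random password; an upper bound for any human-chosen one."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for length in (12, 16, 20):
        print(f"{length:2d} chars, {password_bits(length):6.1f} bits: {generate_password(length)}")
```

The rejection loop rarely runs more than a couple of times at length 20, since a random 20-character string almost always contains all four classes. If a site limits which punctuation it accepts, pass a narrower `alphabet`; the bit count will drop accordingly, which is the honest way to see what such restrictions cost.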
The bottom line is that your accounts are being probed as you read this, and for many of them the password is the only defense. Make your passwords as long and complex as you can stand (12 characters minimum, longer where the site allows), never reuse one across sites, turn on multi-factor authentication wherever it is offered, and keep your passwords safely away from everyone. The inconvenience you may suffer is far better than recovering from identity theft, a drained bank account, or the loss of all your company's data.