Passwords
Passwords are one of the simplest ways for a person to prove that they are who they say they are. We use them for everything, from logging into our computers and email accounts to protecting our credit card information on online shopping sites. Unfortunately, most passwords that people choose are not very good — the most common password in the world is the word “password”! Bad passwords make it easy for other people to access your information and do bad things with it. Below are some suggestions to stop this disaster from happening.
This page was last updated on 2012-08-21
What are the Risks?
In one study in the UK in 2004, 70% of people gave away their computer password to a stranger on the street in exchange for a chocolate bar! This is craziness, but not hard to believe.
I am constantly typing passwords. Passwords are used so frequently nowadays that it is easy to forget just how important the data they protect really is. Some of these passwords protect things of little value, such as forum accounts. Others are for instant messaging or email accounts, and the one I type most of all is the one that lets me log in to my computer.
The password to your account on your computer, and the password to your primary email account are your two most important passwords. All computers should ask for a password when they are turned on. My laptop requires a password to log in, so that if I ever lose it or leave it idle for more than a few minutes, nobody else can turn it on. If you lose your computer, you can’t retroactively change your password to be more secure, so it’s important to use a good password for this and to keep it secret.
My email account is protected with an even more complicated password, because in some ways it is even more valuable. Don’t underestimate the risks here: a person who gains access to your email address can do much more than just read your email. They can send messages pretending to be you. But more critically, they can use a website’s “I forgot my password” feature to change your password to any other online service you use, as the password reminder that they request will be sent to — you guessed it — your email account which they now control. Once this happens, it’s game over. Your email, in a sense, is the gateway to your online identity, so it should be protected as well as possible.
Attacking your Password
So how would this grim event come about? How do outsiders get to your passwords? Let’s pretend that some dastardly person wants to get access to one of your accounts. Maybe they want to steal money, maybe they are trying to steal your identity, or maybe they’re just doing it for sport; it doesn’t matter. They will probably use one of the following methods.
Guessing your Password
The simplest way to break someone’s password is simply to guess what they might have used. If you have a dog named “Poochie” and the attacker knows about him, then that’s going to be one of the first things they try. This is the reason why using your own name, the name of any pet, your birthday, the name of the street you live on and so on are all bad choices for passwords. As distasteful as it may seem, you need to protect yourself against people who know you in the real world. They are as likely to try to get access to your account as a stranger is. Even if the attacker doesn’t know you, some of this personal information could probably be found out by reading your website, and if so, it is a vulnerability.
A second thing to watch out for is the “password reminder” question offered by many websites. The site asks you to fill in the answer to a question, and if at some point in the future you forget your password, you can just fill in this answer again and your password will be sent to you. This is bad because the answers to these questions (“What street did you grow up on?”, “What is your mother’s maiden name?”) are often easier to guess than your password would have been. The best strategy here is to leave these answers blank, and focus on developing a strong password that you will have no trouble remembering, which I’ll discuss later in this article.
Cross Pollination
You probably use a password on many different sites, like Gmail, YouTube, delicious, flickr or Facebook. You may also use a password to log in to various forums, message boards, and other services which you use less frequently. Each of these websites has to store your password on its end, and so each of these passwords can be discovered. Services like forums or blogs in particular can be hacked much more easily, and when this happens, the attacker can get access to every user’s password.
If this happens (and it will probably happen without your knowledge), you want to minimise the damage. If an attacker has gained access to the email address and password that you use to enter a forum, it would be pretty crazy if that password was the same one you used to access your email account.
This is called password cross pollination, and the best way to avoid having it happen to you is to use different passwords for each site you are a member of. Change your password every once in a while so that attacks like this can’t affect you. Later I’ll show you how to generate easy-to-remember passwords for multiple sites by using a common password root.
Password Cracking
This is the most common form of password attack, and is generally used to decrypt a document or hack a computer. The attacker will quite simply try every password possible until they happen upon one that works. There is software available to bad guys that will automatically cycle through every password in a huge list. Nowadays an attacker with even an average computer can try thousands of passwords a second, and computers are only getting faster. This means that if an attacker has access to your machine, and you have a poor password, they may be able to access your computer in minutes or less.
Password Strength
A password can be considered strong or weak, depending on how difficult it is to crack. To understand the distinction, we need to look at how password cracking programs work. All they do is build a list of possible passwords and then try these one after the other until one of them works. Even though they can try many thousands a minute, there are still a lot of possible passwords that they have to check. Often, if a password crack is taking more than a certain amount of time (say, 20 minutes), the program will stop and move on to the next account.
So, how do you make sure that the program will have to give up on your password? You make it strong! A “strong” password is simply one that the program is very unlikely to attempt, unless it is running for months. For example, anyone using a password like “monkey” or the perennial favourite “password” can expect to be cracked in only minutes. These passwords are poor for a number of reasons:
- They are short. The password cracker starts with “a”, then “b”, until it gets to “z”. Then it tries “aa”, “ab” and so on. As this pattern continues it will get to “monkey” soon enough.
- They use all lowercase letters. These kinds of passwords are checked early, because most people have all-lowercase passwords.
- They use words found in the dictionary. A good cracking program will store the entire English dictionary, plus a lot of slang words and common names of people and places and try all of these in various combinations.
- They are common. Good password crackers will always try the list of common passwords first. In fact, the password “monkey” would probably be cracked in milliseconds!
A good password has a number of qualities that make it difficult to crack. The first, and most important, is length. Your password should be at least 10 characters long. This will make a big difference to your chances.
Everything else is about adding in uncommon elements to your password. Firstly, numbers. It is nowadays common to append a number to the end of a word to make up a password, as in “monkey1”. This is very slightly more secure, but as it is common, it is also checked for quite regularly. What is less common is to have the number in the middle of the sequence somewhere. So, something like “mon91key” is an improvement.
But we can do much better! Next let’s add capital letters. Your password should have a mix of lowercase and uppercase letters. People commonly add a capital letter to the start or end of their password, so we are going to do the opposite. Mix capital letters into the middle of your password, to get “mOn91KEy”. This is now a significant improvement, and will fool many password crackers.
But we can go even further! Add in punctuation marks, like !,@,#,$,%,{,},^,*,?,_,~ or even hit your space bar. “mOn!91KEy{}” is an excellent password. If you want to go further, this online password checking tool is an excellent guide for testing your new password’s strength.
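The four reasons listed above can be put into numbers. This is an added example, not code from the original article: it estimates the brute-force search space for the passwords the text walks through, assumes a guessing rate of 10,000 passwords per second to match “thousands a second”, and uses a tiny constructed stand-in for a cracker’s wordlist. The brute-force figure is only an upper bound, since a wordlist hit like “monkey” is found long before exhaustive search would reach it.

```python
import math
import string

# Alphabets a brute-force cracker must enumerate; which ones it needs depends
# on the kinds of characters the password contains.
POOLS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation + " ",  # 32 symbols plus the space bar
}

# Constructed stand-in for the wordlist of common passwords a cracker tries first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "monkey", "letmein"}


def pool_size(password: str) -> int:
    """Size of the alphabet needed to cover every character in this password."""
    return sum(len(chars) for chars in POOLS.values() if any(c in chars for c in password))

def search_space(password: str) -> int:
    """Candidates of this length over that alphabet: the worst case for the attacker."""
    return pool_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """log2 of the search space, the usual way of comparing password strength."""
    return math.log2(search_space(password))

def exhaust_seconds(password: str, guesses_per_second: int = 10_000) -> float:
    """Seconds to try the whole space at the assumed rate (the article's 'thousands a second')."""
    return search_space(password) / guesses_per_second

def weaknesses(password: str) -> list[str]:
    """Reasons a cracker would reach this password early, mirroring the article's list."""
    reasons = []
    if len(password) < 10:
        reasons.append("short")
    if password.islower():
        reasons.append("all lowercase")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common")  # a wordlist hit comes long before brute force would arrive
    return reasons

if __name__ == "__main__":
    for pw in ["monkey", "mon91key", "mOn91KEy", "mOn!91KEy{}", "Hooray, I am happy!"]:
        days = exhaust_seconds(pw) / 86_400
        print(f"{pw!r:24} pool={pool_size(pw):3} bits={entropy_bits(pw):5.1f} days={days:.3g} weak={weaknesses(pw)}")
```

Running it shows the jump from “monkey” (26 letters, 6 long) to “mOn!91KEy{}” (95 symbols, 11 long), and that the passphrase from the next section scores higher still on length alone.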
Techniques for Memorable Passwords
If you’re not used to using strong passwords, “mOn!91KEy{}” might still look like an intimidating password to remember. Trust me though, once you’ve typed it a dozen or so times it’ll become automatic, and there won’t be any thinking or memory involved.
There are a few tricks that you can use to make your password easier to remember though. The first is to use a passphrase. Rather than a single word, you just write out a brief phrase, punctuation and all. If you were to enter “Hooray, I am happy!” as your password, you would be nigh-on unbeatable. This password is long, and it uses a mix of lowercase and uppercase letters along with uncommon characters like spaces, a comma and an exclamation mark.
Another technique that results in more typical-looking passwords is to use a “keyboard pattern”. This is a way to type keys across the keyboard in a pattern that is easy to remember. For example, starting at the “W” key on a typical QWERTY-style keyboard, as in the image on the right, trace a line down to “X”, then up to “D” and down again to “C”, then back up to “T”. If you mix capital letters in there you can end up with something like “WsxDcFt”. Type that twice and add a number and exclamation mark in the middle (“WsxDcFt0!WsxDcFt”) and you again have a wonderfully impossible-to-crack password!
Site Salting
As I said earlier, using the same password for more than one site is likely to get you in trouble at some point. But you couldn’t possibly remember one of these strong passwords for every site you need to log in to. This is where a technique I call site salting comes in. You develop your own strong password through the steps I’ve described above, and then add in a unique part for the current site to make it different from all the others.
For example, for my Google password, I could take the “Goo” from the start of the domain name, reverse the characters to get “Oog” and insert this into my strong password. So my password for Google services becomes “WsxDcFt0!OogWsxDcFt”. Or I could split it across the existing characters so it becomes “OWsxDcFt0!oWsxDcFtg”. My Facebook password following this pattern would be “CWsxDcFt0!aWsxDcFtf”. Remember, nobody will ever see two of your passwords beside each other, so they are unlikely to work out your memory aid, and now you have unique (and very strong!) passwords for each site you use!
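The derivation above, written out as added example code rather than anything from the original article. It assumes the root password “WsxDcFt0!WsxDcFt” from the previous section, that the salt is the first three letters of the site name reversed with the first one capitalised, and that the root is split after its ninth character (just past the “0!” in the middle), which reproduces the three passwords given in the text.

```python
ROOT = "WsxDcFt0!WsxDcFt"  # the article's keyboard-pattern root password
SPLIT_AT = 9               # assumed split point: right after the "0!" typed into the middle


def site_salt(site: str) -> str:
    """First three letters of the site name, reversed, first letter capitalised ("Goo" -> "Oog")."""
    return site[:3][::-1].capitalize()


def salted_insert(site: str, root: str = ROOT, at: int = SPLIT_AT) -> str:
    """Drop the whole salt into the middle of the root (the article's first variant)."""
    return root[:at] + site_salt(site) + root[at:]


def salted_split(site: str, root: str = ROOT, at: int = SPLIT_AT) -> str:
    """Spread the three salt characters across the root: start, middle, end (the second variant)."""
    first, middle, last = site_salt(site)
    return first + root[:at] + middle + root[at:] + last


if __name__ == "__main__":
    for site in ["google.com", "facebook.com"]:
        print(site, salted_insert(site), salted_split(site))
```

Every output contains the root verbatim, so the root is the part that has to stay secret.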