Pick anyone in the world who uses a computer now and then and chances are they’ve had to think up a password somewhere along the line. Regular computer users will have stacked up quite a few, your work pc, Web mail, online banking, blogs, etc. It’s no wonder that a lot of people get overwhelmed by the sheer weight of things to remember and forget why they’ve got the passwords in the first place.

It’s not uncommon to see a Post-it note with a password written on it stuck to the top of the computer that it accesses, and when that happens it’s easy to see that something has gone wrong somewhere down the line. For users, it’s important to remember why passwords exist in the first place, and for administrators setting a password policy, who tend to err on the side of paranoia, it’s important to remember that sometimes too much security is just as bad as none at all. To understand what makes a good password, we need to first look into how passwords get broken.

People trying to break your password will generally fall into one of two categories. The first will be professional cyber criminals, indiscriminately trying to gain access to accounts for their own gain. Maybe it’s access to your bank account and your funds, maybe it’s control of your computer so they can add it to their botnet, maybe it’s an attempt to gain access to your work account for the purposes of industrial espionage, or maybe it’s just some bored kid looking for something to vandalise.

Whatever the situation, the common factor is that they’re not necessarily singling you out and you haven’t necessarily done anything to draw their attention. You may just be one of a thousand hit, or one of a hundred thousand chosen at random on the Internet, and the only thing protecting you is the strength of your password.

The second group are people who have chosen to target you; either they know you or they have the means to find out. They may have chosen you for any of the reasons above, or through curiosity or spite. Many people choose passwords that relate to personal information, such as birthdays, addresses or family names — thinking that either nobody knows these little facts, or that those who would know would never try to use them.

Most people aren’t aware how much information ends up being available about them on the Internet, one way or another — and with search engines getting better all the time, it’s getting easier to find out more about people.

How are passwords broken?

There are a number of different ways in which passwords are broken. The oldest, and least sophisticated method is called the brute force attack. An attacker runs through every possible sequence in the set of possible passwords until they find the right one. While it’s not clever, the advantage of the brute force attack is that given enough time it will always work. The key factor here is time, but to understand this, let’s take an example: cracking a four digit PIN number.

Now in this case, there are four characters and each character has 10 different options — meaning that there are 10 ^ 4 possible combinations. Or 10,000 attempts to generate every possible password in the set, but since on average you only need to go through half the set to find a given password, a cracker will need only 5000 attempts per password, which a computer can run through in a matter of seconds.

That was a simplistic example, but let’s take something a little more commonplace: six digit password, letters only and not case sensitive. This means that there are 26 options for each character, giving us 26 ^ 6 or 308,915,776 different options. Now clearly this is going to take a lot longer, but it’s still not going to be enough to discourage an attacker.

At the 2005 Ontario Universities Computing Conference, Johnathan Graham claimed an optimised copy of a password cracker running on a 2.7Ghz G5 Mac had managed to generate 900,000 encrypted passwords per second; a six letter password space could be entirely generated in only five minutes (presentation notes). An eight character password, using the full printable ASCII character set, including uppercase, lowercase, digits and punctuation, would take 200 years of constant computation to crack at this rate.

The second method is the dictionary attack. In this kind of attack the attacker has a big list of possible passwords, so that rather than having to try every possible combination of letters and numbers, they need only try combinations that are likely to be someone’s password, somewhere. Don’t be fooled by the name into thinking that this list contains only words found in a common dictionary, although that will certainly be part of it.

Your typical password cracker will have several dictionaries, ranging from a short list of only the most common passwords, up to a comprehensive dictionary containing obscure words, names, places, phrases and common misspellings. Oftentimes a cracker will use this dictionary with itself to generate a list of concatenated words, including the addition of digits and punctuation. A password cracker’s largest dictionary may run into the 10s of gigabytes, and may run for days.

The last method is the simplest — trying passwords manually is the sort of attempt your little brother might try. Normally this is a negligible threat — few attackers have the patience to sit and type out 10 thousand different passwords. The danger here is when the attacker already has the password, even sticking to low tech approaches there are plenty of ways an attacker can get the password of a careless user. The easiest is to just read the password, either on the traditional Post-it note, or on the list of usernames and passwords to company accounts stuck to the side of the secretary’s desk — if you put your password in plain sight then you’re trusting everyone who steps into your office to respect your privacy.

Another common trick to look out for is the fake e-mail asking you to “verify” your account by sending your username and password through e-mail — in fact delivering it right to the attacker who’s trying to compromise your account. The success of this scam has led many online sites that use password verification to place warnings to inform users that they will never request a password through e-mail.

How do you create a good password?

Now that we’ve identified the who and the how, we can start to think about what makes a good password. Clearly the best password is the one that provides the most defence against password attacks. For brute force attacks, the key factor is the size of the key space, that is, the amount of passwords that are possible. The more characters that make up a password, the better, and the more characters that a password can be made up of, the better.

For a dictionary attack, the important thing is that the password is as random as possible, so that it is unlikely to turn up in any generated dictionary of likely passwords — avoid passwords that contain dictionary words, names, places and even dates. For the last type of attack it’s important to make it memorable enough so that you’re not tempted to write it down anywhere. This is the big problem with passwords, keeping it memorable enough so that you can keep it in your brain, but complex and random enough to not be easily generated by an attacker.

One popular method is generating an acronym, pick some phrase you’ll remember and take the first letter of each word, throw in some punctuation and you’ve got something that’s easy for you to remember, but looks completely random to someone who doesn’t know how the password was created. For example, say you’re a Bob Dylan fan, you’re terrible at remembering passwords, but you know all the words to Highway 61 Revisited — you take the first letter of each word in the first line (“God said to Abraham: “Kill me a son”) add the name of the song and end up with a password that looks like GstAKmash61r.

That’s a 12 character password with lower and upper case letters, as well as digits that looks pretty indistinguishable from any other string of characters to anyone who doesn’t know where it came from. This makes the method you used your effective password, since it’s all you need to regenerate the password. Even if you don’t happen to know all the lyrics to your song, you can stick them to your cubicle wall and no one will think anything of it.


The Good

  • The more possible things your password can be, the harder it is to brute force — so be creative: use a mix of letters, numbers and punctuation.
  • Change your password from time to time. While this doesn’t make any single password more secure, it can decrease the damage done should someone get a hold of it and means that old password information gives an attacker nothing.
  • Use memory tricks such as acronyms or mnemonics to help you remember a complicated password.
  • Use different passwords for different accounts. You wouldn’t use your PIN number as your video store password, would you? So avoid having the same password for Web mail and Internet banking.
  • Break your password up into sections and have a different rule for each, this will help make a more random looking password.

The Bad

  • Don’t assume that because you’ve done nothing to draw the eye of a password cracker you’re safe; most password cracking attempts are made by people who neither know or care anything about you.
  • Don’t use words that exist in any dictionary in any language anywhere in the world.
  • Don’t use names, even if they’re uncommon.
  • Common misspellings, or replacing letters with numbers that look similar, eg. 1 for L or 0 for O gives you a negligible increase in password strength.
  • Don’t leave your password as the default, lists of default passwords for a whole range of systems are commonly available on the Internet.
  • Don’t use sequences of characters that appear in a run on the keyboard, such as qwerty or asdf.

The Ugly

The top 10 passwords found in a UK study, as published on the blog Modern Life Is Rubbish are as follows. If you see your password here, or something similar, you might want to think about a change:

  1. 123
  2. password
  3. liverpool
  4. letmein
  5. 123456
  6. qwerty
  7. charlie
  8. monkey
  9. arsenal
  10. thomas