You use passwords every day to access things like your phone, your email, and social networking. But are you really keeping yourself safe?
If there's one thing people associate with modern technology, it is passwords. They are everywhere, and most of us use them for dozens of things every day. Yet most people are shockingly indifferent about their password security. Most of us probably know someone who uses the same password for everything, from their computer and email to their Facebook and bank accounts - and that password might be something as obvious as their birthday or the name of the street where they grew up. And we also probably know someone who has a sticky note on the side of their monitor labelled "Passwords" (in red, double-underlined) with a list of everything from Twitter to Netflix just sitting in the open for anyone to read.
These practices might sound like something from our grandparents' generation, but they are far from a thing of the past.
Fortunately, there are simple ways to make passwords both hard-to-guess and easy-to-remember. Unfortunately, the technology industry sometimes gets in the way of using them. Here's a rundown of common password weaknesses and some ways you can improve your passwords and your online safety.
Obscurity versus complexity
A common truism about passwords is that they should never be easy to guess. Most tech-savvy people agree no one should use details about themselves as a password: that includes birthdays, addresses, and names of friends and family (including parents, siblings, spouses, children, and even pets). Similarly, "password" makes a singularly poor password - as do all the other commonly used throwaway passwords.
This evergreen advice often gets interpreted to mean that passwords should be obscure: a term no one would ever think you'd pick in a million years. Yes, obscure can work - and it's a darn sight better than picking an obvious password. However, an obscure password only protects you from people who know something about you. Odds are, most people trying to crack your passwords don't know you.
Most password-cracking doesn't happen the way it's portrayed in movies, where Our Hero (or The Villain) sits at a keyboard, tries a phrase or two, rubs his chin, then spies a childhood photo on the desk. Aha! Type the magic word and presto, security circumvented. In the real world, the vast majority of password cracking is automated, with computers literally throwing every word in the dictionary (and then some) at a system in hopes of stumbling across the correct term. This approach can work because computers can try passwords much faster than humans can type them, and they can run 24 hours a day, seven days a week, without bathroom breaks. Automated password crackers don't know anything about the users they're trying to compromise: It's a brute-force approach.
So, it turns out that a key to a strong password isn't its obscurity but its complexity - things that make it less likely to be guessed by an automated password cracker. However, making a good complex password means knowing a bit about how passwords get broken.
In very general terms, password crackers typically have two approaches. One is to literally try a pre-compiled list of possible passwords. These usually start from very common passwords (like "password" or "qwerty") and work their way down to less common terms, eventually using a list of words compiled from an online dictionary and other sources. This approach is more likely to find passwords that are valid words or variants on them, even if they're obscure.
Another password-cracking approach is to try valid sequences of letters, numbers, and symbols, regardless of their meaning. A password cracker using this approach might start with "aaaaaaaa" for an eight-character password, then try "aaaaaaab", then "aaaaaaac", and so on up the alphabet, through mixes of upper and lower case, and throwing in numbers and symbols. This approach is more likely to find passwords that are "machine-friendly" or randomly generated. A passcode like "4De78Hf1" isn't any more difficult to find this way than "teenager" would be.
So, what are the odds of a password being guessed? Most systems these days enable users to create passwords using letters (upper and lower case), numbers, and a selection of symbols. Allowable symbols often vary between systems (some allow almost anything, others allow only a handful), but for our purposes let's assume that means each character in a password can be one of about 80 values - two alphabets at 26 letters each, ten numerals, and 18 symbols. (In theory at least 127 values should be available for every character, but in practice it's a smaller number.) Using a purely brute-force approach, that means it would take a maximum of 80 guesses to randomly figure out a one-character password. A four-character password could take over 40 million guesses (80 × 80 × 80 × 80 = 40,960,000) and an eight-character password could take over 1.6 quadrillion guesses (1,677,721,600,000,000).
If a password cracker were able to make 1,000 guesses a second, it would need about a month to run all combinations of a four-character password, and over 53,000 years to run all the combinations of an eight-character password. That seems pretty secure, right?
Well, not really. In purely statistical terms, a cracker has a 50/50 chance of finding the password in half that time. More troubling, the folks who make password crackers have other ways of improving their odds. Remember how "password" was one of the worst passwords to use? Guess what's also a very bad password? "Passw0rd", substituting the numeral zero for the letter O. While password crackers are running their common words from a dictionary, they're also trying common variants on those words, substituting zeros for Os, @ signs and 4s for As, 3s for Es, 1s and !s for Is, 7s for Ts, 5s for Ss, and so on. Similarly, "0qww294e" is a terrible password - that's just "password" shifted up one row on a standard English keyboard. These techniques prey on users' preference for easy-to-remember passwords. Unfortunately, by substituting (or capitalizing) a character or two in an easy-to-remember term, people are mostly making their passwords more obscure, but not much more secure. In fact, typical user-selected eight-character passwords with mixed case, numbers, and symbols usually only have about 30 bits of entropy, or a little over a billion possible combinations. Why? Because the list of terms on which people base their passwords is far smaller than the total possible combinations of letters, numbers, and symbols.
How fast can passwords be broken? Trying 1,000 passwords a second might seem impossible - after all, most services tend to lock us out of our own accounts if we mistype a password three or four times, often resetting the password and requiring us to answer security questions to make a new one. These "gateway" techniques do improve account security, and incidentally are also a blindingly easy way to annoy people.
However, attackers intent on breaking passwords aren't knocking on a service's front door and trying millions of times to log into the same account. They're either using less-public authentication methods that aren't subject to lockouts (like a private API for partners or apps), spreading their attacks across a broad range of accounts to avoid lockout periods, or applying password cracking techniques to stolen password data. Most systems encrypt the password data they store, but those encrypted files are only as secure as the system itself. If attackers can get their hands on the encrypted password file (through a security hole, compromised machine, or social engineering, for starters) they can attack it very rapidly once it's on their own systems. Once the encrypted data has been pried loose, attackers can apply much more powerful tools to crack it open.
In the real world, that means the figure of 1,000 passwords per second is extremely conservative. Typical desktop computing hardware these days can test millions of passwords a second against common encryption technologies. Similarly, there are now password-cracking tools that leverage graphics processors, and criminal botnet operators are also in the password cracking business. They can spread the workload across thousands of computers. Combine this raw power with sophisticated heuristics (like trying numbers-and-letters variants on common words) and it's not unusual to crack a typical eight-character user password in under half an hour.
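The two ideas above, the raw brute-force arithmetic and the way a cracker's rule engine undoes "Passw0rd"-style substitutions and keyboard-row shifts, can be put into a small password audit check. This is an added example, not code from the original article; the word list and the keyboard rows are constructed here, and a real audit would use a dictionary of thousands of entries.

```python
# Constructed mini-dictionary standing in for the word lists crackers start from
COMMON_WORDS = {"password", "qwerty", "letmein", "teenager", "monkey"}

# The substitutions the article lists, mapped back to the letter they replace
UNLEET = str.maketrans({"0": "o", "@": "a", "4": "a", "3": "e",
                        "1": "i", "!": "i", "7": "t", "5": "s"})

# Rows of a standard US keyboard, top to bottom (constructed for this example)
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def unshift_row(pw: str) -> str:
    """Undo a one-row upward keyboard shift ("0qww294e" -> "password")."""
    out = []
    for ch in pw:
        for upper, lower in zip(KEY_ROWS, KEY_ROWS[1:]):
            idx = upper.find(ch)
            if idx != -1 and idx < len(lower):
                out.append(lower[idx])
                break
        else:
            out.append(ch)  # not a shifted key, keep it as-is
    return "".join(out)


def candidate_bases(pw: str) -> set:
    """Base words a cracker's rule engine would recover from this password."""
    low = pw.lower()
    shifted = unshift_row(low)
    return {low, low.translate(UNLEET), shifted, shifted.translate(UNLEET)}


def is_dictionary_variant(pw: str) -> bool:
    """True if the password is a common word or a leet/keyboard variant of one."""
    return any(base in COMMON_WORDS for base in candidate_bases(pw))


def brute_force_seconds(length: int, guesses_per_sec: float = 1000,
                        alphabet: int = 80, expected: bool = False) -> float:
    """Seconds to try every combination (or half of them, the expected case)."""
    space = alphabet ** length
    return (space / 2 if expected else space) / guesses_per_sec


if __name__ == "__main__":
    for pw in ["Passw0rd", "0qww294e", "4De78Hf1"]:
        print(pw, "dictionary variant" if is_dictionary_variant(pw) else "not a list word")
    years = brute_force_seconds(8) / (365 * 86400)
    print("8 random chars at 1,000 guesses/s: %.0f years" % years)
    print("same at a million guesses/s: %.1f years" % (years / 1000))
```

Raising guesses_per_sec to the millions that desktop hardware manages shows how quickly the 53,000-year figure collapses for the eight-character case.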
Making complex passwords
The Holy Grail of passwords would then seem to be a password that is complex enough that it is impractical to crack using automated techniques, yet easy enough to remember that users don't compromise security by storing or managing them unsafely.
Here are some tips for making complex, easy-to-remember passwords:
- Use long passwords: If an eight-character password can have 1.6 quadrillion possible combinations, imagine how many a 16-character password can have. (About 2.8 nonillion, or 2.8 × 10^30.) However, perhaps more importantly, the set of values for a 16-character password using common terms and variations is just under 1.2 quintillion, where it was just over a billion with an eight-character password. Using longer passwords is the easiest way to make passwords more complex and more secure.
- Use combined words: How to make easy-to-remember long passwords? One common technique is to use a series of three to five simple, unrelated terms. These are generally as easy to remember as PINs; cognitively, people tend to remember whole words as single units. However, these passwords can be very complex, at least from the point of view of password cracking. And these passwords are easy to make just by looking around or flipping a book to a random page. Glancing left out of my window I see a toy frog, a car, and the window of someone's kitchenette. New password: "FrogHubcapCupboard" - that's 18 characters, but only three words to remember. Looking right: "RunnerCameraGlueString" - four short words, 22 characters. I've only used uppercase to mark where one word ends and the next begins. Adding more characters or substitutions can increase complexity - just don't get so complex that the password becomes hard to remember, which brings back the problems described above.
- Use phrases or lyrics: Another way of making long passwords is to use parts of phrases or lyrics. For lyrics, relatively common songs are perhaps better than ones particularly important to you since you don't want people who know you well to be able to guess your passwords.
- Use mnemonics: The downside of long passwords is that they can be difficult to type, especially on a mobile device. Another trick some people find useful for generating complex shorter passwords is using the first character of every word in a phrase or lyric. "How many roads must a man walk down" could become "HmrmamwD" - only eight characters, but relatively complex from the point of view of a password-cracking program.
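The combined-words and mnemonic tips above, with the arithmetic that shows how strong a word-based password really is against a cracker that guesses whole words rather than characters. This is an added example, not code from the original article; the word list is constructed, and the 20,000-entry list size used in the comparison is an assumption.

```python
import math
import secrets

# Constructed word list; a real one would run to thousands of entries
WORDS = ["frog", "hubcap", "cupboard", "runner", "camera", "glue", "string",
         "lantern", "pepper", "orbit", "velvet", "saddle", "marble", "tunnel"]


def combined_words(n_words: int, words=WORDS) -> str:
    """Join n randomly chosen words (CSPRNG), capitalised to mark the boundaries."""
    return "".join(secrets.choice(words).capitalize() for _ in range(n_words))


def mnemonic(phrase: str) -> str:
    """First character of each word in a phrase or lyric."""
    return "".join(word[0] for word in phrase.split())


def brute_force_bits(length: int, alphabet: int = 80) -> float:
    """Guess-space, in bits, if the password could be any string of this length."""
    return length * math.log2(alphabet)


def word_list_bits(list_size: int, n_words: int) -> float:
    """Guess-space if the attacker knows it is n words drawn from a list this size."""
    return n_words * math.log2(list_size)


def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Years to try every possibility in a space of the given size."""
    return 2 ** bits / guesses_per_sec / (365 * 86400)


if __name__ == "__main__":
    pw = combined_words(3)
    print(pw, len(pw), "characters")
    # Character brute force over 18 chars versus guessing three words from an
    # assumed 20,000-word list: the second is the figure that actually matters.
    print("18 chars, any character: %.0f bits" % brute_force_bits(18))
    for n in (3, 4, 5):
        bits = word_list_bits(20000, n)
        print("%d words from 20,000: %.0f bits, %.1f years at a million guesses/s"
              % (n, bits, years_to_exhaust(bits, 1e6)))
    print(mnemonic("How many roads must a man walk down"))
```

The loop shows why the article recommends three to five words rather than just three: each extra word from a 20,000-entry list adds about 14 bits, which multiplies the cracker's work by roughly 20,000.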
A few other hints
Other things to think about when choosing your passwords:
- Use separate passwords for separate services: Don't use your social-networking password for online banking. If a password is compromised on one service, the others should be safe.
- Choose important passwords carefully: Single sign-on systems might be tremendously convenient, but also create a single point of failure for multiple services. Examples would be passwords to accounts at Google, Yahoo, and Microsoft services, where a single cracked password could give someone access to email, documents, pictures, social networking, blogs, photo libraries, contact lists, address books, and more. Similarly, with so many sites (even Digital Trends) accepting Facebook and Twitter logins, a compromised social networking password can have far-ranging repercussions.
- Change your passwords: By changing your password regularly, you ensure that even if someone breaks in, their window of opportunity to exploit you is limited. The frequency with which you should change passwords varies with how you use online services. For anything involving real money, change passwords every 30 to 90 days - the more money, the more often.
No password is safe
Perhaps the most important thing to remember about passwords is that any password can be cracked. It's just a question of how much time and effort someone is willing to put into it. The tips here will help reduce the odds your passwords will be rooted out by random attackers and even friends and family, but no password is completely secure. If secure access to a service is very important to you, consider looking into various forms of multiple-factor authentication to further reduce the chances of unauthorized access.