Creating Secure Passwords That You’ll Remember
There are 4 things that make a good password.
- Hard to bruteforce – It should be long enough, and drawn from a large enough set of characters, that trying every combination is impractical.
- Hard to guess – It shouldn’t contain personal things, such as a birth date, or plain dictionary words.
- Uniqueness – It should not be the same as all your other passwords.
- Unforgettable – You should be able to remember it off the top of your head, and never need to write it down.
I am going to address each element of a good password in order, show you my technique for accomplishing all 4 of them, and leave room for you to add your own little twist to suit your needs.
Hard to bruteforce
What does bruteforce mean? It’s a technique crackers use to figure out your password. The name fits because the attacker’s software simply “guesses” every possible combination your password could be. Say they believe your password is lowercase letters and at least 3 characters long. The software starts by guessing aaa and tries it; if that fails it moves on to aab, then aac, and so on until it reaches zzz, at which point it moves on to aaaa and starts over. It keeps going until it either finds the password or the cracker gives up.
Depending on the protocol being bruteforced, each guess can take anywhere from 0.01 seconds to 1 second for online attacks against a live login, like your accounts. If instead the attacker was able to get inside and retrieve the file with your password in it, they are attacking the stored password hash offline, and a modern PC could make as many as 10 million guesses a second (GPU crackers manage billions per second against fast, unsalted hashes like MD5, while deliberately slow hashes like bcrypt or scrypt hold the rate down to thousands). This is why many sites require at least 8 characters for your password: that is roughly the point at which a bruteforce attack takes many years to complete. The more possible characters there are, and the more characters in your password, the longer it takes to bruteforce.
For example, suppose the cracker knows you only used lowercase letters in your password: no numbers, no uppercase, no symbols. That gives 26 possibilities per character, raised to the power of the number of characters in your password. So a 5-character lowercase password, at 0.01 seconds per guess, takes at most 26^5 * 0.01 seconds, or 26*26*26*26*26*0.01. You may be surprised to learn that’s only a little over 33 hours, less than a day and a half (on average the attacker hits the right guess about halfway through, but the scale is the same). Add just 3 more characters (26^8) and it goes from 1.4 days to 66 years! Yes, 3 little characters can make that much difference.
This is of course if the attacker is guessing through an internet protocol such as FTP, SSH, or HTTP. If the attacker has the password file, refer to this chart for times: http://www.lockdown.co.uk/?pg=combi. It states that a modern PC could find a 5-character password instantly and an 8-character one in a little under 6 hours. Again, this is only for passwords known to contain nothing but lowercase letters (26 possibilities).
It is advised that your password contain at least 8 characters and draw from more than 26 possibilities by mixing in uppercase, numbers, and symbols: uppercase (26), lowercase (26), symbols (~34), numbers (10). If the attacker has to allow for any of those 96 characters in each position of an 8-character password, that’s 7.2 quadrillion (96^8) possible combinations…around 2.3 million years at one guess per 0.01 seconds over an online protocol, or about 23 years at 10 million guesses a second against a password file. What counts is the character set the attacker has to assume, so actually use all four classes rather than one token symbol.
Hard to guess
The second and third techniques used in password cracking are dictionary attacks and social engineering.
Dictionary attacks are similar to bruteforce attacks, but instead of trying every possible combination the software works through a list of words (the dictionary). The most popular dictionaries contain the most common passwords (Top 500 most used passwords; warning: contains vulgar words). The computer runs down the list and tries each entry as the password. If your password is common, or an English word, it is likely to be guessed quickly. Many tools combine dictionary and bruteforce (a hybrid attack): they try each word in the dictionary and then add a suffix or prefix. With a dictionary of animal species, that would be alligator, 1alligator, 2alligator…alligator1, alligator2…elephant…elephant1, elephant2, and so on.
Social engineering is just a fancy term for manipulating people to extract information. It can mean getting to know the victim and acting as their friend to learn their birth date, favorite food, mother’s maiden name, etc. It isn’t limited to befriending the victim: it also includes calling them at home posing as a fraud protection service, saying there has been a compromise and they need the last 4 digits of your Social Security number. It even includes never talking to the victim directly, such as posing as an investigation bureau and calling the victim’s Internet provider for address information based on their IP address. If any of this personal information is used in a password, it helps the attacker.
Social engineering is typically where an attacker starts. They enter all your personal information into a dictionary, along with popular passwords and common English words, then run a dictionary/bruteforce attack that tries combinations of letters, numbers, popular words, and personal information. The combination of all these methods usually (I’d guess around 90% of the time) ends with the attacker getting into the site they are after. Many people use the same password for everything, so once an attacker has the password to a site you signed up for 3 years ago and forgot all about, they have the password to your email, your bank account, and everything else you share that password with. This brings us to the next important thing:
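The personalised dictionary attack the last three paragraphs describe, as an added example (not code from the original post): a small Python hybrid cracker that takes a constructed victim profile, turns it into password fragments, runs them and a short wordlist through prefix/suffix/leet mangling rules, and tests each guess against a leaked SHA-256 digest. The wordlist, the profile and the sample passwords are all made up for the demonstration; real attack lists run to millions of entries and hundreds of rules.

```python
import hashlib
import itertools

# Constructed wordlist: a handful of the most common passwords followed by a
# few dictionary words.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon", "monkey"]
DICTIONARY_WORDS = ["alligator", "elephant", "sunshine", "football", "shadow"]

# Constructed profile of a hypothetical victim: the facts an attacker has
# collected by social engineering before the first guess is made.
VICTIM_PROFILE = {
    "first_name": "Alice",
    "pet": "Fluffy",
    "birth_date": "1985-07-14",
    "mothers_maiden": "Kowalski",
    "favorite_team": "Steelers",
}

# Common "leet" substitutions, applied as one more mangling rule.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def personal_tokens(profile):
    """Turn profile facts into password fragments: whole values, the pieces
    of a date, and the two-digit year (1985 -> 85)."""
    tokens = []
    for value in profile.values():
        for piece in [value] + value.replace("-", " ").split():
            piece = piece.lower()
            if piece not in tokens:
                tokens.append(piece)
    for token in list(tokens):
        if len(token) == 4 and token.isdigit():
            tokens.append(token[2:])
    return tokens


def mangle(word):
    """Yield rule-based variants of one base word: case changes, leet
    substitutions, then digit and symbol prefixes/suffixes."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    for base in sorted(bases):
        yield base
        for suffix in ("!", "123", "!1"):
            yield base + suffix
        for n in range(100):          # alligator0 ... alligator99
            yield base + str(n)
            yield str(n) + base       # 0alligator ... 99alligator


def candidates(profile):
    """Attack order: the most common passwords, then every personal token
    and dictionary word through the mangling rules, then pairs of personal
    tokens glued together (pet name plus birth year is the classic)."""
    yield from COMMON_PASSWORDS
    tokens = personal_tokens(profile)
    for word in tokens + DICTIONARY_WORDS:
        yield from mangle(word)
    for first, second in itertools.permutations(tokens, 2):
        yield first + second
        yield first.capitalize() + second
        yield first.capitalize() + second + "!"


def sha256_hex(password):
    """A fast, unsalted hash: the easiest kind of password file to attack."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash, profile):
    """Run the hybrid attack against one leaked digest. Returns the
    recovered password (or None) and how many guesses it took."""
    attempts = 0
    for guess in candidates(profile):
        attempts += 1
        if sha256_hex(guess) == target_hash:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample passwords: three the text warns against, and one
    # random string that none of these rules can reach.
    for sample in ("password", "alligator1", "Fluffy1985!", "xq7#Lm2pR"):
        found, attempts = crack(sha256_hex(sample), VICTIM_PROFILE)
        print(f"{sample:12} -> {found!s:12} after {attempts} guesses")
```

"password" falls on the second guess, "alligator1" and "Fluffy1985!" within a few thousand (under a minute even at the article’s online rate of 100 guesses per second), while the random string survives the entire candidate list. The point the text makes is visible in the order: anything built from the victim’s own life is tried before the generic dictionary words.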
Uniqueness
First off, we are going to tackle the problem of having the same password for all your apps/sites. The reason this is insecure is that if a cracker/hacker learns your password for 1 site, they will automatically try that password on other sites; attackers do this in bulk with leaked password lists, a practice known as credential stuffing.
Now I know what you are thinking: if you are like me you probably have accounts on hundreds of sites, and there is no way you will remember 100 different passwords. Well, there is. One of the ways I do it is by incorporating the name of the website/software into the password. One caveat: if the site name goes in verbatim, anyone who sees one of your passwords can guess the pattern for all the rest, so the twist you add around it matters.