Picking a good password

The security of your electronic data is only as good as your password. Why? Why is this such a big deal?

The main reason is there are at least two rudimentary “attacks” one can perform against your password: a dictionary attack and a brute-force attack.

  • Dictionary attack: use combinations of words found in the dictionary to find your password.
  • Brute-force attach: use all combinations of letters and numbers to find your password.

Let me give you a real example. I just whipped up a very basic program to calculate all the possible combinations of all of these characters, up to 6 characters long:

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz`~!@#$%^&*()_-+={[}]|\:;<,>.?/

Let me emphasize the significance of this. This includes everything from single letters or numbers, up to the word “Bike” or “zeBrA5” and every other combination of ALL of those characters.

On my 8-core processor, it took 5 minutes and 22 seconds to calculate ALL of those combinations up to 6 characters. Now, when you assume it takes perhaps a 10th of a second or more to “try” a password, you’re talking a long time – but it’s not unbreakable.

What is interesting, is this is all about numbers. Adding additional characters onto your password increases the time to break it, exponentially! So, you go from minutes, to days, to months, to years with each character.

The danger of using words:
I want to really make this clear. The approach above was talking about a 6-character password – a string of nonsense characters. If you replace those nonsense characters with words, you may feel a false sense of security.

In other words, you might think “my password is ‘GoatChicken10’, so I’m safe! My password is 13 characters!”

However, that is where dictionary attacks come in. That is where instead of testing every character, you test every word. So, in your case, that GoatChicken10 password is really like a 3-character password – in that it’s made of up 3 parts: “Goat”, “Chicken”, and the number 10. This password could be discovered in seconds, if not sub-second!

So, if you have any dictionary words in your password, it can be compromised very quickly.

What should I use?
Hopefully you see that anything short of a strong password can be broken in seconds, to minutes, by a knowledgeable attacker. So what should you use?

The guidance is typically:

  • Ideally 15 or more characters
  • Include upper and lower case letters
  • Include numbers
  • Include special characters (like: !@#$%^*(, etc…

An example might be: 6%j2#y#Ii$4)7_d

I can’t remember those hard passwords!
You are not alone! In fact, everyone struggles with this. There is one universal way this is solved – and that is to use a mnemonic device. Use a sentence to remember your password.

“jim is ALWAYS a #$% because he NEVER brings donuts on the 1st!”

That would be the sentence to remember a password of: “jiAa#$%bhNbdot1!” – a 16-character password that would take hundreds of years to break!

If you need help with creating a good password, there are sites like this:

http://strongpasswordgenerator.com/

This gives you a strong password and words to remember it with. For example:

cu%136+0139>ypA

Great password, right?! But yikes, how do you remember it? With this mnemonic:

charlie uniform % 1 3 6 + 0 1 3 9 > yankee papa ALPHA

That would take a few times to memorize, but that’s relatively easy, right? You can remember that in pieces. For example “136 plus 0139 is greater than yankee papa”.

One comment on “Picking a good password

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Archives
Categories

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 3 other followers

%d bloggers like this: