Password Strength and Quality: How to build, and use, a password that holds

You may have seen the recent headlines about hackers pilfering user passwords from public websites. Reports like these may make you worry about your privacy and the security of the personal information you enter into such sites. If so, you're paying attention, which is good, because there are some basic things you can do to protect yourself against these sweeping attacks.

Hackers are frequently able to pilfer passwords that are simple. There are, of course, the obvious no-no's: passwords such as "Password" or "1234" are easy to remember, but also easy to crack! Despite the obvious risks, you may be surprised that people actually use such passwords (in fact, both appear on the published top-10 lists of leaked passwords). The usual argument is that it's difficult to come up with a password that is complex enough to hold up against a concerted attack but still easy enough to remember to be practical. There is some truth to this complaint, but the unfortunate reality is that we are well past the days of simple, easy-to-remember security measures.

Here are a few tips for building secure passwords for the modern internet.

Length

Microsoft recommends that your password be at least 8 characters long; anything shorter hardly counts as a "real" password. Of course, the longer the password, the more combinations a hacker has to try before hitting yours. Specifically, every character you add multiplies the number of possible passwords by the size of the character set, so strength grows exponentially with length, not linearly. Run the math, and at about 15 truly random characters even the best modern hardware needs many years to work through the possibilities. Two caveats, though. First, how long a cracking attempt takes depends as much on how the website stores your password as on the password itself: a site that hashes passwords with a fast algorithm, or stores them in plain text, gives a hacker who steals the database an enormous head start. Second, what holds today might fall tomorrow; hardware gets faster and cracking tools get smarter every year. A 12-character password built from dictionary words or a predictable pattern, rather than drawn at random, can already fall in hours with today's tools, even though it looks long.

Complexity

Combine upper-case letters (ABCD), lower-case letters (abcd), numerals (1234), and special characters (!@#$%^&) to get the strongest passwords. The math is simple once stated plainly: a password drawn from a set of N characters has N possibilities per position, so adding a character class enlarges N and multiplies the number of passwords a hacker must "test" at every position. Fifteen characters drawn at random from all four classes (the 95 printable ASCII characters) gives 95 to the 15th power, roughly 2 to the 98th, possibilities. A hacker would have to make an astronomical number of guesses before approaching any reasonable likelihood of getting the whole password right, and making that many guesses takes far too long even for fast hardware; the hacker will probably move on to lower-hanging fruit. One caveat: the multiplier only applies if the characters really are chosen at random. Tacking "1!" onto the end of a word, or swapping "@" for "a", adds a character class on paper but is among the very first patterns that cracking tools try.
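To make the arithmetic in the Length and Complexity sections concrete, here is a small calculator added for this article (it is not a tool from the original page). It assumes an attacker making 10^11 guesses per second, roughly what a GPU rig manages against a fast, unsalted hash; that figure, and the 200,000-word dictionary and 7776-word diceware list used for comparison, are assumptions chosen for illustration.

```python
import math

# Assumed attacker speed: roughly a multi-GPU rig against a fast, unsalted hash
# such as MD5 or NTLM. Against a slow hash (bcrypt, scrypt, Argon2) the realistic
# rate is thousands of times lower, which is why how a site stores passwords matters.
GUESSES_PER_SECOND = 1e11

CHARSETS = {  # name -> number of distinct characters in the set
    "digits": 10,
    "lowercase": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "all printable ASCII": 95,
}


def search_space(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn uniformly from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits. Each position multiplies the space by alphabet_size,
    so the bits simply add up: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Same formula with words as the 'alphabet' (e.g. a 7776-word diceware list)."""
    return entropy_bits(list_size, word_count)


def expected_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Average time to hit a uniformly random secret: half the space at `rate` guesses/s."""
    return 2 ** bits / 2 / rate


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def strength_table(lengths=(8, 12, 15)):
    """Rows of (charset, length, bits, average years to crack) for the sets above."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            b = entropy_bits(size, n)
            rows.append((name, n, round(b, 1), years(expected_seconds(b))))
    return rows


if __name__ == "__main__":
    print(f"{'alphabet':24} len  bits  avg years to crack")
    for name, n, b, y in strength_table():
        print(f"{name:24} {n:>3} {b:>5}  {y:.3g}")
    # A dictionary word is one of ~200k choices, not 26^len, however long it is.
    print("one word from a 200k-word dictionary:", round(math.log2(200_000), 1), "bits")
    print("six diceware words (7776-word list):  ",
          round(passphrase_entropy_bits(6, 7776), 1), "bits")
```

Running it shows the point of both sections at once: eight lowercase letters fall in about a second at the assumed rate, twelve random printable characters take tens of thousands of years, and fifteen take nearly a million times longer than twelve. The last two lines show why "random" matters more than "complex": a long dictionary word is worth under 18 bits whatever its length, while six randomly chosen short words are worth about 77.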

Random

When hackers attempt to crack a password, they start simple. Their first guesses are drawn from dictionaries and from lists of previously leaked passwords, starting with the shortest (or most common) entries, and they work their way up through the usual variations: a capitalized first letter, a digit or two on the end, "@" for "a". If your password is in a dictionary or would turn up results in a Google search, any hacker worth their salt already has it on a list of things to try, and it will fall quickly whatever its length. To avoid this, a strong password must be genuinely random. Take care, however: random doesn't always mean what you think. Anything a person composes in their head, including "random-looking" keyboard walks and substitution tricks, has structure that cracking tools are built to model. In plain English, random must be done right, which in practice means letting a computer pick for you.

Fortunately, you don't need exotic equipment. Every modern operating system ships with a cryptographically secure random number generator, seeded from hardware noise, that programs can draw on, and there are also reputable online services that produce random numbers from physical sources such as atmospheric noise or radioactive decay. From these, properly random passwords can be generated; the password generator built into a password manager uses the same kind of source.

If this all sounds complex, that’s because it is. Fortunately, it doesn’t have to be for you. Check out the following links for some great resources that will help you get up and running with a strong password in no time.
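As an added example for this article (not code from the original page), here is how to let the computer do the picking, using Python's `secrets` module, which draws from the operating system's cryptographic random number generator. The character alphabet and the short word list are constructed for illustration; a real diceware list has 7776 words, and some sites will not accept every punctuation character.

```python
import secrets
import string

# The 94 printable ASCII characters other than space. Assumption: the site
# accepts all of them; trim the alphabet if it does not.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list; a diceware list has 7776 entries.
WORDLIST = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel", "harbor",
            "ivory", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pewter"]


def random_password(length: int = 15, alphabet: str = ALPHABET) -> str:
    """Each position is an independent, uniform draw from the OS CSPRNG via
    secrets.choice. Never use random.choice here: its Mersenne Twister output
    is predictable once enough of it has been observed."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def char_classes(password: str) -> set:
    """Which of the four classes from the Complexity section are present."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def random_password_all_classes(length: int = 15) -> str:
    """Rejection sampling for sites that insist on every class: draw again until
    all four appear. Every qualifying password stays equally likely, which the
    common 'pick one of each class, then shuffle' approach does not guarantee."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover four classes")
    while True:
        pw = random_password(length)
        if len(char_classes(pw)) == 4:
            return pw


def random_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: uniform draws from the word list. Far easier
    to remember than 15 random symbols, and with a real 7776-word list six
    words carry about 77 bits."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(random_password())
    print(random_password_all_classes())
    print(random_passphrase())
```

The passphrase generator is the practical answer to the "complex but memorable" complaint from the introduction: the randomness lives in which words were chosen, not in how hard they are to type.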

Variation

Even the strongest password can become compromised with time and neglect. The traditional advice, still found in many corporate policies, is to change your password at least once every three months, especially for important sites such as online banking and sensitive work systems; a recurring three-month reminder in your digital calendar makes that easy to keep up. Current guidance from NIST (SP 800-63B) no longer recommends forced periodic changes for their own sake, because people respond by making small, predictable edits to the old password. What matters most is changing a password promptly, everywhere you used it, when a site reports a breach or you suspect the password has been seen. That is because the most commonly compromised passwords aren't cracked at all; they're snooped, phished or stolen in bulk from a breached site. A prompt change keeps you one step ahead of the competition.

If you administer a website that collects and stores customer data, be extra cautious about what you use as your administrative password, and take special care over how many of your staff hold administrative privileges: grant them only to the people whose job requires them. If a hacker gains access to your site with your admin credentials, they can do a lot more damage than any ordinary user.

Variety 

Try not to use the same password for everything. If a hacker pilfers your password from a social media site and can then use it on your banking website and the other sites you use, you're in for a bumpy ride; automated "credential stuffing" tools exist precisely to try leaked username and password pairs against hundreds of other sites. Again, we know it's a bit of a pain, but using a different password for each online profile limits the damage when any single one of them is hacked, stolen or lost. In fact, some hackers don't bother with a computer or any software at all; they just make phone calls. It's called social engineering, and it's the process of gaining access to sensitive information simply by asking the right kinds of "innocent" questions. It requires some acting skill, but done well it is, sadly, very effective. If you use the same password or other security details (security questions, PINs) across multiple accounts, you're leaving yourself wide open to this kind of fishing expedition.

Password Use

So now that you've created your ridiculously long, incredibly secure passwords, what do you do next? Remembering which one you used where is a major pain; remembering even one of them can be a challenge. Naturally, you write them down, right?

Not so fast. Writing your banking password on a piece of paper at home and hiding it in a closet in case you forget might work fine; doing the same thing in your office probably isn't a good idea. Generally, recording digital passwords on analogue media such as paper keeps remote hackers away from their prize, since nothing online can read a notebook; however, leaving those papers open to physical access can be just as damaging as not bothering with a password in the first place. A password manager, which keeps all of your passwords encrypted under a single strong master password, is the digital equivalent of a locked drawer and is what most security practitioners now recommend.

One trick is to rely on obscurity. We've written before about the old Greek tale, told by Herodotus, of the message tattooed onto a slave's shaved head and hidden once the hair grew back; the same trick can work for your written-down passwords, especially if you're clever about it.

Here are some ideas:

  • Write parts of your password in different places that only you know about.
  • Don't label it as a password.
  • Write it down with an intentional substitution (such as a 1 for an I) that you'll remember when you read it back later.
  • Keep the written password somewhere separate, such as at home, where you can reach it but an office snoop won't easily find it.
  • Write yourself a mnemonic or monogram for the password, something that triggers only your memory.
  • Write the password out of order (just make sure you remember the correct order; backwards is probably too easy to guess).

Two-Factor Authentication

Ultimately, passwords may be dying out as our primary means of identification and authentication. The reason is that, while mathematicians can design passwords that are, for all practical purposes, unbreakable (even allowing for advancing technology), the humans who use them hit their limits long before the math becomes any real problem. In short, we simply can't remember truly secure passwords, least of all dozens of different ones.

This is not to say that you shouldn't use a password; that would be crazy. But please do consider some of the rapidly developing alternatives. One great option that is quickly becoming commonplace is two-factor authentication. Under two-factor authentication, something more than the password is required for account access: a code from an app or hardware token, or a confirmation on your phone. A password that has been snooped or guessed is then not enough on its own. These methods are not without their faults (a one-time code can still be phished and relayed in real time, which is why hardware security keys are the stronger choice), but they dramatically reduce your chances of falling victim to a social engineering "hack" or a snooping effort.

Let us help

We realize that we've thrown a lot at you in this article, and it's meaty stuff to boot. Never fear, we're here to help. Ottenhoff Consulting has a strong background in IT security and would be happy to lend you our expertise.

Editor

Kjeld Lindsted
Content Architecture, Copywriting, and Editing
