The importance of strong Pa$$w0rd5

In an age where individuals can have usernames and passwords to dozens of websites, forums, PCs, and mobile devices, and with increasing concerns over personal data security, it’s perhaps incredible that the number one most popular password is…’password’.

Yes. Seriously.

First of all, if you’re one of the many people out there using that eight-character word as your password, go and change it and then come back to read the rest of this blog…

Ok, let’s continue.

So what makes a good password? It’s a question that will no doubt continue to plague humanity as more and more data is uploaded and stored online, whether that’s bank account details, embarrassing photos on Facebook, or plain old emails – well, it’s certainly something plaguing those individuals using the likes of ‘password’, ‘12345678’, or ‘abc123’ as their password.

Recently one of our IT department bods made an impassioned call for improvements to be made to employee passwords, and offered some top advice on how to create some robust examples:

Good passwords are over eight characters in length and contain a mix of the following:

  • Alpha-numerical characters (A-Z, 0-9)
  • Upper and lower case characters
  • Symbols

It’s also a good idea not to use dates of birth or names of friends and loved ones, or even favourite movies and TV shows. Instead, build passwords from a combination of words; for instance, “T-he S-ecurity G-uard D-ownstairs I-s A G-rumpy P-erson” translates into the following mix of characters and symbols: 't$gd1aGp'.
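The rules above (more than eight characters, a mix of upper and lower case, digits and symbols, nothing on the common-password list) and the phrase-to-initials trick can both be written down as code. The following is an added example, not code from the original post: the five-entry common-password set is a constructed stand-in for a real top-10,000 list, and the substitution rule ('s' to '$', 'i' to '1', first initial upper case) is an assumption, since the article's own 't$gd1aGp' is not produced by one fixed rule. Note that 't$gd1aGp' is exactly eight characters, so it fails the article's own length rule.

```python
import re
from typing import Dict, List

# Constructed sample of well-known weak passwords. A real checker would load a
# list of the top 10,000 (the article mentions such a list) instead of this
# hypothetical five-entry set.
COMMON_PASSWORDS = {"password", "12345678", "abc123", "qwerty", "letmein"}

# Assumed substitution rule used when deriving a password from a phrase.
DEFAULT_SUBSTITUTIONS: Dict[str, str] = {"s": "$", "i": "1"}


def policy_failures(candidate: str) -> List[str]:
    """Return the article's rules that `candidate` breaks (empty list = passes)."""
    failures = []
    if len(candidate) <= 8:
        failures.append("must be longer than eight characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        failures.append("must mix upper and lower case")
    if not re.search(r"[0-9]", candidate):
        failures.append("must contain a digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        failures.append("must contain a symbol")
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("appears in the common-password list")
    return failures


def phrase_to_password(phrase: str,
                       substitutions: Dict[str, str] = DEFAULT_SUBSTITUTIONS) -> str:
    """Take the first letter of each word, keep the first one upper case,
    lower-case the rest and apply the substitution table (assumed rule)."""
    initials = [word[0] for word in phrase.split() if word]
    if not initials:
        return ""
    out = [initials[0].upper()]
    for ch in initials[1:]:
        ch = ch.lower()
        out.append(substitutions.get(ch, ch))
    return "".join(out)


if __name__ == "__main__":
    derived = phrase_to_password("The Security Guard Downstairs Is A Grumpy Person")
    for pw in ["password", "t$gd1aGp", derived, "Th3Secur1tyGuard!"]:
        print(f"{pw!r}: {policy_failures(pw) or 'passes all rules'}")
```

The checker reports every rule a candidate breaks rather than stopping at the first, which is what a user-facing form needs in order to explain a rejection.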

Also, when you’re on the move, try not to log into bank or social media sites from a third-party public computer or free Wi-Fi point, and do not save passwords on public computers (cafés, hotels, airports), as key-logging software could be running.

Oh, and it’s a nice idea to change key passwords on a fairly regular basis too.

So how secure is your password? Do you use a heady and complex mix of alpha-numerical characters and symbols? Recently I stumbled on a site that claims to estimate how long it would take a desktop PC to crack any password. All you have to do is enter it into the input box, and howsecureismypassword.net does the rest – revealing the length of time, offering advice on how to make your password more secure, and whether it appears in the top 10,000 most popular passwords.

For the record, there’s definitely a wide gap in the security of my passwords, with one apparently capable of lasting up to just 3 hours against a hack from a single desktop PC, and another said to be strong enough to last up to 39 thousand years (and no, I’m not telling what they are!) However, if one of your passwords checked on the site is capable of holding off a hacking attack for 6 noventrigintillion years, then the chances are you’re probably being a tad too paranoid…


Comments

Good advice...

TimGraham50 | | Permalink

...that idea about using complex acronyms ('The Security Guard...' etc) because the big problem here is that need for security and the need to be able to remember lots of different passwords are in direct conflict with each other.

(And I hate to nitpick but " it’s perhaps incredible that the number one most popular password is…’password’." - It's not incredible at all. Something has to be the most popular password and it would be far more incredible if it was something like "f$ggblah67". It is, however, incredible that anyone would still use 'password' for anything sensitive.)


flip side password generator site.    1 thanks

pastyboy | | Permalink

http://strongpasswordgenerator.com/

Always use https:// securely encrypted links when available.

Look for the padlock on your login page.

Check facebook and google security settings and set to https:// (SECURE ONLY).

Is revealing your password to an unknown website a good idea?

christopher_knight | | Permalink

Since the "howsecureismypassword" site can tell you whether it is in the top 10,000 passwords it presumably has a database which could be hacked. Is it really a good idea to add your nice secure password to a large database of known passwords?! Do you know who is running the site?


Revealing your password

davidwinch | | Permalink

If my password was "EdMiliband" then on the 'howsecureismypassword' site I would enter "DavidCameron" and see how that fared.

Incidentally I tried "TSGdiagp" (based on The Security Guard downstairs is a grumpy person) and it fared reasonably well - and it is much easier to remember than t$gd1aGp as suggested in the article!

David


How secure

Jon Wilcox | | Permalink

Hi Christopher_Knight,

Thanks for your comment, I hope you enjoyed the blog. In answer to your question, there's no context for the passwords to be used. It's also worth remembering that if your password isn't on the list of 10,000 passwords the chances of it being used via a database hack on the site is pretty slim. I'm also sure the site doesn't save the entries...and even if it did as there's no context I would hope the security of the password would remain high.

Best,

Jon


How Secure

christopher_knight | | Permalink

Jon,

I agree there is no context from this site for the password to be used but my comment was a more general one about giving out passwords. The site you gave seems genuine but I'm sure some people could be persuaded to check their password on a site which also asked for their email address ( so they could be sent a "whitepaper" about password security for example) which clearly could start to provide a context for a hacker. Fixed IP addresses could also give a context in relation to company employees.

Having looked at the javascript behind the page the password list contains such items as 4ng62t and pyf8ah as well as rather more obvious ones and Mark's blog at xato.net indicates that a lot of these have been collected by hacking (by other people) so there is certainly a case for using a different password for each site you visit. You could use a common root password and add the site name (in some modified form) to create the unique password which could still be remembered.

Chris


I did like that joke...    1 thanks

Old Greying Acc... | | Permalink

The website said I needed an 8 character password so I chose Snow White and the 7 dwarves!

Depends upon level of security required ...

JC | | Permalink

'.. and do not save passwords on public computers ..' - Do not save on ANY computer

Having a single password is also a vulnerability and additional validation such as Captcha (currently possible to crack) or Question/Answer (i.e. result of 1 + 1) is always going to be better protection. Two methods (Two-factor authentication) of validation increases the odds of security considerably; as do tokens, one way hashing, period lockout after n tries etc.

But at the end of the day it is all down to practicality and having upwards of 100 login/passwords to remember is absurd and perhaps one needs to take a view on the individual site and the effects of compromising the security

For instance would one really care if someone obtained your Aweb password - although one might be rather more concerned if they obtained your bank account login

Windows Login Passwords

ianlawrance1 | | Permalink

An interesting discussion....clearly important for more "sensitive" sites at least....

But in a business Client/Server environment, where there are, say, 20 PC's/Users attached via LAN to a Server, what is the advice for Windows Login Passwords?

My view is "no different from anywhere else", however, my practice currently uses shared Windows passwords for "all staff", "all managers", and "all Directors" (so 3 passwords in total)... I just made a recommendation to change to individual "personal" passwords, which was rejected...

Is this common practice, and I'm paranoid?


"try not to log into bank

MatthewSteeples | | Permalink

"try not to log into bank sites or social media sites using a 3rd party public computer or free Wi-Fi point"

If you are on your own laptop then logging into these sites is fine on a free wifi point as long as you are using https (and can see the padlock icon in the address bar).

very good

The Black Knight | | Permalink

Or you could just request a new password each time you forget yours, or write them down on a post it note on your computer, the HMRC passwords are so long and stupid that this is the resultant behaviour needed to get the job done.

I occasionally have issues with pin numbers,

I have one Card I cannot use because I have never remembered the pin number.

The other I use for fuel etc. and have forgotten that too. Trying to explain to the sales assistant that this was not the only number running around in my brain that day and that my short term memory had absorbed thousands that day to do my job was not an effective chat up line and made me look like an accountant.

She did eventually take sympathy on me (after shouting at me first) when I offered to do the washing up. Instead she pulled a machine from under the counter and we used a method of the previous century to process my credit card transaction and I was released a free man apart from the CCTV that is still keeping an eye on me ! LOL

I think most people's attitude is that there is no such thing as secure data or privacy anymore, you only have to look at the posts on facebook to see that most are unconcerned by this as comments range from the daft to malicious defamation.

We do try and comply with password torture but if there's an option I revert to old fashioned methods and will purchase a book in preference to some online substitute or will simply live without.

Looking forward to an excess of space debris and less satellites !


Top tip!

Jon Wilcox | | Permalink

The use of a common root password plus the site name is a great tip Chris!

Jon


next generation passwords

The Black Knight | | Permalink

May well be TCSOTM or HNBC or TR1$FM0TP

Can you guess what they are yet?

Surely the hackers will move on to develop their software to look for sayings using $ for S's etc

There must be some science on what expressions (passwords) you will use based on age, gender, background and education. Does hacking software take this into account or have I spotted a marketable opportunity ?

even the number you choose may be influenced by your culture 8's for chinese, 7's for UK

never a 13 if you are a christian or 6's if you are not LOL

How many of us never issued invoice number 13 ?

108 days

The Black Knight | | Permalink

for one of the above ! The hackers software needs some improvement !!

Roboform

Robjoy | | Permalink

I have no connection with the owners of Roboform, I'm just a long time fan. I use Roboform Pro.

I have loads of login information stored on it, and I use it to generate (very quickly and easily) good new passwords. It also allows me to store "Safenotes" of other vital bits of info, apart from logins, and I keep my Bookmarks (aka Favorites) on it.

So my logins, other secure info and bookmarks are computer and browser-independent, but private. The only risk is if Roboform's server were seriously hacked - there's no life without risk.

Pa$$w0rd5

The Black Knight | | Permalink

scored 108 days as well !


Special characters not acceptable in some cases

DMGbus | | Permalink

I favour the use of special characters for inclusion in passwords, but there is at least one bank doing business in the UK that will not accept any password that includes a special character!


This is fairly standard advice...

phoare | | Permalink

... and is unfortunately very misleading if not downright inaccurate.

Yes, it's common practice to suggest, or even insist on an eight-char password including digits, special symbols etc. All of which is much better than an eight-char password made up just of letters especially if that's a dictionary word but it is still an order of magnitude easier to break than a non-dictionary word of 12 lowercase characters.

What would you find easier to remember, some of the suggested passwords above or:

- allyouneedislove

- iamthewalrus

- iwanttoholdyourhand

- thelongandwindingroad

(replace with any other title or lyric from your favourite song)?

The above are all MUCH more secure than an eight-char password made up from any combination of upper & lower case plus digits plus symbols and - certainly in my case - hugely quicker to type and remember. 

Just to be clear though, we're talking about security in terms of a brute-force, try every possible permutation. You're far more likely to suffer a security problem due to rogue software capturing keystrokes of whatever length or capture of passwords over the network (especially WiFi). 

Rubbish

DavidH | | Permalink

phoare wrote:
...wall of text....

I'm sorry to say this but this is complete nonsense. Do you actually understand what a brute force is?

Let's put it in simple terms for those who would not understand me if I started getting into bit sizes and character encoding and keep it basic.

Say I have a password which is 10 characters long and is all lower case. This means a brute force attack will try all 26 alphabetic characters for each of the 10 characters in my password before it would eventually brute force it.

By simply adding upper case characters I am doubling the attempts to 52 * 10, if I add numbers I increase this by a further 10 (63 * 10) and so on until I get into special characters which raises the ceiling exponentially.

So let's take your example that a 12 lowercase character password is more secure than an 8 character password which, in this instance will only use the added complexity of uppercase.

Your password is 12 * 26 in strength (312), the latter is 8 * 52 (416). How is yours more secure? Simple answer. It's not.

For those of you finding it difficult to remember complex passwords there is a very simple way of remembering them, come up with a memorable phrase or song lyric.

So for example: Droning in the shrine of the sea monkey

As long as I remember that my phrase starts with a capital letter and that I always substitute i for the number 1 and s for a $ sign I can create the password.

D1t$ot$m

Simple, strong, secure.

@DavidH

phoare | | Permalink

Sorry DavidH, but it's your maths that is wrong.

Assuming that you even know that my password is wholly lowercase, a 12-char password is 26^12 (NOT 26 times 12) which is in excess of 95 quadrillion possible combinations.

An 8-character password made up from let's say 96 possible characters (thus 26 upper, 26 lower, 10 digits and a heap of symbols) has a possible 7.2 quadrillion combinations (96^8). Hence an order of magnitude difference.

Your "strength" calculation derived by simply multiplying the number of possible characters in any position by the length is meaningless.

dare I ask ?

The Black Knight | | Permalink

Is the PC that is cracking your passcode by trying every permutation, hampered by a 3 attempts and you are out rule or a time out function ?

And why is a 4 digit number a suitable password for your credit card ?


Bunkum

pawncob | | Permalink

This is bunkum. I got a crack time of 169 days and by adding one digit increased it to 600 years. Must be a pretty slow computer when it gets to 10 HEX.

Also, it may be possible to crack the password, but then there is the small matter of testing each one on my bank's secure site. As it dumps me after three attempts, it would take several million years to test the derived passwords.

BUNKUM.


Less of the "nonsense", "bunkum" & "rubbish", please

John Stokdyk | | Permalink

Some of this discussion has taken me out of my mathematical comfort zone, but could those taking part in the debate try to keep away from personally belittling those with whom they disagree.

There's a fine line between robust debate and personal abuse and I wouldn't want anyone to cloud an otherwise fascinating exchange by crossing it. Thanks.

@kalden    1 thanks

phoare | | Permalink

kalden wrote:

Is the PC that is cracking your passcode by trying every permutation, hampered by a 3 attempts and you are out rule or a time out function ?

And why is a 4 digit number a suitable password for your credit card ?

Good points which bring me to the other point which I was going to raise. What constitutes an adequate password is also determined by what it is that you are protecting. Any decent online system will permanently lock an account after a few attempts (although there's a good study somewhere on Microsoft's website which discusses why the three-strikes-and-out is somewhat arbitrary and should really be loosened to allow at least five in an attempt to lessen the support processes around unlocking a password (which in themselves often present a security risk)). For such a system, there is little point using a complex password - you just need something which no-one is going to guess in their first three attempts, although this assumes that no-one is looking over your shoulder as you type. That's why a four-digit number is deemed suitable for your credit card although it's partly a compromise between security and being easy to remember.

But password protecting a file say, which someone can then copy and attempt to crack the protection at their (possibly-infinite) leisure, is a whole different ballgame.

I stand corrected! phoare is

DavidH | | Permalink

I stand corrected! phoare is indeed correct that to work out all possible permutations the calculation is actually:

complexity ^ length

For some reason I had it in my mind as the other way around. I believe I may have misinterpreted what phoare was getting at in his post. In fact he is still using the same complexity but just increasing the length from 8 to 12. This in essence will always allow you to use less complex characters as the length increases (he could have used all uppercase and got the same result) but to actually enforce users to create a 12 character password that is not a single word is one reason why complexity rules are enforced.

My initial thoughts from reading phoare's post was that he was suggesting removing the complexity rules made things more secure, just by increasing the length. In essence though that's not quite correct since you could have a complexity of 1 and a length of 10 billion, the result would always be 1 permutation.

If I changed the example so that I use a complexity of 96 (uppercase/lowercase/numbers/specials chars) and just increase the length by 1 to a 9 character password this is then in turn more secure than the password using only 26 (lowercase chars) with a 12 character password.
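The exchange between phoare and DavidH settles on keyspace = alphabet size raised to the power of the length, and the earlier questions from The Black Knight and phoare about three-strikes lockout and four-digit PINs turn on the difference between online guessing (rate-limited by the service) and offline cracking (attacker holds a copy of the hash or file). The block below, an added example and not any commenter's code, carries those calculations through: the 96-character alphabet is phoare's figure, while the one-billion-guesses-per-second offline rate is a constructed placeholder, since the real figure depends entirely on the hash algorithm and hardware.

```python
import math
from typing import Tuple

# Alphabet sizes used in the thread: 26 lower case, 52 with upper case, 62 with
# digits, and 96 once symbols are added (phoare's figure; the exact symbol set
# it implies is an assumption).
LOWER, MIXED_CASE, ALNUM, FULL = 26, 52, 62, 96

# Constructed placeholder for an offline guess rate; real rates vary by orders
# of magnitude with the hash function and hardware.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords: alphabet_size ** length, not alphabet_size * length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent key length in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def offline_crack_years(alphabet_size: int, length: int,
                        guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to find a uniformly random password by exhaustive search when
    the attacker holds the hash and is not rate-limited. On average half the
    keyspace is tried before the right one turns up."""
    seconds = keyspace(alphabet_size, length) / 2 / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def online_success_probability(alphabet_size: int, length: int,
                               attempts_before_lockout: int) -> float:
    """Chance of guessing a uniformly random password when the service locks the
    account after a fixed number of wrong attempts (assumes no shoulder-surfing
    and no leaked copy of the credential)."""
    return attempts_before_lockout / keyspace(alphabet_size, length)


def stronger(a: Tuple[int, int], b: Tuple[int, int]) -> str:
    """Compare two (alphabet_size, length) pairs by keyspace."""
    ka, kb = keyspace(*a), keyspace(*b)
    if ka == kb:
        return "equal"
    return "first" if ka > kb else "second"


if __name__ == "__main__":
    cases = [("12 lower-case", (LOWER, 12)), ("8 full-alphabet", (FULL, 8)),
             ("9 full-alphabet", (FULL, 9))]
    for label, (n, length) in cases:
        print(f"{label:16} keyspace={keyspace(n, length):.3e} "
              f"bits={entropy_bits(n, length):5.1f} "
              f"offline ~{offline_crack_years(n, length):.1f} years")
    print("4-digit PIN, 3 tries then lockout:",
          online_success_probability(10, 4, 3))
```

Two things the numbers make visible: the 12-character lower-case password has about 13 times the keyspace of the 8-character full-alphabet one (phoare's "order of magnitude"), and a permanent three-attempt lockout leaves an online guesser a 0.03% chance against a four-digit PIN regardless of how fast their hardware is, which is why the same PIN that is adequate online would be hopeless protecting a file someone can copy and attack offline.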

LastPass.com

RichHolt | | Permalink

I'd recommend looking at LastPass. Whilst it will not solve network passwords it will give you strong passwords for any web sites you use without having to remember them. All you have to remember is your central LastPass password and it looks after the rest.

The security and encryption it uses is military grade and it also has a password generator.

The site describes all the features much better than I can so take a look. I've been using it for several months now after it was recommended to me by an IT Consultant and now find it invaluable.

I agree with RichHolt

VegasMAK | | Permalink

Lastpass.com is my weapon of choice in the password wars.

I also think its value as a secure method of storing passwords is massively increased by lastpass giving the option to add multi-factor authentication (though there is a small charge for this)

You not only need the password for your "vault" you also need your USB key fob to access your passwords.

@Jon my only concern with the root password + web site name is that should your email address and one of your passwords become compromised, it wouldn't take the 'compromiser' too long to try out all the "big" sites (amazon, paypal etc) to see if you had used the same formula there.


What if LastPass....

JC | | Permalink

and what happens if LastPass is compromised?

http://pcper.com/news/General-Tech/Potential-LastPass-Break-Disclosed-La...

http://threatpost.com/en_us/blogs/lastpass-asks-users-change-password-af...

Also there are things to be aware of

http://forums.lastpass.com/viewtopic.php?f=6&t=50539

As a hacker why would one want to go anywhere else but a place where all passwords were held - in one fell swoop you have everything

Indeed

VegasMAK | | Permalink

Some good points @JC


Taking your second point first if I may. You can't rely on someone or something 100% to hand hold you and I agree the log out after 15 minutes option should be the default.

1st Point

Lastpass.com is only a start but so is being careful what you download (http://www.howtogeek.com/59103/important-warning-be-careful-downloading-...), locking your screen when you leave your desk etc. Combine lastpass, with some of the advice from the article and contributors above and you are making a good start.

I also think if you "put yourself in harms way" (so to speak) before Lastpass, you'll likely be at risk when you do use it.

As for the security breaches, I recall reading about that even before I signed up. As far as I can remember User names and hashed passwords may have been taken. I'd venture that unless you have a very simple password, hacking the hashed password to get at your stored passwords would take a long time.

That said, you'd think you'd be safe giving Sony your credit card details, wouldn't you................


Numerous Passwords

pjd17mini | | Permalink

Of course, in an ideal world, you would have different passwords for anything, but the sheer number of sites needing passwords makes this very difficult if you do not resort to writing them down.

Perhaps this blog would be a good place to review some of the software available with assisting you with this, or even simpler software for securely recording notes/passwords etc?

I am ok at picking memorable words and making them less obvious for password purposes, but it all falls down when I am asked to include x many upper and lower case letters - whilst I remember the password, I do tend to forget the upper & lowercase mix.

P

Password related (almost) humour...

Jason Piper | | Permalink

http://xkcd.com/936/

I always try to sneak in a £ sign if possible having once heard that most brute force cracking programs are American & therefore don't check it. May or may not be true...

I've also found car number plates a handy alternative to dictionary words; with new style ones, just hold the shift key down for the first 3 characters to get your symbol/UC/lc mix, and add the stock letter of your choice, ie first letter of the site name... 
