Trying to find a balance between security and usability can sometimes be problematic. Passwords are a great example of that. If you have no password rules people can make their password the letter “a”. On the other hand we all have a site or two where the password requirements are so strict that logging into that site is a 25 minute ordeal. All too often once you remember which set of at least 20 lower case letters, capital letters, numbers, special characters, Egyptian hieroglyphics, and interpretive dance moves unlock your account, your password needs to be changed because each password is only good for a fortnight.
There are some basic things you want to avoid with passwords:
1) No single words. No pet names. Not your name. If your password can be found in the dictionary, a book of baby names, or on your Facebook profile, change it now. An imperfect but serviceable rule of thumb is that a password should be at least 8 characters and contain a Capital letter, a Lower case letter, a Number, and a Special character (punctuation and the like). From now on I will refer to this as CLNS.
2) Don't repeat passwords. Your Twitter password should not be your Hotmail, Gmail, and/or Facebook password. It's often not the "big guys" getting breached that does the damage. Some of the biggest problems come from smaller, less secure sites getting hacked, after which the attacker has 100,000 email/password combinations to try on the "big guys" (this is called credential stuffing). If even 2,000 of them work, that's a huge security issue. They don't have to hack Facebook to get your Facebook password if you use the same email and password elsewhere.
Aside 1: Types of attacks
There are two main ways someone can get your password:
They search for the low hanging fruit in a large collection of users.
Sometimes the passwords are stolen en masse, and sometimes an attacker simply tries logging in en masse. Your account may have been compromised in such an attack, but they weren't after you. They wanted to steal something, anything, and went for a drive down the street looking for people who left their front door open.
They’re after you.
They've cased your place. They know your dog's name, your kids' names, your favorite sports teams, bands, and TV show. This kind of targeted, social-engineering attack is mostly aimed at celebrities and public figures and is much rarer for the average person, but it can happen, especially if your password is built from exactly those details.
We’re All Bad At Passwords
The first issue is often handled for us. You can’t use your dog’s name straight up anyway, because most websites enforce some take on CLNS and you probably didn’t name your dog “~mUffi.n5t”. Here’s the big problem though: Forcing users into CLNS rules can lull people into a false sense of security. When told we can’t use our dog “Scooter” as our password because it doesn’t conform to CLNS rules, we don’t go “oh, right, that’s a silly password.” We make it “Scooter73!” or “Sc00t3r!”. We’re not nearly as clever with our passwords as we think we are, but we think we’re safe because of the number and punctuation. If your dog’s name is Scooter, then Scooter73! is not a good password either. That goes double when “73” is the year you were born.
Now, of course "Scooter73!" is a better password than "password", but that doesn't make it a good password. The problem with a random password like "o.5ty8-uib3d" is that you would have to devote a month of your life to memorizing it. The problem with anything we can memorize easily is that an attacker can usually guess it in a few tries. That's the conundrum.
Making a Good Memorable Password
What if I told you that any four random common words (random in the true sense, chosen by dice or a program, not look-around-the-room random) make a really good password? Passphrases like "west wind live variety" and "town ants anywhere because" are almost certainly better than most of what we're using now.
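To make the "random in a true sense" part concrete, here is an added example (mine, not the original post's) that draws the words with Python's secrets module, the standard library's cryptographic random source, and works out how many bits of entropy the result carries. The 16-word list is a constructed sample for the demo; the figures in the text assume a real list of about 2,048 words, and only the list size changes the arithmetic.

```python
import math
import secrets

# Constructed sample list for the demo. A real passphrase list is much larger:
# the 17.6-trillion figure in the text corresponds to about 2,048 words, and the
# EFF long list has 7,776. Only the list size changes the arithmetic below.
SAMPLE_WORDS = [
    "west", "wind", "live", "variety", "town", "ants", "anywhere", "because",
    "copper", "ladder", "orbit", "quilt", "ferry", "maple", "signal", "harbor",
]


def generate_passphrase(words, count=4, sep=" "):
    """Draw `count` words uniformly at random from the OS entropy source.

    secrets.choice is the whole point: random.choice is seeded from predictable
    state and must not be used for anything secret. Words are drawn with
    replacement, so repeats are allowed and every phrase is equally likely.
    """
    if len(set(words)) != len(words):
        raise ValueError("duplicate words would make some phrases likelier than others")
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_bits(list_size, count=4):
    """Entropy in bits of `count` independent draws from a list of `list_size` words."""
    return count * math.log2(list_size)


def words_to_match(list_size, alphabet_size, length):
    """Fewest words from a `list_size` list needed to equal the entropy of a random
    `length`-character password over an alphabet of `alphabet_size` symbols."""
    target_bits = length * math.log2(alphabet_size)
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(f"{phrase!r}: {passphrase_bits(len(SAMPLE_WORDS)):.1f} bits from this toy list")
    print(f"four words from a 2,048-word list: {passphrase_bits(2048):.1f} bits")
    print(f"eight random printable characters: {8 * math.log2(94):.1f} bits")
    print(f"words from 2,048 needed to match eight random characters: "
          f"{words_to_match(2048, 94, 8)}")
```

Four words from a 2,048-word list are 44 bits; eight truly random printable characters are about 52 bits, and a fifth word closes that gap. The toy list above is only 16 bits for four words, which is why the list size, not the word count, is what you should look at when picking a generator.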
At the risk of getting too technical, all that password requirements like CLNS actually do is increase the number of candidates a would-be password cracker has to try. For a truly random 8-character password there are something like 6,096 trillion possibilities: about 94 printable characters for each slot and 8 slots, so 94^8. Four random common words, drawn from a list of about 2,000 words (2,048^4 in the figures below), comes out to around 17.6 trillion possible passwords. At first blush that sounds like a huge difference; after all, the space is roughly 350 times smaller. But let's analyze "Scooter73!" type passwords. Let's even make it hard, and assume I didn't go on Facebook to find the ample evidence of your dog's, son's, or daughter's name. A little googling turns up baby books that claim to have 100,000 names in them, so let's start with that worst case. Assume 100,000 names, that people capitalize the name, put punctuation at the beginning or end, and either begin or end it with a number or make common o-to-0 style substitutions. (There are a lot of assumptions there, but honestly, how many passwords you consider "safe" does that sound an awful lot like?) That's more like 410 million passwords, give or take. Now let's say I know you have a dog named Scooter, a cat named Felix, and a son named Steven. I'll even allow a little more randomness with a couple of numbers, or one number before and one after. In that case you're more on the order of 200,000 potential passwords. That might still sound like a lot, but see Aside 2 for how truly pitiful it is.
Aside 2
Assume a password cracker gets 1,000 guesses per second. This is conservative for online guessing: it assumes automated login attempts against a website that has no rate limiting or lockout after failed attempts.
Password scheme                    Candidates        Time at 1,000 guesses/second
Random 8 chars                     6,096 trillion    194,000 years
Random four words                  17.6 trillion     550 years
Scooter73! (any name)              410 million       4.75 days
Scooter73! (name options known)    200,000           3.3 minutes
Now assume a web service has been hacked and the attacker downloads the user accounts and their hashed passwords to their own system (a site that does this right stores a salted hash of each password, not the password itself, and not a reversible encryption of it). This happens fairly often, and it is usually what lies behind the breach stories you hear. The big takeaway is that in that case the cracker tests guesses locally, at rates more like 100 million per second. That figure is conservative for a fast hash such as MD5 or SHA-1 on a GPU rig; if the site used a deliberately slow hash such as bcrypt, scrypt, or Argon2 the rate drops by orders of magnitude, but you don't get to choose what the site used.
Password scheme                    Candidates        Time at 100 million guesses/second
Random 8 chars                     6,096 trillion    2 years
Random four words                  17.6 trillion     2 days
Scooter73! (any name)              410 million       4 seconds
Scooter73! (name options known)    200,000           0.002 seconds
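The tables above are plain arithmetic, and the "Scooter73!" estimates are really a small rule-based search. The following added Python example (my own, not from the original post) reproduces both: keyspace and worst-case crack time for each scheme at the two guess rates, plus an enumeration of name-based candidates under a constructed rule set (as typed or capitalized, o-to-0 style substitutions, a two-digit number at either end, a trailing punctuation mark). The 2,048-word list size, the 94-character alphabet, and the guess rates are the figures implied by the text; the rule set and the names scooter, felix, and steven are assumptions for the demo, so the "any name" count lands in the same hundreds-of-millions range as the text's 410 million rather than matching it exactly. It also prices the 62-character manager-generated password discussed later on this page.

```python
import math

ALPHABET = 94               # printable ASCII without space, the text's 94-per-slot estimate
WORD_LIST = 2048            # list size behind the text's 17.6 trillion four-word phrases
ONLINE_RATE = 1_000         # guesses/second against a live login form (the text's figure)
OFFLINE_RATE = 100_000_000  # guesses/second against a stolen hash database (the text's figure)
YEAR = 31_557_600           # seconds in a year

LEET = str.maketrans("oeias", "03145")   # the "o to 0 style substitutions" the text mentions


def keyspace(symbols, length):
    """Number of equally likely candidates when each of `length` slots holds one of `symbols`."""
    return symbols ** length


def bits(space):
    """Entropy in bits of a uniformly chosen value from a space of this size."""
    return math.log2(space)


def seconds_to_crack(space, rate):
    """Worst case for the attacker: every candidate is tried at `rate` guesses per second."""
    return space / rate


def human(seconds):
    """Render a duration on the same scale the tables use (years, days, minutes, seconds)."""
    for unit, size in (("years", YEAR), ("days", 86_400), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


def pattern_candidates(names):
    """Enumerate "Scooter73!"-style passwords built from a list of known names.

    Constructed rule set for this example: as typed or capitalized, with or
    without leet substitution, an optional two-digit number at the start or
    end, and an optional trailing punctuation mark. Real cracking tools apply
    rule sets exactly like this to a wordlist instead of brute-forcing.
    """
    candidates = set()
    numbers = [""] + [f"{n:02d}" for n in range(100)]
    puncts = [""] + list("!@#$%&*?")
    for name in names:
        for base in (name.lower(), name.capitalize()):
            for form in (base, base.translate(LEET)):
                for num in numbers:
                    for p in puncts:
                        candidates.add(form + num + p)   # Scooter73!
                        candidates.add(num + form + p)   # 73Scooter!
    return candidates


if __name__ == "__main__":
    known = pattern_candidates(["scooter", "felix", "steven"])   # names the attacker looked up
    any_name = len(pattern_candidates(["scooter"])) * 100_000    # scaled to a 100,000-name baby book
    rows = [
        ("Random 8 chars", keyspace(ALPHABET, 8)),
        ("Random four words", keyspace(WORD_LIST, 4)),
        ("Scooter73! (any name)", any_name),
        ("Scooter73! (names known)", len(known)),
        ("62 random chars (manager-generated)", keyspace(ALPHABET, 62)),
    ]
    for label, space in rows:
        print(f"{label:36} {bits(space):6.1f} bits  "
              f"online {human(seconds_to_crack(space, ONLINE_RATE)):>20}  "
              f"offline {human(seconds_to_crack(space, OFFLINE_RATE)):>20}")
```

Running it prints one row per scheme with bits of entropy and worst-case crack time at both rates. The point of pattern_candidates is that nobody brute-forces "Scooter73!"; an attacker applies rules like these to a name list, and a few thousand candidates per name is all the "complexity" that CLNS really buys.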
So There You Have It - The Perfect Passwords...Right?
Ok, so, four random word passwords are more memorable than the standard approach, and a tremendous upgrade over what we can actually remember and think is secure for us right now. You'll have to pass CLNS rules on lots of sites, but in this case the four random words are doing the "heavy lifting", so just capitalize all the words, and add "2015!" to the end and you'd be set. So, go forth and start changing your passwords. Just keep in mind we still haven’t addressed that other major thing you need to avoid with passwords, and that is password repetition. So now you need to make an individual four word password for your bank, google, amazon, facebook, twitter, work, hotmail, windows pc, credit cards, etc etc etc.
So, you could come up with one good base password and some way to tailor it to the site, say g67fk!3.ge.c for GooglE.Com and g67fk!3.tr.c for TwitteR.Com. But anyone who obtains one of those passwords from a breached site can figure out the scheme and derive the rest, and it only lasts until the first site asks for a new password but doesn't allow old ones to be reused. It seems no matter what we do we can't have passwords that are good, unique, and memorable all at once.
And that’s the Problem
See, the fundamental error we've been making in our password schemes for years is that everything we do revolves around the premise that we have to remember our passwords. Writing them down anywhere, ever, is a cardinal sin. In reality it doesn't matter how memorable our passwords are, because we all have 20-200 passwords in our lives. We can't remember that many distinct passwords, and certainly not that many hard-to-crack ones. This is an area where you need to let technology step in.
Chrome, for example, can remember your passwords for you and sync them to every device where you also use Chrome. That way you only need to remember one strong password, the one for your Google account, and everything else is remembered for you. Add extra protection to that Google account by enabling 2-step verification. With it on, someone who learned your Google password would also need your phone for it to do them any good. (Although it should go without saying: don't actually tell people your password, and treat the codes from your phone as passwords too.)
You can, and should, go one step farther with a service like LastPass. LastPass generates passwords as well as remembering them, and syncs them across devices and browsers. This is very powerful, because taking password generation out of your hands takes the guessable, personal element out of the equation: there is no dog's name or birth year for an attacker to work from. You can generate random passwords of any length, shoot well past eight characters, and easily reach a complexity that no amount of computing power will ever brute-force. After all, if you don't have to remember it anyway, your bank password could be "zBhsLy!eB&4JI&n-DlDrH1kOSRf4*barWQ5r1a24-fOy9KNdzkl^%tm$vdqVBU".
In this case you’d only have to remember one good password, your LastPass password. I recommend LastPass only because I personally use it and it has done its job well so far. However, there are numerous companies and programs that provide the same type of service. There is sometimes a small fee for some of the more “advanced” features, but many, including LastPass, do all the important stuff for free.
I would highly recommend checking one of them out. If you aren’t ready to put all your most important eggs in one basket, start small. The next time you sign up at a random forum to make one comment, instead of reusing a password from your past, let LastPass handle it. If that forum gets hacked, you're protected. Just remember that if you're reusing passwords, you've already got all your eggs in one, or a handful, of much less secure baskets.