Thursday, December 29, 2011

Selecting a Secure Password

A password is the most popular way to authenticate users of websites and online services.  Although other authentication methods exist (such as biometrics and smart cards), they typically require the user to own a special piece of computer hardware.  Because passwords do not require any special hardware to log in, they are the simplest and most ubiquitous authentication method used today.  Passwords are required to log into computer operating systems, email accounts, bank accounts, online shopping websites, web forums, subscription-based services, databases, private networks, and even blogs like this one.  It is important to select strong passwords for your online accounts, with sufficient length and complexity to thwart hackers who may attempt to guess or crack them.


Password Strength

Password strength can be defined as the effectiveness of a password against guessing and brute-force password cracking attacks.  Some websites will automatically rate your password strength when you create a new account.  For example, Gmail will tell you whether your password falls into one of the categories Too Short, Weak, Fair, Good, or Strong.  Password strength is determined by length, complexity, and predictability.

Password Length

Generally, the longer your password is, the more secure it will be.  Length makes it impractical for hackers with password cracking software to try every possible password in order to gain access to your account: the longer the password, the more possible combinations there are for the attacker to try.  Here is a table of the number of possible password combinations, which increases exponentially with the length of the password.


You may believe that 1 billion password combinations is good enough for a 5 character-long password, but brute-force password cracking software can test passwords at a rate of 10 million per second.  At that rate it would take a password cracker 1 ½ minutes to find your password and gain access to your account.  Compare this to a 10 character password, which would take the same password cracker 3,654 years to crack!
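The arithmetic behind the paragraph above, as an added example that is not part of the original post.  The page does not say which alphabet its table used; the script assumes a 64-symbol alphabet (64^5 is roughly 1 billion, and 64^10 at 10 million guesses per second comes to roughly 3,650 years, which matches the page's figures) and the page's rate of 10 million guesses per second.  The `alphabet_size` helper, the 32-symbol punctuation class and the sample passwords are my own additions.

```python
import math
import string

GUESSES_PER_SECOND = 10_000_000          # rate quoted on the page
SECONDS_PER_YEAR = 365.25 * 24 * 3600
PAGE_ALPHABET_SIZE = 64                  # assumption: reproduces the page's figures

# Character classes an attacker has to cover once a password uses them.
# 32 is the number of printable ASCII punctuation symbols.
CHARACTER_CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
]


def alphabet_size(password):
    """Size of the alphabet a brute-force attacker must search for this password."""
    size = 0
    for chars, class_size in CHARACTER_CLASSES:
        if any(c in chars for c in password):
            size += class_size
    return size


def combinations(length, alphabet=PAGE_ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet ** length


def crack_seconds(length, alphabet=PAGE_ALPHABET_SIZE, rate=GUESSES_PER_SECOND):
    """Worst-case time to try the whole keyspace; on average an attacker needs half."""
    return combinations(length, alphabet) / rate


def entropy_bits(length, alphabet=PAGE_ALPHABET_SIZE):
    """The same keyspace expressed in bits: each symbol adds log2(alphabet) bits."""
    return length * math.log2(alphabet)


def human_duration(seconds):
    """Render a duration in the largest convenient unit."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def strength_table(max_length=12, alphabet=PAGE_ALPHABET_SIZE):
    """Rows of (length, combinations, worst-case crack time) like the page's table."""
    return [(n, combinations(n, alphabet), human_duration(crack_seconds(n, alphabet)))
            for n in range(1, max_length + 1)]


def estimate(password):
    """Keyspace and worst-case brute-force time for a concrete password,
    judged only by its length and the character classes it uses."""
    alphabet = alphabet_size(password)
    return combinations(len(password), alphabet), crack_seconds(len(password), alphabet)


if __name__ == "__main__":
    for n, combos, duration in strength_table():
        print(f"{n:2d} characters: {combos:>26,d} combinations, {duration}")
    # Constructed sample passwords, not from the page.
    for pw in ("abcde", "Kv9#tLq2&Rp"):
        combos, secs = estimate(pw)
        print(f"{pw!r}: {combos:,d} combinations, {human_duration(secs)}")
```

Note that `estimate` is the calculation a crack-time calculator performs, not a measure of how guessable a particular string is: a dictionary word drawn from a 94-symbol alphabet scores the same as a random string of the same length, which is why the complexity and predictability sections below matter as much as length.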


The absolute best security practice is to make your password as long as the website or database will accept.  Some websites like Google (including Gmail, Blogger, and Youtube) accept 32 character-long passwords.


Password Complexity

In addition to selecting a password of decent length, it is important for your password to be complex in nature.  Passwords that are also words in the dictionary can easily be discovered by a password cracker.  Advanced password cracking software will use a dictionary file (also known as a wordlist) containing all words in the English dictionary to attempt to discover the password.  This is a much more efficient method than a brute-force attack that tries all possible passwords from “a” to “zzzzzz”.



The password cracker may also attempt variations of dictionary words using common substitutions as seen below.


Likewise, a secure and complex password should also not have an inherent pattern.  These include sequential numbers and keyboard patterns as shown in the table below.  Such passwords are so commonly used that a password cracker will include them in their wordlist as well.



Password Predictability

Predictable passwords can be easily compromised by simple guessing.  Of course, if the attacker knows you personally or has done some research about you, it will be much easier to guess likely passwords.  You should never use a password that matches your username, relatives' or pets' names, romantic partners, favorite sports team, or biographical information such as birth date, telephone number, or Social Security Number.
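A small checker that applies the complexity rules from the previous section (dictionary words, common substitutions, sequences, keyboard patterns) and the predictability rule from this one (personal information), as an added example that is not code from the original post.  The wordlist, the substitution table and the keyboard rows are constructed for the example and deliberately tiny; a real password policy would compare against a full dictionary and a list of leaked passwords.

```python
import re

# Constructed sample wordlist; a real check uses a full dictionary file.
WORDLIST = {"password", "welcome", "sunshine", "dragon", "monkey", "football", "letmein"}

# Common substitutions, reversed, so "p@ssw0rd" normalizes back to "password".
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t",
})

# Rows of a US keyboard; runs along a row (or backwards) count as a pattern.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def normalize(password):
    """Lowercase and undo the common letter-to-symbol substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def strip_affixes(word):
    """Drop leading/trailing digits and punctuation so 'password123!' still matches 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", word)


def is_dictionary_word(password):
    """Check both orders: strip then normalize ('p@ssw0rd123') and normalize then strip ('$unshine')."""
    candidates = {normalize(strip_affixes(password.lower())), strip_affixes(normalize(password))}
    return any(c in WORDLIST for c in candidates)


def has_sequence(password, min_run=4):
    """True if min_run consecutive characters ascend or descend by one (abcd, 4321)."""
    s = password.lower()
    for i in range(len(s) - min_run + 1):
        chunk = s[i:i + min_run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_keyboard_pattern(password, min_run=4):
    """True if the password contains min_run adjacent keys from one keyboard row."""
    s = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            run = row[i:i + min_run]
            if run in s or run[::-1] in s:
                return True
    return False


def contains_personal_info(password, personal):
    """personal: strings such as the username, names, birth year, phone number or team."""
    raw, norm = password.lower(), normalize(password)
    return any(len(p) >= 3 and (p.lower() in raw or normalize(p) in norm) for p in personal)


def weaknesses(password, personal=()):
    """Reasons the password fails the page's complexity and predictability rules;
    an empty list means none of these checks fired (length is judged separately)."""
    problems = []
    if is_dictionary_word(password):
        problems.append("dictionary word (after undoing common substitutions)")
    if has_sequence(password):
        problems.append("sequential characters")
    if has_keyboard_pattern(password):
        problems.append("keyboard pattern")
    if contains_personal_info(password, personal):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not from the page.
    profile = ["jdoe", "Fluffy", "2011"]
    for pw in ("P@ssw0rd123", "abcd1234", "Fluffy2011!", "Kv9#tLq2&Rp"):
        print(f"{pw!r}: {weaknesses(pw, profile) or 'no weaknesses found'}")
```

The check runs server-side at account creation or password change, where it belongs; the personal-information list is whatever the site already knows about the user (username, display name, date of birth), so a password that embeds any of it is rejected before it is ever stored.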



Related Links

An excellent free website to help you generate random complex passwords according to length and selectable fields (characters, numbers, symbols, and uppercase letters).

Provides very detailed calculations of how long it would take a computer or a cluster of computers to crack different kinds of passwords.

The United States Computer Emergency Readiness Team (US-CERT) National Cyber Alert System on choosing and protecting passwords.