How Good Is Your Password

We are always being encouraged to set a good strong password, but what is a good password and how do you create it?

Recently, advice on passwords changed. For many years the advice had been to choose long, highly complex passwords featuring letters, numbers and special characters, and indeed many password checkers still rely on this to decide whether a password is good or bad. However, this has been questioned recently for several inter-related reasons: it failed to take into consideration that people are predictable, so they either wrote the password down somewhere; or they used logical words with predictable substitutions (eg pa$$w0rd); or they simply used one of the popular passwords (eg 123456, qwerty, 1q2w3e4r, mynoob, password).

The logic behind the complex password is that it makes brute-force cracking harder by increasing the number of possible combinations. For example, an 8-character password using just lower-case characters has 208,827,064,576 possible permutations; if you include upper and lower case characters that becomes 53,459,728,531,456 possible solutions; include numbers as well and it becomes 218,340,105,584,896 possible solutions; and if you were to include just the 10 symbols above the number keys it would expand to 722,204,136,308,736 possibilities. Each increase in complexity multiplies the number of possible solutions, and hence a computer takes longer to cycle through them.

The predicted times to crack these, according to an online password tester assuming a modern desktop PC, are:
qscfthnj (8 lowercase characters) – 9 minutes
QscFthnJ (8 upper and lowercase characters) – 2 days
Q5cFthnJ (8 upper, lowercase and numeric characters) – 6 days
Q5cFthn* (8 upper, lowercase, numeric and special characters) – 6 months

However, as I pointed out before, these predictions of password strength are slightly misleading because they work purely on the complexity of the password and not its content. People are not computers and do not easily remember random strings, so they either use a ‘memorable’ password (such as a pet’s name, favourite team, etc) or they create one or two ‘strong’ passwords and reuse them for everything (both bad ideas). I am guilty of this too: I have created passwords based on memorable words and then used them on multiple sites. (Kl33nex is a lot easier to remember than Of7gcP6, for example.)

So what is to be done? The current suggestion is to use word strings, eg onetwothreefour, as they are more easily memorable and hopefully produce longer passwords. However, this idea is flawed: it overlooks the human tendency to still use memorable (ie predictable) words in the string, and most password cracking tools use dictionary attacks, trying known words in combination and with obvious substitutions first.
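As an added example (not code from the original post), the script below puts the complexity-only figure that online testers report (alphabet size to the power of the length, which gives the four numbers above) next to a content check that undoes the obvious substitutions before a dictionary lookup, and shows what a generator produces instead. The word list, substitution table and guess rate are constructed assumptions; a real cracking dictionary holds millions of words and leaked passwords.

```python
import secrets
import string

# Constructed mini word list standing in for a cracking dictionary; real
# tools use lists of millions of words and leaked passwords.
COMMON_WORDS = {"password", "kleenex", "qwerty", "123456",
                "one", "two", "three", "four"}

# Substitutions a dictionary attack tries first ("pa$$w0rd" -> "password").
LEET = str.maketrans({"$": "s", "0": "o", "3": "e", "1": "i",
                      "@": "a", "4": "a", "5": "s", "7": "t"})

CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
           "!@#$%^&*()"]  # the ten symbols above the number keys


def keyspace(password: str) -> int:
    """Complexity-only figure most online checkers use: (alphabet size) ** length.
    For 8 lower-case characters this is 26**8 = 208,827,064,576."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return alphabet ** len(password)


def crack_time_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case brute-force time at an assumed (constructed) guess rate."""
    return keyspace(password) / guesses_per_second


def dictionary_hit(password: str) -> bool:
    """Content check: lower-case, undo the obvious substitutions, then look for
    a word list entry (whole, or as a run of entries like onetwothreefour)."""
    lowered = password.lower()
    plain = lowered.translate(LEET)
    if lowered in COMMON_WORDS or plain in COMMON_WORDS:
        return True
    i = 0
    while i < len(plain):  # greedy split into known words
        for j in range(len(plain), i, -1):
            if plain[i:j] in COMMON_WORDS:
                i = j
                break
        else:
            return False
    return True


def generate(length: int = 16) -> str:
    """What a password generator does: uniform choice from the full alphabet
    using the OS CSPRNG (secrets), so there is no word to look up."""
    alphabet = "".join(CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Kl33nex and Of7gcP6 get exactly the same keyspace from the complexity-only check, yet only the first one falls to the dictionary lookup.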

A better solution is to use a password manager in combination with a password generator to create and store stronger, random passwords. There are many password managers available, with different features and price tags; different people will opt for different solutions based on their needs and their attitude towards risk and convenience.

But what is a password manager anyway? At its most basic it is a list of passwords and login details stored in a single location. Ideally you would want the storage to be ‘locked’ but still reasonably accessible. A simple but effective enough solution would be a spreadsheet or text document that is password protected, ideally without too obvious a name; eg passwords.xls rather gives away to someone looking through your files what is inside 🙂 Dedicated password managers can offer additional features, such as auto-completing website login forms, sharing the passwords between devices, and generating secure passwords.

As I said previously, there are dozens of password managers, each with their relative strengths and weaknesses, and what one person considers a strength another may consider a weakness. Things to consider when choosing a password manager:
How strong is the encryption on the storage?
Does it integrate with other software, eg browsers?
Will it generate passwords, and how much control do you have over this process?
Can it be used on just one device, or multiple devices?
Is it online or offline, ie can you access it anywhere with an internet connection, or do you need to install it on the device first?

My preferred solution is KeePass because it is platform independent (works on just about anything: Windows, Linux, Mac, Android, iOS, BlackBerry, etc), it is free, the app is separate from the password database, password databases can be secured by password or key file, auto-completed passwords can be sent in multi-pass mode (which prevents keyloggers capturing the password en route), it uses AES encryption, it is totally portable (can be run from a USB stick without installation on Windows systems), and it is OSI certified. NOTE: for me the fact that it is not by default an online app is a bonus (although you could upload the password databases to an online file sharing service), but others may find this a drawback, not least the fact that you have to manually sync separate copies if it is installed on multiple devices. Horses for courses.
Other password managers include:
1Password
Dashlane
LastPass
LogMeOnce
Keeper
Password Boss
Roboform
Sticky Password
True Key
