A lot of opinions about what makes a password strong have been thrown about lately. Unfortunately, a lot of them are wrong.
If you only take away one thing from this article, let it be this: don’t believe everything you read about password best practices. Today I’m going to dispel some of these myths, and I want to tackle two approaches in particular that concern me.
Correct Horse Battery Staple – http://xkcd.com/936/
This comic has been linked to a lot since its release and at least gets points for trying. The only problem with it, however, is that it relies on common dictionary words. According to the Oxford Dictionary there are 171,476 words in current use in the English language. If we were to assign a unique number to each of these 171,476 words and use a 4-word combination of them, we’d end up with a truly staggering number of combinations to exhaust! Problem solved, right?
No. The average English-speaking person can’t even spell “hippopotamus” correctly and is limited to a vocabulary of 25,000 to 50,000 words (this number varies with demographics, education level, etc., and is still disputed). And of these, most people limit themselves further to words dealing with their daily lives: “coffee”, “office”, “stapler”, “fire” and other equally common words. That is, if they are not completely lazy and go with “password123”.
What we end up with is maybe 500 highly common words that form the pool from which such passphrases are constructed. 500 words in 4-word combinations is 500^4, or 62.5 trillion, combinations. Sounds great, right? “My little brother will have to pass the work on to his grandson before my password is discovered!” I hear you say. Except that with a technique called brute force searching, 62.5 trillion combinations can be exhausted in far less time than that. In fact, the more patterns a hacker can discern in your word choice, the smaller the search space becomes and the faster the search finishes.
Furthermore, this approach does not scale. There are only so many nonsensical word combinations a person can remember. After a while they begin to blur together, and soon you can’t tell whether it was “house ball sky dog”, “ball cucumber torch pin”, or “house pin sky torch”.
Memorable Passwords – http://lifehacker.com/184773/geek-to-live–choose-and-remember-great-passwords
First let me say that I have a tremendous amount of respect for Gina Trapani. But this time I’m afraid she is wrong. Why? Again, patterns.
What makes the password memorization technique she advocates easy for you to use makes it equally easy to exploit for hackers who anticipate that you’ll follow her advice. Using public knowledge like a spouse’s name or your anniversary date is questionable at best. If I know you, chances are I know your spouse. Even if I don’t know you, I can dig through your trash and find out.
The only way this improves on the XKCD approach is that it’s easier to associate a password with a web site, because an underlying pattern unites them. Remember, that is not a good thing; it just makes you less likely to get confused.
What Makes A Password Safe?
The short answer: randomness.
The long answer:
Remember, from whom are you trying to keep your password safe? Your nosy siblings and coworkers? Or somebody more nefarious, like a hacker? Your password is only as safe as it is unknown to the people who would attempt to discover it. Understanding the tools and knowledge they possess, as discussed above, should show why just about all the advice flying around out there is flat out wrong.
But It’s Still Too Hard To Remember “e$-UqPs3”
That IS hard to remember; there’s no contesting that. But again, what makes it hard for you to remember is what makes it more secure. A hacker is still going to pull out the brute force search here and will perhaps arrive at your password. However, this password is stronger, if for no other reason than that it has no discernible patterns.
Moreover, if you occasionally change your password it becomes a moving target. By the time the hacker finds your password, you’ve already moved on to a new one!
How should you remember this password? Don’t. There’s an iPhone app for that! All you need to do with this app is create one memorable login password behind which all your hard-to-remember passwords are protected. This memorable login password is hashed with an algorithm called BCrypt, which is extremely resilient against brute force attacks because it takes an inordinate amount of time to check each password guess. So even if you lose your iPhone, the likelihood of your login password being discovered is near zero.
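The paragraph above describes protecting a vault of stored passwords behind one master password that is hashed with a deliberately slow function. The following is an added example (not the app’s code, and not bcrypt itself) showing that mechanism with PBKDF2-HMAC-SHA256 from Python’s standard library, chosen because bcrypt needs a third-party package; the idea is the same: a random salt per record, a tunable work factor, and a constant-time comparison when verifying. The record layout, the function names and the 600,000-iteration default are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Hypothetical vault record layout, constructed for this example:
#   pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumed work factor; tune so one check takes a fraction of a second
SALT_BYTES = 16
DIGEST_BYTES = 32


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow key derivation: every iteration costs an attacker the same time it costs us."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=DIGEST_BYTES)


def hash_master_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                         salt: Optional[bytes] = None) -> str:
    """Produce the record stored on the device. A fresh random salt per record means
    identical passwords give different records and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_master_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and work factor, then compare in constant time."""
    try:
        algorithm, rounds_text, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(rounds_text)
    except ValueError:
        return False          # malformed record: refuse rather than crash
    if algorithm != ALGORITHM or rounds <= 0:
        return False
    candidate = _derive(password, salt, rounds)
    return hmac.compare_digest(candidate, expected)


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Measure how many checks per second this machine manages at a given work factor.
    An attacker holding the record is bound by the same cost per guess."""
    record = hash_master_password("benchmark-only", iterations)
    start = time.perf_counter()
    for _ in range(samples):
        verify_master_password("benchmark-only", record)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    record = hash_master_password("one memorable login password")
    print("stored record:", record)
    print("correct password accepted:",
          verify_master_password("one memorable login password", record))
    print("wrong password rejected:",
          not verify_master_password("one memorable login passw0rd", record))
    for cost in (1_000, 100_000):
        print(f"work factor {cost:>7,d}: about {guesses_per_second(cost):,.0f} guesses/second")
```

`guesses_per_second` makes the cost visible: raising the work factor a hundredfold cuts the number of guesses per second on the same hardware by roughly the same factor, which is exactly why a slow hash protects a stolen vault long after a fast one would have fallen. In a real vault the key that encrypts the stored passwords should be derived separately (a different salt or context string) from the value stored for verification, so that the stored verifier never doubles as the encryption key.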
There is no magical solution that will result in memorable and safe passwords. But we can up the ante against hackers by equipping ourselves with the tools and discipline to combat theirs.