Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
If you value your privacy, you must learn how passwords work, how the attacks that attempt to break them work and finally how to choose a strong password that won’t break no matter what you throw at it.
Most people don’t have a proper system for managing passwords. They pick the easiest password that they can remember and probably reuse it in multiple places. In this tutorial we’ll take a look at why this needs to change and how to replace this ad hoc process with a secure and more convenient approach.
Rule #1: The longer the better:
The most secure websites don’t enforce ridiculous password requirements such as:
- At least 1 upper case
- At least 1 symbol
- At least 1 number
- At least 1 goat sacrifice
The last one makes about as much sense as the other rules that are supposedly meant to protect you. Let’s see why.
What’s your name? Never mind, I shall call you Kevin. Okay then Kevin, think of a password that’s easy to remember and adheres to the nutty rules above.
There. The website is happy, you are happy and the NSA is really happy.
Okay, so that is clearly easy to guess. Let’s say it wasn’t:
How about now? There are about 7.7 million 5-character passwords that conform to the above rules. That doesn’t sound like so few, but roughly speaking, if you’re a gamer (that is, if you own a decent GPU) your computer could brute-force the password in about a heartbeat. So even a completely random password is useless if it’s too short.
You can play around with this tool to see the magic of combinatorial explosion.
Rule #2: It must not be related to YOU
Hold on a second. You didn’t choose a random password above. You are Kevin. You chose “Kev1n”. You know what that means? It means that the attacker wouldn’t even have to attempt a brute force (which is usually the last resort). With a bit of information about the victim, a smart targeted dictionary attack yields a list of passwords that the victim is likely to have picked.
So, how does this work? How does a hacker build a wordlist in 2017? Let’s take a look.
Let’s assume the attacker knows your name: Kevin. Now, one of the most common things people do is simply append “123”. What if the attacker built a program that automatically does this? Our list is now:
And of course, we’re going to have upper and lower case:
Maybe the program also replaces all I’s with 1’s.
And don’t forget
Do you see where we’re going with this? Today, you don’t even need to program your own such tool, several are freely available on the internet (more)
Here are a few more passwords. Think about how easily an automated tool could generate passwords like these.
There’s a common theme here. Passwords are difficult to remember, so we try to find tricks to help us remember. We use our name, our birthday, things we like, things that are important to us. And today, these things are easy to find. Are you sure you’ve tweaked your Facebook privacy settings just right? Does your email contain your name? Do you remember all the websites you’ve signed up for? Do you know if any of them have been hacked? Can you think of anyone you know who might want to take a peek at your messages? After all, it is far more likely that someone you know, someone who knows these things about you, would be interested in your accounts and private data than some random hacker on the internet.
But most of us do realize that these things make passwords insecure, so we don’t use them directly. We use patterns like ‘123’ and ‘qwerty’ and tricks like ‘Kev1n’ to try and obscure our passwords. And so we are lulled into this false sense of security and herein lies the biggest vulnerability in passwords, one that hackers can exploit.
Don’t take any chances. Your password must not be related to you in any way.
And this brings us to…
Rule #3: Just make it random
This is all that’s left. Gone are the days when clever password tricks could have offered us some sort of protection. I wrote another article on the same topic a few years back and I myself outlined several such strategies that were secure enough for the time. But things have changed now. These old habits are just that - old, and so they must be eradicated.
How should you choose a password in 2017? You shouldn’t. Just make it random.
A truly random password around 20 characters long would take all the computers in the world running together for trillions of years to break. I think we can call that safe enough for 2017 (and beyond).
Settle down, Kevin. I know what you’re about to ask.
How the hell am I supposed to memorize 20 random characters?
Wait a second, you’re not planning to use the same password everywhere right? How can you be sure that a website is storing passwords securely? Losing one password could mean losing all your accounts. We need to win every single time, they only need to win once.
Rule #4: Use a password manager
Think for a second, how many accounts do you have? Gmail? Facebook? Twitter? Paypal? Amazon? 10? 20? 30?
These last couple of rules are how we finally address the longest-standing vulnerabilities in any password-based system (and arguably any system): humans and our infinite capacity for laziness.
Using a password manager allows you to use secure passwords (that is, long and random) without having to remember them. Plus, modern password managers come with nifty features such as browser extensions that automatically type in the password for you. In most of these tools, a single master password (one that you do need to remember) is required to unlock all your passwords.
I recommend LastPass. It is one of the most popular password managers out there, comes with tons of features such as browser extensions and mobile apps and is very easy to start using.
So, Kevin, what are you waiting for? Here’s what you need to do:
- Get yourself a random password from here
- Pick your favorite password manager
- Change all your accounts’ passwords to new randomly generated ones
- Breathe a sigh of relief knowing that all your passwords are secure and from now on you’ll only need to remember one master password.
A few more considerations:
- Make sure that your master password itself is secure but still easy to remember
- Want to take it to the next level? Look into setting up self-hosted password managers. You can think of these as being similar to LastPass except they run on your own private server. You can only be truly sure of an app or service’s security when it’s open source and running on your own hardware. Trusting other people’s code makes you vulnerable. Check this out for a collection of applications that you can run on your own servers.
- Feeling paranoid that you might get locked out of your accounts now that all your passwords are random? You can simply create a local encrypted backup, for example, using VeraCrypt, where all your passwords are safely stored.