Wednesday, March 21, 2012

How to Make Your Passwords Not Suck

In today’s online and connected world, passwords are a painful but necessary part of life. As an I.T. professional, I see someone almost every day that’s frustrated by some kind of password problem. I see many people who just don’t understand good passwords and have no concept of how to make them easy and secure. A little understanding and planning prior to being asked to select a password can alleviate some of the frustration that leads to weak and unsafe passwords.

Why Your Passwords Suck

Your passwords suck because passwords suck. Passwords, as a solution to the problem of authenticating a user, are a spectacular failure on a cosmic scale. They must be complex but easy to remember. We're not supposed to write them down. You must use a different password on every system. I can’t, for the life of me, think of something analogous to passwords that would help illustrate how terrible of an idea they are. Passwords suck and we're stuck with them because they’re the only solution we have. Go ahead and shift the blame. It’s password’s fault.

People get bogged down trying to raise their simple, go-to password to the requirements of the current system. Boring people with “best practices” does not help. The term “best practices” is one of the most overused terms in the information technology field. “Best practices” are methodologies that... blah blah blah... snore… password1. Mostly, “best practices” are how things should be done in an environment that no one ever uses. They’re an ideal to work toward. Here are a few time-honored ones for passwords:

  • Don’t use dictionary words (using a dictionary is one of the easiest ways to crack a password)
  • Don’t use the most commonly used passwords (this IS the easiest way to crack someone’s password)
  • Your password must be longer than x number of characters (x is getting bigger all the time)
  • Your password must be upper and lower case (this expands the number of possible passwords – more on this in Part 2)
  • Your password must contain a number (this also expands the possibilities)
  • Your password must contain a symbol (you know... punctuation and stuff – more expanding possibilities)
  • Don’t ever write your password down (finding the word “pencil” on the bottom of a pad of paper next to the computer is how I changed my grades in high school – or maybe that was a movie)
  • Make your password something that’s easy for you to remember (yeah, right!)
  • Don’t ever use the same password for different sites, systems, etc. (this could be the worst mistake, ever)

The expectation that a new user is going to be able to come up with a password that meets these requirements, on the spot, is laughable. Sure, on their own these requirements are pretty simple to meet, but when combined, especially the last two or three, they’re nearly impossible. As with many “best practices,” most people don’t even come close. They're not impossible because someone set the requirements too high; these requirements are exactly what is needed. They're impossible because we have been beaten to death with the wrong approach or no approach at all.

How to Make Your Passwords Not Suck

Passwords that don't suck aren't passwords at all. Stop using passwords. Instead, use a passphrase that meets or exceeds the requirements for just about every system. Passphrases can come from anything in our lives that we remember. Especially those things that get stuck in our heads like songs, lyrics, movie lines, nursery rhymes, memorable quotes, and so on. If we need a password that’s 8 or more characters and must have a capital letter, MarysLamb1 is much more secure than Password1, for a number of reasons, and just as easy to remember. #MaryHad1Lamb is astronomically harder to crack and not much harder to remember or type.

The hardest password to guess would be a maximum-length string comprised of all the possible types of characters on the keyboard in a completely random and unique order. This super password would be comprised of upper and lower case letters, numbers, and symbols combined in an order that’s absolute gibberish. While this might look like the best password on paper, when looked at from the perspective of how passwords are cracked, it's not much different from a password of the same length containing dictionary words, upper and lower case letters, numbers, and symbols. This makes sense mathematically, and it has been validated by others including Steve Gibson of the Gibson Research Corporation and Security Now podcast fame. He’s created a webpage called Password Haystacks that illustrates this theory and his own clever way of creating passwords that don’t suck. We’ll go into this in depth in Part 2 if you’re interested in the nitty gritty. Besides all that, almost no one could remember that super password and no one would want to type it in all the time.

Incorporating symbols into a passphrase can be relatively easy to do and remember by using “l33t” speak. l33t is a geek culture way of dressing up words with symbols, numbers, or abnormal capitalization. You can use a zero to replace the letter o, the number 3 for e’s, an @ symbol or the number 4 for a’s, etc. See the examples below. The somewhat tenuous premise that zeros look like o’s and 3s look like backwards capital E’s can make it easy to remember how it’s used in your passphrase. Use as much or as little as you like. While I’m willing to bet a large sum of money that everyone trying to crack your password knows about l33t speak, they don’t know if or how you’re using it, and it wouldn’t much matter if they did. What you cannot do is take common words or passwords and add l33t speak to them in a predictable way. Mathematically, "P@ssw0rd" is much harder to crack than just "password". However, they're both common enough to be on a list of passwords to try first.
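To make the two points above concrete (the exhaustive search space depends only on length and the character classes present, and none of that matters for anything on a "try first" list), here is an added example in the spirit of the Password Haystacks calculation. It is not code from the post or from GRC; the common-password list and the one-trillion-guesses-per-second rate are constructed assumptions for illustration.

```python
import math
import string

# Constructed stand-in for a cracker's "try first" list (assumption for this
# example; real wordlists contain millions of entries and their l33t variants).
COMMON_PASSWORDS = {"password", "password1", "p@ssw0rd", "123456", "qwerty", "letmein"}


def alphabet_size(pw: str) -> int:
    """Alphabet an attacker must assume, from the character classes present.
    Symbols counted as 33 (printable ASCII punctuation plus space), as Haystacks does."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33
    return size


def search_space(pw: str) -> int:
    """Haystack-style exhaustive search space: every string of length 1..len(pw)
    drawn from the alphabet implied by the classes present. Note it never looks
    at *which* characters were used, only how many and from which classes."""
    base = alphabet_size(pw)
    return sum(base ** n for n in range(1, len(pw) + 1))


def years_to_exhaust(pw: str, guesses_per_second: float = 1e12) -> float:
    """Worst-case time to try the whole space at an assumed (constructed) rate."""
    return search_space(pw) / guesses_per_second / (365 * 24 * 3600)


def on_common_list(pw: str) -> bool:
    """Search-space math is irrelevant if the password is on a try-first list."""
    return pw.lower() in COMMON_PASSWORDS


def assess(pw: str) -> dict:
    """Summary a user could read: big search space is necessary but not sufficient."""
    return {
        "password": pw,
        "length": len(pw),
        "alphabet": alphabet_size(pw),
        "bits": round(math.log2(search_space(pw)), 1),
        "years_at_1e12_per_s": years_to_exhaust(pw),
        "on_common_list": on_common_list(pw),
    }
```

Running `assess` over "Password1", "MarysLamb1", "#MaryHad1Lamb" and a random 13-character string shows the random string and the passphrase have identical search spaces, while "P@ssw0rd" scores well on the math and still fails the list check.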

I can't emphasize this strongly enough: Strong passwords or passphrases that you use on multiple systems or sites are still passwords that suck. For example, if you use the same password on your Bank of America account and Facebook, someone that has your Facebook password has your banking password. As you can see, being forced to change all the passwords that are the same as the one that got cracked might be the least of your worries. The solution for this is LastPass. See the upcoming Part 3 of this series or just go to their website and find out for yourself. It’s the best thing on the internet, and it's free.

Build a pattern into your passphrases that is uniquely yours and share it with no one. For example, keep in mind that when you need a password you always use a few words from famous quotes, start it with a # symbol, and end it with three 7’s. Maybe something like #IHave@Dream777. That's a pretty strong password. Remember to use all the possible types of characters: symbols, upper and lower case, and numbers. This is orders of magnitude more important than password length, but length is important as well. It’s the only way to get a stronger password once you’re using all the options. Unfortunately, some systems don’t allow symbols or limit the length of the password to some small number. In this case, size really matters. You might have to modify your pattern to work on these flawed systems. Deciding on a plan before you're pressed into action will go a long way toward success.

Frustration Free Technology

We have a plan and our own, personal "best practices" for passwords that meet or exceed the strength requirements of almost any system. If we stick to our plan, we’ll have strong and memorable passwords. Using strong passwords that are easy to remember can help make the Internet and much of today's technology easier and safer to use. Passwords that don't suck allow for less anxiety and a little bit more peace of mind.

“l33t” Speak:

elite (leet)  = 1337 (or eLitE)
The hackers are here = th3 hax0rs R h3r3

Passphrase Examples:


This is part one of a three-part series. Part 1, which you just read, is about memorable passphrases for easy-to-remember and secure passwords. Essentially, passwords that don’t suck. Part 2 is a more in-depth look at how password cracking is done and why passphrases as described in Part 1 are almost as secure as random gibberish. Part 3 is about password management and the best utility on the internet, LastPass. All three parts stand on their own and can be read individually or in any order.

image by: thanunkom