Friday, 21 January 2011

How to choose better passwords

If you have read some of my previous blogs, you will have an understanding that passwords are a very weak form of authentication, mainly due to the difficulty users have in choosing strong and memorable passwords.

Here I discuss four ways to improve your password choices.

This is the best advice I can give to help people choose stronger passwords.



A bit about poor password choice

Often users choose simple passwords, and use the same password for all their services, both at work and at home. These are both bad ideas.

Simple passwords are easy and fast to crack with widely available automated tools. I know from experience, as I have cracked many passwords recently under test conditions, many in under a second, and certainly most in under 5 minutes.

Using the same password in multiple places means that once a password is compromised on one system, say your home computer, an attacker could then access your work login, your email account, Twitter, Facebook, YouTube, PayPal, eBay, Amazon, and any other online services you use with the same password.

Attackers would not be targeting you personally. Modern malware can automate many hacking techniques and attack many thousands of users at once, globally.

Malicious hacking is big business, and there is a whole criminal subculture geared up to make money from stolen credentials.

Many people store a lot of information online these days. Imagine if you lost access to your personal accounts and profiles, or worse, someone copied, added or removed information, sent messages to all your friends containing clever scams or viruses, or transferred some of your money through a series of stolen bank accounts.


So what can users do to choose better passwords?

Having cracked many passwords with a variety of different tools and techniques, here are the four best pieces of advice I can offer.


  • Password length is the most important factor. Try to use a "pass-phrase", i.e. a group of words that is longer than 15 characters.
    • This is a sufficient length to make brute-force and hybrid attacks unfeasible with today's computing power.
    • Using 15 characters or more also means that the password cannot be stored as an LM hash. (The LM hash is one of the weakest forms of password storage; Microsoft still includes it on Windows systems today for historical reasons, but it is a really big weakness.)

  • Add some numbers and symbols
    • Though this does not affect password strength as much as length does, it can help make your password less predictable, by using more of the available key space.
    • Here are some examples
      • Friday%is&a4great*day!
      • #thisisareallyeasyonetoremember!

  • Use different passwords for the accounts you have
    • It may be impractical to use a different password for every login to every system, but try to use unique passwords for your core services such as
      • Home computer login
      • Email access
      • Bank accounts
      • Work login
      • Social networking

  • Test your choices, to see whether the kinds of password you are choosing are strong
    • Try the Microsoft password strength checker, to get an idea of what makes a password stronger.
      • https://www.microsoft.com/protect/fraud/passwords/checker.aspx
      • Try putting your current password in. If it comes up "Weak", you're not doing very well with your password choices currently.
      • You should be aiming to get at least into the "Strong" category for passwords you use for important accounts.
      • See if you can pick a memorable password that meets the "BEST" category. Try several attempts so you will know what is important in choosing a strong password.

Now choose similar passwords for your own use.
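As an added illustration (not code from the original post), here is a small checker that applies the four pieces of advice above in the way a cracker would see them: a constructed sample "common passwords" dictionary with a crude hybrid rule (strip decorations, undo leetspeak), the 15-character / LM-hash threshold, the character classes in use, and a worst-case brute-force estimate at an assumed rate of one billion guesses per second.

```python
import re
import string

# Constructed sample of a "commonly used passwords" dictionary; the real lists
# the post mentions run to hundreds of millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                    "monkey", "football", "summer", "friday"}

# Assumed guess rate for the estimate (not from the post): a billion guesses
# per second, plausible for a fast unsalted hash on a single machine.
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365 * 24 * 3600


def hybrid_core(password):
    """Undo what a hybrid rule would try: leading/trailing digits and symbols,
    letter case, and simple leetspeak. If the remainder is a dictionary word,
    the password falls to a hybrid attack long before brute force matters."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.translate(str.maketrans("@$013", "asoie")).lower()


def charset_size(password):
    """Size of the smallest standard key space that contains the password."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    return sum(n for test, n in classes if any(test(c) for c in password))


def brute_force_years(password):
    """Worst-case years to exhaust the key space at GUESSES_PER_SECOND."""
    guesses = charset_size(password) ** len(password)
    return guesses / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def assess(password):
    """Apply the post's advice; returns the list of problems found (empty is good)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS or hybrid_core(password) in COMMON_PASSWORDS:
        problems.append("dictionary word (plain or hybrid-decorated)")
    if len(password) <= 14:
        problems.append("14 characters or fewer: storable as an LM hash")
    if charset_size(password) <= 52:
        problems.append("no digits or symbols used")
    if brute_force_years(password) < 100:
        problems.append("brute-forceable in under 100 years at the assumed rate")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer2011", "p@ssw0rd1!", "Friday%is&a4great*day!"]:
        print(candidate, "->", assess(candidate) or "no problems found")
```

Note that "Summer2011" passes a naive "mixed case plus digits" test but is still a hybrid-rule hit and has a 62^10 key space, which the estimate puts at under 30 years; the post's two pass-phrase examples clear every check.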


PS: I use several password dictionaries of commonly used passwords, totalling over 200 million entries.

I find these very effective for password cracking, before attempting hybrid, rainbow-table, and brute-force attacks. They only take a few seconds to run for hash-cracking.

Most of these dictionaries are available on the web if you look, but if you are interested in me providing some copies, let me know in the feedback section.
