Most of us have had an account of ours hijacked. Maybe it was a friend playing a prank on our Facebook page, or maybe it was a malicious hacker using software to crack our online bank account. We know the importance of a good password. We know not to make it “qwerty”, or anything on this list. So how do we make a good password?
Two things: make it hard for a human to guess, and make it hard for a computer to guess. The first is pretty easy to deal with. The suggestions we usually hear are: MORE SPECIAL CHARACTERS! MORE RANDOM UPPER CASE! MORE NUMBERS! That’s great and all, but is it really necessary to make it unguessable by a human (or a computer programmed to check the obvious passwords)? What are the chances of someone guessing “magentallama”? Making a password something completely unrelated to your life is just as good as having a bunch of confusing characters (and it’s less annoying for you!).

What about the second part of a secure password: making it hard for a computer to guess? Well, most password cracking software uses brute force: “aaaaa”, nope, “aaaab”, nope.... So, yeah, maybe some caps and an exclamation point will stall that computer a little. But what really matters is length. “af!7#” (5 chars) will be guessed long before “zzzzz” (5 chars), even though we know “zzzzz” seems like a worse password. Adding 2 characters would make it take 100 times longer; 6 more, a million times longer (actually much more: those figures assume you only use numbers). Imagine a password like “dogfridgecaropera.” A program has to go through trillions of combinations before it reaches that. No caps, no special characters, no numbers, and I seriously doubt any human could ever guess it. Add in a hyphen, or replace a letter with a number, and even advanced password-guessers that use dictionaries would be stumped for a long time.
The point is, LENGTH is what makes a good password. So stop with these bogus number, case, and special character requirements, and just up the minimum length of passwords.
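The arithmetic behind the post's claims, as an added example that is not part of the original post: keyspace size for a given alphabet and length, where a password lands in the “aaaaa”, “aaaab”, ... enumeration, and how much each extra character multiplies the work. The guess rate is a constructed assumption, not a figure from the post.

```python
import math
import string

# Alphabets: the 26 lowercase letters, and the 94 printable ASCII characters
# (space excluded) in ASCII order, which is the "aaaaa, aaaab, ..." ordering
# the post describes.
LOWER = string.ascii_lowercase
PRINTABLE = "".join(chr(c) for c in range(33, 127))


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive fixed-length search must cover: N ** L."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity in bits: L * log2(N)."""
    return length * math.log2(alphabet_size)


def rank(password: str, alphabet: str) -> int:
    """0-based position of `password` in a fixed-length brute-force enumeration
    over `alphabet`, i.e. the password read as a base-N number."""
    base = len(alphabet)
    value = 0
    for ch in password:
        value = value * base + alphabet.index(ch)
    return value


def crack_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def length_multiplier(alphabet_size: int, extra_chars: int) -> int:
    """Factor by which the keyspace grows when `extra_chars` are added."""
    return alphabet_size ** extra_chars


if __name__ == "__main__":
    RATE = 1e10  # constructed assumption: 1e10 guesses/second for an offline attack
    for label, pw, alphabet in [
        ("5 chars, full printable", "af!7#", PRINTABLE),
        ("5 chars, full printable", "zzzzz", PRINTABLE),
        ("5 chars, lowercase only", "zzzzz", LOWER),
        ("17 chars, lowercase only", "dogfridgecaropera", LOWER),
    ]:
        n, length = len(alphabet), len(pw)
        print(f"{pw!r:22} {label:26} keyspace=2^{entropy_bits(n, length):5.1f} "
              f"rank={rank(pw, alphabet):,} exhaust={crack_seconds(n, length, RATE):.3g}s")
    print("digits only, +2 chars:", length_multiplier(10, 2), "x;",
          "lowercase, +2 chars:", length_multiplier(26, 2), "x")
```

Note that `rank` shows the post's ordering point: in ASCII order “af!7#” is reached well before “zzzzz”, while “zzzzz” is the very last 5-character guess if the attacker knows the alphabet is lowercase only.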
Excuse me here again. This is the third comment, I believe. You have a good point that length is actually what makes a password more brute-force-proof. That's very true if the fact that the password only consists of 26 lowercase alphabet characters is not known by the attacker, which will almost always be the case. However, if it's known, the attacker only has to brute-force the 26 permutations * the password length, which is more crackable. Overall, it's a great, insightful article.
Hi Andres,
You raise very valid points in this blog post. Additionally, you give really good tips to create passwords. Length will indeed delay brute force attacks, and the addition of random characters will foil dictionary attacks. Although length will provide more security, one also needs to take into consideration the end user. A normal human being wouldn't have the capacity to remember a password longer than 8-10 characters if the characters are random. This is the reason why passwords need to be made secure by other means. A good way to make passwords seemingly random would be to use the first letter of all the words in a phrase. An example: "A Bird in Hand is worth two in the bush" would give us 'abihiwtitb'. So although this is seemingly random, it is still easy to remember.
Overall, a well-written blog post!
Hey Andres, thank you for writing such a nice post. We all know the importance of the password. Today we have created our virtual identity on the social networking sites. It is our responsibility to create a strong password for our social networking and banking accounts. As a computer science student I know many rules to make a strong password. However, I am very lazy while creating a password. I guess most people try to create a password which they can easily remember. So they end up choosing a password which can be easily cracked by hackers. Thanks for reminding me about password security; I am going to change my passwords today.