Computer Security 101x - Topic 2: Passwords

Realistic Advice For Non-Experts

Passwords are nearly as old as civilization. If you want to get into the walled city after dark, then tell the guard the password. If you can’t, then you have to wait until the morning when the gates are open to everyone again.

Today, some instances of this still exist in the physical world, such as special handshakes used to identify fellow members of a fraternal organization or daily passwords needed to be admitted to exclusive bars or clubs, but most people encounter passwords online.

I: What Are Passwords?

In modern security, there are three categories of identifying information used for verification:

  1. Something you know (password, ATM PIN, mother’s maiden name, date of birth, etc.)
  2. Something you have (door key, driver’s license, mobile phone, etc.)
  3. Something you are (physical appearance, DNA, fingerprints, etc.)

We’re going to focus on the first one in this article. It’s the most common and the most easily compromised. We’ll discuss the others in future articles, as they are important tools relevant to your online security.

Anything we know and are asked to provide in order to be verified is a password. Our ATM PINs? Think password. Our first pet’s name? Think password. Our usernames to connect to a Twitter account? Yes, that’s a password too.

In theory, a password should be enough information to identify us. Of course, if anyone else knows that information too, then that password is ruined. But, there are ways of making the use of passwords much safer.

II: Password Theory (That You Can Understand)

In early computing, the threat model was a directed attack, someone wanting your information specifically. Today, the average person doesn’t really have that risk. The current model is a general attack, where large numbers of people are targeted in the hopes that some of them will be protecting useful information. Think of it as the difference between a person fishing with a single line from a pier versus an industrial fishing operation using a huge net from a large ship.

To protect against those individual attacks, the advice of the day (circa 1980s — 1990s) was to use hard-to-guess passwords: 8 characters with a mix of letters, numbers and symbols, changed frequently. Why? Most computer systems couldn’t handle long passwords, so 8 characters was the limitation of the times. Let’s break down that advice and see what has changed (and what sadly hasn’t). A warning before we look at any passwords: any example password you see anywhere, in any article, should not be used exactly as presented, but only as an example. Things fall apart if lots of people use the same example password, no matter how seemingly secure.

Password length. A longer password is harder to guess. In case this isn’t intuitively obvious to you, let’s try a simple experiment.

Think of a short list of any things you like (let’s say fewer than 10 items). Maybe your children’s names, or countries in North America, or ingredients in tonight’s dinner. That’s possibly a little challenging, but probably not overly difficult for you. Now think of a longer list, perhaps 50–100 items or so. US states, elements on the periodic table, the films of Tom Hanks, or something else. Can you remember everything on your list? Maybe, eventually, especially if you study it for a while. But it’s obviously harder than working with the short list, right?

Passwords are like that too. The longer they are, the harder it is for you to remember, but it’s also harder for someone else to guess.

So why doesn’t everyone just have really long passwords? The limit for password length most often used to be 8 characters, thus the advice was to use the longest possible. That limit has grown, but it varies greatly. Some computers or websites might allow up to 12 or 15 characters, while others will allow 30, or even 100. Why this varies is a little complicated, but it pretty much boils down to money (What doesn’t?). There is a cost associated with rebuilding a computer system to accept longer passwords. While it may not seem to be that big of a deal, some companies would have to spend tens of millions of dollars to address this limitation. For our purposes, the general advice still holds though: use passwords that are as long as you’re allowed to use in each case. If a website doesn’t tell you the limit (this is actually a good thing, which we’ll look at in a moment), then 20–30 characters is a safe choice for most normal people.

Password complexity. Computer passwords are composed of printable characters. The table below shows all 95 that the average person would use. I’ve included only characters that appear on U.S. English keyboards.

GROUP              RANGE                              COUNT
Lowercase letters  abcdefghijklmnopqrstuvwxyz          26
Uppercase letters  ABCDEFGHIJKLMNOPQRSTUVWXYZ          26
Numbers            0123456789                          10
Space              (the space character)                1
Symbols            `~!@#$%^&*()-_=+[]{}\|;:'",<>./?    32

The Range and Count columns should be pretty clear — which characters are possible and how many there are. The Group column looks obvious as well, a collective term for each range, but there is a subtle problem with this way of thinking. This is the tricky part of the lesson; stay with me. I promise that as long as you can look at two numbers and pick the larger one, the rest of the math is optional for you to follow!

What if I told you that you had to think of the Groups as separate items, not just different types of the same concept (a printable character)? It’s hard to think of them that way, isn’t it? In early password theory, this idea made some sense. Most people chose pretty simple passwords (generally regular words you could find in the dictionary), so helping to add some variety to the mix was a good idea. Unfortunately, most people just added a number or symbol to the end, but the bad guys were just as clever, so they tried that too.

If I tell you to pick an 8 character password, using any characters you like, the math looks like this:

95 * 95 * 95 * 95 * 95 * 95 * 95 * 95 = 6,634,204,312,890,625. That’s over 6 quadrillion combinations! Wow!

If I tell you to pick an 8 character password, using at least one each of lowercase, uppercase, numbers, and symbols, it seems like I’ve forced you to use a lot more variety, but I’ve actually removed a lot of options. The math is very complicated (explained well, for the curious, at http://mathforum.org/library/drmath/view/52277.html), but ends up with:

3,025,989,069,143,040 possibilities. That’s “only” 3 quadrillion combinations.

I’ve taken away more than half your choices! Some of them weren’t very good, like elephant or 99999999, but Yu$(*r#Q looks okay.

By thinking of all the printable characters as one pool instead of several groups that we have to utilize, we’ve made guessing much harder. Websites attempting to help us by forcing variety are actually weakening security. The same is true when we’re forced to have passwords of a certain length like “at least 12 characters but not more than 18.” Someone trying to guess wouldn’t have to consider any of the shorter or longer combinations.
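The two counts above, worked through in code. This is an added example and not the author’s own calculation; it assumes the space is counted in the symbol group (32 symbols + space = 33), because that is the pool for which the inclusion-exclusion formula reproduces the article’s 3,025,989,069,143,040 exactly. It also counts a stated length window, since a rule like “at least 12 but not more than 18” likewise shrinks what a guesser has to cover, and cross-checks the formula against brute force on a tiny alphabet.

```python
from itertools import combinations, product

# Character groups from the article's table. The space is folded into the
# symbol group here (32 symbols + space = 33); that is an assumption made for
# this example, and it is the pool for which the inclusion-exclusion below
# reproduces the article's figure of 3,025,989,069,143,040 exactly.
GROUPS = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
POOL = sum(GROUPS.values())  # 95 printable characters in total


def count_unrestricted(length, pool=POOL):
    """Passwords of exactly `length` characters drawn freely from the pool."""
    return pool ** length


def count_required(length, groups=GROUPS):
    """Passwords of exactly `length` characters that contain at least one
    character from EVERY group.

    Inclusion-exclusion: start from all strings over the pool, subtract those
    missing any one group, add back those missing any two, and so on."""
    pool = sum(groups.values())
    sizes = list(groups.values())
    total = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            remaining = pool - sum(missing)
            total += (-1) ** k * remaining ** length
    return total


def count_length_range(min_len, max_len, pool=POOL):
    """Passwords whose length lies in [min_len, max_len]; a published window
    such as "12 to 18" tells a guesser which lengths never need trying."""
    return sum(pool ** n for n in range(min_len, max_len + 1))


def brute_force_required(length, groups):
    """Enumerate every string over tiny labelled alphabets and count the ones
    that use every group, to cross-check count_required on small inputs."""
    alphabets = {g: [f"{g}{i}" for i in range(n)] for g, n in groups.items()}
    chars = [c for a in alphabets.values() for c in a]
    return sum(
        1
        for pw in product(chars, repeat=length)
        if all(any(c in alphabets[g] for c in pw) for g in groups)
    )


if __name__ == "__main__":
    free = count_unrestricted(8)
    forced = count_required(8)
    print(f"any 8 characters:          {free:,}")
    print(f"one of each group forced:  {forced:,}")
    print(f"choices removed by policy: {1 - forced / free:.1%}")
    tiny = {"a": 2, "b": 1, "c": 1}  # constructed alphabet for the cross-check
    print(count_required(3, tiny), brute_force_required(3, tiny))
```

The forced-variety rule removes about 54% of the 8-character space, which is the “more than half” the article describes. The brute-force check is there because inclusion-exclusion is easy to get off by one term; on a 4-character alphabet both routes give 12.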

Unfortunately, a dedicated modern attacker can search all of those combinations, in either example, and crack your password in a short time. There are a few variables, but assume a short time equates to days, or less. That’s probably not what you were hoping to hear.

Password rotation. Remember the old recommendations about changing your password every 90 days? That’s obsolete. If you’re picking passwords in the range I will explain, time to crack is on the order of hundreds of millions of years. Changing them every few months is irrelevant. If you pick passwords well, you can stop doing this.

III: Choosing Strong Passwords

We’ve seen that longer passwords are better. We’ve seen that more complex passwords are better. So the combination of the two should be even stronger! It definitely is more secure, but there is a tradeoff of convenience. If I tell you that a good password looks like od]ZM53iq@K5rVP{DGT5"BwT would you be able to remember it? Me neither. So what do we do? I recommend not knowing most of your passwords.

To do that, we need a tool that can generate those long unreadable passwords and keep track of them in a secure manner. That’s what a password manager does, and we’ll cover those in the next article. Alternatives exist, but I don’t think the tradeoffs are that useful for most people. Let’s look at some of them so you can find out if you agree.
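The generation step a password manager does for you, and the “days or less” versus “hundreds of millions of years” contrast from the previous section, as an added example (not code from the article). The guess rate of 10^12 per second is an assumption made here so the numbers have a scale; the real rate depends on how a site stores its passwords.

```python
import math
import secrets
import string

# The 95-character pool from the article's table: letters, digits, the space
# and the 32 symbols on a US keyboard (string.punctuation is exactly that set).
POOL = string.ascii_letters + string.digits + " " + string.punctuation

# Guess rate used for the time estimates below. This is an assumption made for
# the example, not a figure from the article; real rates depend on the hash the
# site uses, so treat the output as a scale, not a prediction.
ASSUMED_GUESSES_PER_SECOND = 10 ** 12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length, pool=POOL):
    """Draw every character independently and uniformly from the pool using the
    operating system's CSPRNG (the secrets module), never random.choice."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(pool) for _ in range(length))


def entropy_bits(length, pool_size=len(POOL)):
    """Entropy of a uniformly random password: log2(pool_size ** length)."""
    return length * math.log2(pool_size)


def years_to_exhaust(length, guesses_per_second=ASSUMED_GUESSES_PER_SECOND,
                     pool_size=len(POOL)):
    """Years needed to try every password of this length at the given rate."""
    return pool_size ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for n in (8, 12, 24):
        print(f"{n:>2} chars: {entropy_bits(n):6.1f} bits, "
              f"{years_to_exhaust(n):.3g} years to exhaust the space, "
              f"e.g. {generate_password(n)!r}")
```

Under that assumed rate the full 8-character space is covered in under two hours, while the 24-character space takes on the order of 10^27 years; the exact figures move with the rate, the conclusion does not. Note that a generated password only has this entropy if every character is drawn from the whole pool, which is why the code does not force one character from each group.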

Use simpler passwords that you can remember. If you’ve read this far, I hope this isn’t actually something that occurred to you.

Picking one great password and reusing it everywhere. Password reuse is one of the top threats to our online security. Period. I’d rank it in the top three, along with phishing and the Internet Of Things, both of which we’ll cover in future articles.

Briefly, the problem is that if you have accounts on Target, Instagram, and Lyft, and then Target gets breached, the bad guys might try to use the information they found there to log in to Instagram and Lyft as well.

This is called credential stuffing; the bad guys get a long list of usernames and passwords, collectively called credentials, and then try to stuff them into another site with repeated login attempts. This is why a breach of Target can lead to people’s accounts at Instagram being taken over. But if you have completely different passwords at each site, then that cannot happen to you. This is the new breed of attacks. The bad guys don’t want just your credentials; they want everyone’s.

Picking great passwords but storing them in a spreadsheet instead of a password manager. The upside is that you don’t have to learn how to use a password manager. The downside is that your passwords are not stored in a secure manner. Don’t be lazy; take ten minutes and learn how to use the password manager.

Writing all the passwords down. Let’s say you have a very secure physical safe at home, and you put the notebook in the safe whenever it’s not in use. You still have some problems. It’s not portable; if you want to use your accounts on a mobile device, or travel with your computer, then you have to take the notebook with you. What if you lose it? There is a more basic problem: entering those long passwords every time will be painful. Try typing out that password example from a couple of paragraphs back. I’ll wait… Was that fun? I didn’t think so.

Using a mnemonic to create passwords only you can remember. Some people are partial to the first letter method. So they might take a sentence like this:

My best friend Andy and his wife Beth want to buy a ski house someday, and when they do I hope they invite me to go skiing with them.

And take all the first letters and punctuation to create the password: MbfAahwBwtbashs,awtdIhtimtgswt.

That’s a sufficiently strong password. No problem there! But are you going to have a different phrase for every account you use? My password manager has about 300 entries in it at the moment. Even if I came up with that many phrases, how would I remember which went to each site? What happens when you get to a site that requires a number in the password or won’t let you have a password that long? There are tweaks that can be applied to make this approach a little more workable, but I don’t actually recommend it for the average person. It’s just too complicated.
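The first-letter method above, as an added example rather than the author’s code: derive the password from the sentence exactly as described (first letter of each word, punctuation kept), then run it against the kinds of site rules the paragraph mentions. The length limit and “must contain a number” rule are constructed values for the example, not any particular site’s policy.

```python
import re

# The article's example sentence.
SENTENCE = ("My best friend Andy and his wife Beth want to buy a ski house someday, "
            "and when they do I hope they invite me to go skiing with them.")


def first_letter_password(sentence):
    """Keep the first letter of every word plus any punctuation that follows
    it, in order; this is the mnemonic method described in the article."""
    out = []
    for token in sentence.split():
        # group 1: the word's first letter/digit; group 2: trailing punctuation
        m = re.match(r"^(\w)\w*([^\w]*)$", token)
        out.append(m.group(1) + m.group(2) if m else token)
    return "".join(out)


def policy_failures(password, min_len=1, max_len=None,
                    require_digit=False, require_symbol=False):
    """Return the rules a site with this (constructed) policy would reject
    the password on; an empty list means it would be accepted."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len}")
    if max_len is not None and len(password) > max_len:
        failures.append(f"longer than {max_len}")
    if require_digit and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if require_symbol and not any(not c.isalnum() for c in password):
        failures.append("no symbol")
    return failures


if __name__ == "__main__":
    pw = first_letter_password(SENTENCE)
    print(pw, len(pw))
    # A site that caps passwords at 20 characters and demands a number
    # (constructed policy) rejects the mnemonic on both counts.
    print(policy_failures(pw, max_len=20, require_digit=True))
```

The derived string is 31 characters, so the two failure modes the paragraph raises (a site that caps length, a site that insists on a number) both show up immediately, and the only fix is to alter the phrase per site, which is the bookkeeping problem the author is describing.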

So we’re going to need a password manager.

Next: Password Managers