When people find out that I’m into application security, it happens quite often that they will follow up by asking me how to create a secure password.
I tell them to use a password vault and a random password generator.
But, if they can’t quite stomach that, then I tell them to get out some dice and use the dice passphrase method with at least 5 words.
But, if they don’t have the time for that, I tell them to use a random passphrase generator. (I like nbvcxz, but I’m a nerd.)
Of course, each of these requires a bit of time and effort, which we don’t always have, and which we never seem to have at the moment that we are asked to select a password for this or that account.
And once we’ve set the password, we have even less time to ever consider changing it to something more secure.
Now, more often than you might think, this password conversation transitions into the questioner explaining a method that they heard about or do to create secure passwords and asking me what I think.
Here are two examples.
I had a friend tell me that what she does is take what password she wants to do, like say “happybirthday,” and then she shifts her fingers one character to the right on the keyboard.
So, instead of typing “happy birthday”, she types “js[[unotyjfsu”.
This actually looks pretty secure. It has special characters.
But here’s a quick exercise to see why I wouldn’t recommend this approach.
Let’s say that you know (or you think you know) that I like to do the Finger-Shift technique for creating my passwords. Go ahead and look at the first part of this password:
[… s… d… d… e…
What do you think the next letter is?
If you guessed “p”, then you’re right!
Using the Finger-Shift technique didn’t really help in making my password unguessable.
And the reason that it doesn’t help is that computers are great at applying transformations.
All of these passwords:
Are nearly as bad as “password” because all I need to do is dream up the same transformations that everyone else dreams up and codify them into password cracking software to unravel all your hard work.
If you think you are the only one to come up with your crazy transformation, remember that humans all have virtually the same DNA and that you’re probably wrong.
What does make for a strong password? Entropy.
Entropy is the amount of randomness, say, in a password. The more entropy (randomness) in a password, the harder it is to guess the nth character given the first n-1 characters.
The password “password” has really low entropy because as soon as I say my password is “p… a… s…” you immediately guess that the next character is “s”.
So, another idea that someone asked me about was again very clever.
Actually, it’s the most clever thing I’ve heard of so far, though it has the same flaw in the end. See if you can spot it.
I have a friend who creates musical passwords. He takes a song, like “Happy Birthday to You,” and translates the notes into keys on the keyboard, and that is his password.
For example, Happy Birthday to You goes like this:
G3 G3 A3 G3 C4 B3 / G3 G3 A3 G3 D4 C4 / G3 G3 G4 E4 C4 C4 B3 A3 / F4 F4 E4 C4 D4 C4
And so, his password would be “ggagjbggagkjggnljjbammljkj”. (The mapping is a bit more complex than this since he needs at least 88 keys to map all possible piano songs, but I’m simplifying here.)
I think this is pretty clever, and I love the beauty of taking something from music and turning it into a password.
But, it suffers the same problem, which is that such transformations are easily codified.
And then, he said something that showed he was catching on: “But what if it was a tune that I invented on the spot?”
Now, for him to actually do that consistently with every password, my friend would need to be a piano prodigy, but his question gets to the heart of what makes a good password: Entropy.
The more random the input is, the harder it is to guess the password.
For every bit (0 or 1) of entropy, a password is twice as hard to guess.
So, if it is a “song I invented on the spot” then it is a great deal more random than a well-known song like “Happy Birthday to You”.
And, of course, I’m using “Musical Passwords” as a bit of an analogy for what I’m really driving at.
What makes a password strong is randomizing the input.
Say the attacker knows your exact strategy for generating passwords. How much help does that knowledge give her?
Take the following strategies and consider, for each one, how much it would help an attacker to figure out your password if she knew which one you employed:
1. Take a common dictionary word and l33t-ify it
2. Take the first letters of the names of me, my wife, and my kids, and reverse them. Then add my marriage year.
3. Roll some dice five times, and for each time, look up a corresponding dictionary word. Concatenate them all with hyphens.
Clearly, the attacker gets almost no information about the contents of your password using the third strategy. And that is because, with the third strategy, the input is random (because of the dice).
Now, it is less random than a completely random password, since we have a built-in mnemonic to help us remember it (the dictionary part). Though, this is similar in nature to the fact that passwords are, in the end, mapped to keys on the keyboard instead of us entering a truly random series of ones and zeroes that may or may not map to a typeable set of characters.
It gets us pretty close, though.
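To put numbers on the two points above (a deterministic transformation such as the Finger-Shift adds no entropy, while rolling dice for each word does), here is an added example that is not part of the original post. It assumes a US QWERTY layout for the one-key-to-the-right shift and uses a constructed eight-word list in place of a real dice word list (the standard list has 6^5 = 7776 entries, one per five-dice roll); both assumptions are marked in the comments.

```python
import math
import secrets

# Constructed toy word list standing in for a real dice word list (7776 entries).
WORD_LIST = ["apple", "banjo", "cactus", "delta", "ember", "falcon", "guitar", "harbor"]
REAL_DICE_LIST_SIZE = 6 ** 5  # five dice, 7776 equally likely words

# Assumed US QWERTY rows; the Finger-Shift maps each key to its right-hand neighbour.
QWERTY_ROWS = ["qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFT_RIGHT = {row[i]: row[i + 1] for row in QWERTY_ROWS for i in range(len(row) - 1)}


def finger_shift(text: str) -> str:
    """The post's Finger-Shift: type every letter one key to the right.

    Characters with no right-hand neighbour in the table (space, row ends)
    are dropped, which is what happens to the space in "happy birthday".
    """
    return "".join(SHIFT_RIGHT[c] for c in text if c in SHIFT_RIGHT)


def entropy_bits(choices_per_pick: int, picks: int) -> float:
    """Entropy of a password made of `picks` independent uniform choices
    from `choices_per_pick` options: log2 of the size of the search space."""
    return picks * math.log2(choices_per_pick)


def expected_guesses(bits: float) -> float:
    """Average guesses for an attacker who knows the strategy: half the space.
    Every additional bit doubles this number."""
    return 2 ** bits / 2


def search_space_after(transform, words) -> int:
    """Size of the attacker's candidate set for 'pick a word, then apply transform'.

    A deterministic one-to-one transform sends N candidates to N candidates,
    so the attacker who codifies the transform gains everything back."""
    return len({transform(w) for w in words})


def bits_added_by_transform(transform, words) -> float:
    """Entropy gained by applying `transform` on top of picking from `words`."""
    return math.log2(search_space_after(transform, words)) - math.log2(len(words))


def dice_passphrase(words, count: int = 5) -> str:
    """The third strategy: `count` words chosen by a CSPRNG (standing in for dice),
    joined with hyphens. `secrets.choice` draws uniformly, like a fair die."""
    return "-".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print(finger_shift("happy birthday"))  # js[[unotyjfsu, as in the post
    print("bits added by Finger-Shift:", bits_added_by_transform(finger_shift, WORD_LIST))
    print("one word, l33t-ified or shifted:", entropy_bits(REAL_DICE_LIST_SIZE, 1), "bits")
    print("five dice words:", round(entropy_bits(REAL_DICE_LIST_SIZE, 5), 1), "bits")
    print("sample passphrase:", dice_passphrase(WORD_LIST))
```

Running it shows the asymmetry the post describes: shifting (or l33t-ifying) a single dictionary word leaves the attacker with exactly as many candidates as the dictionary had, so the transformation contributes 0 bits, whereas five dice-chosen words from a 7776-word list give about 64.6 bits, and each of those bits doubles the expected number of guesses.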
And then, if I want to add a little bit more “musical” entropy, I can add all the transformations I want.
We must begin, though, with randomness.
And, (shameless plug,) if you want to learn more about password strength, check out my latest Pluralsight course on Java Web Application Security (paywall).