☑ Passwords: You’re doing it wrong

11 Jul 2013 at 3:55PM in Software
 |   | 

There are few technical topics about which there’s more FUD than picking a strong password.

chains padlock

I’m getting a little sick of how much misinformation there is about passwords.

More or less everyone who’s been online for any length of time knows that picking a “good” password is important. After all, it’s more or less the only thing which stands between a potential attacker and unlimited access to your online services. So, what constitutes “good”?

Well, many, many services will recommend that you make your passwords at least 8 characters in length, avoid words that you’d find in a dictionary and make sure you include mixed case letters, numbers and symbols. Now, if you need a password which is both good and short then this is probably quite reasonable advice. If you picked 8 characters truly at random from all letters, numbers and symbols, that’s something like 4 x 1015 (four million billion) passwords to choose from, and that’s secure enough.

However, these passwords have a bit of a drawback — humans are bloomin’ awful at remembering things like this: 1Xm}4q3=. Hence, people tend to start with something which is a real word — humans are good at remembering words. Then apply various modifications like converting letters to similar digits. This process gives people a warm, fuzzy feeling because their password ends up with all these quirky little characters in it, but in reality something like sH33pd0g is a lot worse than just picking random characters.

Let’s say there are about 10,0001 common words and that each letter can be one of four variants2. That gives around 6 x 108 (six hundred million) possibilities. This might seem like a lot, but if someone can check a thousand passwords every second then it’ll only take them about a week to go through them all.

So, if that’s a bad way to pick memorable passwords, what’s a good way? Well, there are a few techniques which can help if you still need a short password. One of the best I know of is to pick a whole sentence and simply include the first letter of each word. Then mix up the case and swap letters for symbols as already discussed. This at least keeps the password away from being a dictionary word that can be easily guessed, although it’s still a pain to have to remember which letters have been swapped for which numbers and so on.

But wait, do we really need such a short password? If we make it longer, perhaps we don’t need to avoid dictionary words at all? After all, the best password is one that is both secure and memorable, so we don’t have to write it down on a Post-It note3 stuck on our computer. Fortunately the repository of all knowledge xkcd has the answer4!

As it turns out, picking four words more or less at random is much better from a security point of view and, for most people at least, is probably quite a bit easier to remember. Using the same 10,000 word estimate from earlier, picking four words entirely at random gives us 1 x 1016 (ten quadrillion, or ten million billion) possibilities. At a thousand per second this would take over 300,000 years to crack. The beauty is that you don’t need to remember anything fancy like strange numbers of symbols — just four words.

Is it any more memorable? Well, a random series of characters doesn’t give you anything to get to grips with — it’s a pure memory task, and that’s tough for a lot of people. However, if you’ve got something like enraged onlooker squanders dregs or scandalous aardvark replies trooper then you can immediately picture a scene to help you remember it.

So let’s stop giving people daft advice about passwords and certainly let’s remove all those irritating checks on passwords to make sure they’re “secure”, when in reality the net effect of forcing people to use all these numbers and strange symbols more or less the opposite. Most of all, let’s make sure that our online services accept passwords of at least 128 characters so that people can pick properly good passwords, not the ones that everyone’s been browbeaten into believing are good.

As an aside, even with this scheme it’s still really important to pick words at random and that’s something humans don’t do very well. Inspired by the xkcd comic I linked earlier, this site was set up to generate random passwords. Alternatively, if you’re on a Linux system you could use a script something like this to pick one for you5:

import random
import string

with open("/usr/share/dict/words", "r") as fd:
    words = set("".join(c for c in line.strip().lower()
                        if c in string.ascii_lowercase) for line in fd)
print("Choosing 10 phrases from dict of %d words\n" % (len(words),))
print("\n".join(" ".join(random.sample(words, 4)) for i in range(10)))

One final point. You might be thinking it’s going to be a lot slower to type four whole words than eight single characters, but actually it’s often almost as fast once you don’t need to worry about fiddling around with the SHIFT key and all those odd little symbols you never normally use, like the helium-filled snake (~)6 and the little gun (¬)7.

Especially on a smartphone keyboard. Let’s face it, if you’ve just upgraded your phone and are seeking help with it in some online forum, there isn’t a way to ask “how do I get the little floating snake?” without looking like a bit of an idiot — clearly this is the most important advantage of all.

  1. While it’s true that the OED has something like a quarter of a million words, the average vocabulary is typically significantly smaller. 

  2. So o could also be O, 0 or (), say. 

  3. Although the dangers of writing passwords down is generally heavily overestimated by many people. I’m not saying it’s a good idea, but having a really good password on a scrap of paper in your wallet, say, is still a lot better for most average users than a really poor password that you can remember. 

  4. Note that Randall’s figures differ from mine somewhat and are probably rather more accurate — I was just plucking some figures in the right order of magnitude out of the air to illustrate the issues involved. 

  5. It’s written to run on a Linux system but about the only thing it needs that’s platform-specific is the filename of a word list. 

  6. Yes, yes, I know it’s called a tilde really. 

  7. OK, fine, it’s a logical negation symbol. Still looks like a little gun to me; or maybe hockey stick; or an allen key; or the edge of a table; a table filled with cakes… Yes, I like that one best. Hm, now I’m hungry. 

11 Jul 2013 at 3:55PM in Software
 |   |