Passwords

What's a STRONG password?

Quite simply, password strength is a measure of how easily a password can be guessed, by either humans or computers. A “strong” password contains a combination of letters, numbers, and characters that are difficult to predict.

According to Wikipedia, "password strength" is a measure of the effectiveness of a password in resisting guessing and brute-force [i.e., computer-generated] attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

Websites and software packages define their own specific password requirements in a policy. Though the minimum number of characters acceptable is typically eight, Webopedia defines a "strong" password as one that consists of at least six characters (and the more characters, the stronger the password) that are a combination of letters, numbers and symbols (@, #, $, %, etc.) if allowed. Passwords are typically case-sensitive, so a strong password contains letters in both uppercase and lowercase. Strong passwords also do not contain words that can be found in a dictionary or parts of the user's own name.

Guidelines for strong passwords:

Guidelines for choosing good passwords are typically designed to make passwords less easily discovered by intelligent guessing. Common guidelines advocated by proponents of software system security include:

  • Use a minimum password length of 12 to 14 characters if permitted.
  • Include lowercase and uppercase alphabetic characters, numbers and symbols if permitted.
  • Generate passwords randomly where feasible.
  • Avoid using the same password twice (e.g., across multiple user accounts and/or software systems).
  • Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), and biographical information (e.g., ID numbers, ancestors' names, or dates).
  • Avoid using information that is or might become publicly associated with the user or the account.
  • Avoid using information that the user's colleagues and/or acquaintances might know to be associated with the user.
  • Do not use passwords which consist wholly of any simple combination of the aforementioned weak components.

Examples of weak passwords:

As with any security measure, passwords vary in effectiveness (i.e., strength); some are weaker than others. For example, the difference in weakness between a dictionary word and a word with obfuscation (i.e., letters in the password are substituted by, say, numbers—a common approach) may cost a password cracking device only a few more seconds; this adds little strength.

The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns which result in extremely low entropy (randomness or unpredictability), allowing them to be tested automatically at high speeds:

  • Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc. Lists of default passwords are widely available on the internet.
  • Dictionary words: chameleon, RedSox, sandbags, bunnyhop, etc., including words in non-English dictionaries.
  • Words with numbers appended: password1, deer2000, john1234, etc., can be easily tested automatically with little lost time.
  • Words with simple obfuscation: p@ssw0rd, g0ldf1sh, st0ps1gn, etc., can be tested automatically with little additional effort.
  • Doubled words: stopstop, treetree, passpass, etc.
  • Common sequences from a keyboard row: qwerty, 12345, asdfgh, fred, etc.
  • Numeric sequences based on well-known numbers such as 911, 90210, 8675309, etc.
  • Identifiers: jsmith123, 1/1/1970, 555-1234, one's username, etc.
  • Anything personally related to an individual: license plate number, Social Security number, current or past telephone numbers, student ID, current address, previous addresses, birthday, sports team, relative's or pet's names/nicknames/birthdays/initials, etc., can easily be tested after a simple investigation of person's details.

There are many other ways a password can be weak, corresponding to the strengths of various attack schemes; the core principle is that a password should have high entropy (usually taken to be equivalent to randomness) and not be readily derivable by any "clever" pattern, nor should passwords be mixed with information identifying the user.
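As an added example (not part of the original article), the Python below turns the guidelines and the weak-pattern list above into a checker: it strips appended digits and undoes the simple obfuscation substitutions before matching, flags the listed patterns, and estimates the uniform-guessing trial count that the strength definition refers to. The mini wordlist, the leet table and the 10-billion-guesses-per-second rate are constructed assumptions, not figures from the text.

```python
import math
import re

# Constructed mini wordlist built from the examples in the text above; a real
# checker would load a full dictionary and a breached-password list instead.
COMMON_WORDS = {"password", "default", "admin", "guest", "chameleon", "redsox",
                "sandbags", "bunnyhop", "deer", "john", "goldfish", "stopsign",
                "stop", "tree", "pass"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Undo the "simple obfuscation" substitutions (p@ssw0rd -> password); assumed table.
LEET = str.maketrans("@$013457", "asoieast")

def normalize(pw):
    """Lower-case, drop appended digits (password1 -> password), undo leet-speak."""
    return re.sub(r"\d+$", "", pw.lower()).translate(LEET)

def charset_size(pw):
    """Size of the alphabet an attacker must assume, from the classes actually used."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^a-zA-Z0-9]", pw): size += 33   # printable ASCII symbols
    return size

def entropy_bits(pw):
    """Upper-bound entropy: every character chosen uniformly from that alphabet."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def crack_days(pw, guesses_per_second=1e10):
    """Days to try half the space at the given rate; an optimistic bound, because
    the pattern checks below are what really decide whether a password is weak."""
    return charset_size(pw) ** len(pw) / 2 / guesses_per_second / 86400

def weaknesses(pw, username=""):
    """Return the guideline violations found; an empty list means none detected."""
    low, core = pw.lower(), normalize(pw)
    half = len(core) // 2
    checks = [
        (len(pw) < 12, "shorter than 12 characters"),
        (charset_size(pw) < 95, "does not mix upper, lower, digits and symbols"),
        (any(w in core for w in COMMON_WORDS if len(w) >= 4),
         "dictionary word (after undoing appended digits/obfuscation)"),
        (half >= 2 and core[:half] == core[half:], "doubled word"),
        (any(len(low) >= 4 and (low in row or low in row[::-1])
             for row in KEYBOARD_ROWS), "keyboard-row sequence"),
        (re.search(r"(.)\1{2,}", low) is not None, "repeated characters"),
        (len(username) >= 3 and username.lower() in low, "contains the username"),
    ]
    return [msg for hit, msg in checks if hit]
```

Note that `crack_days("password")` is a fraction of a day even under uniform guessing, while the pattern checks catch it instantly; the two measures answer different questions.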

What else can I do?

One way to secure your password even further: Change it often. Password expiration serves two purposes:

  • If the time to crack a password is estimated to be 100 days, an expiration interval shorter than 100 days may help ensure the attacker has insufficient time.
  • If a password has been compromised, requiring it to be changed regularly should limit the access time for the attacker.

Many systems either offer or require multi-factor authentication techniques, such as the use of security questions. Thoughtfully select questions and answers that are unique, known only to you, and hard to guess, and don't share them with anyone.

Online services often provide a password-recovery ("restore password") function; if an attacker can work out its answers, it lets them bypass the password entirely. Choosing hard-to-guess recovery questions can further secure the password.

Some guidelines advise against writing passwords down, while others, noting the large number of password-protected systems users must access, encourage writing down passwords as long as the written password lists are kept in a safe place, not attached to a monitor or left in an unlocked desk drawer. If you do write them down, don't carry them with you when you travel, and don't share them with anyone. If you suspect your password list has been compromised, change your passwords immediately.

Though we often become exasperated when trying to meet all the requirements of a system's password policy, those guidelines are ultimately there for our own protection. Over time and with practice, secure password selection should become second nature. Take the time to create strong passwords to effectively secure your information online, and change those passwords often. It's the best way to ensure your safety against identity theft and other fraud.

Still curious as to how strong your password is? Visit www.passwordmeter.com or other similar sites to find out.