17 May 2021

How to Choose a Password

Some people reading this will have good passwords. Some people will have thought about picking a strong password, but not everybody has thought about it. Hopefully, after reading this article you will be able to pick a stronger password. In a previous video, it was shown how to crack passwords using fairly basic techniques. Some people know more about this and run other custom dictionaries. Normal passwords are cracked very fast, especially when custom dictionaries are used.

Password strength
Figure 1: password strength (from https://xkcd.com/936/)

Picking a good password is a lot easier than people make it out to be. XKCD alluded to this (see figure 1), and it is discussed in more detail below. The comic did not answer every question, but it got a good message across. Other aspects are also discussed, for example whether you should reuse passwords.

Password entropy

Password crackers and password security researchers talk about password entropy, which is the amount of information held in a password. The idea is that if a password does not hold much information, it is going to be cracked very quickly, because there is not much search space to go through. You need to look at two things.

Can it be brute-forced? Is your password eight characters or fewer? If your password is nine or more characters and you’re using symbols, you’re probably okay. That’s fairly straightforward, but as GPUs get faster, these barriers go down. Secondly, is your password dictionary-crackable? The people in the last video didn’t think so, and yet their passwords got cracked even though they had quite good ones.

It comes down to doing the following two things. Make sure your password is long enough and uses interesting characters so it can’t be brute-forced. Next to that, make sure you are not vulnerable to dictionary attacks. You can test a password at https://howsecureismypassword.net/ (test one with the same structure as yours rather than the password you actually use).

Weak passwords

Let’s be very clear. If your password is the word “password”, you probably want to close your browser right now and change your password. After that, hang your head a little bit. If your password is any variation on the word password, or contains the digits 1234 in order, you need to get rid of those passwords. Maybe delete your account out of shame. Let’s not focus on bad passwords, but on what a good (or strong) password would be.

Password systems, in general, are not a very useful way to authenticate. A lot of people think this because passwords are hard to remember, unless you pick an easy password, in which case it is easy to remember but not secure. In some sense, the challenge is to find a way of authenticating ourselves, and a password is something that is hard for humans to remember and easy for a computer to guess. And people do it badly.

There are lots of reasons why passwords are terrible. Google thinks passwords are going the way of the dodo because it is bringing in a new authentication system that tracks the movement of the phone in your pocket, among other things. Maybe that will work. But at the back, you’re always going to have some kind of password, because you don’t want to be pulling your phone out of your pocket and have Google say you moved your phone weirdly and ask you to enter your PIN code. You’re going to have something backing it up at all times.

For now, we’re going to have passwords for a while longer, so we have to think about what they should be, using some obvious rules. Seven or eight characters is not long enough. If you have an eight-character password, and you assume just for a minute that the website you’re using stores it as an MD5 hash, an attacker will be able to try passwords at 840 billion hashes per second. How long would it take to get through all eight-character passwords? Using a smart character set, less than a day, probably a few hours.

How not to improve your password

Let’s talk about a better approach, or the nearly perfect approach of XKCD, and how it can be improved. XKCD described a situation where you had a decent password, but it was hard to remember. Say you use the word troubadour for your password. You swap a few letters for numbers, capitalize some letters, and stick in a symbol somewhere. The argument is that this isn’t a good password because there’s not much entropy, since you’re doing the standard things people do in passwords.

Right now that’s true, in the sense that if you replace an E with a 3, everyone does that; it’s number one on the list. Don’t think that’s clever, because it’s not. If you replace an E with a three, it’s still not very good. Let’s pick a better one. If you replace an O with a 3, that’s slightly better, but someone’s still probably going to win that war, because it’s so fast to try all the possibilities.

Correct Horse Battery Staple

You’ve got one option which is kind of hard to remember, with a bunch of symbol exchanges to keep track of. The other option is to append four words, like correct horse battery staple. Now everyone knows that particular password, which means using that exact combination is not very good. XKCD argues that if you pick four words and stick them together, the result is inherently not vulnerable to brute-force attacks, because it’s too long even when all lowercase and without symbols. The combination of these words does not appear in any dictionary; this combination of words is rarely used.

Keeping dictionary attacks in mind

We now have two passwords set up. The first one is troubadour (with its substitutions) and the second one is correcthorsebatterystaple. So how breakable are these two passwords? Using all those exchanges makes a word like troubadour slightly harder than suggested, because its entropy is not bad: there are 10 characters and a number of exchanges are possible, not all of them immediately obvious. This means that this type of password is not terrible, and perhaps slightly better than it looks.

The changes made in words like troubadour are quite hard to remember and certainly a pain to type in. Words like correct horse battery staple are much easier to remember: there are no funny characters to press, and you can type those characters quite quickly. The issue is that we don’t brute-force passwords of that length; we dictionary-attack them. The question you have to ask yourself when appending multiple words is whether correcthorsebatterystaple is going to come up in any dictionaries. The answer is probably not.

Once people start appending four words together, the attacks change. [This happens when services get hacked and attackers can crack the passwords used.] Instead of a brute-force attack, where the search space is the number of characters to the power of the length of the password, it becomes the number of words we might use to the power of the number of words we are using. For example, the top 10,000 words to the power of four, which happens to be a very big number, making it kind of safe.

Set up the correct horse battery staple

But what if you only pick obvious words, looking only at the top 20,000 English words? Staple is somewhere around 12,000, which means we don’t tend to use it very often; that makes sense. Horse is much further up the list, as is correct. Battery is further up the list as well: we all have phones, and we talk about batteries all the time. If you hypothetically picked four words that were all in the top 500, then suddenly the search space is 500 to the power of four, which is much smaller and makes your password crackable.
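As an added example (not part of the original article), here is a small Python calculator for the search spaces discussed above: eight characters at the article’s assumed 840 billion MD5 hashes per second, versus four words drawn from the top 500, 10,000 or 20,000 English words. It assumes the attacker already knows which scheme you used, which is the premise of the next section.

```python
import math

# Attacker rate quoted in the article for MD5-hashed passwords (assumed, not measured here).
MD5_HASHES_PER_SECOND = 840e9


def charset_search_space(length: int, charset_size: int) -> int:
    """Candidates a brute-force attack must try for a fixed-length password."""
    return charset_size ** length


def wordlist_search_space(word_count: int, wordlist_size: int) -> int:
    """Candidates when the attacker knows the password is word_count words
    taken from a wordlist of wordlist_size entries (the 'correct horse' case)."""
    return wordlist_size ** word_count


def entropy_bits(search_space: int) -> float:
    """Information content of a password chosen uniformly from that search space."""
    return math.log2(search_space)


def hours_to_exhaust(search_space: int, rate: float = MD5_HASHES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; on average an attacker needs half of it."""
    return search_space / rate / 3600


def compare_schemes() -> dict:
    """Return (bits, hours) per scheme so the numbers can be compared side by side."""
    scenarios = {
        "8 chars, a-z A-Z 0-9": charset_search_space(8, 62),
        "8 chars, all 95 printable ASCII": charset_search_space(8, 95),
        "4 words from top 500": wordlist_search_space(4, 500),
        "4 words from top 10,000": wordlist_search_space(4, 10_000),
        "4 words from top 20,000": wordlist_search_space(4, 20_000),
    }
    return {name: (entropy_bits(s), hours_to_exhaust(s)) for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, (bits, hours) in compare_schemes().items():
        print(f"{name:34s} {bits:6.1f} bits  {hours:12.4f} h")
```

At this offline MD5 rate, four words from the top 10,000 land in the same range as eight printable-ASCII characters, which is exactly why the advice that follows is to pick words that are not on any top-N list.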

The advice to anyone wanting to use a password system like this is to assume that the person attacking you knows you’re using a system like this. Pick hard words, like a brand name or a word that isn’t going to come up in a list of obvious words people use. Staple is not a bad word, but the other three are not great, so change them for something else. Lemming, for example, is probably not a very common word. Rubik is probably not in the top 10,000 English words, which makes the search space much harder to get through.

Preventing brute force attacks

We’re changing the problem of finding a strong password. The question is whether attackers can get the words you’ve used, not the structure of your password. A really good password is three English words plus one word that is rarely used or doesn’t exist. You can also use a made-up word. Such a password can’t be brute-forced because of its length, it can’t be attacked as a combination of easy dictionary words, and you don’t need to put symbols in because it’s just too hard anyway. Using a system like this will make the password strong.

If you want it to be even stronger, you can put an underscore right in the middle of one of the words. Putting a random character inside a word is something not a lot of people do. For example, put an ampersand in the middle of a word like horse: h o & r s e, in the middle of correct horse battery staple. This will make it much harder to crack.

For an attacker to crack that password, a lot of things have to go right. They have to know the four words you’re using, in the right order, and use a dictionary that puts an ampersand in exactly that position. On top of that, pick a word that other people don’t use very often, like your favourite band name. Maybe not your favourite band if you blog about them, because then they can social-engineer the password, but that’s a different question. This is what you do if you have to pick a password.

Password manager

When working with many passwords, you should use a password manager. Instead of remembering lots of passwords, you only have to remember one, which is very good. You will need a password policy that increases entropy and helps you create your master password. What a well-programmed password manager does is encrypt a database of your passwords, where the database contains your websites and accounts. Therefore your master password has to be good, and it needs to be above the level discussed previously. You also need to look into what encryption is used and where the decryption is done. Make sure it’s not done on the server, but locally. Look into it and find out how the security is done.

They use hashes that are very difficult to break, with lots of iterations. This means that even if your passwords were released on the internet, they are in encrypted form and can’t be obtained.

Temporary passwords

Imagine that you are only going to use a website for five minutes and need to register. You can use the password manager to generate a random 16-character password. This is a win-win situation: if you never use the website again, it doesn’t matter because you’ve got a random password, and if it is released later in a hack, it doesn’t matter either because it’s random.
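As an added example (not code from the article or from any particular password manager), the following Python shows the two ideas just described: stretching a master password into a vault key with an iterated KDF, so each guess costs far more than one MD5, and generating a random 16-character throwaway password from the OS randomness source. PBKDF2-HMAC-SHA256 and the iteration count are assumptions for illustration; the master password string is constructed.

```python
import hashlib
import hmac
import math
import secrets
import string

# Illustrative work factor (assumed); real managers pick their own KDF and parameters.
ITERATIONS = 600_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key that encrypts the vault.
    The salt defeats precomputed tables; the iterations make every guess cost
    `iterations` HMAC-SHA256 calls instead of a single hash."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def unlock_ok(candidate: str, salt: bytes, stored_key: bytes, iterations: int = ITERATIONS) -> bool:
    """Local unlock check: re-derive and compare in constant time; nothing goes to a server."""
    return hmac.compare_digest(derive_vault_key(candidate, salt, iterations), stored_key)


def generate_throwaway_password(length: int = 16) -> str:
    """Random password for a site you will only use once, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def throwaway_entropy_bits(length: int = 16) -> float:
    """Entropy of a uniformly random password of that length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def guesses_per_second(single_hash_rate: float, iterations: int = ITERATIONS) -> float:
    """Rough upper bound on the attacker's guess rate once each guess costs `iterations`
    hash operations (assumes one iteration costs at least as much as one plain hash)."""
    return single_hash_rate / iterations


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # generated per vault and stored beside it
    key = derive_vault_key("correct_lemming_rubik_staple", salt)  # constructed example
    print(unlock_ok("correct_lemming_rubik_staple", salt, key))  # True
    print(unlock_ok("password", salt, key))  # False
    print(generate_throwaway_password(), round(throwaway_entropy_bits(), 1))
    print(f"{guesses_per_second(840e9):,.0f} guesses/s at the article's MD5 rate")
```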

Never reuse passwords

That brings us on to our last point: never reuse passwords. Never ever do that. Someone can try to use a leaked account (for example Facebook) to sign in. That leaked account can be used again to check whether you are still using the same credentials, and the same credentials will also be tested on other services, like Twitter, Skype, etc. This is the most important reason to use different passwords.

If a password gets leaked, nothing really terrible happens when it is a randomly generated one: after the leak, you change it and you’re secure again. If the master password for your database is weak, it makes it easier to get hacked, and once attackers get in, they get all your passwords. So your master password has to be strong.