Guide to Creating Secure Passwords
In the last decade, the number of services requiring a password has grown exponentially. This has changed the way we use the Internet. Some reading this guide may not remember a time when the primary purpose of logging onto the Internet was to find information, news, and free entertainment. The most social media you'd see at the very beginning of this century was anonymous chatting on IRC or Yahoo! Chat, as well as various listservs and the like.
- 1 The History of the Password
- 2 The Inherent Weakness of Passwords
- 3 The Characteristics of a Strong Password
- 4 Methods
- 5 Last Pieces of Advice
The History of the Password
Passwords and passphrases originated in military use, from ancient times onward. The Romans called them "watchwords," and they were a way for traveling friendly units to prove that they were not spies or enemies.
One of the first uses of passwords in computing was at MIT's Compatible Time-Sharing System. In order to log in, users would identify themselves and then enter their password. Not long after the advent of the early Internet – an event which took place in 1969 between four computers – Robert Morris of Bell Labs developed a secure method of storing encrypted passwords in databases. In his white paper, he describes, even then, the drive for ease of use.
An underlying goal has been to provide password security at minimal inconvenience to users of the system. […] Password security is of course only one component of overall system security, but it is an essential component.
In the intervening years, cryptography has come a long way. The NSA and other organizations intimately dependent upon strong cryptography have developed new algorithms and have held ongoing contests for the cracking of these algorithms. You may be thinking, "Why would they want the security broken?" The answer isn't so much that they want the security broken as that they want to know whether or not it is currently possible to do so. In this way, they can develop stronger security by examining the methods used to break the previous versions.
A good historical example of this was when Distributed.net cracked RSA Labs' 56-bit RC5-56 secret key. The cracking process took 1,757 days to complete using a distributed network of computers all over the world, and at the end of 1997 the mission was successful. The award for this achievement was $10,000 – closer to $15,000 in today's money.
Cryptographers all over the world are continually trying to crack existing algorithms and to develop more secure ones. What matters for this discussion of password security is that cryptography is used to store passwords securely, in a way that prevents attackers who gain access to a database from using the data without the private key – the key which allows one to decrypt anything in such a database.
In many cases, no such key exists at all. Instead, a user who can present certain credentials must create a new password. Two-factor authentication, in which the server sends a text message to the user and has them verify a code, has become a common way of setting new passwords.
The Inherent Weakness of Passwords
The previous paragraphs may have raised a concern – if the passwords are stored somewhere, whether or not they're encrypted, aren't they vulnerable? And the answer is yes, they are. A large state actor with a great deal of computing power could, for instance, find its way into Adobe's database and then, using the same computing power, eventually brute-force the encryption until it was able to read all the passwords in plaintext. With large-scale attacks like these, a question of motive and profitability comes to mind. Traditionally, hackers and crackers are more about scientific advancement than they are about personal gain. The biggest targets are therefore accounts that have access to sensitive information.
In more recent years, a movement has begun which foresees the end of passwords. Two-factor authentication and its growing prevalence are a first major step in this direction. With a Google account, for instance, the user can enable device-specific passwords, so that a hacker who cannot emulate all the characteristics of the user's devices also cannot access their data. Google Authenticator and a similar application, Authy, both use time-sensitive authentication codes in addition to traditional passwords to secure accounts. A new company called Clef skips the code entry altogether and simply has the user wave a mobile device in front of the screen.
Universal two-factor authentication, biometrics, or any other replacement for or augmentation of password security is years away. If you have the ability to enable these methods now, Hacked.com suggests that in all cases you do. Application- and device-specific passwords are very hard for even the most motivated hackers to get around.
The strength of these methods hinges on the strength of your passwords, and what follows are some good methods of coming up with secure passwords. Lastly, we will recommend a particular private service that has become very popular, LastPass. It allows the user to implement strong passwords without having to remember them. It is called LastPass because the user only needs to know or have access to the password they used to create their LastPass account.
The Characteristics of a Strong Password
- Minimum of 12 characters long
Also, minimize the use of any service that has a maximum password length. Such a limit suggests the service is not hashing passwords before storing them, which it should be doing in the first place.
- Includes symbols, lower and uppercase letters, and numbers.
This can make them hard to remember, of course. It may help to have them written down in a place that only you have access to, such as your wallet or a safe.
- Is not – repeat is not – a word that appears in any dictionary (even a foreign-language one)
Computers are very good at searching databases such as dictionaries. Using a dictionary word just makes it incredibly easy for an algorithm to find your password.
- Does not involve substituting alternate characters for letters – (l1vel0ve is not secure just because the I and the O are replaced by 1 and 0)
Obvious substitutions are almost as bad as dictionary words. With only a few keystrokes and lines of code, the bad actor can program his cracker to search for such substitutions. For instance, he could simply replace every O in the dictionary with a 0, and try other variations in the same way. It will take longer than if you use a dictionary word, but it's still possible for a computer to eventually guess the right password.
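A checker for the four characteristics above, added here as an example; it is not code from the original guide. The wordlist and the substitution table are constructed for the demonstration (a real deployment would load a full dictionary file into the set). The substitution check undoes the common letter-for-number swaps before looking for dictionary words, which is why a candidate such as l1vel0ve is rejected for three separate reasons rather than slipping through.

```python
import itertools
import re
import string

MIN_LENGTH = 12

# Constructed stand-in for a real wordlist; a deployment would load a full
# dictionary file (for example /usr/share/dict/words) into this set.
DICTIONARY = {"live", "love", "password", "welcome", "dragon", "sunshine"}

# Letters each substituted character may stand for. "1" is ambiguous (l or i),
# so every expansion is tried, just as a cracking rule set would try both.
LEET = {"0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def leet_variants(candidate, limit=1024):
    """Expand substituted characters back into every plain spelling they could hide."""
    choices = [LEET.get(ch, ch) for ch in candidate.lower()]
    variants = set()
    for combo in itertools.product(*choices):
        variants.add("".join(combo))
        if len(variants) >= limit:  # bound the search for pathological input
            break
    return variants


def dictionary_hits(candidate):
    """Dictionary words of four or more letters present once substitutions are undone."""
    hits = set()
    for variant in leet_variants(candidate):
        letters = re.sub(r"[^a-z]", "", variant)  # "l1ve-l0ve!" -> "livelove"
        hits.update(word for word in DICTIONARY if len(word) >= 4 and word in letters)
    return sorted(hits)


def check_password(candidate):
    """Return the rules the candidate violates; an empty list means all four pass."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = {
        "lowercase": any(c.islower() for c in candidate),
        "uppercase": any(c.isupper() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        problems.append("missing " + ", ".join(missing))
    hits = dictionary_hits(candidate)
    if hits:
        problems.append("built from dictionary words: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed candidates: the guide's l1vel0ve, a disguised dictionary word,
    # the guide's interleaved-names example, and a random string.
    for pw in ("l1vel0ve", "P@$$w0rd!!!!", "Jbereaan-nPnaaula", "xK9#vQ2$mL7!"):
        print(f"{pw!r}: {check_password(pw) or 'passes all four rules'}")
```

The dictionary test flags any candidate whose letters still contain a listed word once the swaps are undone, so "P@$$w0rd!!!!" fails even though it satisfies the length and character-class rules.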
Method 1: Hash a Known Phrase
The hash of a document is a fixed-size digest of its contents computed by a given algorithm. It is most commonly used to verify that files sent between computers are genuine and have not been tampered with.
The famous hacker Adrian Lamo is on record as saying that the use of any personally identifiable information in a password is a recipe for getting hacked. Thus, try to avoid this. Your spouse's first name or your child's birthdate are both out of the question. In the age of more and more personal information being available for public consumption, it's best to use something random.
Perhaps a line from a novel that only you know is one of your favorites. Let's go with that. For this author, we'll go with a line from The Perks of Being a Wallflower.
So, this is my life. And I want you to know that I am both happy and sad and I'm still trying to figure out how that could be.
The SHA-256 hash of this text is:
Now, this in itself is insecure, because anyone could take that line and hash it, and then they would have the string that led to your password. So a safer method would be to alter the known phrase in a way that you won't forget.
uuSo, this is my life. And I with%ant you to know that I am both happy and sad and I'm still trying to figure out how that could1 be.
This outputs a different hash:
You can now take the entire hash and use it for your password. Obviously the entire 256-character string would be difficult to remember, so try to identify twelve characters within it and remember those. Or just use it as a base for further password development. Technipixel.com and Online-Convert both have easy-to-use hash generators.
Alternatively, you can hash entire documents. In Linux, this is as easy as using the sha256sum command. Create a text file with randomized data and a random filename. Hash it like so:
And use the output as the basis for your password. Then move file.txt off your hard drive, to a USB stick or something else. Better yet, print it out with the filename showing, so that you can recreate it from scratch if you ever need to. You can do this with any file on your computer, and SHA-256 is just one possible hash algorithm to use.
Passwords generated this way are very difficult to crack, because simply using a program to guess them could in some cases take decades. Unless the attacker gets access to the basis of the hashed passwords, they will have to find other ways to discover them. And this in itself is difficult enough that you would have to be a high-value target, or be using services owned by one, to worry about it.
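The hashing steps of Method 1, worked through in Python as an added example rather than the guide's own commands. Note that a SHA-256 digest is 32 bytes, which prints as 64 hexadecimal characters. The two phrases are the guide's; the base64 slicing, the twelve-character length and the random seed file are this example's assumptions. One caveat the code makes explicit: hashing adds no secrecy of its own, since anyone can recompute the hash of a known phrase or file, so the derived password is only as strong as the phrase or file stays private.

```python
import base64
import hashlib
import os
import tempfile

# The guide's phrase and its deliberately altered version.
PHRASE = ("So, this is my life. And I want you to know that I am both happy and sad "
          "and I'm still trying to figure out how that could be.")
ALTERED = ("uuSo, this is my life. And I with%ant you to know that I am both happy and sad "
           "and I'm still trying to figure out how that could1 be.")


def sha256_bytes_hex(data):
    """SHA-256 of raw bytes as 64 hexadecimal characters (the digest is 32 bytes)."""
    return hashlib.sha256(data).hexdigest()


def sha256_hex(text):
    """SHA-256 of a string; the same input always yields the same digest."""
    return sha256_bytes_hex(text.encode("utf-8"))


def sha256_file_hex(path, chunk_size=65536):
    """Hash a file in chunks, as sha256sum does, so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def derive_password(text, length=12):
    """Take `length` characters from the base64 form of the digest (an assumed step).

    A hex slice is only digits and lowercase a-f, so it can never satisfy the
    uppercase or symbol rules; base64 can contain both cases, digits, + and /.
    Each base64 character carries 6 bits, so a 12-character slice keeps at most
    72 bits of the digest, and the digest itself is no harder to guess than the
    phrase it was computed from.
    """
    raw = hashlib.sha256(text.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")[:length]


def write_seed_file(nbytes=32):
    """Create a file of random bytes (the assumed 'randomized data' file) and return (path, contents)."""
    data = os.urandom(nbytes)
    fd, path = tempfile.mkstemp(prefix="seed-", suffix=".bin")
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path, data


if __name__ == "__main__":
    print("phrase  :", sha256_hex(PHRASE))
    print("altered :", sha256_hex(ALTERED))
    print("password:", derive_password(ALTERED))
    path, data = write_seed_file()
    print("file    :", sha256_file_hex(path), "==", sha256_bytes_hex(data))
    os.remove(path)  # the seed file belongs on removable media, not the hard drive
```

`sha256_file_hex` produces the same digest that `sha256sum` prints for the same file, so a seed file hashed here can be re-hashed later on any Linux machine to recover the password base.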
Method 2: Old School
Some users may not want to go through the drawn-out password-hashing process. For these users, though it is obviously less secure, there are other methods that date from the days before cracking programs were quite so sophisticated.
Mix words together
Take two to five words and combine the letters of them. A two-word example:
Jean-Paul and Breanna becomes Jbereaan-nPnaaula
Remember, the longer the password, the better. So if you can combine more words into this, or add other characters, you're going to have a safer password. This author does not recommend this method at all, especially for accounts that the user considers sensitive in nature, like e-mail or financial accounts.
Take the first and third, or second and fifth, or some other combination of letters from each word in a sentence and start from that.
To use our earlier phrase:
So, this is my life. And I want you to know that I am both happy and sad, and I'm still trying to figure out how that could be.
That's using only the first letter. For a human, the password would be impossible to guess, and it might take a cracking program longer. However, if this author were going to use that method, he would do something more like:
This involved randomly adding some of the other letters from the sentence, and then adding some random other keyboard characters. This password would pass most requirements and may even be considered secure. However, it is also generated from a rather obscure line of text, and that contributes greatly to its security.
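The two "old school" constructions above, implemented in Python as an added example (not the guide's own). `interleave` alternates letters strictly, so for Jean-Paul and Breanna it yields JBeraena-nPnaaul rather than the hand-mixed string in the guide; `acrostic` takes chosen letter positions from each word of the guide's sentence; and `sprinkle`, an assumed helper, replaces the "random other keyboard characters" step with draws from the operating system's random generator so the additions are not a person's predictable choices. As the guide notes, the result is only as strong as the obscurity of the sentence it came from.

```python
import itertools
import re
import secrets
import string

# The guide's sentence as given in Method 2 (with its comma after "sad").
SENTENCE = ("So, this is my life. And I want you to know that I am both happy and sad, "
            "and I'm still trying to figure out how that could be.")


def interleave(*words):
    """Alternate the letters of each word in turn; longer words contribute their tail."""
    rounds = itertools.zip_longest(*words, fillvalue="")
    return "".join(ch for group in rounds for ch in group)


def acrostic(sentence, positions=(0,)):
    """Take the letters at the given 0-based positions from each word.

    Punctuation is dropped before indexing, so "I'm" is treated as "Im"; a
    word too short for a position contributes nothing for that position.
    """
    out = []
    for word in sentence.split():
        core = re.sub(r"[^A-Za-z0-9]", "", word)
        out.extend(core[p] for p in positions if p < len(core))
    return "".join(out)


def sprinkle(base, count, alphabet=string.digits + string.punctuation):
    """Insert `count` random extra characters at random places, keeping the base order.

    Assumed helper: `secrets` draws from the OS CSPRNG, unlike a person picking
    "random" keys by hand.
    """
    result = list(base)
    for _ in range(count):
        result.insert(secrets.randbelow(len(result) + 1), secrets.choice(alphabet))
    return "".join(result)


if __name__ == "__main__":
    print(interleave("Jean-Paul", "Breanna"))      # JBeraena-nPnaaul
    first = acrostic(SENTENCE)
    print(first)                                   # StimlAIwytktIabhasaIsttfohtcb
    print(acrostic(SENTENCE, positions=(0, 2)))    # first and third letters
    print(sprinkle(first[:12], 4))                 # 12 acrostic letters plus 4 random extras
```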
Method 3: Use an Online Password Generator
There are several online password generators. Some of them are not secure, meaning the server logs what it outputs. In any case, never use the generated passwords directly – always modify them by at least a couple of characters to ensure they are unique to you.
Gibson Research Corporation's password-generation page generates three options each time you visit it. It is always a good place to start.
If you don't like that, this generator from SafePasswd.net is a bit more user-friendly.
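The logging risk above disappears when the password never leaves your machine. The following is an added example, not code from the guide or from either site it names: a local generator built on Python's `secrets` module, which draws from the operating system's cryptographic random source. The 16-character default and the guess rate used for the time estimate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and the symbols on a US keyboard.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12


def has_all_classes(pw):
    """True when the password holds lowercase, uppercase, a digit and a symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw))


def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character from the OS CSPRNG via `secrets`.

    Nothing leaves the machine, which removes the logging risk of a web
    generator. The `random` module is unsuitable here: it is seeded for
    reproducibility, not secrecy.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):  # rejection sampling keeps the accepted set uniform
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every password of this entropy at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(16)
    bits = entropy_bits(16)
    # The guess rate is an assumption for illustration, not a measured figure.
    print(pw, f"{bits:.1f} bits", f"{years_to_exhaust(bits, 1e10):.3g} years at 1e10 guesses/s")
```

Sixteen characters from a 94-symbol alphabet carry just under 105 bits of entropy; the time estimate only describes exhaustive search and says nothing about a password that was leaked or logged, which is the risk the online services raise.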
Method 4: Use a Secure Password Manager
So you're not a security expert; you're not interested in investing a lot of time learning to be. That's understandable. The experts have been hard at work developing ways to help you.
You may not know this, but the built-in password managers that come with Google Chrome and Mozilla Firefox are insecure. In the case of Chrome, the passwords are not encrypted. With a few commands, you can easily dump all the passwords stored in a Chrome or Firefox browser. Using the information on those links to dump any password that doesn't belong to you is technically illegal, just so you know.
In any case, the most popular secure password manager is LastPass. Before we get into using LastPass, let's provide a list of alternatives:
Some of these options cost money. Or, as a security expert might argue, some of these options require an investment in order to save money, because having your password compromised can be very expensive in both time and money.
To install LastPass, you just install a browser extension, the same as you might have AdBlock or something similar enabled. Go to their website and get the download. It is not recommended to go the usual route through the download stores of either browser, because these stores frequently carry look-alike malicious software, and you could easily wind up handing your data over to hackers. It's much safer to install it the manual way, by going to the website and installing the extension from there. With Firefox, you simply download the XPI file and drag it over to the Firefox browser (if it doesn't automatically ask to install). You should then see this screen:
Next you'll create a master password. This is what all your passwords on the Internet will be hashed against. It's very important 1) that this password be secure (using one of the above methods could help) and 2) that you remember it, or have access to it, because the people at LastPass won't be able to find it or access it for you.
LastPass does a lot more than just remember your secure passwords for you. It can also securely store credit card and other information, so you don't continually have to enter this data in plaintext (a possible risk in the case of key-logging or Trojan horse software being installed on your computer). It also has a built-in password generator:
LastPass can make password management a lot easier, but since it's run by a private company that must stay in business, it is generally best practice to know all of your passwords and not rely on any third party.
Last Pieces of Advice
- Avoid reusing the passwords of important accounts on other accounts; if possible, never use the same password twice.
- Change passwords as often as makes sense. Potentially, set up a calendar reminder to change them once a month.
- Do not share your passwords with others under any circumstances. If your spouse must know your password, make sure only to share it with him or her in situations where you cannot be overheard.