Very frequently, our users ask us what makes a password good, and how they can select a secure password that will help safeguard their online accounts from hijacking. In this post, I will attempt to detail why passwords are useful, how they are usually attacked, and how to protect against these attacks.
What constitutes a good password?
It’s really hard to choose a good password when you don’t know what “good” means in this context. Most people have a vague notion that “a good password contains numbers, lowercase and uppercase letters, and symbols”, but this is just rote repetition from every signup page that is telling them that. It’s right, by the way, but it’s not the whole story.
To learn what constitutes a good password, you must first learn how attacks on passwords work. Here’s the secret:
What is a Brute Force Attack?
Mathematicians, cryptographers and other very smart people have, fortunately, given us a very useful tool in the battle against password theft: The one-way function. Put simply, it’s a way to scramble some text in a specific way, making it impossible to unscramble, but very easy to reproduce, if you have the original text. This way, services you give your password to don’t have to store the actual password, they can scramble it and store that. When you try to log in, they take the password you’re giving them, scrambling it again, and checking if the scrambled text matches the original one you created when you signed up. If it does, it’s the same password, and they let you in.
This means that, barring any other forms of password theft (e.g. people looking over your shoulder, viruses recording the keys you press, people getting you to tell them your password, etc), the potential attacker pretty much has to try every single combination of letters to see if that is your password.
Performing the attack
There are various ways attackers can do this (usually, attackers write a program to go to a site’s login page and try passwords all day), but they can also break into a service and steal their password directory with the (hopefully) scrambled passwords, and try as many passwords on as many accounts as they want.
The difference a security-conscious provider makes here is significant, as the one-way function people use has tremendous impact on mitigating this attack. Some sites use fast functions that allow attackers to try hundreds of billions of passwords per second, others (such as us) use slow functions that only allow attackers to use two or three passwords per second.
Password complexity and how it helps
Now that you know how attackers try to compromise passwords, you can probably see how longer and more complex passwords help. If the attacker has to try “1”, “2”, “3”, …, “10”, “11”, etc as passwords, all in a row, a password that is long and includes letters or symbols will mean that the attacker will have to spend more time to hit the winning combination. It’s a bit like playing the lottery, only this it (potentially) done billions of times per second, greatly increasing the chances of “winning”.
Since many people use passwords that only contain numbers, attackers will frequently start with only calculating numbers, because it’s the fastest (there are only ten digits, after all). In the best (worst?) case, attackers can find all 15-digit-long passwords in a few minutes. Adding lowercase letters forces attackers to use an extra 26 characters, adding uppercase adds another 26 to that, and symbols add another 30 or so.
The gain here is that attackers don’t know which symbols a password is using, and where, so they have to add the entire set, thus making their lives much harder, and the password more secure. This is the principle that most password strength estimation meters you see on websites (the things that always say “your password is too weak” when you try to sign up) work. However, what if attackers do know what users use?
Humans are very, very predictable, and attackers use this to their advantage. Given the above, you might think that “Passw0rd!” is a good password, but it’s one of the first things an attacker will try, precisely because people think they’re being smart and using all of the character sets, but doing so in a very predictable way. To make things worse, that password isn’t even very easy to remember (“Which was the capital letter? The P or the D? Did I include a zero or a one? Was it an exclamation mark or a period?”), while being terribly easy to crack.
Armed with the knowledge that people will generally use predictable passwords, attackers select the most predictable passwords themselves. They first start with simple password lists of 100 most common passwords and permutations, moving on to full dictionaries of English (or whatever other language people may speak), with some combinations/permutations of those, etc. By the time that’s done (it only takes a few minutes to hours), an attacker may recover 80-90% of the scrambled passwords.
Password strength meters
Most password strength meters take the naive approach, and only count the number of letters and increase the complexity based on how many different characters are in the password. Thus, the password “Passw0rd!” above would score very highly, even though it will probably be the first thing an attacker will try, and it can be trivially broken in a second. The password strength meter we use on our Join page is the excellent zxcvbn, which was developed by Dropbox and uses much more realistic methods to estimate passwords.
For example, the password “qweRTY654#@!” might be judged by a conventional estimator as very strong, but it’s actually very weak, because it is a common keyboard pattern (“qwerty654321” with shift pressed for half the time). zxcvbn correctly identifies such patterns and adjusts the password cracking time accordingly, making for a much more accurate estimate of password strength.
Picking a good password
Armed with all the above knowledge, how can we pick a good password? Well, the best way is to get a random password generator to generate one for us, as that is guaranteed to be completely unpredictable. The problem is, though, that that way does not make for very memorable passwords. This popular XKCD comic analyzes the common password generation techniques and proposes a better way: Simply use four completely random common words (obviously, the more words the better) from a suitable generator, since they are both relatively memorable and adequately complex.
Custom password generation methods
Some people have their own password generation methods, perhaps by coming up with a memorable phrase and changing it again and again until it is suitable for use as a good password. These methods are generally good, if they are sufficiently complex, because they are uncommon. It doesn’t much matter how you arrive at a plausible-looking password that you can remember, as long as the method is not very obvious or common.
Taking a phrase or a long word or some other seed, changing it again and again until it looks complex is fine. Taking a dictionary word and changing letters to numbers is not, because it is one of the first things every person will think to do. Taking a phrase and changing it again and again until it looks complex, posting it to your blog and convincing every person in the world to use it is, again, broken, because the attacker will now add support for your scheme in their process, making everything vulnerable again.
When it comes to passwords, unpredictable is better (also, longer is better, simply because almost everyone uses short passwords, so attackers won’t bother with long ones), with the absolute best being completely random passwords. Try to make your password as unpredictable as you can, while still being able to remember it.
After reading the above, you should have a much better idea on how to properly create strong passwords and what a strong password actually is. If you are currently using any passwords that are weak, I’d advise you to change them immediately.
If you’re worried about your online privacy, you might want to give our services a try, we take care of as many aspects of your security as we can so you don’t have to. Above all, though, exercise common sense, don’t share your passwords with anyone, and stay safe!
Additional reading material