Security companies and IT people constantly tells us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones.
So let's dive into the world of passwords, and look at what makes a password secure in practical terms.
The work involved in hacking passwords is very simple. There are 5 proven ways to do so:
You cannot protect against "asking" and "guessing", but you can protect yourself from the other forms of attacks. A hacker will usually create an automated script or a program that does the work for him. He isn't going to sit around manually trying 500,000 different words to see if one of them is your password.
The measure of security must then be "how many password requests can the automated program make - e.g. per second". The actual number varies, but most web applications would not be capable of handling more than 100 sign-in requests per second.
This means it takes the following time to hack a simple password like "sun":
Note: "sun" has 17,576 possible character combinations. 3 letters using the lowercase alphabet = 263
This is of course a highly insecure password, but how much time is enough for a password to be secure?
But let's take a full swing at this. Let's look at "100 year - secure for life". It has good ring to it and it makes us feel safe. There is still the chance that the hacker gets lucky. That he accidently finds the right password after only 15 years instead of 100. It happens.
Let's step that up too and go for the full high-end security level. I want a password that takes 1,000 years to crack- let's call this "secure forever". That ought to be good enough, right?
Now that we have covered the basics, let's look at some real examples, and see just how usable we can make a password, while still being "secure forever".
Note: The examples below are based on 100 password request per second. The result is the approach that is the most effective way to hack that specific password - either being by the use of brute-force, common words or dictionary attacks.
First let's look at the common 6 character password - using different methods:
In this example complexity clearly wins. Using a password with mixed case characters, numbers and symbols is far more secure than anything else. Using a simple word as your password is clearly useless.
Does that mean that the IT-departments and security companies is right? Nope, it just means that a 6 character password isn't going to work. None can remember a password like "J4fS<2", which evidently mean that it will be written on a post-it note.
To make usable passwords we need to look at them differently. First of all what you need is to use words you can remember, something simple and something you can type fast.
Like these:
Using more than one simple word as your password increases you security substantially (from 3 minutes to 2 months). But, by simply using 3 words instead of two, you suddenly got an extremely secure password.
It takes:
It is 10 times more secure to use "this is fun" as your password, than "J4fS<2".
If you want to be insanely secure; simply choose uncommon words as your password - like:
A usable and secure password is then not a complex one. It is one that you can remember - a simple password using 3+ words.
It is not just about passwords
One thing is to choose a secure and usable password. Another thing is to prevent the hacker from hacking password in the first place. This is a very simple thing to do.
All you need to do is to prevent automatic hacking scripts from working effectively. What you need to do is this:
A hacker can hack the password "alpine fun" in only 2 months if he is able to attack your server 100 times per second. But, with the penalty period and the 5 second delay, the same password can suddenly sustain an attack for 1,889 years.
Remember this the next time you are making web applications or discussing password policies. Passwords can be made both highly secure and user-friendly.
Great points, Thomas.
I really hope that the rest of the web developmentment world finally gets that usability is not contrary to security.
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Jacob, Indeed - the correct word for this is "pass-phrase". But, since many people do not know what that is I opted for simplicity and called everything for password.
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Jesper, Thanks!
The problem, I think, is that IT often seem to be stuck in the dark ages when it comes to handling things like security. Instead of solving the problem, they lock everything down. To IT the best website is one that isn't connected to the internet... :)
I was wondering that using hash-algoritms to store pass-phrases could "weaken" some of them.
Although, using those penalty times between false login would make it "forever" to hack.
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Tero, There is indeed a potential problem with Windows hash-algorithms, but it is easily solved.
The problem is that all Windows versions except Windows Vista, stores and transmits the obsolete LM hash for backward compatibility. It doesn't actually use it, but transmits it anyway.
There are three kinds of Hash-algorithms in use on Windows: LM, NTLMv1 and NTLMv2.
The only one to be concerned with is LM, which can potentially be hacked in a matter of hours if you got local access. It takes 19 hours with 1,000,000 requests per seconds, and you cannot create that many requests remotely. Thus the problem is not related to web applications, nor with any other kind of application where you cannot read the hash directly.
NTLMv1 and NTLMv2 is both "secure forever".
There are three ways that completely solves the problem with the LM hash algorithm (either one solves the problem)
1: Use a newer windows operating system (Windows 2003 server and Windows Vista), and if you cannot do that, disable LM hash backward compatibility (you do not need it).
2: Never expose the password hash to the outside world - handle passwords in your backend system. Do not involve the client computer in this process. Note: This is how most web applications work anyway.
3: Choose a password with 15+ characters - like: "there is a chance" or "inspired by design". The reason is that LM algorithms only work with passwords that are no more than 14 characters. If your password is longer, the LM hash defaults to "0" (or rather the hash of "0") and NTLM is used exclusively instead.
Hash hacking is not an issue for most people. A hacker needs local access to exploit it.
Excellent article, Thomas.
I loved that you quantified the risks - I'll be pointing users at the article, to convince them that their dogs name is not a good password... :(
Great article Thomas but maybe you should emphasize more that your recommendations are only true for web applications.
For example brute force cracking a password protected file can be much easier. No penalty period can be applied and the number of tries per second depends mainly on the CPU speed.
The CPU power increasing continuously the year needed today to crack the password could be a day next year.
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Jean-Marc, While it is true that local access to e.g. a password protected file means that you can attack a password with much greater speed - a simple password like "this is fun" is still 10 times better than "J4fS<2".
and "Fluffy is puffy" is still 180,000 times more secure than "J4fS<2".
This is not related just to web applications - any system would be more secure by using pass-phrases instead of comlpex passwords. The main reason is that as complex passwords gets longer, it also gets harder to remember (thus will be writtin down which destroys the added security it provides).
While you can remeber "2>my", it is impossible to remember "fHe47yF#kd%sgjs&wk". But remembering a pass-phrase of the same length is easy - like "inspired by design".
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
BTW: It is true that never CPU's provides greater speed when hacking password. For the same reason it is essential that developers prevent this by adding delays - regardless if it is in a web application,, desktop program, or in a file.
Making password secure cannot be done by putting the burden on the person. It is the developer who needs to make it right.
Thomas, I was talking about the times announced. I agree that the ratios are the same.
I do not see how a delay can be added to a file, a zip archive for example.
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
I do not know how password in zip files work today, but the way to make a file secure is not store the password within the file, but instead use a e.g. 128 bit hash instead.
This means if you only got the file, you will to crack an insanly secure hash value.
The zip program is then the one who needs to have built in delay mechanism. It, simply put, will turn the password people enter into a hash value, which, un turn, it will then compare with the one in the file (with a delay). If it matches, then it unlocks it - if not... well...
Or if you unlock mechanism in embedded within the file - like with products like "LockNote" - it (the unlock mechanism) needs to have a a delay added to it.
I agree on the problem with using the term "pass-phrase". This is something we came across with PassPack too.
We encourage using pass-phrases, but people don't know what that means and get frightened. But "password" is just too misleading. In the end, we opted for "Pass" and then suggest using a "normal sentence."
Good choice or bad choice? Don't really know yet, but so far no one has asked "what's a pass?"
Nice article Thomas...
The use of a pass-phrase is definitely better than a password, but a lot of time is useless, because a lot of websites doesn't support spaces or punctuation characters in the passwords. This is very annoying because I have a pass-phrase that I want to use for all the website, but sometimes I can't register it with an account. That's why currently I have to use a pool of pass-phrases and passwords for the web... A simple list with a priority, depending on the password policy provided by the website on which I'm creating my account.
When I have to register an account I use the first pass-phrase (the most complicated, but simple to remember). If the website doesn't support the pass-phrase I use the second password (systems that don't accept spaces). The third entry is for websites that only support alphanumeric characters, the fourth for websites that only support characters and the last for websites that only accept passwords with a length lower that 8 characters (in this case the password is only 6 characters)...
I know that sometimes is difficult for me to remember what password or pass-phrase I've used in a website, but is the only one solution (for me) to contrast the problem in this password policy granularity...
Good article, thanks.
I want to know how to calculate the time to crack those password? I'm still newbie...
How about this password:
64.572.881.649
how much time to crack it?
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Bambang, The way to calculate it depends on how much information the hacker has. If he knows that it is made up of 3 numbers separated with a dot, then it is going to be a lot easier.
Known structure: xx.xxx.xxx.xxx consists of 100,000,000,000 possible combinations: 10 numbers (0-9) and 11 of them is 1011.
Meaning it will take 32 years to crack using 100 attempts per second.
If the hacker does not know the structure, it will take a lot longer. Usually a hacker will try a password using different brute-force attacks:
a-z = forever (no match)
a-zA-z = forever (no match)
a-zA-z0-9 = forever (no match - no dots)
a-zA-z0-9+symbols = 5,062,982,072,492,060,000,000 combinations, or 1,605,461,083,363 years to hack (or 350 times longer than the current age of our solar system)
If the hacker knows that the password only consists of number and symbols, then that time can be shortened to:
0-9+symbols = 717,368,321,110,469,000 combinations or 227,476,002 years.
So the safety of the password depends largely on how much the hacker knows about its structure. But, it is generally extremely safe!
Wow that's very very long time to crack. Thanks so much for the information. Now I'm feel more secure :)
How about "password phrase"?
You know, I never even thought about using simple phrases for a password, mostly because I've always been asked to make a passWORD.
I think many people force themselves to stick to one word because they think that anything else will not be accepted.
If the whole concept of "password phrase" catches on, then I think password crackers are going to have a lot more trouble...
Will definitely be taking along the recommendation for login time-outs and such to slow down attacks.
Fabrizio - you should NOT use the same password / pass phrase for ALL websites. This is the same those websites "Asking"
You're potentially telling a non-trusted site how to access your email, E-bay, bank etc.. etc..
Have different "secure" passwords / pass phrases for e.g. payment / work / bank sites and possibly have a "low security" password / phrase for signing up to interest sites like magazine subscriptions and so on.
Thomas,
Thank you for the very thought provoking article.
Firstly I can't help but think that you are guilty of a bit of "spin", though. Have you worked in sales before, by any chance?
If I can play devil's advocate for a moment - the "3 common word" passwords "this is fun" could be described as "at least eleven characters including two spaces" in the traditional (IT) view of the world. So it's not correct to say that pass phrase is "more secure" than a password - only that it's easier to remember a longer set of characters.
As an IT person it would be a lot harder for me to sell to a visitor / user - "You need a password that is eleven characters long with at least two spaces" than to suggest "pick three words". So I applaud your suggestion of 11+ character long passwords in such a user friendly way :-)
Secondly I'm not sure that I agree with you about your comments on delays and fixed penalties for two reasons.
1) It would be very unlikely that I could sell to my UCD / User Experience team that we need to impose a deliberate delay of 5 seconds before responding to a password input remembering that it is important to enforce the 5 second delay even for successful attempts.
As a "hacker" knowing about the 5 second delay, I would give up waiting after 1 second and start another hack attempt unless I knew I had to wait 5 seconds to find out if the password was successful. Of course that delay would only take one thread out - I'd have hundreds of concurrent threads trying to hack.
I'd need your selling skills to get this past them!
A bit of an aside but there was an interesting article describing how hackers could work out if an ID was valid because of the difference in time between a "invalid user" and a "valid user / invalid password" response.The research was by "Andrew Bortz" http://crypto.stanford.edu/~abortz/ the article "Exposing Private Information by timing Web Applications".
2) The imposition of a "fixed penalty" needs to be considered of very carefully. It's very easy to make the mistake of thinking that you can e.g. use a cookie to tell how many attempts have been made. As a hacker I would wipe my cookies after every attempt - so don't rely on cookies.
What about IP address? Well, that too can be problematic.The visitors I deal with (in the UK) are predominantly from two ISPs - AOL and NTL, as well as some large corporate / government gateways such as the NHS. All of these proxy so attempting to block based on IP address (especially with AOL) could potentially disable a significant percentage of visitor traffic. AOL for example only has a few tens of proxies in the UK. Know your visitor base - but for my organisation IP wouldn't work. This is where dedicated IDP tools come into their own. 100 requests per second (and hopefully a lot less!) should trigger IDP to discard any attempts before the developer has to deal with them.
At an application level, internally logging the number of attempts against a given ID is probably the only way to do this however this has performance overheads that shouldn't be overlooked especially in a multi-server / multi-located environment.
Mat.
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Mathew, First of all, I think it should be illegal to write a comment that is longer than the original article (just kidding of course :o))
Secondly, I do not work in sales, but I do work with marketing. Am I guilty of "spin", no - I am just speaking plain English, instead of making it technical :o)
But...
As for the "3 common word", then, unfortunately, you are wrong. It is not a 11 character password, because if it was, a hacker would have to use brute-force, instead of a common word attack - and that would take 1,163,859 years, instead of the 2,537 years using a common word attack.
So it is precisely what I wrote - 3 common words. It does not have to include 11 characters. As an example, a common word password totaling 7 characters would still be more secure than "J4fS<2".
As for the 5 second delay, then I do not agree with you - it is not even close to being as hard as you point out.
1: Why would you have to enforce a 5 second delay if the password is right? I would only add a delay between sign-in attempts not during.
2: You cannot have 100 concurrent attempts if you made it the system correctly. What you do is, simply, to look at the user-name being used, instead of IP-addresses or cookies. Every time a person tries to sign-in, you put the time into the database in a field called e.g. "signinTime" and have another field called "signinStatus" to indicate if he was successful or not.
...And do it server-side, so the hacker cannot tamper with it. Using this method you couldn't even attack using 3 different computers in 3 different countries. The delay is added server-side and thus applies to the username, not where the hacker is attacking from, or what method he uses.
3: I cannot see the relevance of the article you refer to. I think security people and web application developers should read it, but it deals with finding a username, not being able to hack a password. As such, they never gained access to protected information. Good link for developers and thank you for pointing it out - but it is not relevant in this case.
4: A hacker cannot "wipe" a cookie if you use server-side delays to protect you from attacks (read point 2)
5: The same with IP address - user server-side delays based on the user credentials instead of any local information (read point 2). If you do that, you will not have any of the problems that you point out.
Handling passwords is pretty simple. People can choose a simple password that is secure, and developers can prevent attacks using simple methods. You can make it hard and technical, but when you do you run into all sorts of problems - and there really is no reason to do so.
Nice article, but you completely FORGOT keyloggers? They are one of the most frequently used methods to acquire passwords/phrases.
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Bhavesh, Heh... Yes, I forgot about thanks. Thanks for the heads up!
BTW: Not much we can do about key loggers, though.
Thomas - Amazing article. It didn't really tell me anything "new", however, it gave me statistics to back up my facts, and a way of putting things simply.
I work as a tech for a major Norwegian corporation, and one of my daily annoyances is people forgetting their passwords, because that's just what they are not, at least not usually, most of my users actually use letter and number combinations for their passphrases.
All the best - WiseGuy
Fun, try to find a form that allows you to fill in "huffy in puffy" as a pw.
In our big company we have to use 3 pw´s since you have to change every 30 days => Result: They are on a post-it on the monitor on most desks :-)
This really opens my eyes to some hings I never knew about when it comes to passwords. I recently thought my e-mail and some other accounts were compromised, and had to get professional help. I see things in a different way now because of that experience.
Wow, very nice article. I will keep this in mind when I need a password next time. Thank you!
Just wondering, how much will using a different language than English improve attempts? Say Norwegian? For example something like "Passordet mitt er passord. :p"?
Which is it going to be, overdesigned "tasteful" tiles or leet computer security tips?
I just found this via StumbleUpon, in case you're interested.
Great article, Thomas. Could this somehow be combined with another tip I've seen?
http://www.jjmelo.com/blog/2008/02/26/the-best-password-remembering-tip-youll-ever-encounter
Anyway, this article has inspired me to make a quick-and-dirty Flash animation which would allow people to test their passwords. Don't worry, I'm not good enough at Flash to be able to harvest those passwords.
So, I'm off to make a Flash animation! I'll let people here know when it's ready!
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Thomas, I do not think writing it in norwegian is going to change much - it largely depends on who is hacking your account.
Woog, Both. My articles is about how to create great products, user-experince, management etc. whereas my design section is all about design. If you just want one of them you can always choose not to go to that section directly - or subscribe to an RSS feed that only contains the content you want.
Mark, that is an interesting way to remember your password. I actually do something similar for some of the online accounts I have signed up to.
I've found that the dreaded L33T-speak makes for very efficient passphrases. Replacing your three-word example "thisisfun" for "th1s1sfun" greatly increases the security of the password (by adding ten possible characters and voiding the usefulness of dictionary attacks) while still keeping it very simple to remember. It's easy enough to replace I=1, A=4 and E=3 for anyone to remember, and while a script can easily be written to make these replacements in a dictionary attack, it still takes that many more tries to crack the passphrase.
You said that there is nothing that can be done about a keylogger, and I'm not a professional in this field, but I do quite a bit of programming and have written several applications which require that specific programs be closed.
What if you were to incorporate this sort of "script blocking" in the log-in attempt? Basically what I'm saying is when the user attempts to log in, you require that all other applications off a specific list be closed. This list can then be stored on the server, where the user cannot tamper with it, and can be updated as needed.
Or better yet, instead of playing catch-up as my above paragraph suggests, why not simply stop all programs with write capability? This stops the key logger from writing to its log, thus preventing the attack.
And on the note of having the pass expire every 30 days, i would discourage this method because it does lead to the writing of the phrase itself. I would suggest changing the pass every 6 months or so, and never allow a repeat to be entered. This will allow the user time to memorize their new password, and once it expires, they never have to remember it again.
Like I said above, I'm not an expert when it comes to networking, but I know quite a lot about application development, and I think some of the techniques might apply in both fields.
Awesome article, Thomas! I'll definitely keep this in mind for both personal and work related use.
I wrote a post on this very topic this morning. You and I agree on many points.
Can you post a link to the password-check website that you used as a example? I want to check my passwords!
Nice article. I used to work as a sysadmin and the passwords some people used were stupid. I do think that the human factor plays a bigger role than passwords, once you start getting to ones that have a couple of numbers in, though. People share them too readily, write them down, or just type them 'one fingered' while other people are at their desk. Even some people who change their passwords do it badly - Sarah01 one month, then Sarah02 the next.... Grrr.
That's a really interesting idea. I've never knew how easy hacking a password could be
Keyloggers? Why not have the alphabet on the screen and you click on the characters of your password.
Cracking? How about one-time passwords, or even much better - 2-factor authentication, such as key cards that generate tokens that should be used with your username and pass-phrase.
I guess normal user accounts don't count as much to a hacker as a root / admin account (except for Internet banking though!). That's why the server should be patched, locked down and default accounts/passwords changed before you allow John Public access to your site.
It's unfortunately also a reality that some sites/systems do not allow special characters / spaces as part of the password. This can be a problem where you use the same password for multiple sites :(
But I totally agree with the article - if you have to choose a password, make it as easy as possible to remember, but as difficult as possible to guess.
Oh, and it doesn't seem like a good idea to have Debian generate a random password for you :)
I do aggree, however if we assume you didn't tell anyone your password, and they therefore don't know what it is comprised of then the password aaaaaaaaaaaaaaaa is more secure than any of the passwords listed above. Complexity of the passwords is not in the least important. Passwords used for authentication should be hashed before they are stored, and passwords which are used for encryption will always be hashed and artificially lengthened before they are used, which results in a different password than you typed, so your password does not need to be cryptographicly strong.
The only thing important in your passwords (or pass-phrases if you prefer) is that they are long, and not in any dictionary.
On that note the English language may have 500,000 words, but hacker dictionary's also contain "words" like asdfzxcv and aqswdefr. Just something to think about.
As for long passwords being hard to remember, I have several fully random passwords which exceed 15 characters, and one which exceeds 20, which I have memorized.
This URL is now my pass-phrase.
INVINCIBLE!
Also a good place to try out your passwords, I've used it to create some AMAZING passwords.
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
George, I disagree. passwordmeter.com does not support pass-phrases, and as such doesn't know that "this is fun" in reality is more secure than "J4fS<2" (and far more usable).
Hi Thomas,
Very nice article indeed and Definitely you are very right in your descriptions.
You would agree that this technique is actually nothing more than a common sense which is most uncommon. I have been using this technique for a long time now (Never thought of writing an article though).... may be around 4-5 years... as i could never remember my password.
I see that you didn't answer the point raised by Fabrizio Menghini Calderon on Aug. 13, 2007 that is, most websites do not allow spaces to be used and hence no pass phrase. I thought I would answer that and see if you agree.
The only changes that I do are:
1. Use underscore instead of a space.
2. Make the first word capitalized
Hence the pass phrase: "i am invincible" becomes "I_Am_Invincible"
Now even Mathew would agree that this pass"word" has 15 characters and combination of Cases and Characters. But still, it is probably the easiest to use.
People (for added security) may choose to make the last character capital instead.
But still... the chain is as string as the weakest link and that is the user itself. "So_Never_Tell_Your_Password"
I am sorry. Please read the second sentence as "Make the first letter capitalized"
I mean, I have been a sysadmin for years and never read such a simple informative articla about passwords.
Very informative and helpful. I just realized the passwords I have been making are terrible!
There are two things I would like to add to this list:
1) If you are trying to create a password for a local administrator or something similar *always* vary the password depending on the name of the computer. This prevents people just getting the password for one computer and having access to all of them.
2) the info mentioned in this guide is just slightly incorrect. With the resources I have available, which are possibly on the hefty side, I can generate roughly 30 billion combinations per second. This doesn't effect online logins, but it means that cracking a hash ( the stored version of the password on your harddrive or stored in the website database ) is reasonably simple.
3) there are various websites which will crack most simple hashes for 6 or 7 letter passwords in a matter of seconds.
Traditionally, when you enter your password, the server takes a hash of the password, eg md5($pass). In reality, a much more secure method would be to add the given username onto the end of the password, making it really hard to crack the password hash.
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Avian, you wrote: "the info mentioned in this guide is just slightly incorrect. With the resources I have available, which are possibly on the hefty side, I can generate roughly 30 billion combinations per second."
This article is was specially made for the scenario of being able to generate 100 passwords requests per second. It is true that if you have local access to a file or database, then you can make many more request per second. You cannot, however, make that number of requests to a webserver (not even Google's).
In a recent test, I could only request data from e.g. Google 25 times per second (and their servers are some of the fastest on the planet).
but no matter how you look at it - a usable and easy to remember pass-phrase is still the most secure option.
I'd also recommend a simple script that detects too many failed login attempts and logs the IP address of the person doing it. This information can simply be used to deny that IP address access to the server or to report it to the author=ities. Of course, the person is likely to use a proxy, but it'd be inconvenient to have to find a new one, and if a serious offense is committed, even 7 proxies can't save your ass.
i agree on that but i think robots are bypassing this as we speak right now...so back to the drawing board ;)
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Gamecube, robots? what robots?
Anyway, the limitation is not in how you request data, but in the transferring of data over the internet and the speed of which the server can validate a password request. So I fail to see how any robots can make a difference
I can't remember my GPG password because I wrote it L33T-like, randomly, and can't remember which "e" is 3 and which one isn't... -_-¡
Awesome article, I'll definitely keep this in mind for both personal and biz password ( 3 common word).
Very interesting information. I'm trying to find studies on the effectiveness of complex passwords for a school paper. Do you know of any real world metrics on how a company with a complex password policy has avoided hacking? Seems to me that most people will intuitively know that complex versus simple is better, but I'd like to find some actual research.
very good article ! (could it be my new password ? :D )
Thanks a lot!!!
my password is nigger, that way, if the hacker isn't racist, he would be morally opposed to using it.
Very interesting. I just forwarded your article to some of our IT specialists. Thanks!
Very useful info.
Definitely easier to remember a complex password if you make a password using the aove
Awesome article, Thomas! I'll definitely keep this in mind for both personal and work related use.
French translation of this article is avalaible here : http://nicosomb.62actu.net/post/2008/08/22/Choisir-un-mot-de-passe-securise-et-facile-a-retenir
I mean, I have been a sysadmin for years and never read such a simple informative articla about passwords. Werbeagentur Graz
This article is interesting, I myself will also take into account personal and professional bound!
Great read, I'll definitely keep in mind the different potentials in the passwords I choose.
If you think of the numbers 0-9 as a mobile phone keypad its really easy to make up patterns that are easy to remember. For instance a patern of a Z would be:
1-2-3-5-7-8-9 (obviously you would make up more complex patterns)
Easy way to make a good password
Fantastic writeup on passwords. It makes an issue that is complex for many people very easy to understand. One thing that i tend to disagree on is how a phrase is harder to crack than a pw with a nonsensical combination of letters and characters.
I would make a pw similar to this
*(#timet0gt0w0rk!@)
I do not see where a pw like
time to go to work
would be less susceptible to a hacker.
If you use simple phraseology and use numbers and characters to complicate it the password is nearly uncrackable. you do not have to use different characters for each new pw but can use the same characters over and over again as you change the phrase.
The one form of password cracking you did not mention is social engineering. Because end users are becoming better educated about what types of passwords to use hacking techniques that rely on social engineering, such as phishing scams, are on the rise.
There is no defense against social engineering except you the enduser.
excellent writeup. Thanks
Me neither, I never read this information!
But this is a beautiful article on passwords!
Thomas,
Great article.
I was pondering about create a blog with technical tips like this, do you agree to I make a brazilian portuguese translation of your articles, not only this, but any other too?
Some body asked about using other languages in the password or passphrase, and you said that depends on who is trying to crack it. My question is: What about mixing languages in the passphrase (or password): for example "Here אני estou" => "here I am" mixing english, hebrew and portuguese.
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Marcos, mixing languages would probably make it a lot harder to hack.
As for using my content, then I got a general rule. I do not allow anyone to "republish" my articles without permission, and I generally do not give that permission unless the site has been online for at least a year - and has a proven track record.
You may quote the article and use a part (if you credit me and link to the original article).
Actually, I started my own translation of it, and I'll post it maximum tomorrow.
I gave to you the credits in the first paragraph, and I'm not using only your article to compose mine. I hope you agree to that.
If you not agree, I'll remove it, but will be sad to me and to my friends that don't speek english.
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Marcos, that is fine with me :)
Thomas, your article is fantastic. The company I am working for right now is thinking of changing its security policy, and you've inspired me to calculate the time to crack a password on the old policy, vs. the new policy - to see whether the change is worthwhile or just trivial.
The old policy is: 6 chars, incl. one number or symbol
The new policy is: 8 chars, inc. one number or symbol, and one capital
I can calculate brute force - I believe the new one is 8836 times stronger. But I don't think I can calculate the easy case of a dictionary attack unless I know how many 5+- and 7+-letter words there are in English.
The simplest password someone could come up with for the first policy is something like: smile7. That certainly can't take that long to crack.
The simplest password someone could come up with for the second policy is: Friends7. That doesn't seem like it would take much longer, given that most people will probably capitalize the first letter in the password.
Would be interested in hearing your thoughts. I'm starting to think that the change in policy wouldn't be that helpful and instead more time should be spent on user education (teaching them how to make good, memorable passwords as you've shown people here).
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Meredi, I apreciate that you like my article :)
But, I find that your question is irrelevant. It seems that the company has already decided to make the company's passwords more complex - and my article is about that "making things more complex is not the way to go".
So my advice to you is to completely drop the notion of introducing a more complex password altogether and instead advocate the use of a pass-phrase.
Forcing people to use complex passwords is a misguided way to look at security, and it doesn't work in the real world. Saying that it should contain 8 characters, including one number or symbol, and one capital - is not the solution - regardless of how you calculate your stats.
The other thing to remember, do you really have a security risk - is this some fantasy made up by the security people in the IT department. Is there really any real reason why you would introduce a new password policy? Have anyone's account been hacked - and if so, did they really hack the password? ...and if so, did they then really hack-hack the password, and not just read it off a post-it note next to the screen.
Unless you work for some government agency, or a high-profile political candidate, I think the answer to all these questions is "NO".
Thanks for the quick response, Thomas.
The final decision about more complex passwords hasn't been made - the team wants to make them more complex, and as a usability consultant I naturally have reservations. I was trying to decide if the more complex passwords would increase security enough to justify a decrease in usability.
I am definitely considering passphrases at this point, but my client runs an ecommerce website and I can't say I've ever seen passphrases used on a website before. What I'm uncertain about is if people have decided AGAINST them for some reason I can't figure out. Have you ever heard any criticisms against them?
There is indeed a legitimate security concern: a competitor site was broken into a while ago and numerous customers were phished with data stolen from the site. So they're trying to prevent the same from happening to them.
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
I was trying to decide if the more complex passwords would increase security enough to justify a decrease in usability
That is precisely the thing that I am trying to advocate against... Security and usability is not mutually exclusive things. You can have great security and highly usable solutions all at one. Pass-phrases are one of those solutions.
It sounds to me like you are dealing with regular IT people that have been brain washed by the security companie's scare tactics. I am constantly amazed how blindly IT people believe the security community. I admit that there is a remote theoretical possibility. But the only way to fully protect you is to take your site completely offline.
Create smart security solutions - not complex ones - so that security is there, but isn't limiting us, or degrading our lives.
Obviously you want to make a system where it is impossible for one user to see data from another user, one where the data is encrypted in the databases, and one where personal data is stored and handled on the server, and not at the user's computer. All of which can be done quite easily, and without making things more complex for the people using your site.
There is indeed a legitimate security concern: a competitor site was broken into a while ago and numerous customers were phished with data stolen from the site
If that is the reason, then the whole notion about making more complex passwords is ridicules.
Nobody is capable of hacking a single person's account and stealing content from multiple accounts. Unless the person that was being hacked is the administrators, or possibly the master password to the database.
In this case, the only password that needs to be more complex is the one used by the IT department. Why should the "regular" people be punished? To do what you say has happened on a competitor's site, you need IT level access - not user access.
Secondly, nothing indicates, in what you write, that it was the password that had been compromised. It is much more likely that they gained entry used a SQL injection hack or some other flaw in the system. Like when you, with previous version of facebook, could write a special URL to gain entry to private pictures.
I am sorry to say this, but I think that the IT people you work with are incompetent. They blindly believe in old myths that are not only wrong, but also create a terrible user experience for anyone.
It takes 1 month to hack a password with 6 characters, with 100 attempts per second. Surely, it would be easier to simply check you server logs, or create a system that checks how many times someone has attempted to gain entry to an account. If an account has been access more than - say 500 times - in a single day, then you could simply lock it down.
Why give everyone a bad time by having to remember a hugely complex password, when the real problem is in the IT department - and that they could simply eliminate the problem by checking their log files with some automatic script. But again, I don't think that the real risk is with the passwords. I think the real risk is somewhere else - with the systems.
So they're trying to prevent the same from happening to them.
No they are not. It sounds to me as if they have absolutely no idea what they are doing...
I must admit that I get angry when I hear something like this, and I am sure you feel the same since you are a usability consultant :)
Thank you for taking the time to publish this information very useful!
Useful inforamtion for those who use the web.
Ya pas que la voyance dans la vie, il faut s'informer.
The solution to the first two are simple stop giving your password to people. Would you give them your social security number?
I mean, I have been a sysadmin for years and never read such a simple informative articla about passwords.
Wow, I just learned A LOT on password security. Highly useful information. Thanks!!
Hey, that's great advice! I have som many passwords that I have to track them, so this is a whole new way (for me anyway) to evaluate usability vs. risk. Cheers!
Useful article for password protection. Keep it up. I will refer this article to my friends
I prefer "password" as my secret password... :o)
Thanks for your great article and the worthful information.
Great writeup on passwords. In my opinion, passwords can be easily made that are very difficult to crack. What this article does is show people that are unaware of the dangers of making a weak password aware of the dangers and why. Also gives a great mindset on how to really make a password that is both easy to remember and dificult to crack.
Great start...now you need a password/phrase management system.
At work I have no fewer than five logins I must manage. Each one has slightly different password requirements. Each has a different expiration period and none of these systems sync with each other.
I also have to manage somewhere between 50 and 200 website logins.
What I've come to is that I use a passphrase as the base for logins. Each login has a passphrase that is somehow linked to the site. To add a bit of security around that, I'll add pre and/or suffix characters to the phrase; same pre/suffix for everybody. Now each site is unique but easy to remember.
For logins that expire at work, I just switch them all the first day of the month. I stick the current month number somewhere in the logins (so far the systems don't reject attempts to use similar passwords).
Everybody is happy...
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
BTW: Just a quick note... it makes absolutely no sense to have more than a single password for all the systems at work... I am just one person - so I should need one login, and I should only need it once... being when I first turn on my computer.
Thanks for the info, i am going to rethink the way i use and create passwords.
"this is fun" can be guessed using a simple algorithm: Get a list (publicly available) of natural english words sorted in order of frequency of use - this kind of style
For N=2 To Maxwords
Pick_Next_N_Words_From_Frequency_List
Put_Spaces_Between_Them
Try!
Next N
the the
the of
the to
...
the the the
...
this is fun
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Wonder, I invite you to actually read my article... I wrote about "Common word attacks", which is basically what you describe programatically.
But the whole point is that "this is fun" is far more secure than "J4fS<2", eventhough the hacking method differs. There are 25 letters, 10 number and about 15 common-special characters... but there are about 500,000 english words.
Obviously it takes a lot longer to test the combination of 3 words in a 500,000 word list, than a number of characters in a list of 50 characters.
According to the British National Corpus frequency list
ftp://ftp.itri.bton.ac.uk/bnc/all.num.o5
"this" is the 24th most frequently used english word
"is" is the 9th most frequently used english word
"fun" is the 3958th most frequently used english word
thus, 24x9x3958=854.929 guesses will do the trick.
You assume 100 password requests per second.
Therefore, 855.929/100/60/60 = 2,37 hours is enough, leaving "this is fun" somewhere between "risky" and "useless" in your own terms.
"Obviously it takes a lot longer to test the combination of 3 words in a 500,000 word list, than a number of characters in a list of 50 characters."
Obviously not!
500.000 x 500.000 x 500.000 = 1,25E+17
50 x 50 x 50 x 50 x 50 x 50 x = 1,56E+34
assuming 3 words ("this is fun") vs 6 chars ("J4fS<2")
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
First of all... I think you need a new calculator...
500.0003 = 1,25E+17
506 = 1,563E+10
Secondly, you cannot hack a password using the (24x9x3958=854.929 guesses) method. Unless you know the password in advance (in which case you don't need a word list)...
The first 24 attempts are easy enough...
a a a
an a a
...
this a a
But then your method breaks down, because when you reach "this is a" you don't get a match and the next test would be "this it a" not "this is an" etc. The system cannot stop when it reaches the right word. It only returns a match when the full sentence is correct.
If you do it in reverse, then the problem is the same. You get "a a a", "a a an"... "a a fun" (in 3958 attempts)... but since that doesn't match either it continues testing "a a funk", "a a funky" etc.
"First of all... I think you need a new calculator..."
You're right!
"Secondly, you cannot hack a password using the(24x9x3958=854.929 guesses) method. Unless you know the password in advance (in which case you don't need a word list)..."
I don't need to know the password in advance. All I assume is, that the password consists of a number of english words with spaces between them.
' Assuming 3 words
for i=1 to 500000
for j=1 to 500000
for k=1 to 500000
Try(list[i] & " " & list[j] & " " & list[k])
next k
next j
next i
Now, generalize this: Assume 1 word, Assume 2 words, Assume 3 words, Assume 4 words, ...
Conclusion 1: 854.929 guesses will do - assuming 3 words.
Conclusion 2: Use passphrases but include special chars - that'll fool the frequency list.
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
Wonder, I appreciate you are taking the time to not only read my article, but also write comments, but you are not right in your assumptions.
The loop you describe will not match "this is fun" in 854,929 attempts.
To prove this I made a small test case. I create a very short word list "a,lamp,head,summer,this,car,cranberry,kid,future,fun,sponge,tv,unpredictable,ipod,is,mean,cola,experience,car,juice". According to you, I would be able to hack "this is fun" in just 5x15x10 = 750 attempts (the location of each word in the wordlist).
http://www.baekdal.com/x/hacktest.asp
But, when I reach 750 attempts I get to "lamp experience fun" (The test above uses your code example).
With a short list of only 20 words, I would need 1890 attempts. And using a much larger list of 500,000 words that number will grow exponentially.
"This is fun" cannot be hacked using the loops you describe, because it cannot stop when it have reached a partial match.
I do however, agree that adding a non-word to a passphrase will make the password much harder to hack. Specifically because you then eliminate common-word attacks, but instead have to resort to brute-force.
But, it doesn't matter much for most people. Using three words is "secure forever".
Writer, Project Manager and Interaction Designer
follow me on Facebook, Twitter, Flickr, or visit my website
BTW: Same story with when you filter out repeated words (using 3 distinct words)
Great reference about the usability of passwords. Thanks for your interesting and informative article.
Great information on password security. Internet world is not safe, there are alot of hacking happening around, the best solution is to keep changing your password quarterly but we will have too many password to remember!
I have taken te same password for more than 10 years. Until today I have never had any problems. I think my password would be very simple to crack, but who could be interested at hacking it?
@George: how safe is http://www.passwordmeter.com? I dont want that everybody now my passwords.
This information is important for anyone who uses passwords in any system. Thanks a lot for sharing this infos. I think, most people don't know the risks of a unsecure password...
Yeah, these are some really nice ways to look at cracking a password ;-)
Useful inforamtion, really great ! Thanks.
always use numbers and letters and * # $
ı have followed your writing for a long time.really you have given very successful information.
In regards to the "fluffy is puffy" password, I wonder if you would type that in with spaces in between the words. I could be wrong, but most sites don't allow spaces used in the password field, right??
Comments has been temporarily suspended.
Baekdal.com is (nearly) everywhere. Check out our social profiles:
Published: August 11, 2007 
FaceBook
Twitter
LinkedIn
YouTube
FriendFeed
Delicious
Jacob Wyke
visit my website
Just need to get people to start using the term "Passphrase" instead of "Password".
I tend to use lines from books as then if i do forget a quick browse through the book and I tend to remember it again.