Pink Edition
The Usability of Passwords
Security companies and IT people constantly tells us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones.
So let's dive into the world of passwords, and look at what makes a password secure in practical terms.
How to hack a password
The work involved in hacking passwords is very simple. There are 5 proven ways to do so:
- Asking: Amazingly the most common way to gain access to someone's password is simply to ask for it (often in relation with something else). People often tell their passwords to colleagues, friends and family. Having a complex password policy isn't going to change this.
- Guessing: This is the second most common method to access a person's account. It turns out that most people choose a password that is easy to remember, and the easiest ones are those that are related to you as a person. Passwords like: your last name, your wife's name, the name of your cat, the date of birth, your favorite flower etc. are all pretty common. This problem can only be solved by choosing a password with no relation to you as a person.
- Brute force attack: Very simple to do. A hacker simply attempts to sign-in using different passwords one at the time. If you password is "sun", he will attempt to sign-in using "aaa, aab, aac, aad ... sul, sum, sun (MATCH)". The only thing that stops a brute force attack is higher complexity and longer passwords (which is why IT people want you to use just that).
- Common word attacks: A simple form of brute-force attacks, where the hacker attempt to sign-in using a list of common words. Instead of trying different combination of letters, the hacker tries different words e.g. "sum, summer, summit, sump, sun (MATCH)".
- Dictionary attacks: Same concept as common word attacks - the only difference is that the hacker now uses the full dictionary of words (there are about 500,000 words in the English language).
When is a password secure?
You cannot protect against "asking" and "guessing", but you can protect yourself from the other forms of attacks. A hacker will usually create an automated script or a program that does the work for him. He isn't going to sit around manually trying 500,000 different words to see if one of them is your password.
The measure of security must then be "how many password requests can the automated program make - e.g. per second". The actual number varies, but most web applications would not be capable of handling more than 100 sign-in requests per second.
This means it takes the following time to hack a simple password like "sun":
- Brute-force: 3 minutes
- Common Word: 3 minutes
- Dictionary: 1 hour 20 minutes
Note: "sun" has 17,576 possible character combinations. 3 letters using the lowercase alphabet = 263
This is of course a highly insecure password, but how much time is enough for a password to be secure?
- a password that can be hacked in 1 minute is far too riksy
- 10 minutes - still far too risky
- 1 hour - still not good enough
- 1 day - now we are getting somewhere. The probability that a person will have a program running just to hack your account for an entire day is very little. Still, it is plausible.
- 1 month - this is something that only a dedicated attacker would do.
- 1 year - now we are moving from practical risk to theoretical risk. If you are NASA or CIA then it is unacceptable. For the rest of us, well - you do not have that kind of enemies, nor is your company data that interesting.
- 10 years - Now we are talking purely theoretical.
- A lifetime: 100 years - this is really the limit for most people. Who cares about their password being hacked after they have died? Still it is nice to know that you use a password that is "secure for life"
But let's take a full swing at this. Let's look at "100 year - secure for life". It has good ring to it and it makes us feel safe. There is still the chance that the hacker gets lucky. That he accidently finds the right password after only 15 years instead of 100. It happens.
Let's step that up too and go for the full high-end security level. I want a password that takes 1,000 years to crack- let's call this "secure forever". That ought to be good enough, right?
Making usable and secure passwords
Now that we have covered the basics, let's look at some real examples, and see just how usable we can make a password, while still being "secure forever".
Note: The examples below are based on 100 password request per second. The result is the approach that is the most effective way to hack that specific password - either being by the use of brute-force, common words or dictionary attacks.
First let's look at the common 6 character password - using different methods:
In this example complexity clearly wins. Using a password with mixed case characters, numbers and symbols is far more secure than anything else. Using a simple word as your password is clearly useless.
Does that mean that the IT-departments and security companies is right? Nope, it just means that a 6 character password isn't going to work. None can remember a password like "J4fS<2", which evidently mean that it will be written on a post-it note.
To make usable passwords we need to look at them differently. First of all what you need is to use words you can remember, something simple and something you can type fast.
Like these:
Using more than one simple word as your password increases you security substantially (from 3 minutes to 2 months). But, by simply using 3 words instead of two, you suddenly got an extremely secure password.
It takes:
- 1,163,859 years using a brute-force method
- 2,537 years using a common word attack
- 39,637,240 years using a dictionary attack
It is 10 times more secure to use "this is fun" as your password, than "J4fS<2".
If you want to be insanely secure; simply choose uncommon words as your password - like:
A usable and secure password is then not a complex one. It is one that you can remember - a simple password using 3+ words.
It is not just about passwords
One thing is to choose a secure and usable password. Another thing is to prevent the hacker from hacking password in the first place. This is a very simple thing to do.
All you need to do is to prevent automatic hacking scripts from working effectively. What you need to do is this:
- Add a time-delay between sign-in attempts. Instead of allowing people to sign-in again and again and again. Add a 5 second delay between each attempt.
It is short enough to not be noticeable (it takes longer than 5 seconds to realize that you have tried a wrong password, and to type in a new one). And, it forces the hacker to only be able make sign-in requests 1 every 5 seconds (instead of 100 times per second). - Add a penalty period if a person has typed a wrong password more than - say - 10 times - of something like 1 hour. Again, this seriously disrupts the hacking script from working effectively.
A hacker can hack the password "alpine fun" in only 2 months if he is able to attack your server 100 times per second. But, with the penalty period and the 5 second delay, the same password can suddenly sustain an attack for 1,889 years.
Remember this the next time you are making web applications or discussing password policies. Passwords can be made both highly secure and user-friendly.
Comments
Jesper Rønn-Jensen - Aug. 11, 2007
Great points, Thomas.
I really hope that the rest of the web developmentment world finally gets that usability is not contrary to security.
Thomas Baekdal - Aug. 11, 2007
Jacob, Indeed - the correct word for this is "pass-phrase". But, since many people do not know what that is I opted for simplicity and called everything for password.
Thomas Baekdal - Aug. 11, 2007
Jesper, Thanks!
The problem, I think, is that IT often seem to be stuck in the dark ages when it comes to handling things like security. Instead of solving the problem, they lock everything down. To IT the best website is one that isn't connected to the internet... :)
Tero Lepisto - Aug. 11, 2007
I was wondering that using hash-algoritms to store pass-phrases could "weaken" some of them.
Although, using those penalty times between false login would make it "forever" to hack.
Thomas Baekdal - Aug. 11, 2007
Tero, There is indeed a potential problem with Windows hash-algorithms, but it is easily solved.
The problem is that all Windows versions except Windows Vista, stores and transmits the obsolete LM hash for backward compatibility. It doesn't actually use it, but transmits it anyway.
There are three kinds of Hash-algorithms in use on Windows: LM, NTLMv1 and NTLMv2.
The only one to be concerned with is LM, which can potentially be hacked in a matter of hours if you got local access. It takes 19 hours with 1,000,000 requests per seconds, and you cannot create that many requests remotely. Thus the problem is not related to web applications, nor with any other kind of application where you cannot read the hash directly.
NTLMv1 and NTLMv2 is both "secure forever".
There are three ways that completely solves the problem with the LM hash algorithm (either one solves the problem)
1: Use a newer windows operating system (Windows 2003 server and Windows Vista), and if you cannot do that, disable LM hash backward compatibility (you do not need it).
2: Never expose the password hash to the outside world - handle passwords in your backend system. Do not involve the client computer in this process. Note: This is how most web applications work anyway.
3: Choose a password with 15+ characters - like: "there is a chance" or "inspired by design". The reason is that LM algorithms only work with passwords that are no more than 14 characters. If your password is longer, the LM hash defaults to "0" (or rather the hash of "0") and NTLM is used exclusively instead.
Hash hacking is not an issue for most people. A hacker needs local access to exploit it.
Lea de Groot - Aug. 12, 2007
Excellent article, Thomas.
I loved that you quantified the risks - I'll be pointing users at the article, to convince them that their dogs name is not a good password... :(
Jean-Marc Fontaine - Aug. 12, 2007
Great article Thomas but maybe you should emphasize more that your recommendations are only true for web applications.
For example brute force cracking a password protected file can be much easier. No penalty period can be applied and the number of tries per second depends mainly on the CPU speed.
The CPU power increasing continuously the year needed today to crack the password could be a day next year.
Thomas Baekdal - Aug. 12, 2007
Jean-Marc, While it is true that local access to e.g. a password protected file means that you can attack a password with much greater speed - a simple password like "this is fun" is still 10 times better than "J4fS<2".
and "Fluffy is puffy" is still 180,000 times more secure than "J4fS<2".
This is not related just to web applications - any system would be more secure by using pass-phrases instead of comlpex passwords. The main reason is that as complex passwords gets longer, it also gets harder to remember (thus will be writtin down which destroys the added security it provides).
While you can remeber "2>my", it is impossible to remember "fHe47yF#kd%sgjs&wk". But remembering a pass-phrase of the same length is easy - like "inspired by design".
Thomas Baekdal - Aug. 12, 2007
BTW: It is true that never CPU's provides greater speed when hacking password. For the same reason it is essential that developers prevent this by adding delays - regardless if it is in a web application,, desktop program, or in a file.
Making password secure cannot be done by putting the burden on the person. It is the developer who needs to make it right.
Jean-Marc Fontaine - Aug. 12, 2007
Thomas, I was talking about the times announced. I agree that the ratios are the same.
I do not see how a delay can be added to a file, a zip archive for example.
Thomas Baekdal - Aug. 12, 2007
I do not know how password in zip files work today, but the way to make a file secure is not store the password within the file, but instead use a e.g. 128 bit hash instead.
This means if you only got the file, you will to crack an insanly secure hash value.
The zip program is then the one who needs to have built in delay mechanism. It, simply put, will turn the password people enter into a hash value, which, un turn, it will then compare with the one in the file (with a delay). If it matches, then it unlocks it - if not... well...
Or if you unlock mechanism in embedded within the file - like with products like "LockNote" - it (the unlock mechanism) needs to have a a delay added to it.
Tara Kelly - Aug. 12, 2007
I agree on the problem with using the term "pass-phrase". This is something we came across with PassPack too.
We encourage using pass-phrases, but people don't know what that means and get frightened. But "password" is just too misleading. In the end, we opted for "Pass" and then suggest using a "normal sentence."
Good choice or bad choice? Don't really know yet, but so far no one has asked "what's a pass?"
Fabrizio Menghini Calderon - Aug. 13, 2007
Nice article Thomas...
The use of a pass-phrase is definitely better than a password, but a lot of time is useless, because a lot of websites doesn't support spaces or punctuation characters in the passwords. This is very annoying because I have a pass-phrase that I want to use for all the website, but sometimes I can't register it with an account. That's why currently I have to use a pool of pass-phrases and passwords for the web... A simple list with a priority, depending on the password policy provided by the website on which I'm creating my account.
When I have to register an account I use the first pass-phrase (the most complicated, but simple to remember). If the website doesn't support the pass-phrase I use the second password (systems that don't accept spaces). The third entry is for websites that only support alphanumeric characters, the fourth for websites that only support characters and the last for websites that only accept passwords with a length lower that 8 characters (in this case the password is only 6 characters)...
I know that sometimes is difficult for me to remember what password or pass-phrase I've used in a website, but is the only one solution (for me) to contrast the problem in this password policy granularity...
Bambang - Aug. 14, 2007
Good article, thanks.
I want to know how to calculate the time to crack those password? I'm still newbie...
How about this password:
64.572.881.649
how much time to crack it?
Thomas Baekdal - Aug. 14, 2007
Bambang, The way to calculate it depends on how much information the hacker has. If he knows that it is made up of 3 numbers separated with a dot, then it is going to be a lot easier.
Known structure: xx.xxx.xxx.xxx consists of 100,000,000,000 possible combinations: 10 numbers (0-9) and 11 of them is 1011.
Meaning it will take 32 years to crack using 100 attempts per second.
If the hacker does not know the structure, it will take a lot longer. Usually a hacker will try a password using different brute-force attacks:
a-z = forever (no match)
a-zA-z = forever (no match)
a-zA-z0-9 = forever (no match - no dots)
a-zA-z0-9+symbols = 5,062,982,072,492,060,000,000 combinations, or 1,605,461,083,363 years to hack (or 350 times longer than the current age of our solar system)
If the hacker knows that the password only consists of number and symbols, then that time can be shortened to:
0-9+symbols = 717,368,321,110,469,000 combinations or 227,476,002 years.
So the safety of the password depends largely on how much the hacker knows about its structure. But, it is generally extremely safe!
Bambang - Aug. 14, 2007
Wow that's very very long time to crack. Thanks so much for the information. Now I'm feel more secure :)
George - Aug. 15, 2007
How about "password phrase"?
You know, I never even thought about using simple phrases for a password, mostly because I've always been asked to make a passWORD.
I think many people force themselves to stick to one word because they think that anything else will not be accepted.
If the whole concept of "password phrase" catches on, then I think password crackers are going to have a lot more trouble...
Will definitely be taking along the recommendation for login time-outs and such to slow down attacks.
Mathew Currie - Aug. 16, 2007
Fabrizio - you should NOT use the same password / pass phrase for ALL websites. This is the same those websites "Asking"
You're potentially telling a non-trusted site how to access your email, E-bay, bank etc.. etc..
Have different "secure" passwords / pass phrases for e.g. payment / work / bank sites and possibly have a "low security" password / phrase for signing up to interest sites like magazine subscriptions and so on.
Mathew Currie - Aug. 16, 2007
Thomas,
Thank you for the very thought provoking article.
Firstly I can't help but think that you are guilty of a bit of "spin", though. Have you worked in sales before, by any chance?
If I can play devil's advocate for a moment - the "3 common word" passwords "this is fun" could be described as "at least eleven characters including two spaces" in the traditional (IT) view of the world. So it's not correct to say that pass phrase is "more secure" than a password - only that it's easier to remember a longer set of characters.
As an IT person it would be a lot harder for me to sell to a visitor / user - "You need a password that is eleven characters long with at least two spaces" than to suggest "pick three words". So I applaud your suggestion of 11+ character long passwords in such a user friendly way :-)
Secondly I'm not sure that I agree with you about your comments on delays and fixed penalties for two reasons.
1) It would be very unlikely that I could sell to my UCD / User Experience team that we need to impose a deliberate delay of 5 seconds before responding to a password input remembering that it is important to enforce the 5 second delay even for successful attempts.
As a "hacker" knowing about the 5 second delay, I would give up waiting after 1 second and start another hack attempt unless I knew I had to wait 5 seconds to find out if the password was successful. Of course that delay would only take one thread out - I'd have hundreds of concurrent threads trying to hack.
I'd need your selling skills to get this past them!
A bit of an aside but there was an interesting article describing how hackers could work out if an ID was valid because of the difference in time between a "invalid user" and a "valid user / invalid password" response.The research was by "Andrew Bortz" http://crypto.stanford.edu/~abortz/ the article "Exposing Private Information by timing Web Applications".
2) The imposition of a "fixed penalty" needs to be considered of very carefully. It's very easy to make the mistake of thinking that you can e.g. use a cookie to tell how many attempts have been made. As a hacker I would wipe my cookies after every attempt - so don't rely on cookies.
What about IP address? Well, that too can be problematic.The visitors I deal with (in the UK) are predominantly from two ISPs - AOL and NTL, as well as some large corporate / government gateways such as the NHS. All of these proxy so attempting to block based on IP address (especially with AOL) could potentially disable a significant percentage of visitor traffic. AOL for example only has a few tens of proxies in the UK. Know your visitor base - but for my organisation IP wouldn't work. This is where dedicated IDP tools come into their own. 100 requests per second (and hopefully a lot less!) should trigger IDP to discard any attempts before the developer has to deal with them.
At an application level, internally logging the number of attempts against a given ID is probably the only way to do this however this has performance overheads that shouldn't be overlooked especially in a multi-server / multi-located environment.
Mat.
Thomas Baekdal - Aug. 16, 2007
Mathew, First of all, I think it should be illegal to write a comment that is longer than the original article (just kidding of course :o))
Secondly, I do not work in sales, but I do work with marketing. Am I guilty of "spin", no - I am just speaking plain English, instead of making it technical :o)
But...
As for the "3 common word", then, unfortunately, you are wrong. It is not a 11 character password, because if it was, a hacker would have to use brute-force, instead of a common word attack - and that would take 1,163,859 years, instead of the 2,537 years using a common word attack.
So it is precisely what I wrote - 3 common words. It does not have to include 11 characters. As an example, a common word password totaling 7 characters would still be more secure than "J4fS<2".
As for the 5 second delay, then I do not agree with you - it is not even close to being as hard as you point out.
1: Why would you have to enforce a 5 second delay if the password is right? I would only add a delay between sign-in attempts not during.
2: You cannot have 100 concurrent attempts if you made it the system correctly. What you do is, simply, to look at the user-name being used, instead of IP-addresses or cookies. Every time a person tries to sign-in, you put the time into the database in a field called e.g. "signinTime" and have another field called "signinStatus" to indicate if he was successful or not.
...And do it server-side, so the hacker cannot tamper with it. Using this method you couldn't even attack using 3 different computers in 3 different countries. The delay is added server-side and thus applies to the username, not where the hacker is attacking from, or what method he uses.
3: I cannot see the relevance of the article you refer to. I think security people and web application developers should read it, but it deals with finding a username, not being able to hack a password. As such, they never gained access to protected information. Good link for developers and thank you for pointing it out - but it is not relevant in this case.
4: A hacker cannot "wipe" a cookie if you use server-side delays to protect you from attacks (read point 2)
5: The same with IP address - user server-side delays based on the user credentials instead of any local information (read point 2). If you do that, you will not have any of the problems that you point out.
Handling passwords is pretty simple. People can choose a simple password that is secure, and developers can prevent attacks using simple methods. You can make it hard and technical, but when you do you run into all sorts of problems - and there really is no reason to do so.
Bhavesh - Aug. 20, 2007
Nice article, but you completely FORGOT keyloggers? They are one of the most frequently used methods to acquire passwords/phrases.
Thomas Baekdal - Aug. 20, 2007
Bhavesh, Heh... Yes, I forgot about thanks. Thanks for the heads up!
BTW: Not much we can do about key loggers, though.
WiseGuy - Aug. 21, 2007
Thomas - Amazing article. It didn't really tell me anything "new", however, it gave me statistics to back up my facts, and a way of putting things simply.
I work as a tech for a major Norwegian corporation, and one of my daily annoyances is people forgetting their passwords, because that's just what they are not, at least not usually, most of my users actually use letter and number combinations for their passphrases.
All the best - WiseGuy
Rob - Sep. 5, 2007
Fun, try to find a form that allows you to fill in "huffy in puffy" as a pw.
In our big company we have to use 3 pw´s since you have to change every 30 days => Result: They are on a post-it on the monitor on most desks :-)
Atlanta Realtor - Feb. 24, 2008
This really opens my eyes to some hings I never knew about when it comes to passwords. I recently thought my e-mail and some other accounts were compromised, and had to get professional help. I see things in a different way now because of that experience.
Designer Portfolio - May. 1, 2008
Wow, very nice article. I will keep this in mind when I need a password next time. Thank you!
Thomas Grefsrud - Jun. 4, 2008
Just wondering, how much will using a different language than English improve attempts? Say Norwegian? For example something like "Passordet mitt er passord. :p"?
woog - Jun. 4, 2008
Which is it going to be, overdesigned "tasteful" tiles or leet computer security tips?
Mark Davidson - Jun. 4, 2008
I just found this via StumbleUpon, in case you're interested.
Great article, Thomas. Could this somehow be combined with another tip I've seen?
http://www.jjmelo.com/blog/2008/02/26/the-best-password-remembering-tip-youll-ever-encounter
Anyway, this article has inspired me to make a quick-and-dirty Flash animation which would allow people to test their passwords. Don't worry, I'm not good enough at Flash to be able to harvest those passwords.
So, I'm off to make a Flash animation! I'll let people here know when it's ready!
Thomas Baekdal - Jun. 4, 2008
Thomas, I do not think writing it in norwegian is going to change much - it largely depends on who is hacking your account.
Woog, Both. My articles is about how to create great products, user-experince, management etc. whereas my design section is all about design. If you just want one of them you can always choose not to go to that section directly - or subscribe to an RSS feed that only contains the content you want.
Mark, that is an interesting way to remember your password. I actually do something similar for some of the online accounts I have signed up to.
Calibre - Jun. 4, 2008
I've found that the dreaded L33T-speak makes for very efficient passphrases. Replacing your three-word example "thisisfun" for "th1s1sfun" greatly increases the security of the password (by adding ten possible characters and voiding the usefulness of dictionary attacks) while still keeping it very simple to remember. It's easy enough to replace I=1, A=4 and E=3 for anyone to remember, and while a script can easily be written to make these replacements in a dictionary attack, it still takes that many more tries to crack the passphrase.
Mike - Jun. 4, 2008
You said that there is nothing that can be done about a keylogger, and I'm not a professional in this field, but I do quite a bit of programming and have written several applications which require that specific programs be closed.
What if you were to incorporate this sort of "script blocking" in the log-in attempt? Basically what I'm saying is when the user attempts to log in, you require that all other applications off a specific list be closed. This list can then be stored on the server, where the user cannot tamper with it, and can be updated as needed.
Or better yet, instead of playing catch-up as my above paragraph suggests, why not simply stop all programs with write capability? This stops the key logger from writing to its log, thus preventing the attack.
And on the note of having the pass expire every 30 days, i would discourage this method because it does lead to the writing of the phrase itself. I would suggest changing the pass every 6 months or so, and never allow a repeat to be entered. This will allow the user time to memorize their new password, and once it expires, they never have to remember it again.
Like I said above, I'm not an expert when it comes to networking, but I know quite a lot about application development, and I think some of the techniques might apply in both fields.
Panther - Jun. 4, 2008
Awesome article, Thomas! I'll definitely keep this in mind for both personal and work related use.
Jarvis - Jun. 4, 2008
I wrote a post on this very topic this morning. You and I agree on many points.
lailai - Jun. 5, 2008
Can you post a link to the password-check website that you used as a example? I want to check my passwords!
Games - Jun. 5, 2008
Nice article. I used to work as a sysadmin and the passwords some people used were stupid. I do think that the human factor plays a bigger role than passwords, once you start getting to ones that have a couple of numbers in, though. People share them too readily, write them down, or just type them 'one fingered' while other people are at their desk. Even some people who change their passwords do it badly - Sarah01 one month, then Sarah02 the next.... Grrr.
antiques - Jun. 5, 2008
That's a really interesting idea. I've never knew how easy hacking a password could be
Marnus - Jun. 5, 2008
Keyloggers? Why not have the alphabet on the screen and you click on the characters of your password.
Cracking? How about one-time passwords, or even much better - 2-factor authentication, such as key cards that generate tokens that should be used with your username and pass-phrase.
I guess normal user accounts don't count as much to a hacker as a root / admin account (except for Internet banking though!). That's why the server should be patched, locked down and default accounts/passwords changed before you allow John Public access to your site.
It's unfortunately also a reality that some sites/systems do not allow special characters / spaces as part of the password. This can be a problem where you use the same password for multiple sites :(
But I totally agree with the article - if you have to choose a password, make it as easy as possible to remember, but as difficult as possible to guess.
Oh, and it doesn't seem like a good idea to have Debian generate a random password for you :)
Drew - Jun. 5, 2008
I do aggree, however if we assume you didn't tell anyone your password, and they therefore don't know what it is comprised of then the password aaaaaaaaaaaaaaaa is more secure than any of the passwords listed above. Complexity of the passwords is not in the least important. Passwords used for authentication should be hashed before they are stored, and passwords which are used for encryption will always be hashed and artificially lengthened before they are used, which results in a different password than you typed, so your password does not need to be cryptographicly strong.
The only thing important in your passwords (or pass-phrases if you prefer) is that they are long, and not in any dictionary.
On that note the English language may have 500,000 words, but hacker dictionary's also contain "words" like asdfzxcv and aqswdefr. Just something to think about.
As for long passwords being hard to remember, I have several fully random passwords which exceed 15 characters, and one which exceeds 20, which I have memorized.
austin - Jun. 6, 2008
This URL is now my pass-phrase.
INVINCIBLE!
George - Jun. 8, 2008
Also a good place to try out your passwords, I've used it to create some AMAZING passwords.
Thomas Baekdal - Jun. 9, 2008
George, I disagree. passwordmeter.com does not support pass-phrases, and as such doesn't know that "this is fun" in reality is more secure than "J4fS<2" (and far more usable).
Som - Jun. 13, 2008
Hi Thomas,
Very nice article indeed and Definitely you are very right in your descriptions.
You would agree that this technique is actually nothing more than a common sense which is most uncommon. I have been using this technique for a long time now (Never thought of writing an article though).... may be around 4-5 years... as i could never remember my password.
I see that you didn't answer the point raised by Fabrizio Menghini Calderon on Aug. 13, 2007 that is, most websites do not allow spaces to be used and hence no pass phrase. I thought I would answer that and see if you agree.
The only changes that I do are:
1. Use underscore instead of a space.
2. Make the first word capitalized
Hence the pass phrase: "i am invincible" becomes "I_Am_Invincible"
Now even Mathew would agree that this pass"word" has 15 characters and combination of Cases and Characters. But still, it is probably the easiest to use.
People (for added security) may choose to make the last character capital instead.
But still... the chain is as string as the weakest link and that is the user itself. "So_Never_Tell_Your_Password"
Som - Jun. 13, 2008
I am sorry. Please read the second sentence as "Make the first letter capitalized"
bulgaria property - Jun. 14, 2008
I mean, I have been a sysadmin for years and never read such a simple informative articla about passwords.
Recruitment Process Outsourcing - Jun. 25, 2008
Very informative and helpful. I just realized the passwords I have been making are terrible!
Avian - Jun. 27, 2008
There are two things I would like to add to this list:
1) If you are trying to create a password for a local administrator or something similar *always* vary the password depending on the name of the computer. This prevents people just getting the password for one computer and having access to all of them.
2) the info mentioned in this guide is just slightly incorrect. With the resources I have available, which are possibly on the hefty side, I can generate roughly 30 billion combinations per second. This doesn't effect online logins, but it means that cracking a hash ( the stored version of the password on your harddrive or stored in the website database ) is reasonably simple.
3) there are various websites which will crack most simple hashes for 6 or 7 letter passwords in a matter of seconds.
Traditionally, when you enter your password, the server takes a hash of the password, eg md5($pass). In reality, a much more secure method would be to add the given username onto the end of the password, making it really hard to crack the password hash.
Thomas Baekdal - Jun. 27, 2008
Avian, you wrote: "the info mentioned in this guide is just slightly incorrect. With the resources I have available, which are possibly on the hefty side, I can generate roughly 30 billion combinations per second."
This article is was specially made for the scenario of being able to generate 100 passwords requests per second. It is true that if you have local access to a file or database, then you can make many more request per second. You cannot, however, make that number of requests to a webserver (not even Google's).
In a recent test, I could only request data from e.g. Google 25 times per second (and their servers are some of the fastest on the planet).
but no matter how you look at it - a usable and easy to remember pass-phrase is still the most secure option.
Anonymous - Jun. 29, 2008
I'd also recommend a simple script that detects too many failed login attempts and logs the IP address of the person doing it. This information can simply be used to deny that IP address access to the server or to report it to the author=ities. Of course, the person is likely to use a proxy, but it'd be inconvenient to have to find a new one, and if a serious offense is committed, even 7 proxies can't save your ass.
gamecube roms - Jul. 4, 2008
i agree on that but i think robots are bypassing this as we speak right now...so back to the drawing board ;)
Thomas Baekdal - Jul. 4, 2008
Gamecube, robots? what robots?
Anyway, the limitation is not in how you request data, but in the transferring of data over the internet and the speed of which the server can validate a password request. So I fail to see how any robots can make a difference
jj - Jul. 21, 2008
I can't remember my GPG password because I wrote it L33T-like, randomly, and can't remember which "e" is 3 and which one isn't... -_-¡
Digital Frames - Jul. 22, 2008
Awesome article, I'll definitely keep this in mind for both personal and biz password ( 3 common word).
Dan Anderson - Jul. 22, 2008
Very interesting information. I'm trying to find studies on the effectiveness of complex passwords for a school paper. Do you know of any real world metrics on how a company with a complex password policy has avoided hacking? Seems to me that most people will intuitively know that complex versus simple is better, but I'd like to find some actual research.
Webdesign Köln - Jul. 26, 2008
very good article ! (could it be my new password ? :D )
Thanks a lot!!!
hooker - Aug. 4, 2008
my password is nigger, that way, if the hacker isn't racist, he would be morally opposed to using it.
Personal Coach Hamburg - Aug. 5, 2008
Very interesting. I just forwarded your article to some of our IT specialists. Thanks!
Guinness gifts - Aug. 11, 2008
Very useful info.
Definitely easier to remember a complex password if you make a password using the aove
Lohberger - Aug. 20, 2008
Awesome article, Thomas! I'll definitely keep this in mind for both personal and work related use.
nico_somb - Aug. 22, 2008
French translation of this article is avalaible here : http://nicosomb.62actu.net/post/2008/08/22/Choisir-un-mot-de-passe-securise-et-facile-a-retenir
Heidi - Aug. 25, 2008
I mean, I have been a sysadmin for years and never read such a simple informative articla about passwords. Werbeagentur Graz
Sexe - Aug. 29, 2008
This article is interesting, I myself will also take into account personal and professional bound!
best acne treatment - Aug. 29, 2008
Great read, I'll definitely keep in mind the different potentials in the passwords I choose.
big mans shop - Sep. 2, 2008
If you think of the numbers 0-9 as a mobile phone keypad its really easy to make up patterns that are easy to remember. For instance a patern of a Z would be:
1-2-3-5-7-8-9 (obviously you would make up more complex patterns)
Easy way to make a good password
San Francisco Lawyer - Sep. 3, 2008
Fantastic writeup on passwords. It makes an issue that is complex for many people very easy to understand. One thing that i tend to disagree on is how a phrase is harder to crack than a pw with a nonsensical combination of letters and characters.
I would make a pw similar to this
*(#timet0gt0w0rk!@)
I do not see where a pw like
time to go to work
would be less susceptible to a hacker.
If you use simple phraseology and use numbers and characters to complicate it the password is nearly uncrackable. you do not have to use different characters for each new pw but can use the same characters over and over again as you change the phrase.
The one form of password cracking you did not mention is social engineering. Because end users are becoming better educated about what types of passwords to use hacking techniques that rely on social engineering, such as phishing scams, are on the rise.
There is no defense against social engineering except you the enduser.
excellent writeup. Thanks
Voyance gratuite - Sep. 12, 2008
Me neither, I never read this information!
But this is a beautiful article on passwords!
Marcos Laredo - Sep. 18, 2008
Thomas,
Great article.
I was pondering about create a blog with technical tips like this, do you agree to I make a brazilian portuguese translation of your articles, not only this, but any other too?
Some body asked about using other languages in the password or passphrase, and you said that depends on who is trying to crack it. My question is: What about mixing languages in the passphrase (or password): for example "Here אני estou" => "here I am" mixing english, hebrew and portuguese.
Thomas Baekdal - Sep. 18, 2008
Marcos, mixing languages would probably make it a lot harder to hack.
As for using my content, then I got a general rule. I do not allow anyone to "republish" my articles without permission, and I generally do not give that permission unless the site has been online for at least a year - and has a proven track record.
You may quote the article and use a part (if you credit me and link to the original article).
Marcos Laredo - Sep. 18, 2008
Actually, I started my own translation of it, and I'll post it maximum tomorrow.
I gave to you the credits in the first paragraph, and I'm not using only your article to compose mine. I hope you agree to that.
If you not agree, I'll remove it, but will be sad to me and to my friends that don't speek english.
Meredi - Sep. 19, 2008
Thomas, your article is fantastic. The company I am working for right now is thinking of changing its security policy, and you've inspired me to calculate the time to crack a password on the old policy, vs. the new policy - to see whether the change is worthwhile or just trivial.
The old policy is: 6 chars, incl. one number or symbol
The new policy is: 8 chars, inc. one number or symbol, and one capital
I can calculate brute force - I believe the new one is 8836 times stronger. But I don't think I can calculate the easy case of a dictionary attack unless I know how many 5+- and 7+-letter words there are in English.
The simplest password someone could come up with for the first policy is something like: smile7. That certainly can't take that long to crack.
The simplest password someone could come up with for the second policy is: Friends7. That doesn't seem like it would take much longer, given that most people will probably capitalize the first letter in the password.
Would be interested in hearing your thoughts. I'm starting to think that the change in policy wouldn't be that helpful and instead more time should be spent on user education (teaching them how to make good, memorable passwords as you've shown people here).
Thomas Baekdal - Sep. 19, 2008
Meredi, I apreciate that you like my article :)
But, I find that your question is irrelevant. It seems that the company has already decided to make the company's passwords more complex - and my article is about that "making things more complex is not the way to go".
So my advice to you is to completely drop the notion of introducing a more complex password altogether and instead advocate the use of a pass-phrase.
Forcing people to use complex passwords is a misguided way to look at security, and it doesn't work in the real world. Saying that it should contain 8 characters, including one number or symbol, and one capital - is not the solution - regardless of how you calculate your stats.
The other thing to remember, do you really have a security risk - is this some fantasy made up by the security people in the IT department. Is there really any real reason why you would introduce a new password policy? Have anyone's account been hacked - and if so, did they really hack the password? ...and if so, did they then really hack-hack the password, and not just read it off a post-it note next to the screen.
Unless you work for some government agency, or a high-profile political candidate, I think the answer to all these questions is "NO".
Meredi - Sep. 19, 2008
Thanks for the quick response, Thomas.
The final decision about more complex passwords hasn't been made - the team wants to make them more complex, and as a usability consultant I naturally have reservations. I was trying to decide if the more complex passwords would increase security enough to justify a decrease in usability.
I am definitely considering passphrases at this point, but my client runs an ecommerce website and I can't say I've ever seen passphrases used on a website before. What I'm uncertain about is if people have decided AGAINST them for some reason I can't figure out. Have you ever heard any criticisms against them?
There is indeed a legitimate security concern: a competitor site was broken into a while ago and numerous customers were phished with data stolen from the site. So they're trying to prevent the same from happening to them.
Thomas Baekdal - Sep. 19, 2008
I was trying to decide if the more complex passwords would increase security enough to justify a decrease in usability
That is precisely the thing that I am trying to advocate against... Security and usability is not mutually exclusive things. You can have great security and highly usable solutions all at one. Pass-phrases are one of those solutions.
It sounds to me like you are dealing with regular IT people that have been brain washed by the security companie's scare tactics. I am constantly amazed how blindly IT people believe the security community. I admit that there is a remote theoretical possibility. But the only way to fully protect you is to take your site completely offline.
Create smart security solutions - not complex ones - so that security is there, but isn't limiting us, or degrading our lives.
Obviously you want to make a system where it is impossible for one user to see data from another user, one where the data is encrypted in the databases, and one where personal data is stored and handled on the server, and not at the user's computer. All of which can be done quite easily, and without making things more complex for the people using your site.
There is indeed a legitimate security concern: a competitor site was broken into a while ago and numerous customers were phished with data stolen from the site
If that is the reason, then the whole notion about making more complex passwords is ridicules.
Nobody is capable of hacking a single person's account and stealing content from multiple accounts. Unless the person that was being hacked is the administrators, or possibly the master password to the database.
In this case, the only password that needs to be more complex is the one used by the IT department. Why should the "regular" people be punished? To do what you say has happened on a competitor's site, you need IT level access - not user access.
Secondly, nothing indicates, in what you write, that it was the password that had been compromised. It is much more likely that they gained entry used a SQL injection hack or some other flaw in the system. Like when you, with previous version of facebook, could write a special URL to gain entry to private pictures.
I am sorry to say this, but I think that the IT people you work with are incompetent. They blindly believe in old myths that are not only wrong, but also create a terrible user experience for anyone.
It takes 1 month to hack a password with 6 characters, with 100 attempts per second. Surely, it would be easier to simply check you server logs, or create a system that checks how many times someone has attempted to gain entry to an account. If an account has been access more than - say 500 times - in a single day, then you could simply lock it down.
Why give everyone a bad time by having to remember a hugely complex password, when the real problem is in the IT department - and that they could simply eliminate the problem by checking their log files with some automatic script. But again, I don't think that the real risk is with the passwords. I think the real risk is somewhere else - with the systems.
So they're trying to prevent the same from happening to them.
No they are not. It sounds to me as if they have absolutely no idea what they are doing...
I must admit that I get angry when I hear something like this, and I am sure you feel the same since you are a usability consultant :)
Voyance gratuite - Sep. 30, 2008
Thank you for taking the time to publish this information very useful!
Published: Aug. 11, 2007 in Usability
Thomas Baekdal is a Writer, Interaction Designer, Change Advocate and Project Manager.
Jacob Wyke - Aug. 11, 2007
Just need to get people to start using the term "Passphrase" instead of "Password".
I tend to use lines from books as then if i do forget a quick browse through the book and I tend to remember it again.