Password security for human beings

It’s a curse of the modern world that so much of our lives are secured by passwords. If you use the same one for everything, or switch between a few tried and tested favourites, then you don’t really have much in the way of security at all.  If you are an online business then you are a bigger target than most – it is therefore vital to practice safe passwording.

Common password mistakes

The most common mistakes we see with passwords are:

Using words as passwords

Just because they are called passwords doesn’t mean they should contain words. A particularly common way to crack passwords is to launch a dictionary attack – literally trying all the words in the dictionary (and combinations of them). This is an incredibly efficient way to hack the majority of password combinations.

Substituting numbers for letters

Switching letters for numbers (such as changing password to pa55wo7d) might make a password appear more secure – it might even help you bypass an annoying form that requires a more robust password.  It doesn’t, though, add much in the way of security. Programmes created to launch dictionary attack also infiltrate letter/number substitutions.

Re-using passwords

When you use the same password more than once your security is only as strong as the weakest service you use. When sites are cracked and user passwords exposed, hackers will then try those passwords on other common sites to see if those details have been used elsewhere. The lists are also often made public, meaning that your login details, for a variety of services, may be circulating on the internet.

Painful though it sounds, you should only use each password once.

Hard to crack doesn’t have to mean hard to remember

We have all been taught to think that passwords like resTeThu?7Ru  or P3As*qUg are the ideal: long strings of difficult to guess and difficult to remember random characters.  These are pretty tough to crack, but the fact they are hard to remember renders them close to useless as ‘use once’ passwords – unless you are storing them for look-up.

Software to the rescue?

Systems such as LastPass and Keepass offer ways to generate passwords and have them available whenever you need them.  This solution is convenient and ensures you have the strongest one-use passwords. You are reliant on the security of both the service itself and the master password that you use to protect your login store.

Such systems work particularly well when groups of people need access to passwords. In fact, we employ something similar here at OKO.

Have a system

An alternative approach is to have a system come up with tough to crack passwords that are not hard for you to remember. Here is just one example of something that might work for you.

Pick a sentence that you will remember, or maybe a line from a song. Use the initial letters from that line to make the password. This can provide you with long passwords that are incredibly easy to remember. For instance, Led Zeppelin fans might be find talwkatgigasbasth easy to recall, or maybe iwlaactfohovah – if Wordsworth is more your thing. This works just as well with jokes, book titles or quotes, film names and scene dialogue or in fact any sentence that is memorable to you.

As far as password strength goes, those are pretty good passwords. The length of the ‘string’ makes it tougher to crack by brute force. For pure password strength, initials from the first line of Stairway to Heaven are CONSIDERABLY more secure than the tougher looking P3As*qUg .

P3As*qUg is part of a pattern with 608 billion passwords (608,000,000,000)
talwkatgigasbasth  is part of a pattern containing 127 sextillion (127,000,000,000,000,000,000,000)

Problem solved then? Well, not quite. There are three issues with this type of password.

Someone could create a whole new dictionary

If everyone started using the first line of their favourite song or poem, then it wouldn’t take long for someone to create a new dictionary of those initials. Picking a random line that you like makes it much harder, but there is still an inherent problem there as well.

Such passwords will often be rejected

When you provide a password you often have to comply with whatever arbitrary rules the website or service requires. We’ve all been annoyed by messages requiring that ‘all passwords must contain at least two letters, one number, one special character and a funny squiggly line that appears above the # key’. Despite the fact such restrictions make passwords considerably LESS secure, we have no choice but to follow such directions.

You still need to remember a lot of passwords

As mentioned before, passwords should ideally be unique to each service and this method doesn’t help you remember which song to use and when.

Getting past the password police

Pick a letter, a number and special character – mine are h7&. Add those to your password using an upper case letter. Those three characters are not particularly secure, but if you are relying on password length as security then that is not a problem. They should be enough to get you past most restrictive password systems.

In this case, my ‘Stairway’ password has just become H7&talwkatgigasbasth .

Making passwords unique

If you add something to each password relating to where you use it, then you can make your new secure password mobile without compromise.  For example, I might choose to use the second and fourth letter of the services name and add that to the front.

When I log into my Amazon account I might use maH7&talwkatgigasbasth but when I log into my Google profile it could be ogH7& talwkatgigasbasth.

That system itself isn’t so secure if anyone knows it. However, you’d need to either tell someone or they’d need to have access to at least two of your passwords before they could apply it to a third login.

Protecting against expanded dictionary attacks

Using the above steps you also protect against someone adding lines from books/ films/songs (and whatever else they choose) to their dictionary.

Wrapping it up

Systems like the one explained are not perfect. In my experience though is they result in considerably more secure passwords than the vast majority of people are using. There are lots of ways you can vary this approach, but the core idea is the same:

Stop remembering bad passwords and instead learn a system to create good ones you can’t forget.