
This is from a section out of my Hotmail security checklist. I'll review a couple of approaches to passwords and the tools to manage 'em.

One of the things that I did a couple of months ago was create an ebook for Hotmail users that focuses on account security. The very first topic that I tackled in the book is how to choose a good password.

Choosing a good password is the single most important thing that you can do to secure an account - any account.

In this video excerpt from an Ask Leo! webinar, I'll walk through some of the approaches that I recommend for generating strong passwords.



Transcript

So what's a good password? A couple of months ago I created a PDF aimed at Hotmail users, since that's where I see a lot of problems, and as it turns out the very first topic in it is 'Choosing a Strong Password'. I'll put it this way: it is the single most important thing you can do to secure an account - any account. I use Hotmail as the example because it was the service most in need of some security documentation, but it's something a lot of people get wrong no matter where they log in. As it turns out, it's very easy to have bad passwords.

So the real question is 'What is a good password, and what is a bad password?' I want to start by showing you a list from a site called What's My Pass. They published it a couple of years ago under the title 'The Top 500 Worst Passwords of All Time'. The way they built it was to collect account names and passwords that had been exposed in break-ins, look at all of the passwords people were actually using, and pick out the 500 most common.

Now before I scroll down, I have to warn you that there were apparently several adolescents involved in setting up passwords, because there are some curse words and other 'not nice things' here. It won't be on the screen long, but I at least wanted to show you what some of these passwords look like. '123456' is the top password of all time and, as you can imagine, it's incredibly insecure. The password 'password' is number two. '12345678' is there too - apparently for sites that require 8-character passwords, people simply typed two more digits. It's kind of scary to look at all of these bad passwords and see how fundamentally simple they are.

When I looked through this list, a couple of things popped out. By far the majority of the passwords were simple words or combinations of words. Another very common set were simple numbers, sequences and patterns. At the top of the list the author calls out a few interesting things he sees, and the one that caught my eye was 'qazwsx', which is a pattern on a standard QWERTY keyboard: two adjacent columns of keys, typed top to bottom. Those are really bad passwords, and the statement that shows just how bad is this one: 'Approximately one out of every nine people uses at least one of the passwords on this list.' That's a lot of insecure accounts. When I look at the rampant account theft I see all the time - people reporting to me that their Hotmail accounts, and other accounts, are getting stolen - one of the biggest reasons is that they chose a very simple, very bad password.

So 'what's a good password?' is the question that follows. The answer is complex, because on one hand you want passwords that are easy to remember, and that's at odds with passwords that are hard to guess; typically, hard-to-guess passwords are very difficult to remember. One approach I've outlined in the past is to create a method - computer guys would call it an algorithm - for generating your passwords. For example, take a phrase that you remember and always will. I'll use 'Tech Questions? Ask Leo!', a four-word phrase that, at least for me, is really easy to remember; you might choose something else. Now take the first and the last character of each word: ThQsAkLo. That already looks like a really safe password; it looks random, and it would be very difficult to guess.

Now, one thing working against us is that the latest round of password thefts, the breaches we've heard about in the press, haven't been individual account thefts. They've been situations like the Sony database getting hacked, or a number of other large institutions being hacked, and in some cases the institution got security wrong and stored the plain-text password in the database. So the hackers get a list of account names and passwords for, say, your Sony account. The problem, of course, is what happens when you use that same account name and password on more than one site: those hackers now have access to all of those other sites, if they care to try. A good example, I believe, is that one of the Sony properties compromised was EverQuest, the online role-playing game. If you happen to play both EverQuest and, say, World of Warcraft, and you use the same account name and password on both, then the hackers who got into EverQuest will get right into your World of Warcraft account if they try. That's the biggest reason security folks like me keep telling people you really need a different password for every login account you have.

Now, I actually got some push-back in a comment on an article not long ago, from someone who basically said, 'There's no way that's gonna happen; I can't do that; that's way too many to remember.' Well, let's take the method we've got and modify it slightly. Say we're going to create a password for Hotmail.com. The method might be altered to say: take the first and the last letters of the domain we're about to log into and insert them into the middle of the phrase-based password above. For hotmail.com that's 'h' and 'm', so the Hotmail password becomes ThQshmAkLo. Now you've got an easy way to run through the method and create unique passwords for all of the different sites you log into. In this particular example it's only the middle two characters that differ, and in all honesty that's probably enough in most cases, because hackers aren't going to play around trying to figure out what algorithm you're using. They're going to move on to the next account they've stolen and see if that one works.

One other thing you can do to increase the strength of this is to include something like the length of the domain name - the root part, the 'hotmail' part. That's seven characters, so you might alter your password to include the number seven somewhere; I just happened to choose the middle. The goal here isn't so much that you use this exact technique; it's a fine technique and you're welcome to use it, but I suggest you not use the phrase I've used. Use something more unique to you if you go down this path.

What I want you to take away from this is that one approach to managing large numbers of secure passwords is to have a method for creating them: an algorithm, some rules. Take a phrase, take certain letters from that phrase, mush them together, insert some information about the unique place you're logging into, and create a password from that.

Now, that's one approach. Before I move on I want to talk briefly about this page, because it is one way to generate long, non-algorithmic passwords: GRC's Ultra High Security Password Generator, which Steve Gibson calls 'Perfect Passwords'. You can see the URL here: https://www.grc.com/passwords.htm. All he's doing is generating random characters, and every time you visit the page they change; if I refresh, everything in these three boxes is different. So if you decide you need a 12-character random password, you might pick off 12 characters from here and copy/paste them into wherever you need them. The first set is alphanumeric only; the second set is hexadecimal only, which is even more restrictive; the third set is 63 random printable ASCII characters. It's a very simple password generator, not algorithmic, so you're going to have to remember these some other way, and we'll talk about ways of doing that in the next segment. But the point is that these are the other extreme from the 500 bad passwords we saw. These are passwords that are great; they're perfect.
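The same idea in Python, as an added example that is neither GRC's code nor the article's: draw each character from one of three alphabets using the operating system's CSPRNG through the `secrets` module, and report how many bits of entropy the result carries. The alphabets are my construction to match the three boxes on the page; GRC's printable set may not be exactly the 94 non-space printable ASCII characters used here.

```python
import math
import secrets
import string

# Three alphabets matching the three boxes on GRC's page (my construction).
ALPHABETS = {
    "alphanumeric": string.ascii_letters + string.digits,          # 62 characters
    "hex": string.digits + "ABCDEF",                                # 16 characters
    "printable_ascii": "".join(chr(c) for c in range(33, 127)),     # 94 characters, no space
}

def random_password(length: int, alphabet: str = ALPHABETS["printable_ascii"]) -> str:
    """Each character is drawn independently from the OS CSPRNG. Do not use the
    random module for this: it is a predictable PRNG meant for simulations."""
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def drawn_from(password: str, alphabet: str) -> bool:
    """Sanity check: every character of the password comes from the alphabet."""
    return all(c in alphabet for c in password)

if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        pw = random_password(12, alphabet)
        print(f"{name:16} {pw}  ({entropy_bits(12, len(alphabet)):.1f} bits)")
```

Twelve printable-ASCII characters give about 78.7 bits; the same length from hexadecimal only gives 48, which is why the hex box on GRC's page is 64 characters long.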

Now, one of the things Steve Gibson ended up investigating is what he calls password haystacks (https://www.grc.com/haystack.htm), and I want to talk about that briefly, because it's the concept that led to my article a couple of weeks ago about longer passwords being more important than complex passwords. Before I type anything in here, I want to be clear: this is not a password strength test. It tests ONLY how hard a particular type of password is to brute force by trying every possible character combination. So take our standard super-simple password, 'password': eight lowercase characters. Without any smarts at all, simply trying every combination of up to eight lowercase letters, an offline attack at the hundred billion guesses per second the page assumes takes about two seconds. This is an order-of-magnitude figure, and these things change. The thing to take away is not that it's exactly 2.17 seconds, but how it compares with the other types of passwords. 'password' is of course a really bad password because it's a word, but even if we randomly picked eight lowercase characters, an offline attacker who has stolen a database of password hashes and simply tries every possible combination of eight lowercase letters will find it in a couple of seconds. There are a couple of ways to make the password stronger. One is to include upper-case; now the pool of characters the attacker has to check grows from 26 to 52, and, great, it only takes nine minutes to crack an eight-character password. Include a digit and it supposedly takes half an hour. The order of magnitude hasn't really changed all that much.

On the other hand, if we take a password and simply add special characters to it, say make it four characters longer - and we've thrown in symbols here because they're easy to type and easy to remember - the password becomes significantly stronger, even if the added characters are simple and repeated. So take your hopefully good password, whatever that might be; here we have what would normally be a ten-character password with a couple of dashes added at the front and at the back. Now, all of a sudden, the time to crack it has gone into the order of magnitude of hundreds of thousands of centuries.

A lot of people get concerned when we talk about longer passwords, because they assume that means something more complex that's harder to remember. If that's too much for you, and in many cases it is - I don't want to diminish the fact that longer good passwords are harder to remember - a very simple approach is to do something like this: throw a couple of dashes at the beginning and the end, or a couple of characters that are unique to you. In his examples Steve Gibson just put a number of dots after the password. With a fixed number of dots - in this particular case I've got a ten-character password and twelve dots - it becomes incredibly difficult to brute force; it's just not going to happen. It's a longer password, and it meets the criteria for a much more secure password.

So I wanted to throw that out as something else to think about when you create passwords. To be honest, I'm not doing this myself; I go straight to creating long and complex passwords on purpose, and exactly how I do that, and how I save them, will be part of our next segment. To be clear about the haystack metaphor: in a password search you're looking for a needle in a haystack, and the idea is to make the haystack of possible passwords as big as you can, so there is more for the attacker to look through before finding the one that happens to be yours.
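The arithmetic behind the haystack page, as an added example in Python (not GRC's code and not the article's). It reproduces GRC's counting rule, every string over the password's character classes from length 1 up to the password's length, at the three guess rates the page assumes (one thousand, one hundred billion and one hundred trillion guesses per second), and then adds the check the haystack page deliberately leaves out: what happens when the attacker knows the padding trick and guesses 'short core plus a run of one repeated symbol' instead of every combination. That pattern-aware attacker model and the sample passwords are my own construction.

```python
import string

# Guess rates of GRC's three haystack scenarios (guesses per second).
RATES = {"online": 1e3, "offline_fast": 1e11, "cracking_array": 1e14}
SYMBOLS = string.punctuation + " "            # the 33 symbols GRC counts
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

def alphabet_size(password: str) -> int:
    """Sum of the character classes present (26 + 26 + 10 + 33), as GRC counts."""
    size = 0
    if any(c in string.ascii_lowercase for c in password): size += 26
    if any(c in string.ascii_uppercase for c in password): size += 26
    if any(c in string.digits for c in password): size += 10
    if any(c in SYMBOLS for c in password): size += 33
    return size

def search_space(password: str) -> int:
    """The haystack: every string over that alphabet of length 1 up to len(password)."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))

def seconds_to_exhaust(password: str, rate: float) -> float:
    """Worst case for an attacker who really does try every combination."""
    return search_space(password) / rate

def padded_search_space(core: str, max_pad: int) -> int:
    """Attacker who knows the padding trick (my model, not GRC's): guesses
    <core> plus a run of one symbol of unknown length up to max_pad, on
    either side. The padding contributes a factor of 33 * max_pad * 2, not
    33 ** max_pad."""
    return search_space(core) * 33 * max_pad * 2

def centuries(seconds: float) -> float:
    return seconds / SECONDS_PER_CENTURY

if __name__ == "__main__":
    samples = ["password", "Password", "Passwor1", "--password--", "D0g" + "." * 21]
    for pw in samples:
        s = seconds_to_exhaust(pw, RATES["offline_fast"])
        print(f"{pw:26} alphabet {alphabet_size(pw):2}  {s:12.3g} s  {centuries(s):10.3g} centuries")
    naive = centuries(seconds_to_exhaust("D0g" + "." * 21, RATES["offline_fast"]))
    aware = padded_search_space("D0g", 21) / RATES["offline_fast"]
    print(f"D0g + 21 dots: exhaustive {naive:.3g} centuries, pattern-aware {aware:.3g} s")
```

'password' comes out at 217,180,147,158 candidates, the 2.17 seconds the video reads off the page; adding upper-case pushes the same length to about nine minutes. The last line of output is the caveat: padded with 21 dots, 'D0g' survives exhaustive search for longer than the universe has existed, but an attacker whose guessing rule is 'three characters plus a run of one symbol' exhausts it in a few milliseconds. Padding only buys strength against attackers who do not know you pad.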

Article C4887 - July 27, 2011

Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.


9 Comments
Duvid
August 2, 2011 2:09 PM

When you talk about longer passwords (and the difficulty of remembering them) - how about just using your existing password TWICE? Or even THRICE? I usually use a transliteration of a foreign word, together with a few numbers, both of which are meaningful only to me. How much better would it be if I repeated that, making 16 or 18 characters?

By the way, when I do feel a need to write passwords down (though not on sticky-notes pasted to my monitor!) I intersperse the REAL password with DUMMY characters - again which only I will recognise.

Dave Porter
August 3, 2011 4:41 AM

I don't understand.......
I can see how hackers can run through every combination of 8 letters in seconds, BUT how do they know when they have the right one ?
Most password-protected (I thought ALL) apps give you only three tries to get the password right and then close the account down for say 24 hours. Trying all the combinations at 3 goes a day would take a few billion years I reckon.
So, there must be a different way of using these combinations because just trying them will never work. Please tell me what this or these methods are.
Thanks.

Guy
August 3, 2011 4:50 AM

The 'character map' has several thousand characters from which to choose. Why limit passwords to keyboard characters? The only problem I've had with this is that some sites accept the password but then can't recognize it when you try to login. Using just English and Greek characters sometimes fixes this.

Mark J
August 3, 2011 7:02 AM

@Dave
On the web sites that block account access for a time, even as short as 10 min, it would take millions of years to crack even a short password. Brute force hackers take advantage of the fact that most websites and applications don't take that precaution.

Mark J
August 3, 2011 7:10 AM

@Guy
There are thousands of printable characters, but in reality there are only 256 possible options for each printable character and therefore only 256 possibilities for each password character. The character set is determined by telling the computer how to interpret each of these values of 0-255. That's also why sometimes emails and web pages sometimes show strange character combinations instead of quotes or apostrophes etc.

GREG JACKSON
August 3, 2011 9:03 PM

I have a desktop shortcut to GRC's password generator (64 characters) for quick access to random passwords. I cut/paste all or a portion (then sent to an encrypted file).
https://www.grc.com/passwords.htm

Now, I love to share the following:
Which of the following two passwords is stronger, more secure, and more difficult to crack?
D0g...........[OR].......... PrXyc.N(n4k77#L!eVdAfp9

"first password would take an attacker approximately 95 times longer"
Huh? Yes. GRC has a page explaining this, and the concept behind it. Quite stimulating indeed.

Password Haystacks https://www.grc.com/haystack.htm

Mike
August 7, 2011 11:59 AM

In the article, isn't the Hotmail password supposed to be 'ThQshmAkLo', not 'ThQahmAkLo'?

john neeting
April 10, 2012 4:43 PM

The longer the pass 'phrase' the better. Hard to remember? Not if it's a complete phrase from that book or 1940's song or comedy show that has driven you nuts for 40 years. Example - "isaidlookisaidloveisaiddarlisaidpetisaidlook"
How long to crack that - a lot longer than 200 hundred years, I don't care how fast your computer is. Factorial 26 to the power of 44..? And that's just lower case alpha, never mind the rest of the keyboard.

Mario
June 12, 2012 9:53 AM

Would passwords using foreign words be hard to find ?

Depends on if you're certain that a hacker isn't using a foreign dictionary. I wouldn't count on it and simply assume that words are words in any language and act accordingly.
Leo
12-Jun-2012
