nelladragon

May 2017

Different Website, Different Password

For each website, app, or service you use, you should use a separate password. This post explains why.

When you sign up for an online service or a mobile app you are often asked to register with a username and password. For many services, the username is your email address. Other services ask you for a username, but then also ask for your email address to be used as a recovery mechanism just in case you get locked out of the service.

An attacker may compromise one service by hacking its website and gain access to the list of usernames and protected passwords. Depending on how the passwords have been protected, if at all, and how long your password is, the attacker may be able to determine your password. The attacker then tries your email address and password combination on dozens of websites simultaneously. This may lead to the user’s accounts on multiple websites being accessed.

Websites such as facebook.com now take security seriously. Users who use the same password on multiple sites give attackers a way to take over their account that Facebook can’t prevent. If you have used the same password on multiple sites, then you are relying on the security of the weakest, most poorly funded site to keep all of your accounts on the other websites secure.

What you should do:

  • Have a different password for each website.
  • Use a password manager to store your user name and password details.
  • If offered, use a two factor authentication mechanism (send a code via text message for instance).

Choosing a Good Password

What is a good password? Your girlfriend’s, boyfriend’s, or partner’s name? A common English word, but in Spanish? Your favorite password, which you have used for the past five years? I know people who have used, and still do use, these types of passwords!

To understand how to choose a good password, it helps to understand how websites use passwords and how attackers try to break passwords. Websites typically store users’ usernames and passwords in a database. The passwords should be stored in processed form. That is, when the user first registers with the website, the password should be processed and then stored. When the user logs in again, their password should be processed in the same way and then compared with the stored processed password. If the processed password used for logging in matches the stored processed password, then the user has entered the correct password and should be let into the system.
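The register-then-login flow described above, as an added example that is not code from the original post: the password is processed with a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library), only the processed form is stored, and login re-processes the supplied password and compares. The iteration count and salt length are assumed values chosen for this example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the post).
ITERATIONS = 200_000   # slows each guess down for an attacker doing an offline attack
SALT_BYTES = 16        # per-user random salt, stored alongside the processed password


def process_password(password: str, salt: bytes) -> bytes:
    """Process a password the same way every time: same password + same salt -> same output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(password: str) -> dict:
    """Run once at sign-up. Only the salt and the processed password are stored,
    never the password itself."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "processed": process_password(password, salt)}


def login(stored: dict, password: str) -> bool:
    """Run at each login: process the supplied password with the stored salt and
    compare with the stored processed password. compare_digest avoids leaking
    how many leading bytes matched through timing differences."""
    candidate = process_password(password, stored["salt"])
    return hmac.compare_digest(candidate, stored["processed"])


if __name__ == "__main__":
    record = register("Iw0uldntWritSky99")   # constructed sample, one of the post's example passwords
    print("stored record:", record)          # no plaintext password in here
    print("correct password accepted:", login(record, "Iw0uldntWritSky99"))
    print("wrong password rejected:", not login(record, "Iw0uldntWritSky98"))
```

Because the salt is random per user, two users who pick the same password end up with different stored values, so a stolen database does not reveal which users share a password.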

Attackers find a vulnerability or weakness in a website and then steal the database file with the list of usernames and processed passwords. Once in possession of the database file, they can perform an “offline attack”, in which they run the attack using their own computing resources. An “online attack”, by contrast, is one where the attack happens inside the network of the attacked website.

Attackers determine how the passwords have been processed by analyzing the website’s code. They then perform a dictionary attack, in which they try out a long list of possible passwords. Historically, this list would simply be a list of common dictionary words. These days the list includes tens of millions of entries: dictionary words, names, words from different languages, combined with various numbers and characters.

Another baseline attack to keep in mind is a brute force attack, in which an attacker tries every possible combination of characters.

Some websites don’t process stored passwords. These websites sometimes reveal this to their users by emailing them their passwords. Have a look at http://plaintextoffenders.com/ to see websites which have been reported doing this. If an attacker hacks one of these websites, then they have your password, no matter how complex it is.

How long it takes an attacker to try each password depends on how the password was processed by the website. Assuming the website has used a salted hash or better (more on password processing in a later blog post), then depending on the precise algorithm used, an attacker could try approximately 1,000,000,000 passwords per CPU core per second. If the attacker could arrange for 10,000 CPU cores to operate in parallel, they could try around 10,000,000,000,000 passwords per second, that is, 1 × 10^13 passwords per second. There are around 31,536,000 seconds per year, so an attacker could try around 3 × 10^20 passwords per year.

On a standard keyboard there are around 70 characters (allowing for UPPER case characters) which users are likely to use. If a user creates an eleven character random password, then there are 70^11, roughly 2 × 10^20, possible password combinations, which the attacker above could exhaust in under a year. As such, to have a secure password which attackers would need to allocate considerable resources to breaking for a year, your password needs to be twelve random characters long or longer.
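The arithmetic behind the two paragraphs above, as an added example (not code from the post): it uses the post’s own figures (70 usable characters, 10^13 guesses per second, 31,536,000 seconds per year) to show how long a brute force attack takes for each random password length, and how quickly a dictionary of tens of millions of entries is exhausted at the same rate. The dictionary size of 50 million is a constructed sample value.

```python
# Figures taken from the post.
KEYBOARD_CHARS = 70            # characters a user is likely to type, upper case included
GUESSES_PER_SECOND = 1e13      # 1e9 per core/second x 10,000 cores in parallel
SECONDS_PER_YEAR = 31_536_000


def keyspace(length: int, alphabet: int = KEYBOARD_CHARS) -> int:
    """Number of distinct random passwords of the given length."""
    return alphabet ** length


def years_to_exhaust(length: int, alphabet: int = KEYBOARD_CHARS,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every password of this length (brute force, worst case)."""
    return keyspace(length, alphabet) / (rate * SECONDS_PER_YEAR)


def seconds_for_dictionary(entries: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every entry of a dictionary attack word list."""
    return entries / rate


def minimum_length_for_years(years: float, alphabet: int = KEYBOARD_CHARS,
                             rate: float = GUESSES_PER_SECOND) -> int:
    """Smallest random password length that takes at least `years` to exhaust."""
    length = 1
    while years_to_exhaust(length, alphabet, rate) < years:
        length += 1
    return length


if __name__ == "__main__":
    for n in range(8, 15):
        print(f"{n:2d} random chars: {keyspace(n):.1e} combinations, "
              f"{years_to_exhaust(n):.3g} years to exhaust")
    # Constructed sample size for a modern dictionary attack list.
    print(f"50,000,000 dictionary entries: {seconds_for_dictionary(50_000_000):.1e} seconds")
    print("minimum length for one year of brute force:", minimum_length_for_years(1))
```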

Personally, I don’t use completely random passwords. I find them impossible to remember even temporarily and difficult to enter. I create passwords which are based on groups of randomly associated real words, some unreal words, combined with numbers and special characters. My typical passwords are fifteen to twenty five characters long.

The problem with long passwords is how to remember them. I suggest that everyone use a password manager app.

Some example passwords which seem good to me:

  • Iw0uldntWritSky99
  • JustGoing###23Nice
  • S0eedP89ackets__Hist
  • WorNoFinishe12*1234

Blog at WordPress.com.
