How do I choose a good password?

Password security has never been more important. With occasional security breaches at service providers and rampant email account theft, you need to do everything you can to make sure you're choosing and using secure passwords.

In the last couple of weeks, we’ve once again heard of a couple of major websites suffering from data breaches that have exposed information about millions of user passwords to hackers.

This theft brings up again the concept of so-called “good passwords.”

What many people don’t realize is that the thinking around exactly what it means to have a good password is changing.

And it may be changing in ways you wouldn’t expect.

To understand what makes a good password, we need to understand just a little about what makes passwords vulnerable – which means understanding a couple of the different ways that hackers hack.

Along the way, I’ll also discuss hashes (again) and why a “salted hash” isn’t breakfast food, but rather a critically important approach websites should be using to keep track of your passwords.

And there will be rainbows.

Caveat

I’m no security guru.

The concepts that I’m describing here aren’t intended to make you one either. Things are most definitely simplified – often over-simplified – to make a point or to explain basic concepts. The devil is in the details, and you won’t find him here.

My goal here is simply to explain how and why passwords are so darned important, why the password that you think is strong enough probably isn’t, and what you need to do about it all.

If you’re designing a website and are looking here for what you need to do to keep passwords secure, you’ve come to the wrong place.

If you’re an average computer user and you just want to keep your online life secure, then follow the “New Rules” in the next section, and keep your computer safe.

If you’re curious as to how some of this stuff works at a high level …

read on.

The Rules: Old and New

For those with short attention spans, I’ll start with what you need to do differently, beginning yesterday.

In the past, the traditional advice on passwords was:

  • Eight characters long at a minimum
  • Never use names or words, at least not without mangling them somehow
  • Never use combinations of names or words, at least not without mangling them somehow
  • Use a combination of upper and lowercase letters and digits
  • Use at least one special character – something other than a letter or digit – if the system will let you

Those rules are no longer sufficient, and for all their complexity, they still leave you with a password that remains quite susceptible to certain types of compromises.

Instead:

  • 12 characters long at a minimum
  • Longer is always better
  • Use a combination of upper and lowercase letters and digits
  • Words aren’t as evil as they once were, as long as the password is long enough
  • Consider padding the password with a random character to make it longer

As you can see, there’s a new emphasis on length.

If you remember nothing else from this article: size matters, and longer is better.

The Dictionary Attack

One of the reasons that we’ve always been told to never use normal words (or common names) in passwords is that there are very simple attacks called “dictionary attacks” that simply try all words, or all combinations of words, one after the other until something works. (Many jump-start this process by starting with a list of known extremely common passwords.)

The Oxford dictionary tells us:

This suggests that there are, at the very least, a quarter of a million distinct English words… 1

If we stick to all single case, then a program needs to try only 250,000 times 250,000 (62.5 million) times to be guaranteed to stumble onto a two-word password. I say “only” 62.5 million because to a computer running with speeds measured in billions of operations a second, that’s nothing.

Yes, you can add names and random capitalization to the mix, and perhaps even insert digits, but even that slightly-obfuscated dictionary-based approach to password cracking remains something that is easily performed by today’s technology.

It’s also not necessary any more.

It’s now quite possible for hackers to just try everything.

The Brute Force Attack

Let’s say you’ve been really, really good and you have an eight-character password made up of completely random letters, numbers, and symbols.

Perhaps “7CxX&*Xf”.

That’s still a good password, but not a great password.

It’s estimated that such a password could be cracked (offline) in a little over 18 hours. 2

It doesn’t matter that you didn’t use words, your name, or anything else. Eight characters – 6,704,780,954,517,120 possible combinations and passwords – in less than a day.

Now, the most common response that I get when I throw out numbers like that is, “How can they try that many, that fast when I get locked out after three wrong attempts?”

Online Attacks

In the online scenario, it’s very true that they can’t try quite that fast, but they can still try fast enough for it to be a serious issue, particularly for dictionary attacks.

For example, I can envision a botnet that’s not only sending spam, but is also performing a distributed dictionary attack against a set of email accounts at the same time. Slowly and from different locations, so as not to trip any limit filters, they try millions of passwords against hundreds of thousands of accounts.

Eventually, they’ll hit pay dirt – especially if they try those “known most common” passwords first.

But surprisingly, that’s not why eight characters is too short. A random eight-character password will probably protect you just fine from these types of online attacks.

It’s the offline attack that you need to worry about, where your eight-character password – possibly any eight-character password – might be cracked in microseconds.

To understand how that can be, we need to start by understanding how passwords are stored. But first, we need to realize that guessing from the outside is only one way to get password information. Occasionally, it’s something else.

The Database Breach

Every so often, we hear of an online service that has been hacked into and their database stolen.

What that typically means is that rather than trying to guess logins one at a time, a hacker has infiltrated the systems of the service and snatched a copy of some or all of the user accounts database.

As a result, they typically have:

  • A list of all usernames or login IDs for that system
  • A companion list of all passwords or password information for those login IDs
  • Other stuff that the system may have stored for each user ID

No need to try guessing passwords slowly from the system’s public-facing login; the hackers walk away with almost all of the information that they need in one fell swoop.

Now, note that I said “passwords or password information” above. Most systems do not store your password – they store something else.



Hash – Hold the Salt

Any system that can actually tell you what your password is should not be considered secure. Any system requiring security should never, ever actually store your password.

What they store instead is called a “hash” of the password.

A hash is a mathematical function that takes an arbitrary amount of text and computes from it a number. That number has the following characteristics:

  • Any change, however small, in the data being hashed should result in a large change in the resulting hash.
  • It should never be possible to reconstruct the original data from its hash value.
  • It’s not feasible to craft data that, when hashed, would generate a specific hash value.

So, instead of storing your password “iforgot”, the system might instead store:

d9fd60a8cf992ec3d554ec2df8dd4cb345e77de7ecb4df4772920897b1d51bc5

That’s the result of the “SHA-256” hashing function. Any time you give that function “iforgot,” the result will be that number (which happens to be 256 bits long). What’s important is that, given only that number, there’s no feasible way to figure out what password caused it to be generated.

So, when you login, the system passes whatever you type in to the password field through the hashing function, and if the resulting number matches, then you must have typed in the correct password because it’s the only thing that could have generated that number. 3

All while not needing to store your actual password.

Now, as technology has grown more powerful, we’ve run into an interesting issue that puts even this nicely obscure means of storing passwords (without actually storing passwords) at risk.

Rainbow Tables (Sorry, no Unicorns)

Consider the eight-character password.

If the password that we’re setting up allows each character to be any of 26 upper-case letters, 26 lower-case letters, 10 digits, and 10 special characters, that’s 72 possible characters in each position. If we have eight of those, that’s 72 to the eighth power, or 722,204,136,308,736 – 722 trillion – possibilities.

It sounds enormous, but with today’s computational and storage power, it’s possible to:

  • Calculate all possible eight-character passwords
  • Store in a table the password and its calculated hash value for all possible eight-character passwords
  • “Crack” a password from that database you just stole by just looking up the hash value that you have in the table you created and fetching the corresponding password

That table, by the way, is called a “rainbow table.”

In reality, hackers rarely need the entire table for various reasons; there are algorithmic shortcuts, not all hash functions are created equal, and so on and so on. And on top of that, we pick bad passwords, so a smaller table with just the hash values of lots and lots of common passwords is pretty darned useful to many hackers.

But even the worst-case scenario is quite doable.

All because the hashing algorithms chosen are quite standard (trust me, you don’t want to dream up your own – this is a place where you really want to leave the math involved to trained professionals – homebrew hashes are typically cracked algorithmically within seconds).

So, if your email service, your social media service, your photo-sharing service and whatever else you happen to log in to all use the same hashing algorithm, then they have all stored the exact same hash value for your password. If that table of password hashes is ever stolen, then a quick lookup in a rainbow table will retrieve the password, which could then be used on any of those sites, even though they were never directly breached.

Now, as it turns out, there’s a trivial way to stop that possibility.

Add seasoning.

The Salted Hash

“Salting” is a way to obscure the information stored in a service’s password database.

Instead of computing the hash of a password, they instead add something to the password and hash the combination. Then, when the time comes to check that you’ve entered the right password, they take what you’ve typed in, add that same something to it, and hash the result. If the hash value matches, then the password is correct.

For example, perhaps I create my password as “iforgot”. As we saw, that gave us an SHA256 hash of

d9fd60a8cf992ec3d554ec2df8dd4cb345e77de7ecb4df4772920897b1d51bc5

If, however, the system storing my password automatically adds “mypants” to every password and hashes the result – “iforgotmypants” – the hashed value is completely different:

9791d33a44b51d071a90cd246a3b8a4ca2491f9474ebd737bc137b82826c7e5d

When I come back to login and enter “iforgot,” the system automatically adds “mypants” and hashes that, and the values match.

If the hash value is even in a rainbow table somewhere, it maps to “iforgotmypants” which is most decidedly not my password.

The item we add – the frivolous “mypants” in the example above – is known as “salt,” as it changes the flavor of the result of the hash function. In reality, it wouldn’t be anything so simple and it would vary from system to system (and if done really well, from account to account).
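A runnable sketch of the unsalted and salted schemes described in this section and in the hash section above, added here as an example (it is not code from the article). It uses SHA-256 to match the text and appends the salt so that “iforgot” with salt “mypants” hashes “iforgotmypants” as above; the two user records, the short “common password” list and the random per-account salts are constructed for the demo.

```python
"""Unsalted versus salted password storage, as the article describes it.

Added example; not the article's own code. SHA-256 is used to match the text.
The user records, the "common password" list, and the salt values are
constructed for the demo.
"""
import hashlib
import secrets
from typing import Optional


def sha256_hex(text: str) -> str:
    """Hex digest of SHA-256 over the UTF-8 bytes of `text` (64 hex characters)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count bit positions where two equal-length hex digests differ (avalanche check)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# --- Unsalted scheme: the stored value depends on the password alone ----------

def store_unsalted(password: str) -> str:
    return sha256_hex(password)


def verify_unsalted(password: str, stored: str) -> bool:
    return secrets.compare_digest(sha256_hex(password), stored)


# --- Salted scheme: a per-account salt is mixed into every hash ---------------
# The salt is appended, matching the article's "iforgot" + "mypants" example.

def store_salted(password: str, salt: Optional[str] = None) -> str:
    """Return 'salt$digest'. The salt is stored in the clear: it needs to be
    unique per account, not secret, to make a precomputed table useless."""
    if salt is None:
        salt = secrets.token_hex(16)          # 128 random bits per account
    return f"{salt}${sha256_hex(password + salt)}"


def verify_salted(password: str, stored: str) -> bool:
    salt, digest = stored.split("$", 1)
    return secrets.compare_digest(sha256_hex(password + salt), digest)


# --- A toy precomputed lookup table over a constructed list of common passwords

COMMON_PASSWORDS = ["123456", "password", "iforgot", "letmein", "qwerty"]  # constructed
LOOKUP_TABLE = {sha256_hex(p): p for p in COMMON_PASSWORDS}


def lookup(stored: str) -> Optional[str]:
    """Recover a password from a stolen record by table lookup, or None.

    For an unsalted record the digest is the hash of the bare password, so a
    common password is found immediately. For a salted record the digest is
    the hash of password+salt, which no table built from bare passwords holds.
    """
    digest = stored.split("$", 1)[-1]
    return LOOKUP_TABLE.get(digest)


def demo() -> dict:
    """Run both schemes over two constructed users who chose the same password."""
    password = "iforgot"
    unsalted = {"alice": store_unsalted(password), "bob": store_unsalted(password)}
    salted = {"alice": store_salted(password), "bob": store_salted(password)}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "salted_identical": salted["alice"] == salted["bob"],
        "unsalted_recovered": lookup(unsalted["alice"]),
        "salted_recovered": lookup(salted["alice"]),
        "salted_verifies": verify_salted(password, salted["alice"]),
        "article_salt_digest": store_salted(password, "mypants").split("$", 1)[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
    print("bits changed by iforgot -> iforgoT:",
          differing_bits(sha256_hex("iforgot"), sha256_hex("iforgoT")))
```

Production systems also use a deliberately slow password hash (PBKDF2, bcrypt or scrypt) rather than bare SHA-256, which this sketch keeps only to follow the article.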

Now, with all of that as backdrop, here’s the kicker: you don’t know how the services you use encode your password, and too many do not use salt. In fact, a recent breach at an extremely well-known large online service exposed the fact that they were not using salt to properly secure their database of hashed passwords. The passwords stolen could be easily looked up via available rainbow tables.

So, in the face of not knowing which services do password security right, how do you protect yourself?

Size Matters

The single most important thing that you can do to improve your password’s security is to make it longer.

The longer the better, in fact.

Recall how I said an eight-character password gave us 722 trillion possible combinations? (722,204,136,308,736 to be exact).



A 12-character password results in 19,408,409,961,765,342,806,016 possible combinations.

There’s no rainbow table big enough, and there won’t be for quite some time. Short of storing your password unencrypted (which is a huge security no-no anyway), just about any hash will do, salted or not.

And, bonus: it’s extremely unlikely that a dictionary attack will bother with the assorted combinations to eventually get to whatever it is you put in 12 characters.

Length doesn’t imply complexity. There’s a very strong argument that says:

****password****

is, in fact, a significantly more secure password than

7CxX&*Xf

Plus, it’s easier to remember. (Although using normal words in this manner still makes me nervous for reasons I can’t quite explain.)

In fact, even longer pass phrases – something like perhaps:

correct horse battery staple

are perhaps best of all. (With a big hat tip & propeller twirl to that great geeky web comic XKCD.)

The Bottom Line (this time at the bottom)

So, what should you do?

  • Abandon eight-character passwords. They should no longer be considered secure.
  • Create all new passwords 12 characters or longer. (You can make a password longer and more secure by adding repeating characters if you can’t think of anything else.)

That’s the bare minimum. For bonus points:

  • Ask for your password (not a reset or “reminder”) from your provider. If they can actually send you the password, complain loudly. They’re doing security wrong. Consider leaving them; and at a minimum, use a unique password there that you use nowhere else.
  • Never use the same password in more than one place. If, for some reason, an ID and password gets compromised at service “A”, hackers will then run around to many, many other services – “B”, “C”, “D” and so on – and see if they can login with it. All too frequently, they can.
  • Consider using a utility like LastPass or Roboform to remember all your different passwords for you.

And of course, keep your PC secure. No matter how strong your password, malware such as keyloggers can capture it; using an open Wi-Fi hotspot without proper security could be the moral equivalent of writing your password on the wall for all to see.

There are 40 comments:

  1. Mike

    Great article. I just don’t understand why quite a few sites put certain limits on the password length and complexity. Recently I registered for an Adobe ID, which didn’t even allow passwords longer than 12 characters! I can’t believe they put any limits on it, since you can feed an arbitrary amount of data to the hash functions, and the only practical limit is the size of the post request you’d be sending to the server. Maybe certain characters from specific locales can’t be displayed correctly, but as long as you enter the same password every time, that too should not be an issue, right?

  2. Gil

    I thought I remember reading somewhere that starting one’s password with a space makes it nearly impossible to be stolen. What are your thoughts on this Leo?

    Nothing is impossible (for example a keylogger would still see it). Spaces bother me because many services don’t allow them in passwords and some even silently strip them off.

    Leo
    12-Jun-2012
  3. Vee

    This was great thank you. I will be adding more to my passwords, and sending this to all of my friends.

  4. Phil

    A real eye opener and something to act on. Thanks, but one maybe naive question. When these hackers create the rainbow tables how do they get the hashing algorithm?

    The hashing algorithms are standard. For example SHA256 is the same everywhere. That’s why salting is important because it changes the result in a non-standard way that renders the rainbow tables useless.

    Leo
    12-Jun-2012
  5. Jackie

    Wow!!!!!! I have been educated. About 8 months ago, I started using a 12-letter/digit/caps-combo password, but unfortunately, it was only AFTER my email account had been compromised.

  6. Robert R

    Another good technique for developing the password is taking letters, suitably modified, from a phrase. For example, use the phrase: The quick brown fox jumped over the lazy dogs. Take the first and last letter from each word, use numbers where they look like letters, and add a character or two as well. So the password, based on the above phrase, is: Teqkbnfxjd0rte1yd$#
    If you remember the phrase and the rule, you’ve got it. Much easier than trying to remember Teqkbnfxjd0rte1yd$#

    (Note: don’t use the phrase in the example, as it’s too well known.)

  7. Steve

    Great article! I’ve been trying to use 19 character passwords, but as Mike pointed out that is not always allowed. I’ve been using RoboForm to generate the passwords and occasionally using GRC’s password generator. I’ve been using 63 character passwords on my WPA2 router and my kids think I am crazy. I could do better, but my router only allows alpha-numeric so I’m limited there.

  8. John

    Mike, generally, it means they aren’t encrypting your password at all if they use character limits.

    I’m not so sure on that. It could be, absolutely, but I’ve seen some pretty strange limits for arbitrary reasons. Regardless, short password length limits – whatever the reason – are very annoying and hamper security.

    Leo
    12-Jun-2012
  9. tony

    But my bank only allows 8 characters and only upper and lower case letters and numbers.

    If that’s true, it’s horrible and I’d seriously consider using another bank. Or at least another bank for online transactions and instructing your current bank to DISABLE your online access until they implement a more robust password / security mechanism.

    Leo
    12-Jun-2012
  10. Kevin

    Hi Leo
    That article did scare me
    At the moment my smallest password is 15, and my longest is 26, all as far as I know absolute rubbish. Is this enough ????

  11. Ed

    Many of my accounts do not allow long passwords and some no special characters. How do we get them “on board”?

    Complain. Or switch services (letting them know why as you leave.)

    Leo
    12-Jun-2012
  12. Michael

    Alarmingly, it’s most often the big financial institutions (you know…where you do your online banking?!?!) that DON’T allow passwords longer than 8 characters…..and DON’T allow “special” characters…..i.e. anything other than lower-case letters and numbers. Pathetic!
    Shame on you CIBC and others!

  13. Mark Magill

    Tony and all: If your bank is only allowing 8 characters, then the best thing to do is make it the strongest 8 you can. My friends and I frequent a free site called passwordmeter.com that will tell you just how strong your password is and how to make it stronger, explaining the portions of it that make it good or bad. It seems spot on with what Leo teaches, but was designed in 8-character days. Good luck.

  14. bob price

    Many sites will not allow p/w’s longer than 8, and worse, they won’t allow symbols.

    That said, if your site does allow more length, and you like your 8 digit p/w, simply repeat it.

    So, ‘mynameis’ becomes
    mynameismynameismynameis

    That’s 24 characters with little effort.

  15. Richard Pedersen

    A really great article, Leo!
    I learned a lot!

    Thanks!

  16. sirpaul2

    Also, if the account contains financial data, change your password every so often.

    If you want to use a virtual keyboard to input your passwords, get a secure one. Look for: clipboard logger protection, screen logger protection, mouse position protection, and password field protection.

  17. Peter Ballantyne

    Thanks Leo – just a quick word of appreciation. I have been using computers since the days of the Sinclair ZX81, and nowadays use it (NOT the ZX81) intensively for banking, bill paying, etc, etc, etc. I thought my passwords were pretty good, but you have opened up a whole issue for me. As a direct result of your article I am rehashing (no pun intended) my entire password strategy. After almost 30 years hobbying with computers I thought I knew enough to be OK, but you have taught me something in this article I really needed to know. My grateful thanks. Oh, and can I also add that I really appreciate your attitude when dealing with folk who are obviously just beginners with computing. I like how gracious and patient you are with them, and it makes me feel confident to ask whatever I need to ask – assuming I can’t find the answer already in your outstanding web site. Many thanks.

  18. john neeting

    My own passwords are always over 40 places long and I’d use a pass phrase that you can never forget, example [I don’t use this one]
    “I said lookIsaidLoveIsaidDarlIsaidPetIsaidlookSamwiseGangy” A combination of my favorite comedy show of old and Lord of the Rings. I don’t care how fast an offline hacking computer is – there is no way in my lifetime you can stumble on something this long – with salted hash yet.

  19. Les Ashton

    I do not keep passwords on the machine; I record them in an XLS file on a 3.5-inch floppy disc; although lately I have also left a copy on a thumb-drive I occasionally use for other purposes (think again, Les!). That way I never type-in a password for the delectation of visiting keyloggers, I use CTRL-C/CTRL-V; and lately I have taken to using a hashed (thank you, Leo!) version of foreign town names and numbers from dates in my life, scattergunned in and stored on three discs and the thumb-drive, which is the master copy and updated about once a month. I have never been hacked. What a splendid service you supply! Cheers, Les from SandGroperLand.

  20. James

    For many (10+) years I used one password (not a word) for strictly confidential stuff and one other for everything else. Then, only about a year ago, I started to use KeePass. It’s great: one password to get into KeePass (and local TrueCrypt volumes), and different ones generated by KeePass for everything else.

    KeePass also has the advantage that you can use it to plant username and password into any browser.

    The only downside to KeePass is that it has so many options that it has so many complexities, like customised scripts for specific situations, that it looks more complex to use than it actually is. It’s actually easy to get started – there’s a First Steps Tutorial, for those who, unlike me, have the sense to read it.

    And it’s all free, open source, you name it …

  21. Mary

    Does this mean I should not rely on my LastPass program that makes me feel so warm and safe now?

  22. Mark J

    @Mary
    Towards the end of the article (the last bullet point) Leo puts in a plug for LastPass and RoboForm.

  23. sowmya

    Superb Article!!
    Suppose I happened to register on a site where I need to give my email ID. They had asked me to set the pw too. So where does the password that we entered for such websites get stored? How much time does it take to crack it?
    Thanks.

  24. Eric Brightwell

    This sounds a bit like having a 24 hour security lock on your front door – ie after you shut it you cannot open it again for at least 24 hours. Very secure, but a little inconvenient.
    It’s relatively easy to have secure passwords when you are sitting at your PC, either by using RoboForm or KeePass etc, or by using your own list or encrypted spreadsheet etc. But if you have 100 different 12 character passwords how do you remember the one you need when you are out at an office or abroad using someone else’s PC? Can you keep all your passwords online, so that you can access them from anywhere using just one 12 character password?

    Many of the password safes have applications for your smartphone. I use LastPass which does, and if I ever need a password while I’m out somewhere it’s there in my pocket.

    Leo
    14-Jun-2012
  25. tony

    good article on hacking passwords, but you never fully explain why we get locked out after 3 wrong tries and a hacker doesn’t

    They do. They work around that by attacking several different accounts at once, slowly, so as not to get locked out. Or they steal the database from the service provider which bypasses that lockout mechanism.

    Leo
    14-Jun-2012
  26. Stephen Jackson

    Thanks Leo. Your article was very helpful. I will lengthen all my passwords to 12 characters starting today. Also, signed up with LastPass to help manage these new passwords.

  27. Mary

    Thanks Mark, I missed that last bullet point. I feel better now. I love using LastPass.

  28. Glenn P.

    I agree with almost everything here, except that:

    (1): I suggest a 16, rather than 12, character minimum length for passphrases; and

    (2): I STILL suggest –

    (a) Continuing to respell/obfuscate words wherever possible (hey, why make things any easier on the “crackers” — don’t call them “hackers!” — than they have to be???);

    (b) Adding capitals, numbers, punctuation, and special symbols (such as &, #, @, +, $, etc., which for the most part aren’t ordinary punctuation marks normally used in sentences).

    The basic premise that “the longer the passphrase, the better” is true enough; but it does NOT vitiate the concurrent principle that “complexity increases the security of ANY passphrase.”

    And DO allow me to once again recommend my favorite book on this topic:
    “Perfect Passwords: Selection, Protection, Authentication” by Mark Burnett ($20.09),
    available for sale at Amazon.COM.

  29. Hugo Kurtz

    Good luck trying to use the logical rules of passwords.
    Schwab allows only eight characters and nothing but numbers and letters.
    Fidelity does not allow more than twelve characters and nothing but numbers and letters.
    Vanguard will take almost anything but only uses the first ten characters.
    The three financial services rely upon the three-tries then lock-out feature.
    I can’t afford to change companies but will if any of them improve.
    Schwab really worries me even though they have a “guarantee” of refund if someone hacks the account.

  30. Sansung

    At times I just get annoyed at the fact that we are living in a password world. Almost everything is only password protected. But ultimately the fact is passwords (strong or not) do not replace the need for other effective security control. You can opt for a password manager but the only real solution is that these companies need to add additional layers of authentication for access and transaction verification without unreasonable complexity and this will help their customers by implementing some form of 2FA where you can telesign into your account and have the security knowing you are protected if your password were to be stolen. This should be a prerequisite to any system that wants to promote itself as being secure. With this if they were to try to use the “stolen” password and don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account.

  31. Duvid

    To follow the “different password on each site” rule, but easily remember them all, I simply use [My*Strong*Long*and*Secure*Password] on each one, but prefaced or suffixed (or both) by a word relating to the site: like “citbnk” or “gmal” or similar.

  32. Old Man

    You have many articles about creating passwords, so this may be on the wrong one.

    Here is something I copied from a government agency on creating passwords that you can remember.

    PASSWORD TIP
    Here’s one way to create a strong password you’ll remember: Think of a sentence or phrase that’s meaningful to you (i.e., my oldest son Zac will be 15 years old on May 30!). Use the first letter of each word to create a password (i.e., mosZwb15yooM30!). Then change some of the letters to similar special characters (i.e., mo$Zwb15yooM30!). Warning: Do not use this example as your password. Now that it’s been widely published, a hacker is likely to try it.

    Add what Duval said to remember which account is involved.

    Numbers and letters that can easily be confused – I (cap eye), l (small ell) and 1 (one); O (cap oh) and 0 (zero) – use the alternate form, such as i for I, L for l, o for O. This also adds a little extra security to the password.

  33. Sarah Perkins

    I’m perplexed about Roboform and Lastpass. They say that they save your password and automatically fill in the information when you visit a site. How would this protect me if someone stole my computer? Also, my browser already auto fills my log-in and password if I want it to. How are Roboform and Lastpass different?

  34. Muhammad Sajid

    plzzz show me my password. Someone hacked my ID, plzzz remove it.
