In the last couple of weeks, we’ve once again heard of a couple of major websites suffering from data breaches that have exposed information about millions of user passwords to hackers.
This theft brings up again the concept of so-called “good passwords.”
What many people don’t realize is that the thinking around exactly what it means to have a good password is changing.
And it may be changing in ways you wouldn’t expect.
To understand what makes a good password, we need to understand just a little about what makes passwords vulnerable – which means understanding a couple of the different ways that hackers hack.
Along the way, I’ll also discuss hashes (again) and why a “salted hash” isn’t breakfast food, but rather a critically important approach websites should be using to keep track of your passwords.
And there will be rainbows.
The Rules: Old and New
For those with short attention spans, I’ll start with what you need to do differently, beginning yesterday.
In the past, the traditional advice on passwords was:
- Eight characters long at a minimum
- Never use names or words, at least not without mangling them somehow
- Never use combinations of names or words, at least not without mangling them somehow
- Use a combination of upper and lowercase letters and digits
- Use at least one special character – something other than a letter or digit – if the system will let you
Those rules are no longer sufficient, and for all their complexity, they still leave you with a password that remains quite susceptible to certain types of compromises.
Instead:
- 12 characters long at a minimum
- Longer is always better
- Use a combination of upper and lowercase letters and digits
- Words aren’t as evil as they once were, as long as the password is long enough
- Consider padding the password with a random character to make it longer
As you can see, there’s a new emphasis on length.
If you remember nothing else from this article, size matters, longer is better.
The Dictionary Attack
One of the reasons that we’ve always been told to never use normal words (or common names) in passwords is that there are very simple attacks called “dictionary attacks” that simply try all words, or all combinations of words, one after the other until something works. (Many jump-start this process by starting with a list of known extremely common passwords.)
The Oxford dictionary tells us:
This suggests that there are, at the very least, a quarter of a million distinct English words… 1
If we stick to all single case, then a program needs to try only 250,000 times 250,000 (62.5 million) times to be guaranteed to stumble onto a two-word password. I say “only” 62.5 million because to a computer running with speeds measured in billions of operations a second, that’s nothing.
Yes, you can add names and random capitalization to the mix, and perhaps even insert digits, but even that slightly-obfuscated dictionary-based approach to password cracking remains something that is easily performed by today’s technology.
It’s also not necessary any more.
It’s now quite possible for hackers to just try everything.
The Brute Force Attack
Let’s say you’ve been really, really good and you have an eight-character password made up of completely random letters, numbers, and symbols.
Perhaps “7CxX&*Xf”.
That’s still a good password, but not a great password.
It’s estimated that such a password could be cracked (offline) in a little over 18 hours.2
Doesn’t matter that you didn’t use words, or your name or anything else. Eight characters – 6,704,780,954,517,120 possible combinations and passwords – in less than a day.
Now, the most common response that I get when I throw out numbers like that is, “How can they try that many, that fast when I get locked out after three wrong attempts?”
Online Attacks
In the online scenario, it’s very true that they can’t try quite that fast, but they can still try fast enough for it to be a serious issue, particularly for dictionary attacks.
For example, I can envision a botnet that’s not only sending spam, but is also performing a distributed dictionary attack against a set of email accounts at the same time. Slowly and from different locations, so as not to trip any limit filters, they try millions of passwords against hundreds of thousands of accounts.
Eventually, they’ll hit pay dirt – especially if they try those “known most common” passwords first.
But surprisingly, that’s not why eight characters is too short. A random eight-character password will probably protect you just fine from these types of online attacks.
It’s the offline attack that you need to worry about, where your eight-character password – possibly any eight-character password – might be cracked in microseconds.
To understand how that can be, we need to start by understanding how passwords are stored. But first, we need to realize that guessing from the outside is only one way to get password information. Occasionally, it’s something else.
The Database Breach
Every so often, we hear of an online service that has been hacked into and their database stolen.
What that typically means is that rather than trying to guess logins one at a time, a hacker has infiltrated the systems of the service and snatched a copy of some or all of the user accounts database.
As a result, they typically have:
- A list of all usernames or login IDs for that system
- A companion list of all passwords or password information for those login IDs
- Other stuff that the system may have stored for each user ID
No need to try guessing passwords slowly from the system’s public-facing login; the hackers walk away with almost all of the information that they need in one fell swoop.
Now, note that I said “passwords or password information” above. Most systems do not store your password – they store something else.
Any system that can actually tell you what your password is should not be considered secure.
Hash – Hold the Salt
Any system that can actually tell you what your password is should not be considered secure. Any system requiring security should never, ever actually store your password.
What they store instead is called a “hash” of the password.
A hash is a mathematical function that takes an arbitrary amount of text and computes from it a number. That number has the following characteristics:
- Any change, however small, in the data being hashed should result in a large change in the resulting hash.
- It should never be possible to reconstruct the original data from its hash value.
- It’s not feasible to craft data that, when hashed, would generate a specific hash value.
So, instead of storing your password “iforgot”, the system might instead store:
d9fd60a8cf992ec3d554ec2df8dd4cb345e77de7ecb4df4772920897b1d51bc5
That’s the result of an “SHA 256” hashing function. Any time you give that function “iforgot,” the result will be that number (which happens to be 256-bits long). What’s important is that given only that number there’s no feasible way to figure out what password caused it to be generated.
So, when you login, the system passes whatever you type in to the password field through the hashing function, and if the resulting number matches, then you must have typed in the correct password because it’s the only thing that could have generated that number. 3
All while not needing to store your actual password.
Now, as technology has grown more powerful, we’ve run into an interesting issue rendering even this nicely obscure means of storing passwords without actually storing passwords at risk.
Rainbow Tables (Sorry, no Unicorns)
Consider the eight-character password.
If the password that we’re setting up allows each character to be any of 26 alphabetic upper and lower case characters, 10 digits, and 10 special characters, that’s 72 possible characters in each position. If we have eight of those, that’s 72 to the eighth power or 722,204,136,308,736 – 722 trillion – possibilities.
It sounds like an enormity, but with today’s computational and storage power, it’s possible to:
- Calculate all possible eight-character passwords
- Store in a table the password and its calculated hash value for all possible eight-character passwords
- “Crack” a password from that database you just stole by just looking up the hash value that you have in the table you created and fetching the corresponding password
That table, by the way, is called a “rainbow table.”
In reality, hackers rarely need the entire table for various reasons; there are algorithmic shortcuts, not all hash functions are created equal, and so on and so on. And on top of that, we pick bad passwords, so a smaller table with just the hash values of lots and lots of common passwords is pretty darned useful to many hackers.
But even the worst-case scenario is quite do-able.
All because the hashing algorithms chosen are quite standard (trust me, you don’t want to dream up your own – this is a place where you really want to leave the math involved to trained professionals – homebrew hashes are typically cracked algorithmically within seconds).
So, if your email service, your social media service, and your photo-sharing service and whatever else you happen to login into all use the same hashing algorithm, then they have all stored the exact same hash value for your password. If that table of password hashes is ever stolen, then a quick lookup in a rainbow table will retrieve the password which could then be used on any of those sites, even though they were never directly breached.
Now, as it turns out, there’s a trivial way to stop that possibility.
Add seasoning.
The Salted Hash
“Salting” is a way to obscure the information stored in a service’s password database.
Instead of computing the hash of a password, they instead add something to the password and hash the combination. Then, when the time comes to check that you’ve entered the right password, they take what you’ve typed in, add that same something to it, and hash the result. If the hash value matches, then the password is correct.
For example, perhaps I create my password as “iforgot”. As we saw, that gave us an SHA256 hash of
d9fd60a8cf992ec3d554ec2df8dd4cb345e77de7ecb4df4772920897b1d51bc5
If, however, the system storing my password automatically adds “mypants” to every password and hashes the result – iforgotmypants” – the hashed value is completely different.
9791d33a44b51d071a90cd246a3b8a4ca2491f9474ebd737bc137b82826c7e5d
When I come back to login and enter “iforgot,” the system automatically adds “mypants” and hashes that, and the values match.
If the hash value is even in a rainbow table somewhere, it maps to “iforgotmypants” which is most decidedly not my password.
The item we add – the frivolous “mypants” in the example above – is known as “salt,” as it changes the flavor of the result of the hash function. In reality, it wouldn’t be anything so simple and it would vary from system to system (and if done really well, from account to account).
Now with all of that as backdrop, here’s the kicker: you don’t know how the services you use encode your password and too many do not use salt. In fact, a most recent breach at an extremely well-known large online service exposed the fact that they were not using salt to properly secure their database of hashed passwords. The passwords stolen could be easily looked up via available rainbow tables.
So, in the face of not knowing which services do password security right, how do you protect yourself?
Size Matters
The single most important thing that you can do to improve your password’s security is to make it longer.
The longer the better, in fact.
Recall how I said an eight-character password gave us 722 trillion possible combinations? (722,204,136,308,736 to be exact).
The single most important thing you can do to improve your password’s security is to make it longer.
A 12-character password results in 19,408,409,961,765,342,806,016 possible combinations.
There’s no rainbow table big enough, and there won’t be for quite some time. Short of storing your password unencrypted (which is a huge security no-no anyway), just about any hash will do, salted or not.
And, bonus: it’s extremely unlikely that a dictionary attack will bother with the assorted combinations to eventually get to whatever it is you put in 12 characters.
Length doesn’t imply complexity. There’s a very strong argument that says:
****password****
is, in fact, a significantly more secure password than
7CxX&*Xf
Plus, it’s easier to remember. (Although using normal words in this manner still makes me nervous for reasons I can’t quite explain. 
)
In fact, even longer pass phrases – something like perhaps:
are perhaps best of all. (With big a hat tip & propeller twirl to that great geeky web comic XKCD.)
The Bottom Line (this time at the bottom)
So, what should you do?
- Abandon eight-character passwords. They should no longer be considered secure.
- Create all new passwords 12 characters or longer. (You can make a password longer and more secure by adding repeating characters if you can’t think of anything else.)
That’s the bare minimum. For bonus points:
- Ask for your password (not a reset or “reminder”) from your provider. If they can actually send you the password, complain loudly. They’re doing security wrong. Consider leaving them; and at a minimum, use a unique password there that you use nowhere else.
- Never use the same password in more than one place. If, for some reason, an ID and password gets compromised at service “A”, hackers will then run around to many, many other services – “B”, “C”, “D” and so on – and see if they can login with it. All too frequently, they can.
- Consider using a utility like LastPass or Roboform to remember all your different passwords for you.
And of course, keep your PC secure. No matter how strong your password, malware such as keyloggers can capture it; using an open Wifi hotspot without proper security could be the moral equivalent of writing your password on the wall for all to see.
David
Also, it’s important to use all four classes of characters (numbers, upper case letters, lower case letters, and symbols) according to https://www.grc.com/haystack.htm.
Mike
Great article. I just don’t understand why quite a few sites put certain limits on the password length and complexity. Recently I registered for an Adobe ID, which didn’t even allow passwords longer than 12 characters! I can’t believe they put any limits on it, since you can feed an arbitrary amount of data to the hash functions, and the only practical limit is the size of the post request you’d be sending to the server. Maybe certain characters from specific locales can’t be displayed correctly, but as long as you enter the same password every time, that too should not be an issue, right?
Mark Jacobs
Another weak link to watch out for: Password recovery questions. These should not be easy to guess and to be really safe, should follow the same rules as choosing a password. Ie. 12 or more difficult to guess characters not at all related to the question. Password Recovery Questions; how do they work and can I make up my own?
Gil
I thought I remember reading somewhere that starting one’s password with a space makes it nearly impossible to be stolen. What are your thoughts on this Leo?
12-Jun-2012
Vee
This was great thank you. I will be adding more to my passwords, and sending this to all of my friend’s.
Phil
A real eye opener and something to act on. Thanks, but one maybe naive question. When these hackers create the rainbow tables how do they get the hashing algorithm?
12-Jun-2012
Jackie
Wow!!!!!! I have been educated. About 8 months ago, I started using a 12-letter/digit/caps-combo password, but unfortunately, it was only AFTER my email account had been compromised.
Robert R
Another good technique for developing the password is taking letters, suitably modified, from a phrase. For example, use the phrase: The quick brown fox jumped over the lazy dogs. Take the first and last letter from each word, use numbers where they look like letters, and add a character or two as well. So the password, based on the above phrase, is: Teqkbnfxjd0rte1yd$#
If you remember the phrase and the rule, you’ve got it. Much easier than trying to remember Teqkbnfxjd0rte1yd$#
(Note, don’t use the phrase in the example as too well known)
Steve
Great article! I’ve been trying to use 19 character passwords, but as Mike pointed out that is not always allowed. I’ve been using RoboForm to generate the passwords and occasionally using GRC’s password generator. I’ve been using 63 character passwords on my WPA2 router and my kids think I am crazy. I could do better, but my router only allows alpha-numeric so I’m limited there.
John
Mike, generally, it means they aren’t encrypting your password at all if they use character limits.
12-Jun-2012
tony
But my bank only allows 8 characters and only upper and lower case letters and numbers.
12-Jun-2012
Kevin
Hi Leo
That article did scare me
At the moment my smallest password is 15, and my longest is 26, all as far as I know absolute rubbish. Is this enough ????
Ed
Many of my accounts do not allow long passwords and some no special characters. How do we get them “on board”/
12-Jun-2012
Michael
Alarmingly, it’s most often the big financial institutions (you know…where you do your online banking?!?!) that DON’T allow passwords longer than 8 characters…..and DON’T allow “special” characters…..i.e. anything other than lower-case letters and numbers. Pathetic!
Shame on you CIBC and others!
Mark Magill
Tony and all: If your bank is only allowing 8 characters, then the best thing to do is make it the strongest 8 you can. My friends and I frequent a free site called passwordmeter.com that will tell you just how strong your password is and how to make it stronger, explaining the portions of it that make it good or bad. It seems spot on with what Leo teaches, but was designed in 8-character days. Good luck.
bob price
Many sites will not allow p/w’s longer than 8, and worse, they won’t allow symbols.
That said, if your site does allow more length, and you like your 8 digit p/w, simply repeat it.
So, ‘mynameis’ becomes
mynameismynameismynameis
That’s 24 characters with little effort.
Richard Pedersen
A really great article, Leo!
I learned a lot!
Thanks!
sirpaul2
Also, if the account contains financial data, change your password every so often.
If you want to use a virtual keyboard to input your passwords, get a secure one. Look for: clipboard logger protection, screen logger protection, mouse position protection, and password field protection.
Peter Ballantyne
Thanks Leo – just a quick word of appreciation. I have been using computers since the days of the Sinclair ZX81, and now-a-days use it (NOT the ZX81) intensively for banking, bill paying, etc, etc, etc. I thought my passwords were pretty good, but you have opened up a whole issue for me. As a direct result of your article I am rehashing (no pun intended) my entire password strategy. After almost 30 years hobbying with computers I thought I knew enough to be OK, but you have taught me something in this article I really needed to know. My grateful thanks. Oh, and can I also add that I really appreciate your attitude when dealing with folk who are obviously just beginners with computing. I like how gracious and patient you are with them, and it makes me feel confident to ask whatever I need to ask – assuming I can’t find the answer already in your outstanding web site. Many thanks.
john neeting
My own passwords are always over 40 places long and I’d use a pass phrase that you can never forget example [ I dont use this one ]
“I said lookIsaidLoveIsaidDarlIsaidPetIsaidlookSamwiseGangy” A combinathion of my favorite comedy show of old and lord of the rings. I dont care how fast an offline hacking computer is – there is no way in my lifetime you can stummble on something this long – with salted hash yet.
Les Ashton
I do not keep passwords on the machine; I record them in an XLS file on a 3.5-inch floppy disc; although lately I have also left a copy on a thumb-drive I occasionally use for other purposes (think again, Les!). That way I never type-in a password for the delectation of visiting keyloggers, I use CTRL-C/CTRL-V; and lately I have taken to using a hashed (thank you, Leo!) version of foreign town names and numbers from dates in my life, scattergunned in and stored on three discs and the thumb-drive, which is the master copy and updated about once a month. I have never been hacked. What a splendid service you supply! Cheers, Les from SandGroperLand.
James
For many (10+) years I used one password (not a word) for strictly confidential stuff and one other for everything else. Then, only about a year ago, I started to use KeePass. It’s great: one password to get into KeePass (and local TrueCrypt volumes), and different ones generated by KeePass for everything else.
KeePass also has the advantage that use can use it to plant username and password into any browser.
The only downside to KeePass is that it has so many options that it has so many complexities, like customised scripts for specific situations, that it looks more complex to use than it actually is. It’s actually easy to get started – there’s a First Steps Tutorial, for those who, unlike me, have the sense to read it.
And it’s all free, open source, you name it …
Mary
Does this mean I should not rely on my LastPass program that makes me feel so warm and safe now?
Mark Jacobs
@Mary
Towards the end of the article (the last bullet point) Leo puts in a plug for LastPass and RoboForm.
José
Leo, another terrific article. Thanks so much for all you do.
sowmya
Superb Article!!
Suppose I happened to register into a site where i need to give my email id. They had asked me to set the pw too. So where is the password that we entered for such websites gets stored? How much time does it take to crack it?
Thanks.
Eric Brightwell
This sounds a bit like having a 24 hour security lock on your front door – ie after you shut it you cannot open it again for at least 24 hours. Very secure, but a little inconvenient.
It’s relatively easy to have secure passwords when you are sitting at your PC, either by using RoboForm or KeePass etc, or by using your own list or encrypted spreadsheet etc. But if you have 100 different 12 character passwords how do you remember the one you need when you are out at an office or abroad using someone elses PC? Can you keep all your passwords online, so that you can access them from anywhere using just one 12 character password?
14-Jun-2012
tony
good article on hacking passwords, but you never fully explain why we get locked out after 3 wrong tries and a hacker doesn’t
14-Jun-2012
Stephen Jackson
Thanks Leo. Your article was very helpful. I will lengthen all my passwords to 12 characters starting today. Also, signed up with LastPass to help manage these new passwords.
Mary
Thanks Mark, I missed that last bullet point. I feel better now. I love using LastPass.
Glenn P.,
I agree with almost everything here, except that:
(1): I suggest a 16, rather than 12, character minimum length for passphrases; and
(2): I STILL suggest —
(a) Continuing to respell/obfuscate words wherever possible (hey, why make things any easier on the “crackers” — don’t call them “hackers!” — than they have to be???);
(b) Adding capitals, numbers, punctuation, and special symbols (such as &, #, @, +, $, etc., which for the most part aren’t ordinary punctuation marks normally used in sentences).
The basic premise that “the longer the passphrase, the better” is true enough; but it does NOT vitiate the concurrent principle that “complexity increases the security of ANY passphrase.”
And DO allow me to once again recommend my favorite book on this topic:
“Perfect Passwords: Selection, Protection, Authentication” by Mark Burnett ($20.09),
available for sale at Amazon.COM.
Hugo Kurtz
Good luck trying to use the logical rules of passwords.
Schwab allows only eight characters and nothing but numbers and letters.
Fidelity does not allow more than twelve characters and nothing but numbers and letters.
Vanguard will take almost anything but only uses the first ten characters.
The three financial services rely upon the three-tries then lock-out feature.
I can’t afford to change companies but will if any of them improve.
Schwab really worries me even though they have a “guarantee” of refund if someone hacks the account.
Sansung
At times I just get annoyed at the fact that we are living in a password world. Almost everything is only password protected. But ultimately the fact is passwords (strong or not) do not replace the need for other effective security control. You can opt for a password manager but the only real solution is that these companies need to add additional layers of authentication for access and transaction verification without unreasonable complexity and this will help their customers by implementing some form of 2FA were you can telesign into your account and have the security knowing you are protected if your password were to be stolen. This should be a prerequisite to any system that wants to promote itself as being secure. With this if they were to try to use the “stolen” password and don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account.
Duvid
To follow the “different password on each site” rule, but easily remember them all, I simply use [My*Strong*Long*and*Secure*Password] on each one, but prefaced or suffixed (or both) by a word relating to the site: like “citbnk” or “gmal” or similar.
wschloss
That’s not a bad idea. Would that be the same as a custom salt?
I am currently using something like +Phrasepass-)(-212MH97857+
Where Phrasepass is something like IltsoabBfC = I love the smell of a beautiful Balsam for Christmas
and 212MH97857 is something like my Grandfather’s phone number when I was a Kid MH = Murray Hill, long defunct and would never appear in any file on my PC or cloud,–my wife of 30 years wouldn’t even be able to guess it though I have told her.
Next time I overhaul my important passwords I think I’ll make them something like ^Phrasepass=}sitename{=MH59879857^
I will never forget the phrase and phone but see a potential snag; two years later, Is the site Google or gmail or maps or etc? They all use the same credentials.
That’s why I still need LastPass. Also, with LastPass, I only have to type it a couple times per week, so the very long length is OK.
For my low (nothing but email and pass, like magazines) and medium (not financial and minimal other info) risk sites that I often have to type on phone or table; something similar but shorter. LastPass for mobile sucks, but I had tried Dashlane and found it no better.
i am interested in your thoughts. Thanks.
wschloss
One last thing: on someone else’s computer, in incognito mode, search “Phrasepass” to assure it’s not a valid word in any language/dictionary. You may have to turn on all languages in the search engine to do that. My Phrasepass is from an obscure favorite book, and not the first or last line, just something I always found clever or particularly well written, and memorable to me. Do the Asian hackers read Fowles and Grey?
Old Man
You have many articles about creating passwords, so this may be on the wrong one.
Here is something I copied from a government agency on creating passwords that you can remember.
PASSWORD TIP
Here’s one way to create a strong password you’ll remember: Think of a sentence or phrase that’s meaningful to you (i.e., my oldest son Zac will be 15 years old on May 30!). Use the first letter of each word to create a password (i.e., mosZwb15yooM30!). Then change some of the letters to similar special characters (i.e., mo$Zwb15yooM30!). Warning: Do not use this example as your password. Now that it’s been widely published, a hacker is likely to try it.
Add what Duval said to remember which account is involved.
Numbers and letters that can easily be confused – I (cap eye), l (small ell) and 1 (one); O (cap oh) and 0 (zero) – use the alternate form, such as i for I, L for l, o for O. This also adds a little extra security to the password.
Sarah Perkins
I’m perplexed about Roboform and Lastpass. They say that they save your password and automatically fill in the information when you visit a site. How would this protect me if someone stole my computer? Also, my browser already auto fills my log-in and password if I want it to. How are Roboform and Lastpass different?
Mark Jacobs
LastPass and RoboForm give you the option to password protect your passwords with a master password. A recent article on Ask Leo! explains the difference and why having your browser remember passwords isn’t normally such a good idea.
How safe is it to let my browser save my passwords?
Muhammad Sajid
plzzz show me my password. Someone hacked my I.d, plzzz remove it.
Leo
I cannot.
Dolly
Very helpful
Wilfred Dupre
I am a deaf using this email address please make sure you send me message. Thankyou!!!!
Alisa Cameron
please help me get into my facebook
Mark Jacobs
These article discuss Facebook account recovery.
https://askleo.com/how-do-i-recover-my-hacked-facebook-account/
https://askleo.com/how_do_i_recover_my_facebook_log_in_password/
Princess celvina
Mr leo am so much greatful,for all your answers toward all the questions,THANK YOU.and thanks to all many of you that stated a very important comment,but still my gratitud is very much on one paticular person,and that(LEO)sir thanks so very much.
Marina Watton
Can’t log in to my Facebook account and can’t cchange it
Connie (Team Leo)
There are several ways to recover a Facebook account. I’ll point you at this article: https://askleo.com/how_do_i_recover_my_facebook_log_in_password/
Josannie Cuizon
How can i get my facebook password…
Mark Jacobs (Team Leo)
These articles discuss recovering Facebook passwords.
http://askleo.com/how_do_i_recover_my_facebook_log_in_password/
http://askleo.com/how-do-i-recover-my-hacked-facebook-account/
praveen rawal
Facebook I’d forgot password and Gmail how can open my I’d..
Mark Jacobs (Team Leo)
We cannot recover hacked accounts, lost or forgotten passwords. Please see these articles for more information on your options:
http://askleo.com/how_do_i_recover_my_facebook_log_in_password/ and/or
http://askleo.com/how-do-i-recover-my-hacked-facebook-account/