For a long time, the common thinking was that the best, most practical passwords consisted of a random combination of upper and lower-case letters, numbers, and a special character or two. If so composed, password length needed to be only eight characters.
Randomness remains important, but as it turns out, size matters more.
A password today should have a minimum of 12 characters, and ideally, 16 or even more.
Large-scale account hacks
When you hear about large numbers of accounts being stolen by a hack at some service provider, you are naturally concerned that the hacker might now have access to your account names and passwords. If the service was storing your actual passwords, that could indeed be the case. (As I’ve said before, if a service is storing your actual passwords1, then they simply don’t understand security, or they have made some horrifically bad decisions.)
In fact, most services store an encrypted (technically, a “hashed”) form of your password. For example, if my password were “password” (and that’s a very poor password, of course), then a service might store “5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8”, which is the hash value that corresponds to that password.2
What that means is that hackers do not get a list of user names and passwords. What they get is a list of usernames and password hashes.
And what’s great about hashes is that you can calculate a hash from a password, but you cannot do the reverse – you cannot calculate the password from the hash.
As a result, one would think that by being hashed it’d be pretty unhackable, right?
Sadly, not so much.
Dictionary attacks
The most common type of password attack is simply a high-speed guessing game. This doesn’t work when pounding on an actual log-in page; they’re slow, and will quickly deny further access after too many failures. But this technique works wonderfully if the hacker has the entire database of account and password hashes sitting on his computer.
These attacks involve starting with an exhaustive list of possible words and known common passwords (including names, profanities, acronyms, and more) and perhaps a few rules to try interesting and common ways that people try to obfuscate words. They calculate the hash of each guess, and if it matches what was found in the compromised database of account information that they’re working against, they’ve figured out the password for that account.
As we’ll see in a moment, it’s easy for hackers to make an amazing number of guesses is a short amount of time.
That’s why you’re not using that kind of password, right?
That’s why a password created from a totally random combination of characters is best. It forces hackers to move on to a true brute force attack of every possible combination to gain access.
Brute force attacks
Computers are fast. In fact, the computer on your desk is so fast that its ability to do simple operations is measured in terms of billions of operations per second.
Creating a password hash is not a simple operation, on purpose. However, it’s still something that can be done very quickly on most machines today. Spread the work over a number of machines – perhaps a botnet – and the amount of processing power that can be thrown at password cracking is amazing.
The net impact is that it’s now feasible to calculate the encrypted hash values for all possible eight-character passwords comprised of upper and lowercase alphabetic characters and digits.
Sixty-two possible characters (26 lower case, 26 upper case, 10 digits), in each of the eight positions gives us 221,919,451,578,0903, or over 221 trillion, combinations.4
This seems like a lot, until you realize that an off-line attack, which is easily performed once you’ve stolen a database of usernames and encrypted passwords, can be completed in a few hours. (This assumes technology that can “guess” something like 10 billion passwords per second – which, for those performing these kinds of attacks, is quite possible.)
It doesn’t matter what your password is; if it’s eight characters and constructed using upper and lower case letters and numbers, the hackers now have it – even if it was hashed by the service they stole it from.
Why 12 is better and 16 better still
As we’ve seen, eight-character passwords give you over 221 trillion combinations, which can be reasonably brute-force guessed offline in hours.
Twelve characters gives you over three sextillion (3,279,156,381,453,603,096,810). The offline brute-force guessing time in this case would be measured in centuries.
Sixteen takes the calculation off the chart. Today.
That’s why 16 is better than 12, and both are better than eight.
What about special characters?
I did leave out special characters, it’s true.
Let’s say that the system you’re using allows you to use any of 10 different “special characters” in addition to A-Z, a-z, and 0-9. Now, instead of 62 characters, we have 72 possibilities per position.
That takes us to 700 trillion possibilities.
Compare that to sticking with the original 62 letters and numbers, but adding only a single character to make it a nine-character password.
That takes us to over 13 quadrillion possibilities.
Yes, adding and using special characters makes your password better, but significantly better yet is to simply add one more character.
So add two. Or six. 🙂
Long passwords are good, pass-phrases are better
The difference is really a semantic one, but in general:
- A password is a random string of characters.
- A pass-phrase is a longer string of words.
Why passphrase? Because they’re easier to remember, and they’re easier to make long – and as we saw, password length is perhaps the single easiest way to increase the security of a password.
“BT6aKgcAN44VK4yw” is a very nice, 16-character long, secure password that’s difficult to remember. In fact, the only way to use this is with a password manager of some sort that remembers it for you.
On the other hand, “Its fleece was white as you know nothing John Snow”, at 50 characters, is wonderfully long, secure, and most of all, memorable. Much like the now canonical example of “Correct Horse Battery Staple“, you might even have a difficult time forgetting it5.
The biggest problem with passphrases? Many services that use passwords don’t allow spaces and don’t allow such lengthy passwords.
Shouldn’t services fix this and do better?
Absolutely, they should. And many do.
As I’ve stated above, passwords shouldn’t be kept in plain text anywhere by the service at all … yet some do.
There are techniques that make brute-force attacks significantly harder … and yet, many use techniques which are easier than the example above.
There are services that do a great job of keeping your information secure. There are also services that don’t. The problem is you really can’t be certain which is which.
To be safe, you have to act like they’re all at risk.
The bottom line
The bottom line for staying safe is simply this:
- Don’t trust that the service you’re using is handling passwords properly. While many do, it’s become painfully clear that many do not, and you won’t know which kind you’re dealing with until it’s too late.
- Use longer passwords: 12 characters minimum, 16 if at all possible.
- Use even longer passphrases where they’re supported, or where information is particularly sensitive. I use one for sensitive Truecrypt volumes, for example.
- Use a different password for each different site login you have. That way, a password compromised on one service won’t give hackers access to everything else.
Even the best eight-character passwords should no longer be considered secure. Twelve is “good enough for now”, but you really should consider moving to 16 for the long run.
john larson
I don’t mind any recommendations on passwords…what I detest is these sites FORCING you to conform to their password rules…those of us who aren’t overly concerned about getting hacked and have been around awhile often prefer an old password we came up with years ago that may be 4 or 6 characters in length…it’s very aggravating to have sites NOT ALLOW YOU to use it
14-Jun-2011
Rudy
Actually, any password less than 14 characters is easily hackable. 14 characters is the old NTLM limit and there are many pre-hashed disctionary files out there. Personally I use 16 characters – at least 2 upper case, at least 2 lower case, at lease 2 numbers, at lease 2 special characters. A product such as L0ftCrack cannot crack those even when it is the only password in the Windows system and running continuously on a multi-core server !
Robin Clay
You wrote:-
> most services will store an encrypted
> (technically, a “hashed”) form of your
> password
“encrypted” sounds more “technical” than “hashed” to me – but what sort of encryption is it, that turns an 8-character password into a 64-character one ?
And is it 64 even for a 12-character one ?
14-Jun-2011
Dan
Wouldn’t just 12 alpha characters all lower or all upper work? Since the person hacking doesn’t know that there aren’t numbers or special characters, the possibility of having them would make them still have to check.
14-Jun-2011
Gabe Lawrence
@Robin Clay (and Leo’s response#
Hackers don’t have to check for all 4 groups of characters #upper, lower, numbers, specials)…if they’re approach to hacking is to ONLY use lower case letters during their crack attempts, then a password of “123” is far more secure to that particular hack attempt than a password of “lowercasepass”. Hopefully that perspective discourages you from only using one of the four available groups. IMHO.
Gabe Lawrence
…in response to my previous post…
I notice that sometimes during the preview of a post, certain symbols don’t appear correctly, like paranthesis and apostrophes. Nevertheless, in the past I’d click the POST button after previewing and they’d post just fine. My last post however still has some “pound” signs instead of “paranthesis”….just FLI (for Leo’s information) 😛
sVen
Wow. Thanx. I’ve made a couple of wrong assumptions. Now, even before finishing this news letter, I’m going to go and change the password on my Vet Health page. Again, Thanx.
Dan Klein
Many websites lock you out after 3 attempts, so how can a brute force attack work under those conditions?
17-Jun-2011
Ronald parisi
My password is [15] letters long and i’ took my password from the Holy bible
Gabe Lawrence
@Dan Klein
In the article, Leo’s suggesting that many of these types of attacks (if not all) are done “offline”. The hacker get his hands on the data and then goes to work with it in a private (or controlled) setting.
That being said, I can assure you that there are ways for hackers to work online too. Before we purchased a robust firewall for our business network, as the IT Manager I witnessed at least one or two attempts per month on our network. In about 2 or 3 minutes time, the hacker was able to produce thousands of attempts at username/password combos. I’m guessing this is less preferred because one thousand attempts a minute is a lot to you and me, but compared to the numbers Leo explains in the article, it would take lifetimes to crack even a moderately secure password. Like you suggest Dan, they should be getting locked out because I do if I fail 5 times. However, on less secure site (like ours was before a good firewall was implemented) they have methods that allow them to go “underneath” the interface that checks their attempts.
Mark Jacobs (Team Leo)
I had a good relative long (can’t say exactly how long for security reasons) all letter password that I began to feel maybe should be upgraded so I added a friend’s old phone number and some punctuation. Very easy to remember and looooooooonnnnnngggggggg. For the guy who uses the Bible Password. Could be crackable. Add a phone number or something easy to remember.
Jerry
Isn’t it always the simple things that get overlooked and yet can be the root of so many problems if not properly implemented? Very thought-provoking – yet easy to comprehend article, Leo. Many thanks for these pearls (that are hopefully not before swine and we will all act accordingly). Keep up the good work.. 🙂
Larry Clemens
Here is an article that suggests simple three word phrases may be powerful passwords – the words are separated by spaces.
http://www.baekdal.com/tips/password-security-usability
17-Jun-2011
robertprice
Quote: “•Use a different password for each different site login you have. That way a password compromised on one service won’t give hackers access to everything else.”
I think that is completely unreasonable. A different pw for “every site”? In my case, that’s almost a 100 different pw’s. Not very practical
Kaunda
@Robertprice
Pwd for every site is very possible & practical. And simple 🙂 Not just sites even. You can create Unique pass for every account. That’s what I do. and this is how I do it!!
CREATE YOUR OWN ALGORITHM (consider my algorithm 3 years ago)
Step (1)
Take the last 3 characters of the site name in reverse order & Capitalize them. Do not add the extension. By extension I mean something like .gh, .com,.africa, .us, .net, .org, .whatever)
Something like this:
The last 3 characters of:
a) http://www.askleo.com = leo The reverse order is oel. Capitalize to get OEL
b) http://www.WebExtremist.com = ist The reverse order is tsi. Capitalize to get TSI
c) http://www.gmail.com = ail The reverse order is lia. Capitalize to get LIA
d) http://www.hotmail.com = ail The reverse order is lia. Capitalize to get LIA
Step (2)
Take the first 3 characters of the site name.
The first 3 characters of:
a) http://www.askleo.com = ask
b) http://www.webextremist.com = web
c) http://www.gmail.com = gma
d) http://www.hotmail.com = hot
Point (3)
Concatenate Point (1) and Point (2) in the order of numbering.
Thus,
a) OEL and ask = OEL&ask
b) TSI and web = TSI&web
c) LIA and gma = LIA&gma
d) LIA and hot = LIA&hot
Point (4)
Count the length of the characters in the site name. Prefix the length with the character “@”. And put in braces. Add result to Point (3) above
Thus,
a) Length of http://www.askleo.com = 14 Characters. When in bracket (14) When Prefix with @ gives (@14)
b) Length of http://www.webextremist.com = 20 Characters. When in bracket (20) When Prefix with @ gives (@20)
c) Length of http://www.gmail.com = 13 Characters. When in Bracket (13) When Prefix with @ gives (@13)
d) length of http://www.hotmail.com = 15 Characters. When in bracket (15) When Prefix with @ gives (@15)
Weldone! Your final password is therefore
a) = OEL&ask(@14) (When you want to login to askleo.com)
b) = TSI&web(@20) (When you want to login to webextremist.com)
c) = LIA&gma(@13) (When you want to login to gmail.com)
d) = LIA&hot(@15) (When you want to login to hotmail.com)
Though not strong algorithm, this should give u fair idea. You can generate your own which will guarantee you 500+ unique pass. The good news here
is, you don’t have to remember even a single password. You only remember them when you visit the site
My current Algo gives me 21 length character pass. Very complex to computer but simple for human mind to remember
Johnson M
Felt happy reading your comments regarding the algorithm based password. I totally agree and that’s exactly what I do too : )
One thing however that I realized is that my passwords used to be to only 8-10 characters. I should now increase the string length to 12 or more characters.
Cheers!
Mark Jacobs (Team Leo)
@robertprice
That’s where password managers such as LasPass, RoboForm and KeePass come in. You have to remember only one password and the program remembers the rest for you. Warning keep several backups of your password file.
I’m not saying it’s necessary to have a different password for every login as that is still much discussed point, I’m just saying how it can be done. I, for example, have one weak password for forum log-ins where I don’t care if it gets hacked. For important things like my emails and my banks, they all have a similar but unique password ie. the same password but with a unique identifier for each account.
Glenn P.
For RobertPrice:
Dude! That’s what programs like Roboform or (my personal favorite) KeePass Password Safe are for! Sheesh!
For Leo:
Twelve is good — but I understand that 16 should be the minimum, due to rainbow tables.
I’m a little surprised that you didn’t mention rainbow tables in your article.
Rainbow tables essentially are databases in which hackers have computed the all hashes for brute-force attacks on all passwords up to a given length in advance. They make the breaking of passwords both much easier, and much faster. The book “Perfect Passwords: Selection, Protection, Authentication” by Mark Burnett ($18.96)” recommends a 16-character minimum length password for this reason, but then, it was written in 2005 — so I would expect by now that the standard rainbow tables have been rather expanded by now!!! I would very seriously recommend a twenty-character password by now.
Really, folks: There is NO such thing as “a password too long” — unless it’s so long that it’s rejected by the system you’re feeding it to.
17-Jun-2011
George Kerr
Good article Leo.
It Is worth noting that, in some unix environments (eg AIX) you can set a long password but the system will only evaluate the first eight characters (the rest are ignored).
17-Jun-2011
johninlongmont
so do password crackers waste their time trying 4 character passwords?…if not, it seems a shorter password may be more secure…it’s all really about what their algorithms do, isn’t it?
Nitrothor
Hey Leo, great article!
I totally agree with two main points that Leo has made:
1. The password has to be long — the longer, the better. Personally, I use at least a minimum of 16 characters, but in most cases, I use more, even 22 or 24 characters. Every online site is different in what they allow. For example, the last that I knew, Hotmail only allows a 16-character maximum, but other websites allow longer, which in that case, I will always generate passcodes that to the maximal length a website will allow. I suggest contacting the website or reading their help section to find out what the maximal passcode they will allow.
Also, like Leo suggested, I would make all passcodes as a random combination of majuscule and miniscule letters as well as numbers. I admit that I tend to shy away from special characters, as some websites do not seem to understand special characters. There are so many special characters too, even way more than what is on an ordinary qwerty keyboard. And, if we start to discuss non-standard and non-Latin letters, then there are even more. Seemingly, many servers and websites do not understand those characters either.
For the benefit of persons reading this article, I would like to mention two great passcode generators that I like to use:
Chaos Generator by SafeSoft:
http://safechaos.com/cg.htm
PassGEN by Abhishek:
http://myfreewares.weebly.com/passgen.html
Both of these softwares are similar in appearance and how they work. And, they are both easy to use. They can generate passwords of any length and as many at one time as you would like. I normally like to produce a list of over a thousand passcodes at a time, then save them to a notepad and pick out ones that I want to use. Also, I will mention that I use Zone Alarm firewall, and neither of these two softwares have ever suddenly out-of-the-blue “phoned home”, otherwise, ZA would have alerted me.
I have developed my own manual password management system, as I am not willing to use password managers that are supposedly freeware. I am not willing to wake up one day to find software on my computer that was once freeware to now be a paid version, thereby leaving me locked out of my passcodes. I use a program called Mince, in order to manually archive and save my passcodes onto notepads. It can be found at:
http://bluefive.pair.com/mince.htm
I admit that my methods of online security are somewhat intensive and laborious, but me and my computers are worth that effort I put into online security.
Also, I recommend changing your account passcodes at least monthly or quarterly too. As far as robertprice’s comments about having too many different passcodes as being unreasonable. Perhaps you are on too many websites in the first place. Good online security and living a virtual life are nearly incompatible. And, this brings me to the second point that I agree with Leo on…
2. Use a different passcode for each online account you have. Why is that? For example, websites such as Plenty of Fish are easily hacked into. Once a hacker is into someone’s account, they can easily find your email address in your account information section. And, if your email passcode is the same as your PoF account passcode, then wal-lah: the hacker also has your email passcode too.
This is especially problematic nowadays as there is how a great deal of spam and phish is being sent out via normal email. Spammers and phishers like to use “established email accounts” nowadays for their well-developed contact list. Unsuspecting victims (the email recipients) imagine that they got an email from someone they know and trust, only to find out cold, hard reality once they mistakenly click a link or open an email attachment imagining that they received the email from someone they trusted.
If an email account had been legitimate for years but suddenly is hijacked, then those spammers are harder to be detected by ordinary spam filters in the email industry. Email account hijacking nowadays is a dime a dozen. And sadly, many people are too irresponsible to let the people on their contact list to know their account was hijacked in order to ignore any emails from that account.
So, I totally reaffirm Leo’s idea of keeping different passcodes for different accounts. Even if you have online throwaway accounts, if they are linked in any way to some other account of yours that you value, then that is a potential security breach.
I personally use Lavabit email accounts, as in the past two years that I have had my email with them, I have never once received a spam or phishing email. Seemingly, they have a bullet-proof email account system. I have not found a better email carrier on the internet yet. However, I still change my passcodes monthly or quarterly, depending on how I use the account.
Also, I highly suggest keeping a good antivirus, firewall and several anti-spyware engines on your computer too. Getting a trojan or keylogger in your computer can be very devastating to your computer and personal security too. I always say that old-fashioned viruses were only meant to wreck your computer. But nowadays, adware and spyware are meant to wreck your life!
I feel it is a matter of self-respect and personal responsibility to keep my computers clean and fit for duty. Many people do not, so you cannot rely on your online virtual friends to not infect your computer with theirs. I feel that sharing computers nowadays is like someone who is sharing their toothbrush and underware with someone else. As far as I am concerned, computers are not toys whatsoever. As Americans, it is our second amendment right and responsibility to protect ourselves. Often times, using my brain and some common sense are my best line of defense, especially in the cyber world!
Justus
Ik see KeePass Password Safe recommended. How can I be sure this is a safe program and not someone who tries to hack all my passwords?
robert price
I don’t recall if it was a link to this article or some other place. But that article said that phrases with spaces make cracking even more difficult.
For example:
my name is bob
with spaces, is even harder to crack than inserting symbols between the words. Opinion?
29-Jun-2011
john neeting
Good advice. My own passwords are over 22 letters long [ calculate that time to crack hee hee ] and I always use the complete phrase of something I NEVER forget. That favorite opening line from your favorite book EG ‘itwasthebestoftimesandtheworstoftimes’
Just an example. Notice no spaces and no funny characters – not needed because a cracker is using an engine that must go through upper AND lower case as well as numbers 1 to 0 AND funny characters like = or *. The above example is 37 letters long !!! No way hose is a cracker going to stumble on that password this side of eternity.
Clarke Waldron
Looks as though my obsession with long and crazy passwords has already paid off. My “standard” password is 15 characters long and is a little modified for each site; it contains lower and upper case letters, numbers, and special characters. Also I have that nifty little code generator avavilable for free that works on both eBay and PayPal. How do they go about getting around that step as hackers? But my pride and joy password is 25 characters with 16 special characters. No, wait, for Word documents, I use a 33 character password with 24 special characters. Yes, I am crazy.
Margaret Paddock
Thank you. I thought my 8 letters with numbers was safe – I’ll be changing most of my passwords now.
cloud-surfer
Always having a complicated password for every different online account is almost impossible. Just in email I have several accounts that I use regularly and then you add in all the other accounts: online-banking, credit cards, social media, etc… and then to have different passwords for all of them is a pain, but necessary. However one of the first things I look for when setting up an account is if they offer 2FA (two-factor authentication) where I can telesign into my account. This gives me the confidence that my account won’t get hacked and my personal information isn’t vulnerable. Personally I think if you are just relying on your passwords (complicated or not) to protect your info you will pay the price sooner or later.
Rajnikumar Shah
In the above article you have said and I quote “62 possible characters (26 lower case, 26 upper case, 10 digits), in each of the eight positions gives us 221,919,451,578,0902, or over 221 trillion, combinations.3” Looking at mathematically, if you have more characters, the resulting number will be still larger and more difficult to hack or conversely you can get away with shorter password. Please let me know how through Email I can send my details of the solution for finding out from expert like you if it is feasible or not.
Thanks.
Mark Jacobs
That’s Jon Snow, but I’m sure you did that to obfuscate the password even more 🙂
There is one way to test if the website is handling passwords well. Submit a lost password request. If they send you your password, as Leo mentioned in the first footnote, you know they’re handling it wrong. However, if they send you a password reset link, you still can’t be 100% sure they are doing it right, but at least you can determine the really bad ones.
VoidPhantom
Some remarks:
1. Dictionary attacks are the reason why general-purpose hash functions are not very good for hashing passwords. Instead of SHA-256, you might want to use something really slow, like bcrypt.
2. If a service doesn’t accept spaces, there’s a trivial fix: instead of spaces, use some other characters, like hyphens. This might even be slightly better because the space key has a distinctive sound, so someone listening to you typing your password could, theoretically, take note of that.
3. I’m surprised you didn’t mention password managers at all. They are pretty much the only way to have a unique password for every website.
4. An excellent tool for generating secure yet memorable passphrases is Diceware (http://diceware.com). Basically, you have a word list of 7,776 short words, and you pick each word by rolling five dice. This way, your passphrase is truly random, so its strength is easier to determine than if you choose a slightly obfuscated, but still sensible phrase from a book or a movie or whatever.
Connie
Leo has a lot of articles on LastPass – a great password manager. Here’s one: https://askleo.com/lastpass_securely_keep_track_of_multiple_passwords_on_multiple_devices/
Mark Jacobs
2. Or just leave out the spaces entirely. That’s what I do.
3. Leo did mention password managers:
““BT6aKgcAN44VK4yw” is a very nice, 16 character long and secure password that’s difficult to remember. In fact the only way to use this is with a password manager of some sort that remembers it for you.”
Linda Paine
I would like to use passwords of the type Mark Jacobs depicts. Trouble is, I don’t trust Password Managers!
Mark Jacobs
I use LastPass and feel safe using it. I have a long random string of letters that I’ve memorized as its password.
https://askleo.com/are_password_managers_safe/
https://askleo.com/is-lastpass-still-secure/
If you don’t trust a password manager storing your passwords on the internet, then you can use a password manager like KeePass which stores the passwords only on your machine and not on the internet.
http://keepass.info/index.html
Linda Paine
Great advice as always ……..really appreciated. My latest way of dealing with passwords is – as you suggest – to create a pass-phrase. To further secure this, I have been creating a long phrase but spelling the main words phonetically – my own version so to speak. To finish off I put numerals. As commented, I have hit the problem of being forced not to have spaces and being limited to number of characters but can easily get around this.
John Smith
There’s another extremely important element to all of this, and that’s your ability to remember the password without writing it down!!
Too often I hear of people who tell me they have “impressive” 18 character long passwords, then I ask them how they remember them, and they say they don’t, they simply write they down and stick them to the back of their monitors!
I think that if you need to write down a password then it’s lost most of it’s benefits. It takes a fraction of a second for someone to come across this piece of paper and take a photo with a smartphone, then months later they could use the passwords and you would have no idea who was doing it.
For me the above tips are very useful, for most people a password of 10-12 characters long which is a mixture of all possible characters but also very memorable is the best solution. Additionally, as others have said, have a 4 digit part of your password and then for different sites change that.
E.g.
jOHn_2001_$AVE – for Apple
jOHn_4001_$AVE – for Microsoft
jOHn_7001_$AVE – for Google
Robert Burger
I use a 6 digit name, 2 digit number, 3 special characters, a 6 digit name and a 2 digit number for a total of 19. Easy to remember. For other PWs I use the 4 digit of one of my aunt’s address mixed into the PW.