Passwords: Your Keys to the Digital Kingdom
These days, anyone who accesses connected services with a computer, mobile phone, or tablet knows about passwords. The concept of a computer password was first described in 1960, but passwords go much further back as a means of authorization. By authorization, we mean that knowledge of the password authorized a person to have access to certain locations or information. The password didn’t securely identify an individual…that is, simply because someone knew a password was no guarantee that they were who they said they were.
Fast forward to the present.
In today’s computing landscape, both authentication and authorization of users are important. We can authenticate ourselves, for example, with fingerprints, since no two individuals have a matching set of prints and fingerprints are not easily spoofed, or misrepresented, by someone else.
In a computer network, users are uniquely identified by user ids, which must be different for every member of a system. But unlike fingerprints, these user ids are generally easy to copy, so by themselves they are not a secure means of authentication. However, the combination of a user id and a secret password does provide authentication, because only the true owner of the user id would know her correct password.
(Note that, while two distinct users may not have the same user id in a system, there is no such limitation about passwords. There is no restriction that everyone’s password must be unique.)
It should be clear that, if a third party knows your user id and password, she can misrepresent herself as you to a computer system. “But,” you say to yourself, “my password has 8 letters and numbers…it would take forever for someone to guess it.” Perhaps that was true once, but today computers can guess, or crack, passwords at lightning speed. So we need to take advantage of complexity to make their job harder.
What Makes a Password Complex
These days, there are several algorithms, or strategies, that password hacking programs use to determine passwords. The two we’ll discuss briefly are dictionary search and brute force.
A dictionary search guesses passwords by trying words in a word list until one is found that “works”. (We’ll not discuss how a password is determined to be correct, but suffice it to say that most modern systems use a technique called hashing to determine whether a password is correct, without needing to store the actual password in a database somewhere.) One good source of common passwords is a word list of 10 million passwords that was released a few years ago. A modern desktop would only take a short while to exhaustively test each password in the list.
With the advent of password policies that are designed to prevent users from using passwords that are easily determined by dictionary lookup, brute force methods are becoming common. A brute force method tries all possible combinations of characters to generate trial passwords that are essentially random combinations of letters, numbers and punctuation. Desktop brute-force password crackers can try about 1 million attempts per second. It should be clear that, if we restricted passwords to digits, a 6-digit code could be cracked by a desktop cracker in about one second, since there are one million possible ways that six digits can be arranged. But if we add uppercase letters to the mix, then a random 6-character password acquires many more possible combinations: (26 + 10)^6, or over 2.178 billion!
OK, so maybe we’re a super-secret government organization that can utilize 1,000 password cracking machines all working together to make some sort of hyper-password-cracker. Such a machine would only cost on the order of $1 million, so such equipment is definitely doable. Well, this machine could crack all those passwords in a little over 2 seconds. So what can we do to increase our security? We can add lowercase letters! Just a simple modification like that increases our possible password combinations to (26 + 26 + 10)^6, or over 56 billion. So now it would take our super machine about a minute. Adding, say, 18 common punctuation marks would increase that to 250 billion (or about 4 minutes for the super cracker). But here’s the thing: every additional character of length to the password (remember, we’re starting at only 6 characters) will now make guessing the password take 80 times longer! So a 7-character password would take close to 6 hours. Passwords of 8 characters would take nearly a month, and 9 characters would take over 6 years!
[Note: the times above are what would be required to exhaustively hash every possible password…on average, the hyper-hacker machine would hit a match in about half the time, sometimes more, sometimes less.]
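The arithmetic in the two paragraphs above generalizes to any alphabet size, password length and guessing rate. The following is an added example, not part of the article, that carries that calculation through as a small calculator: the 1 million and 1 billion guesses per second are the article’s own figures, and the 18 punctuation marks are the article’s assumption. It reports both the exhaustive time and the average (half) time mentioned in the note.

```python
GUESSES_PER_SECOND_DESKTOP = 1_000_000                    # article's desktop figure
GUESSES_PER_SECOND_CLUSTER = 1_000 * GUESSES_PER_SECOND_DESKTOP  # 1,000 desktops together

# Character classes, counted as the article counts them.
CLASSES = {"digits": 10, "uppercase": 26, "lowercase": 26, "punctuation": 18}


def alphabet_size(*classes: str) -> int:
    """Number of distinct characters available when the named classes are used."""
    return sum(CLASSES[c] for c in classes)


def keyspace(alphabet: int, length: int) -> int:
    """Number of possible passwords of exactly `length` characters."""
    return alphabet ** length


def exhaustive_seconds(alphabet: int, length: int, rate: float) -> float:
    """Time to try every possible password at `rate` guesses per second."""
    return keyspace(alphabet, length) / rate


def expected_seconds(alphabet: int, length: int, rate: float) -> float:
    """On average the right password turns up about halfway through."""
    return exhaustive_seconds(alphabet, length, rate) / 2


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    units = [("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # Reproduce the article's progression for 6-character passwords.
    steps = [("digits only", alphabet_size("digits"), GUESSES_PER_SECOND_DESKTOP),
             ("+ uppercase", alphabet_size("digits", "uppercase"), GUESSES_PER_SECOND_CLUSTER),
             ("+ lowercase", alphabet_size("digits", "uppercase", "lowercase"), GUESSES_PER_SECOND_CLUSTER),
             ("+ punctuation", alphabet_size(*CLASSES), GUESSES_PER_SECOND_CLUSTER)]
    for label, size, rate in steps:
        print(f"{label:15} alphabet={size:3} keyspace={keyspace(size, 6):>15,} "
              f"exhaustive={human(exhaustive_seconds(size, 6, rate))}")
    # Then show how each extra character multiplies the time by the alphabet size.
    full = alphabet_size(*CLASSES)
    for length in range(6, 11):
        t = exhaustive_seconds(full, length, GUESSES_PER_SECOND_CLUSTER)
        print(f"length {length}: exhaustive {human(t):>12}, expected {human(t / 2):>12}")
```

The ratio between successive rows of the second table is always the alphabet size (80 here), which is the “80 times longer” rule in the text. Note that the calculator assumes the password is a uniformly random string; a password built from dictionary words or a predictable pattern has a far smaller effective keyspace than its length suggests, which is exactly why the dictionary search comes first.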
So the moral of the story is, choose random letters, numbers and punctuation when you create your passwords, and longer is better than shorter. But do the characters have to be truly random? No!
An Alternative to Completely Random Passwords
One alternative to creating passwords that are completely random is to use methods that work with your memory while remaining secure. The downside is that, because you’re usually not choosing a completely random selection of characters, your passwords will be a little longer than 8-10 characters. On the plus side, however, they will be memorable and still very tough to crack! Among some tried-and-true favorites are choosing your favorite line from a song or poem, an old address where your best friend lived as a kid, or some phrase from a random book online. Don’t worry about remembering all these different, somewhat longer passwords…we have a solution for you. Read on!
How Can I Remember These Complicated Passwords?
It’s time to introduce a secret weapon: Password Manager Software. Ideally, use a password manager app to keep all your passwords in a single system that’s accessible by all the machines (computers, mobile phones and tablets) that may be used to access your various accounts. Capable apps will generate complex passwords for you, and allow you to cut and paste the complex password whenever you need to log in to a site. Because they are so easy to use, password managers also encourage users to employ unique passwords for each site they access.
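As an added illustration of what “generate complex passwords for you” means, here is a small generator of the kind a password manager runs internally. It is example code written for this article, not the code of any particular password manager, and it uses Python’s `secrets` module (the cryptographically secure source) rather than the ordinary `random` module. The punctuation set and default length are assumptions chosen for the example.

```python
import math
import secrets
import string

# Punctuation set assumed for this example; managers differ in what they allow.
PUNCTUATION = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + PUNCTUATION


def has_all_classes(password: str) -> bool:
    """True when the password contains at least one lowercase letter,
    uppercase letter, digit and punctuation mark."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in PUNCTUATION for c in password))


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly at random from `alphabet` using the
    operating system's secure random source. Candidates missing one of the
    character classes are rejected and redrawn; this costs a tiny fraction of
    the keyspace but guarantees every class is present."""
    if length < 4:
        raise ValueError("need at least 4 characters to include every class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length).
    Each extra character adds log2(alphabet_size) bits."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for n in (8, 12, 16, 24):
        print(f"{n:2} chars, {entropy_bits(n):5.1f} bits: {generate_password(n)}")
```

Because the manager remembers the result, the generated string never has to be memorable, so there is no reason to use anything shorter or less random than the manager will produce. The entropy figure is the honest way to compare passwords: a 16-character string over this 87-character alphabet has about 103 bits, whereas a memorable phrase should be judged by how many choices the attacker has to search, not by its character count.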
What’s the Danger In Reusing Passwords?
Now you may be thinking, “If my password is so secure, why shouldn’t I just use it over and over?” Here’s the deal, Lucille: once in a great while, passwords for various systems are exposed. If you are a user of that system and have a unique password there, the damage that can be done to your trove of internet accounts is likely limited to that one site. However, if you use the same password on multiple sites (perhaps including banking or other financial businesses) and your username is easily guessable, you are particularly vulnerable and may not be able to access affected accounts before unauthorized intrusions on your private information at those other sites are made.
How Often Should I Change My Passwords?
The advice of experts has changed recently, partly in response to human behavior when people are required to change passwords frequently. Experts found that, to overcome the inconvenience of having to frequently change passwords, people selected new passwords very similar to their old ones! This did not present a sufficient improvement in security to make the frequent-change requirement worthwhile. So now, the thinking goes, if you use strong passwords and they differ for each site you access, you need to change them only infrequently or in the event of a reported breach.
So, this completes a brief introduction to personal passwords. I hope we can all agree that, while there is much more to maintaining cybersecurity in your home, a foundation of strong and secure passwords is an excellent place to start!
Dr. John Walter, TEEX Senior Software Developer