Passwords – Relief is in Sight!
Corrected for incorrect calculation of combinations with 92 characters, 9 Nov 2020
They are the bane of everyone’s life, yet they are essential for our security and safety. Passwords have plagued the world for decades, but with seemingly every website we use and every device we own requiring one, remembering them all has now become impossible. That in itself has become a security issue, because we are tempted to use simple, easy to remember passwords, or re-use the same one in multiple places, leaving us very vulnerable if one should be compromised.
I will look at security in general in a future article, but today let’s just relieve that burden.
Why does it matter?
Things I often hear:
- I’m not very rich so it’s not worth anyone’s while
- I’ve nothing of interest to anyone else on my computer
- I haven’t got any secrets
- It wouldn’t matter if someone else knew my passwords.
It isn’t just banking and PayPal they are after either. If they get into a shopping site like Amazon or Tesco, they can order goods on the card saved there – after changing the password and email address registered on the account first, leaving you both locked out and none the wiser.
Email is often forgotten. Many people don’t realise they have an email password (you do!) and haven’t changed it for years. But it is the key to your whole digital life. Many companies use your email address to prove your identity. With control of your email account, a criminal can quickly take over everything just by clicking the ‘forgotten password’ link on other sites to get a link sent to your email address, which the hackers use to change the password.
Sometimes it isn’t even a username and password they are after, just snippets of information about you which they can add to public information and things from other sources to get enough detail to steal your identity. Emails, social media accounts and the files on your computer and in OneDrive or other cloud services can all give away more than you think. That is why you must have a secure password on your computer too. Windows 10 lets you set up a PIN so that you can still log in relatively conveniently even though you have a long password. Use it! If you have a genuine problem with memory, Windows can be set up to log in automatically; the account still has its password, so anyone trying to connect remotely still needs it, and that is much safer than having no password at all.
What is a strong password?
It’s one that would take a potential hacker a long time to break. The simplest kind of attack is a brute force attack, where every possible combination of characters is tried until the right one is found. Let’s say you have a password of 8 lower case letters – the very minimum length you should consider. With 26 possible characters, there are 26^8 (26 multiplied by itself eight times) possibilities, or nearly 209 billion, from aaaaaaaa to zzzzzzzz. Sounds a lot, until you realise that a modern computer can check about 7 billion every second, so a hacker could try every single one in half a minute. Not much security at all. And of course, your password isn’t going to be the very last one: they could get lucky and find it in the first half dozen. On average, it will take half that time.
So what if we increase the length to, say, 14 letters? That’s 64,509,974,703 billion combinations or around 290 years. Much better! But you have to remember a long password (or pass phrase) and type it in without error.
But what happens if I include a mix of upper and lower case letters, digits and symbols, as many sites now enforce – about 92 characters that can be easily reached on your keyboard? An 8 character password now requires nearly 8½ days computing time to try all the combinations, 12 characters needs 1,665,518 years and 14 needs, oh, 141 million centuries. It’s that bigger pool of characters that makes all the difference.
Safe as houses? That depends. I am assuming here that the passwords are not really words but completely random, like w%1EU7Poi[$r, but you and I are not good at either choosing or remembering random strings. So we choose something familiar like Orange2! – that’s got 8 characters and at least one from each group (capitals, lower case, digits, symbols). But a hacker would break it in seconds. They don’t brute force passwords like that: they use a dictionary attack, trying every word in a list and varying each one a bit. It is said that there are 60,000 commonly used words in English. To that we might add placenames and personal names, but for the sake of argument call it 60,000. The first letter is a capital (most people choose that for their sole capital) and a number and symbol are added at the end. So they check each of the dictionary words with and without an initial capital, and with each of the 10 digits and 30 symbols at the end: 60,000 × 2 × 10 × 30, or just 36 million combinations (about five thousandths of a second at 7 billion guesses a second). Even if we mix it up a bit more – and hackers know all about substituting 4 for A, 1 for I or L, zero for O etc. – it is clear that using a real word or name is a fatal error, even assuming that hackers don’t do a bit of research into your likes and dislikes, past and present addresses, where you spent your holidays, family members, pets and the football team you support – all of which are so commonly used as passwords that hackers try those first. (Interesting fact: the most common football team used as a password is Liverpool. ManUtd are fourth.)
Dates also have a distinct form. Say you choose a memorable year and use all four digits. Every year in our lifetime begins with 19 or 20, so that is just two combinations, followed by the hundred combinations from 00 to 99 – but few people were around before 1930 and you can discount any above 2020 as they haven't happened yet! The same argument applies to days (1-31) and months (1-12).
As well as wordlists, hackers also attack using lists of passwords that have been obtained from previous hacks. When a company is breached and its database of usernames and passwords stolen, the lists circulate on the dark web. It is humbling to realise, when you have picked a brilliantly unique and unguessable password, that thousands of others had exactly the same idea and that password is now in one of the lists that hackers use. You can check for this, though, at https://haveibeenpwned.com/Passwords.
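A way to run that check without handing your password to anyone, added here as an example and not part of the original article. Have I Been Pwned’s range API (https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the password’s SHA-1) returns every leaked hash suffix that shares the prefix, so the service never sees the password or even its full hash; the match is made on your own machine. The sample response embedded below is constructed for the offline demonstration and its counts are illustrative, not real figures.

```python
"""Check a password against Have I Been Pwned without revealing it.

Added example, not code from the original article. The range API is real;
the sample response below is constructed and its counts are illustrative.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def hash_prefix_suffix(password: str) -> tuple:
    """Upper-case hex SHA-1 of the password, split into the 5-character prefix
    that is sent to the service and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse the 'SUFFIX:COUNT' lines of a range response and return how often
    our suffix appeared in breaches (0 if it is absent or is a padding entry)."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup. Add-Padding asks the service to pad responses so that the
    response size does not reveal which prefix was requested."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times `password` appears in the breach corpus (0 = not found)."""
    prefix, suffix = hash_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the response for prefix 5BAA6, which is the prefix of
# SHA-1("password"). Real responses contain several hundred lines; padded
# responses also contain dummy entries with a count of 0, like the last one.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F3C8D2E1B9A7B6C5D4E3F2A1B0C9D8E7F6:0
"""


def offline_fetch(prefix: str) -> str:
    """Fake transport for the demo: only knows the constructed 5BAA6 range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "Orange2!", "w%1EU7Poi[$r"):
        n = pwned_count(candidate, fetch=offline_fetch)
        verdict = f"seen {n:,} times" if n else "not in the sample range"
        print(f"{candidate!r}: {verdict}")
```

Replace `offline_fetch` with the default `fetch_range` to query the live service; the only data that leaves your machine is the five-character prefix, which is shared by hundreds of unrelated passwords.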
One idea that is often recommended is called ‘three random words’. The idea is that you choose three unrelated words at random and simply stick them together like this: coffeetrainfish. Or four words like this: correct-horse-battery-staple. The result – a long but easily remembered pass phrase. Harder on your typing fingers than your brain. The supporters of this idea seem to assume that this is as hard to crack as a long random password of lower case letters – even such bodies as the UK government’s National Cyber Security Centre, who really ought to know better. But it isn’t. Checking every three-word combination of our 60,000 words (in practice an attacker would skip the very short ones, but keep the round number) gives 216 trillion combinations, or around 8½ hours of computer time (4¼ on average), which hackers might reduce further by spreading the job across multiple computers. Make it four words and that works out at 59 years, which is much better, though from your point of view it involves more typing than a shorter random password, usually typed blind with the characters hidden. Just ten random characters from the keyboard pool would take 200 years to check, after all.
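The arithmetic behind the figures above, carried through in code as an added example (it is not part of the original article). It takes the article’s assumptions as given: one modern computer testing 7 billion guesses a second, a 92-character keyboard pool, 30 symbols and a 60,000-word dictionary. It also reports the strength as bits of entropy, which is how password strength is usually compared, and it extends the article’s table to any pool size and length.

```python
"""Brute-force cost calculator for the scenarios in the article.

Added example, not code from the original article. The rate, pool sizes and
dictionary size are the article's assumptions, not measurements.
"""
import math

GUESSES_PER_SECOND = 7_000_000_000   # article's figure for one modern computer
SECONDS_PER_YEAR = 365.25 * 24 * 3600

LOWERCASE = 26
KEYBOARD = 92        # article's count of easily typed characters
DIGITS = 10
SYMBOLS = 30         # article's count of symbols
DICTIONARY = 60_000  # article's round number for common English words


def keyspace(pool: int, length: int) -> int:
    """Candidates when every position is drawn from a pool of `pool` characters."""
    return pool ** length


def bits(candidates: int) -> float:
    """Entropy in bits: log2 of the number of equally likely candidates."""
    return math.log2(candidates)


def worst_case_seconds(candidates: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate; the expected time is half of this."""
    return candidates / rate


def mangled_word_count(words: int = DICTIONARY, digits: int = DIGITS,
                       symbols: int = SYMBOLS) -> int:
    """The 'Orange2!' pattern: a word, with or without an initial capital,
    followed by one digit and one symbol."""
    return words * 2 * digits * symbols


def passphrase_count(words: int, count: int) -> int:
    """'Three random words' style: `count` words drawn independently from a list
    of `words`. Separators such as '-' do not add to the count."""
    return words ** count


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.3f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def report() -> dict:
    """Candidate count for each scenario discussed in the article."""
    return {
        "8 lower-case letters": keyspace(LOWERCASE, 8),
        "14 lower-case letters": keyspace(LOWERCASE, 14),
        "8 keyboard characters": keyspace(KEYBOARD, 8),
        "12 keyboard characters": keyspace(KEYBOARD, 12),
        "14 keyboard characters": keyspace(KEYBOARD, 14),
        "Orange2!-style mangled word": mangled_word_count(),
        "three random words": passphrase_count(DICTIONARY, 3),
        "four random words": passphrase_count(DICTIONARY, 4),
        "10 random keyboard characters": keyspace(KEYBOARD, 10),
    }


if __name__ == "__main__":
    for name, candidates in report().items():
        print(f"{name:32s} {bits(candidates):5.1f} bits  "
              f"worst case {describe(worst_case_seconds(candidates))}")
```

The bit count is the figure to carry in your head: every extra bit doubles the attacker’s work, so three words from a 60,000-word list (about 47.6 bits) sit well below ten random keyboard characters (about 65 bits), whatever the guessing rate.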
Making up passwords
In a moment I will tell you why you shouldn’t do this, but for when you have to make up a password,
a) stick to the rules at the end of this article
b) use a password generator such as the one provided by LastPass. You can set an option to make its suggestions easy to say, e.g. MCeboATeUrVErbO, which makes them easier to remember after typing them in a handful of times, while still being long enough to be secure. Not as secure as completely random, but practical, and that is what is important. For better security, add additional ‘decoration’ with symbols or numbers in order to meet the rules.
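If you would rather generate passwords yourself than trust a website with them, this is the shape such a generator should take. It is an added example, not the LastPass generator the article recommends and not code from the original article. It assumes the article’s four character classes, draws from Python’s 94 printable ASCII characters excluding space (the article’s 92 is the same idea), and uses a tiny constructed word list for the pass phrase demo; a real list has several thousand words.

```python
"""Password and pass phrase generation from the operating system's random source.

Added example, not from the original article. The word list is a tiny
constructed one for demonstration only.
"""
import secrets
import string

# The four classes the article's rules require, and the pool they make up.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
POOL = "".join(CLASSES)


def meets_rules(password: str) -> bool:
    """True when the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def random_password(length: int = 14) -> str:
    """Draw every position uniformly from POOL, rejecting candidates that miss
    a class. Rejection keeps all accepted passwords equally likely; 'pick one
    from each class, fill the rest, shuffle' would skew the distribution."""
    if length < len(CLASSES):
        raise ValueError("too short to contain one character from every class")
    while True:
        candidate = "".join(secrets.choice(POOL) for _ in range(length))
        if meets_rules(candidate):
            return candidate


# Constructed mini word list for the demo. Strength comes from the list size,
# so a real pass phrase list needs thousands of words, not ten.
WORDS = ("coffee", "train", "fish", "correct", "horse",
         "battery", "staple", "orange", "pencil", "river")


def random_passphrase(count: int = 4, words=WORDS, sep: str = "-") -> str:
    """'Three or four random words': each word chosen independently and uniformly,
    using secrets rather than the random module, which is predictable."""
    return sep.join(secrets.choice(words) for _ in range(count))


def decorate(passphrase: str) -> str:
    """Append one digit and one symbol so a word-based phrase passes site rules
    that insist on them. This adds a few bits, not many."""
    return passphrase + secrets.choice(string.digits) + secrets.choice(string.punctuation)


if __name__ == "__main__":
    print("random password :", random_password(14))
    phrase = random_passphrase(4)
    print("pass phrase     :", phrase)
    print("decorated phrase:", decorate(phrase))
```

The point of `secrets` over `random` is that the latter is seeded predictably and is not meant for security; the point of the rejection loop is that forcing a character from each class by construction would let an attacker discount the passwords that cannot occur.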
The real answer
The solution to all this is to use a password manager. This is a program that integrates into your Internet browser and both remembers and generates long, random passwords for you, so you never have to enter them again. Most of these programs will also synchronise them between your computers and other devices like phones. The passwords are safely encrypted using a key only you know – that is the only password you will ever need to remember. And how do you do that? Write it down. Keep it separate from your computer and of course, write neatly, remembering that capital/lower case letters are significant, as are spaces, and differentiate between easily confused characters like one/capital i/lower case L, zero/capital O etc.
Use the password suggestion site (see above) to come up with a really good master password.
Some of these programs are free, some ‘freemium’ (i.e. free but with a paid-for version that offers more features, such as synchronising with mobile phones, or the free version limits how many passwords it can remember) and some subscription only. You may also find that if you have a paid-for antivirus program, there is a password manager included. Just think, though, whether you want to get locked into one AV product by your choice of password manager.
Summary of advice
- When did you last review your passwords? Computers double in power about every 18 months, so what was considered safe 10 years ago is no longer up to scratch.
- Minimum length 8 characters, preferably 12.
- At least one character from each of:
- Capital letters
- Lower case letters
- Digits
- Symbols and punctuation
- Write down passwords carefully in a notebook kept in a different room from your computer, and date each change (it's easy to get muddled about what is the more recent, and companies may ask for old passwords as proof of ownership if you ever need to recover an account)
- Never re-use passwords across sites, at least for more sensitive ones – and password1, password2, password3 doesn’t count for that purpose either!
- Never include dictionary words, personal names or placenames, even disguised
- The same goes for fictional characters, sports teams etc.
- Do not use simple sequences such as 123456, qwertyuiop, 5555
- Check to see whether your passwords have been breached at https://haveibeenpwned.com/Passwords
- Invest in a password manager and wave your cares goodbye!