Choosing Good Passwords
|Article Source - http://www.auscert.org.au/render.html?it=2260|
How hard is it to choose a good password? Most people believe that choosing a good password is easy. After all, how is somebody going to guess my wife's maiden name?
In reality, people usually choose poor passwords. In 1990 [Klein 1990] an attempt to crack a large password database revealed over three hundred passwords in the first fifteen minutes! One fifth of all passwords were obtained in the first week and approximately one quarter were cracked by the end of the search. More than half of the cracked passwords were six characters or less and some accounts didn't even have a password.
Choosing a good password is a trade-off between something that is difficult to guess and something that is easy to remember. While @G7x.m^l is probably a good password, nobody will remember it and it is certain to appear as a sticky note attached to a terminal. Conversely, your first name is very easy to remember, but it is also trivial to guess.
|Length||Number of Passwords||In Words||Cracking Time|
|1||62||Not nearly enough||Try this by hand|
|2||3844||Three thousand||Almost no time|
|3||238328||One quarter of a million||Less than one second|
|4||14776336||Fourteen million||Two seconds|
|5||916132832||Almost one billion||Two and a half minutes|
|6||56800235584||Fifty six billion||Two and a half hours|
|7||3521614606208||Three and a half trillion||One week|
|8||218340105584896||Two hundred trillion||One year|
|9||13537086546263552||Thirteen quadrillion||Seventy years|
|10||839299365868340224||Eight hundred and forty quadrillion||Forty centuries|
|11||52036560683837093888||Lots||A quarter of a million years|
|12||3226266762397899821056||Even more||Sixteen million years|
Having said that longer is better, it is important to note that many machines artificially restrict the length of the password, usually by silently truncating what you enter to their maximum length. Since this length is often eight characters under Unix, the rest of this article will assume that an eight character password is being used.
What characters should a good password contain?
The previous section assumed that passwords consisted of upper and lower case letters and digits. What happens if this character set is increased or decreased? The following table presents some of the options for eight character passwords:
|Type of Password||Characters||Number of Passwords||Cracking Time|
|7-bit ASCII||128||72057594037927936||Three hundred and fifty years|
|Printable Characters||95||6634204312890625||Thirty three years|
|Letters and Numbers||62||218340105584896||One year|
|Letters only||52||53459728531456||Ninety six days|
|Lowercase with one Uppercase||26/special||1670616516608||Three days|
|Lowercase only||26||208827064576||Nine hours|
|English words: eight letters or longer||special||250000||Less than one second|
So clearly, the richer the character set being used, the harder it will be to crack passwords. You should attempt to include as a minimum both upper and lower case characters and if possible, you should also include some digits, punctuation symbols and/or control codes in your password.
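The arithmetic behind the two tables, combined with the silent truncation and dictionary-word cases mentioned above, as an added example that is not part of the original article. The guess rate is an assumption back-derived from the tables (62^8 candidates in roughly one year), and the word list and swap table are constructed for illustration.

```python
import string

# Assumption: guess rate back-derived from the article's tables (62**8
# candidates in about one year); the page does not state a rate itself.
GUESSES_PER_SECOND = 7_000_000
UNIX_MAX_LEN = 8  # truncation length the article assumes for Unix

# Character sets from the article's table, smallest first.
CLASSES = [
    ("lowercase only", set(string.ascii_lowercase)),
    ("letters only", set(string.ascii_letters)),
    ("letters and numbers", set(string.ascii_letters + string.digits)),
    ("printable characters", {chr(c) for c in range(32, 127)}),
    ("7-bit ASCII", {chr(c) for c in range(128)}),
]

# Constructed sample word list; a real audit would load a full dictionary.
SAMPLE_WORDS = {"together", "password", "raindrops", "aggressively"}
# Undo common digit/symbol-for-letter swaps before the dictionary lookup.
SWAPS = str.maketrans("0134$", "oieas")


def smallest_class(password):
    """Name and size of the smallest character set holding every character."""
    for name, chars in CLASSES:
        if set(password) <= chars:
            return name, len(chars)
    raise ValueError("password contains non-ASCII characters")


def audit(password, words=SAMPLE_WORDS, max_len=UNIX_MAX_LEN,
          rate=GUESSES_PER_SECOND):
    """Estimate exhaustive-search cost of what the system actually checks."""
    checked = password[:max_len]          # silent truncation
    name, size = smallest_class(checked)
    keyspace = size ** len(checked)
    # Dictionary words are tried first, so they fall almost immediately
    # whatever the keyspace says; compare against truncated words too.
    plain = checked.lower().translate(SWAPS)
    return {
        "checked": checked,
        "class": name,
        "keyspace": keyspace,
        "worst_case_days": keyspace / rate / 86400,
        "in_dictionary": plain in {w[:max_len] for w in words},
    }


if __name__ == "__main__":
    for pw in ("T0gether", "gOt%L0st!", "raindropsfalling"):
        print(pw, audit(pw))
```

A sixteen-character lowercase phrase is reported with the same keyspace as any eight-letter lowercase string, and is flagged as a dictionary hit once truncated, which is why the article treats eight characters as the working length.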
Rarely used passwords and secure storage
There is one situation where writing down your password is a good idea - protecting something important that doesn't require credentials very often. For instance, the root password on a server probably doesn't need to be used every day.
In a case like this it is a good idea to create a long, very complex password that is hard to remember, write it down and store the password in some kind of secure storage (like a safe). On the rare occasion that the password is needed it can be retrieved from storage and used (and the password then returned to storage). The password should still be changed regularly.
Of course, situations vary. If you find that you (or your users) have a tendency to forget passwords and start making simpler, less secure passwords, it may be better to use a complex password and write it down.
Just remember that if anyone gets hold of the written-down version they have a free pass into the system. Any written-down passwords should not be kept on or near your computer and preferably should not be kept near any information that identifies you. Store it securely - a locked drawer is much better than your wallet.
Examples of how to construct good passwords
So now that typical bad passwords have been discussed, how is a good password constructed? Try combining two or more words together or taking the first (or second or last) letter of each word in an easily remembered phrase. Then mangle the result by adding capitals, digits and punctuation characters. As an extra measure, control characters can also be introduced.
Some examples of using multiple words with punctuation
Here is a pair of good examples of using multiple words:
- gOt%L0st! - got lost!
- heLP4me$ - help for me (money)
And here is a bad one:
- T0gether - to get her
Some examples of using a phrase
Here are three good examples of using phrases:
- rsKf0myH - Raindrops keep falling on my head.
- wru2rxy? - Who are you to ask why.
- bWiIso3! - Beware the ides of March!
And here is a bad one:
- Aaaaaaaa - Always assert an ambiguous axiom and argue aggressively.
Passwords to never, EVER use
There is a very handy list of the worst 500 passwords over at What's My Pass?. In addition to that, all the sample passwords listed in this article are now known, and should not be used by anyone.
Klein, D.V.; "Foiling the Cracker": A Survey of, and Improvements to, Password Security, (revised paper with new data) Proceedings of the 14th DoE Computer Security Group, May
What's My Pass? The Top 500 Worst Passwords of All Time, November 2008