
Choosing Good Passwords -- A User Guide

Introduction

This document presents a plain-language guide to help users understand how passwords are compromised and how to choose secure passwords.

The password management challenge

Passwords are used to protect various systems and services -- e-mail, PC and network logins, applications and more. Users must choose a password when setting up a new account and in many cases must periodically change that password.

Why change passwords?

The simplest thing to do is to have just one password on all systems and never change it. The problem with this strategy is that if any of those systems is compromised, then passwords on that system may be revealed. A password compromised on one system can be used to sign into another system where the same user has an account.

To mitigate this risk, it is reasonable to change passwords periodically and to use different passwords on different systems. Since it's hard to remember lots of different passwords, a reasonable compromise is to use just a few passwords -- for example, one for consumer services like Facebook or Google; another for e-Commerce web sites; another for personal banking and another for work.

Choosing hard to guess passwords

It's tempting to pick something trivial and easy to remember, like spelling your user name backwards, a child's name or a dictionary word. The problem is, the simpler the password, the easier it will be for an attacker to guess.

Attackers often gain access to systems by guessing or otherwise compromising a login ID and password. Having gained these credentials, an attacker can then impersonate a valid user.

If the attacker knows you, they can try password combinations related to your family, interests or history. If they have physical access to your desk, PC or phone, their chances of getting into your accounts are even greater, as your password may be written down or electronically stored, in plaintext, on one of these.

Attackers use readily available software to rapidly try plausible passwords, based on dictionary words and user names, until they hit on a valid password. If an attacker can get a copy of an encrypted password database, they can test billions of password guesses per second, to see if any are correct. At this pace, an attacker can guess many passwords in just a few hours.

The shorter and more predictable the password, the faster it can be guessed. Dictionary words spelled backwards, rearranged or with digits added are unsafe. Simple substitutions, such as replacing the letter l or i with the digit 1, are likewise unsafe, as password guessing software will try these.

Examples of bad passwords include:

  • mydog2
  • bi11smith
  • yromem (memory backwards)
  • win4me

The safest solution for choosing good passwords is to use a randomly generated or seemingly random password that:

  • Is at least 8 characters long.
  • Contains a mix of upper and lower case letters.
  • Includes digits and punctuation marks.
  • Is not based on any personal information.
  • Is not based on any dictionary word.

Examples of strong passwords include:

  • De2#vuX
  • 5sd$oiP
  • :er89TI:
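As an added illustration (not part of the original guide or of Password Manager), a small Python checker that applies the rules above and also looks for the guessing patterns described earlier: reversed words, digit-for-letter substitutions and personal information. The word list is a constructed stand-in for a full dictionary.

```python
import re
import string

# Constructed mini word list; a real deployment would load a full dictionary
# and a list of previously breached passwords (assumption, not from the guide).
DICTIONARY = {"memory", "dog", "smith", "bill", "win", "password", "secret"}

# Substitutions that guessing tools undo (the guide's "l or i -> 1" case and similar).
LEET = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalised_forms(pw):
    """All the shapes a guessing tool would try: lowercase, reversed, de-leeted."""
    low = pw.lower()
    forms = {low, low[::-1], low.translate(LEET), low.translate(LEET)[::-1]}
    # Also strip digits/punctuation so "mydog2" is seen as "mydog".
    forms |= {re.sub(r"[^a-z]", "", f) for f in forms}
    return forms


def dictionary_based(pw, dictionary=DICTIONARY, min_len=3):
    """True if any dictionary word of min_len+ letters hides in any normalised form."""
    return any(len(w) >= min_len and w in form
               for form in _normalised_forms(pw) for w in dictionary)


def check_password(pw, personal=(), dictionary=DICTIONARY):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a punctuation mark")
    low = pw.lower()
    if any(p.lower() in low or p.lower()[::-1] in low for p in personal):
        problems.append("based on personal information")
    if dictionary_based(pw, dictionary):
        problems.append("based on a dictionary word (plain, reversed or substituted)")
    return problems
```

Run against the samples, the checker flags all four bad examples; note that De2#vuX and 5sd$oiP are seven characters and so fail the eight-character rule as written, while :er89TI: passes every rule.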

Writing passwords

If you have too many passwords, it is tempting to write them down -- after all, can you really remember 10 different passwords that change at different times, some of which are rarely used?

Writing down passwords is a serious breach of security, because it means that anyone who can physically get to the piece of paper, sticky note or phone that contains the password, can also log into systems with your accounts. Should a visiting vendor really be able to sign into the finance application? Should the janitor be able to read your e-mail?

A better solution is to create a single, strong password, and apply it to all of your login accounts. One password is easier to remember, and is more secure than a written note.

Reusing passwords

Another temptation, when imagination fails, is to reuse old password values when the time comes to change your password. This is also a security problem, since the whole point of a regular password change is to limit the time available to an attacker to crack your password. If an old password is reused, attackers will have more time to guess it. If the old password was already compromised, the new one will compromise your security again.

If you cannot think of a new, secure password -- have a program, like Hitachi ID Password Manager, randomly generate one for you.

How to choose a good password

Some security experts recommend using a password based on a mnemonic, such as an easily remembered phrase. For example, take the first letter of each word in a phrase, then add a few special characters or numbers to it. For example, "lend me your ears" can become "lmye4%" (maybe even including the quotes!). "To be or not to be, that is the question" can become "2Bor!2b?".

Of course, having seen these examples in a widely publicized document, do not use them literally.

This is a good technique, but you may need some patience to think up a new phrase every time you change your password -- especially if you have to think of a different password for every system that you log into. This may lead some users to recycle some version of their old password -- another security threat.

Another easy way to choose a good, safe password is to let an application generate a random one automatically. If you can use the same password on multiple systems, then it's only one random string that you must remember. If you use it a few times after setting it, it will be much easier to remember.

Password Manager makes remembering passwords easy by synchronizing passwords, so that you only have one password to remember, and that password works on every system and application.

Password Manager can provide a suggested list of randomly generated passwords, and reject passwords that do not comply with strong password rules, so that you always choose good passwords.

When to Change Your Password

Perhaps just as important as how to choose a new password is when to do it. New passwords are most easily remembered if you start using them immediately, and use them often. Don't change your password at the end of the day, the end of the week, or before a holiday. Instead, change your password in the morning, at the start of the week. Your mind will be clearer, and frequent use of the new password will reinforce your memory.

Always use a new password a few times after setting it!


What about passphrases?

Some security practitioners recommend the use of passphrases instead of passwords. Technologically, passphrases are not much different from passwords -- they are simply longer, and in exchange for that, drop the requirement for mixed-case letters, punctuation marks, digits, etc.

The underlying idea of passphrases is for users to type a sentence instead of a string of apparently random characters. The argument is that this is easier to remember, not much harder to type and more secure (due to length), despite users being allowed to only use characters from a small set (say 26 letters plus space).

Passphrases are described at http://en.wikipedia.org/wiki/Passphrase.

The cryptographic strength of passphrases is discussed in some depth at https://technet.microsoft.com/en-us/library/cc512609.aspx.

When considering the strength of a passphrase, it is important to realize that it is humans who will choose them, not random number generators. Humans will typically:

  1. Type words in all lowercase.
  2. Choose words from a small vocabulary (say 20,000 words).
  3. Compose short sentences of 4-5 words.
  4. Compose sentences that are sensible (grammatically correct) rather than random.

In practice, the 100 most popular words account for about 50% of normal English text, so the real entropy of a 5-word sentence is something like 100 x 100 x 1400 x 20000 x 20000 = 5.6 x 10^15.

That looks great, but it doesn’t take into account grammar, which makes some word pairs much more likely than others. This means that the upper bound on the likely number of combinations of 5 word sentences is much lower -- more like: 100 x 500 x 100 x 500 x 20000 = 50 trillion.

The effect of grammar on passphrase complexity is discussed at:

http://www.cs.cmu.edu/~agrao/paper/Effect_of_Grammar_on_Security_of_Long_Passwords.pdf

Another way to estimate the security of passphrases is to estimate how many bits of entropy there are per letter in English. Linguists estimate about 1.75 bits per letter -- if it were higher, English would be too hard for us to learn. If the average word is 5 letters long, then a 5-word sentence has an entropy of 2^(1.75 x 25) or about 17 trillion.

In contrast, consider an 8 character password, with mixed case, digits and 3 possible punctuation marks. Assume it's really random -- password choice is subject to a policy engine which prevents the use of dictionary words, etc. Such passwords should have an entropy of about (26+26+10+3)^8 or 3.2 x 10^14.

This analysis shows that passphrases -- as chosen by real-world users, as opposed to more sophisticated security people (who might add mixed case, digits, punctuation marks, etc.) -- are actually likely to be less secure than passwords!
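The estimates above, worked through in Python as an added example (not from the original guide), so that each figure is also expressed in bits and as time to exhaust at a given guess rate; the 10^9 guesses per second figure is an assumption standing in for the "billions per second" mentioned earlier.

```python
import math


def to_bits(combinations):
    """Equally likely choices -> bits of entropy (log base 2)."""
    return math.log2(combinations)


def passphrase_vocab_only():
    # Guide's first estimate: common words dominate the early slots,
    # 20,000-word vocabulary for the rest.
    return 100 * 100 * 1400 * 20000 * 20000


def passphrase_grammar_adjusted():
    # Guide's grammar-aware estimate (50 trillion).
    return 100 * 500 * 100 * 500 * 20000


def passphrase_bits_per_letter(bits_per_letter=1.75, letters_per_word=5, words=5):
    # 2^(1.75 x 25) for a 5-word sentence of 5-letter words.
    return 2 ** (bits_per_letter * letters_per_word * words)


def random_password(alphabet=26 + 26 + 10 + 3, length=8):
    # (26+26+10+3)^8: upper, lower, digits and 3 punctuation marks, 8 long.
    return alphabet ** length


def hours_to_exhaust(combinations, guesses_per_second=1e9):
    # Assumed rate: 10^9 guesses/s against a stolen password database.
    return combinations / guesses_per_second / 3600


def compare():
    """Name -> (combinations, bits, hours to try every combination)."""
    rows = {
        "passphrase, vocabulary only": passphrase_vocab_only(),
        "passphrase, grammar adjusted": passphrase_grammar_adjusted(),
        "passphrase, 1.75 bits/letter": passphrase_bits_per_letter(),
        "random 8-char password, 65 symbols": random_password(),
    }
    return {k: (n, round(to_bits(n), 1), round(hours_to_exhaust(n), 1))
            for k, n in rows.items()}


if __name__ == "__main__":
    for name, (n, bits, hours) in compare().items():
        print(f"{name:36s} {n:12.3g}  {bits:5.1f} bits  {hours:9.1f} h")
```

Evaluated exactly, 2^(1.75 x 25) is about 1.5 x 10^13, a little under the rounded figure in the text, and it still comes out below the 65^8 password space (about 43.8 bits versus 48.2 bits).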


Learn More

You can learn more about password management at:

http://Hitachi-ID.com/password-manager/docs/large-scale-password-management-with-hitachi-id-password-manager.html
