Sep 03 2014

Yes, you read that correctly. Creating and using secure passwords can actually be simple. With an understanding of how to make a password harder to crack through brute force (i.e., multiple, repeated attempts at guessing) and a password manager, you can greatly enhance the security of your passwords.

tl;dr – Longer passwords + a good password manager = simple security.

Let’s start with a look at bad passwords. Seriously, people are still using ‘password’ and ‘123456’ as passwords. If you wanted to gain access to someone’s account, there’s a relatively high probability you could get in with one of the commonly-used passwords. How common are they? Take a look at the top 250 passwords from a leak from 2010. Hmm, there’s ‘123456’, ‘password’, ‘12345678’, ‘qwerty’ and for all you Jackson Five fans – ‘abc123’. In 2011, 77 million of Sony’s PlayStation Network accounts were breached, followed by breaches at other Sony sites. An analysis of the passwords leaked shows similar issues with simple passwords. Even more interestingly, there is a significant correlation of passwords between Gawker and Sony users. While not entirely conclusive, it does support the idea that many people use the same passwords at many different sites. DON’T DO THAT. (I’ll suggest how to make this easy a bit later.)

Even if you didn’t guess someone’s password as being ‘password’, it’s pretty easy to use a computer to crack simple passwords like this. Steve Gibson provides a great perspective on how weak passwords can be and how easy it is to make them strong. You can read the details on his website, but let’s look at a simple example…

If you used ‘password’ as your password and a hacker used brute force to guess it online (1,000 guesses/second), it would take 6.91 years to crack. Keep in mind, this is an estimate of time required to go through all possible passwords leading up to ‘password’. In the real world, a hacker would likely try the easy passwords first, so it wouldn’t take 6.91 years to guess ‘password’. But, this number gives a good baseline. If you compare this to how long it would take if you made a few simple, but easy to remember changes – ‘password’ becomes ‘p4s$w0rd’. (That’s a zero instead of the letter O in word.) It still looks like ‘password’ which helps you remember it. If you substitute numbers and symbols for letters in a logical way, you can greatly increase security. ‘p4s$w0rd’ requires 1.66 hundred centuries to crack using the same brute force method! See, isn’t that easy? Well, unfortunately, we’re not done yet. Leaks like the one at Gawker and Sony (and many others) often start with hackers grabbing password files to try to crack offline. That same ‘strong’ password of ‘p4s$w0rd’ only takes 5.21 seconds if you have the processing power of one hundred trillion guesses per second – not too much of a stretch the way computing power is today. Using one hundred billion guesses per second, it would still only take 1.45 hours.

So, now what? That’s the main point of Steve Gibson’s article. You can greatly increase the security of passwords simply by increasing their length. For example, change ‘password’ to ‘ppaasssswwoorrdd’ and the online cracking time goes from 6.91 years to 14.42 billion centuries. At one hundred trillion guesses per second, the longer password takes 14.42 years to crack. But, all you did was double each letter!

Longer passwords with simple substitutions (and avoiding common words) are a huge step forward for the security of your passwords.
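To show where the numbers above come from, here is an added example (not from the original post or from Steve Gibson’s site) that reproduces the search-space model behind them: count which character classes a password uses, sum every candidate of that alphabet up to the same length, and divide by the guess rate. It assumes Gibson’s class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and a 365.25-day year, so the last decimal place can differ slightly from the post.

```python
# Added example: Gibson-style password "search space" estimate.
# Model assumption: the attacker tries every string over the same
# character classes, from length 1 up to the password's length.
# It deliberately ignores dictionaries, rules and leaked-password
# ordering, which is why 'password' is far weaker in practice.
import string

# Character class -> (members, class size as counted in the model)
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),  # 95 printable - 62 alnum
}

# Guess rates used in the post: online, offline, massive cracking array
GUESS_RATES = {
    "online (1,000/s)": 1_000,
    "offline (100 billion/s)": 100_000_000_000,
    "cracking array (100 trillion/s)": 100_000_000_000_000,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet containing every character."""
    known = set().union(*(chars for chars, _ in CLASS_SIZES.values()))
    unknown = [c for c in password if c not in known]
    if unknown:
        raise ValueError(f"characters outside the model: {unknown!r}")
    return sum(n for chars, n in CLASS_SIZES.values() if any(c in chars for c in password))


def search_space(password: str) -> int:
    """All candidates over the same alphabet with length 1..len(password)."""
    a = alphabet_size(password)
    return sum(a ** i for i in range(1, len(password) + 1))


def seconds_to_crack(password: str, guesses_per_second: int) -> float:
    """Worst-case time to exhaust the space at a given guess rate."""
    return search_space(password) / guesses_per_second


def human_time(seconds: float) -> str:
    """Coarse units in the style of the post: seconds, hours, years, centuries."""
    if seconds < 60:
        return f"{seconds:.2f} seconds"
    if seconds < 86_400:
        return f"{seconds / 3600:.2f} hours"
    years = seconds / SECONDS_PER_YEAR
    return f"{years:.2f} years" if years < 100 else f"{years / 100:,.2f} centuries"


if __name__ == "__main__":
    for pw in ("password", "p4s$w0rd", "ppaasssswwoorrdd"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, space {search_space(pw):,}")
        for label, rate in GUESS_RATES.items():
            print(f"   {label}: {human_time(seconds_to_crack(pw, rate))}")
```

Running it shows the post’s pattern directly: ‘p4s$w0rd’ gains a bigger alphabet but stays at eight characters, while ‘ppaasssswwoorrdd’ keeps the 26-letter alphabet and still dwarfs it, because length is the exponent.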

But, wait, there’s more!

Even if you come up with an easy to remember password like this, you shouldn’t reuse it. If by some means, a hacker gets a hold of this password and you use it everywhere, you’re toast. So, even if you have strong, but easy to remember passwords, you need a lot of them. How do you remember them? (If you said post-it notes, please don’t tell me!)

This is where password managers come in. A password manager is a secure vault that stores all of your passwords. You create one strong, but easy to remember password using the tips above, and especially the suggestions from Steve Gibson’s site. This is what you use to unlock the password manager ‘vault’. All of your passwords are secure, but you only have to remember one. Even better, most password vaults can generate secure passwords. Use this feature to create ridiculously hard to remember passwords for everything. You don’t need to remember them – the password manager will. Plus, most password managers plug into your browser to let you log in with just a click. They’ll also remember passwords as you use them on different sites.

You’ll find a number of good password managers out there that work across major platforms – Windows, Mac, Linux, iOS (iPhone, iPad), Android, BlackBerry, etc. The best ones provide a sync feature so your secure vault of passwords is available everywhere. Three popular password managers that come to mind are 1Password, LastPass and RoboForm. There are plenty of others out there, so you can do some research or try one of these three.

The concept may seem like too much work at first, but once you try out a password manager, you’ll find it’s far more convenient and secure than trying to remember your passwords, writing them down, or stashing them in a spreadsheet.

I hope I managed to avoid GadgetComa (for once) and make this information useful for you. Feel free to let me know what you think in the comments.

