New Year, New Passwords: Or how to create a password you can remember, but not get hacked!

XKCD: Password Strength

Security and Complexity are NOT the same thing, as this comic from XKCD attests…

It’s a new year, so for many schools (and other organisations) it’s time for new passwords. Remember, your password is often the only thing standing between your files, your internet use, your music and anyone who wants to get at them, so it’s kind of important that it’s fairly strong. The issue? Security versus Complexity.

The Problem.

Australian news site news.com.au ran a story earlier this term outlining the 25 most common passwords. These are real passwords, taken from the data stolen in breaches of large brand-name sites, and just as with the Sony PlayStation hack, the alarming part was that the most popular passwords were also the easiest to crack.

Coming in at number 1 was ‘123456’, taking the spot from ‘password’ which moved to position 2. The rest of the list isn’t great either.

The issue facing us is that we assume complexity (something like ‘!k$#(ASJ93kja823’) makes for a great password (read “complex” and “difficult to guess”). The problem is that most people can’t remember something like that, so they go for speed and simplicity (read “I can remember that”) and type in passwords like “123456”, “abcdefgh” (I actually saw a student use that one) or “password”, for the very reason that they’re memorable.

It would seem that complex beats simple, and on paper it does. In practice it doesn’t: a password that complex ends up written down, and a password on a sticky note is far easier to steal than to guess.

A solution.

There are actually two great solutions for this problem (and they can work together!).

1. Use a password manager.

KeePass: An Open Source Password Manager

A password manager is a program/app which holds all your passwords, encrypts them, and lets you get at them with just one master password. This means you can use insanely complex passwords (which are more secure precisely because you don’t have to remember them) as well as the simple-but-secure passphrases described in the next point. You only need to remember the master password, so make that one a strong passphrase of the kind described below. If you forget it, your passwords won’t be accessible by you, or by anyone else.

I use KeePass, and have it on all my devices and sync it between them all. But that’s for another post (next week). If you want to get started on that, lifehacker (who also recommend KeePass) has some great articles on getting up and going, like this one showing you how to get started.

But I can use the same password for everything, right? NO!

If nothing else, the site hacks we’ve seen have shown that using the same password across multiple sites is bad news. Very bad news. Once a hacker has your email address and one password from a breached site, they simply try that same pair on other sites you’re likely to use (email, bank, cloud storage etc), and every site where you reused it falls too; from there it’s easy to learn more about you (like which bank you use and what your bank account number is… 😦 ). Use a different password for every site. That’s why password managers are awesome!

2. Create simple, yet secure passwords.

The key to this is remembering that a password has to be remembered, and that for it to be hacked it needs to be guessed in its entirety. This is not Hollywood, where they crack passwords one character at a time; a site that stores its passwords properly can only tell an attacker whether a whole guess was right or wrong, so it’s all or nothing.

Length does far more for a password’s strength than the type of characters in it (letters, numbers, special ones like *): every extra character, or extra word, multiplies the number of guesses an attacker has to make. As the XKCD comic says, a secure (not complex) password is one which is difficult to guess but easy to remember. So ‘correct horse battery staple’ would have been a very secure password (it isn’t any more, since the comic made it famous and it is now one of the first things an attacker tries). The principle is that as you increase the length of the phrase that needs to be guessed, you increase its security.

Steps to choosing a strong password:

  1. Think of a word (e.g. monkeys)
  2. Think of another word – preferably not linked to the first (e.g. red)
  3. Think of another word – not like the others (e.g. novella)
  4. Use at least 3 words. For greater security you can add more (like in the comic), but make sure you can still remember them, and they shouldn’t form a common phrase, song lyric or quote.
  5. Put them together, with spaces, and you have a new, easy to remember, password: monkeys red novella
  6. If you want to add a little complexity, add a special character, like !, and insert a capital: mOnkeys red! novellA

If the site you’re creating the password for doesn’t allow spaces, DON’T just remove them (remember, it’s length we’re after); replace them with a hyphen ( - ) or an underscore ( _ ).
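To put numbers on the “length beats character type” point and to carry the six steps through, here is an added example in Python. It is not code from the original post. It assumes a constructed 16-word WORDLIST (a real list has thousands of words; the comic’s estimate assumes about 2048) and a constructed COMMON_PASSWORDS set, and MIN_LENGTH is an assumed policy. It departs from the steps in one way: the words are drawn with secrets.choice rather than thought up, because people pick predictable words.

```python
"""Passphrase strength and generation.

Added example, not from the original post. Assumptions: WORDLIST and
COMMON_PASSWORDS are constructed for the demo; a real word list has thousands
of entries (the XKCD comic's estimate assumes about 2048). MIN_LENGTH is an
assumed policy.
"""
import math
import secrets
import string
from typing import Optional

# Constructed word list. Far too small for real use: the strength of a
# passphrase comes from the size of the list the words were drawn from.
WORDLIST = ["monkeys", "red", "novella", "correct", "horse", "battery", "staple",
            "lantern", "pepper", "window", "cactus", "violin", "marble", "thunder",
            "orbit", "pickle"]

# Constructed sample of the "most common passwords" kind of list.
COMMON_PASSWORDS = {"123456", "password", "abcdefgh", "12345678", "qwerty"}

# Assumed minimum length for is_acceptable(); pick your own policy.
MIN_LENGTH = 12


def random_char_bits(password: str) -> float:
    """Guess space, in bits, of a password whose characters were picked at random.

    Works out which character classes appear and assumes each character was
    drawn uniformly from the union of those classes. Only valid when the
    characters really are random ('!k$#(ASJ93kja823'); a human-invented
    string scores the same here but is much weaker.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c == " " or c in string.punctuation for c in password):
        alphabet += len(string.punctuation) + 1
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Guess space of a passphrase built from words.

    An attacker who knows the word list guesses word by word, so each extra
    word multiplies the work by the size of the list.
    """
    return word_count * math.log2(wordlist_size)


def strength_bits(password: str, wordlist_size: Optional[int] = None) -> float:
    """Score a password by the cheapest attack against it.

    For a passphrase the word-based attack is far cheaper than guessing
    characters, so the character-based score alone would be misleading.
    """
    char_bits = random_char_bits(password)
    if wordlist_size is None:
        return char_bits
    words = [w for w in password.replace("-", " ").replace("_", " ").split(" ") if w]
    return min(char_bits, passphrase_bits(len(words), wordlist_size))


def make_passphrase(word_count: int = 3, separator: str = " ") -> str:
    """Steps 1 to 5 of the post, except the words come from a CSPRNG.

    People pick predictable words; secrets.choice does not. Use "-" or "_"
    as the separator for a site that rejects spaces, never nothing: the
    length is the point.
    """
    if word_count < 3:
        raise ValueError("use at least three words")
    if separator not in (" ", "-", "_"):
        raise ValueError("separator must be a space, hyphen or underscore")
    return separator.join(secrets.choice(WORDLIST) for _ in range(word_count))


def for_site_without_spaces(passphrase: str, separator: str = "-") -> str:
    """The post's advice for sites that reject spaces: swap, don't drop."""
    if separator not in ("-", "_"):
        raise ValueError("separator must be a hyphen or underscore")
    return passphrase.replace(" ", separator)


def is_acceptable(password: str) -> bool:
    """Reject anything on the common-password list or shorter than MIN_LENGTH."""
    return password.lower() not in COMMON_PASSWORDS and len(password) >= MIN_LENGTH


if __name__ == "__main__":
    complex_pw = "!k$#(ASJ93kja823"
    print(f"{complex_pw!r} as 16 random characters: {random_char_bits(complex_pw):.0f} bits")
    print(f"4 words from a 2048-word list (the comic's model): {passphrase_bits(4, 2048):.0f} bits")
    print(f"'monkeys red novella' from a 2048-word list: {strength_bits('monkeys red novella', 2048):.0f} bits")
    for p in ("123456", "password", "monkeys red novella"):
        print(f"{p!r}: acceptable={is_acceptable(p)}")
    phrase = make_passphrase(4)
    print(f"random passphrase: {phrase!r} -> {for_site_without_spaces(phrase, '_')!r}, "
          f"only {strength_bits(phrase, len(WORDLIST)):.0f} bits from a {len(WORDLIST)}-word list")
```

Running it shows the honest version of the trade-off: 16 truly random printable characters come out around 105 bits, four words from a 2048-word list around 44 bits, and the three-word ‘monkeys red novella’ around 33 bits. The passphrase is not stronger than a genuinely random string; its advantage is that it can be remembered, and so it never ends up on a post-it note. Note that strength_bits scores a phrase by the word-based attack, not by its character count, because that is the attack a real cracker would use, and that the demo’s 16-word list is deliberately tiny so the printed figure for the generated phrase shows why the size of the word list matters.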

It really is that simple. Just remember, if you have to write it on a post-it note and stick it on your monitor, then it may well be complex, but it’s certainly not secure.

Further reading.

There is a science to passwords; in fact, a lot has been written about passwords and what makes a good one.

Troy Hunt (a security expert) writes about The Science of Password Selection

Thomas Baekdal (another security expert) has an article (The Usability of Passwords) and follow up on the method I’ve described above.

Mark Burnett (a security hardening expert) actually analyses the security of the XKCD comic! And it works (although he suggests adding some complexity).
