FirstClown

firstclown at firstclown.us

Good Password Selection

I work on a couple of websites that require user registration and I'm consistently surprised at how many people use really bad passwords. I mean really bad passwords, like 'password' or '123'. It's more than you might think.

Everyone says to pick strong passwords, but how do you choose a strong password that's hard to guess or crack but easy to remember? The answer lies in looking at how passwords are cracked.

Dictionary Attack

The way most passwords are cracked is by a Dictionary Attack. A Dictionary Attack uses a file of words and common passwords, called a dictionary file. The attacker checks each entry in that file against your password and, if your password is in the file, the attacker gains access to your account.

That is why you shouldn't use words you might find in the dictionary. Even simple tricks like replacing letters in a word with symbols aren't enough, since a lot of those variants have found their way into dictionary files too.

So how can you create strong passwords that are still easy to remember?

Password Selection

Easy, pick words out of the dictionary. :)

The idea is to turn a phrase or group of words into a strong password. We do that by joining the words with numbers or symbols in between them. So instead of the weak password "honeybee", we can make it a little stronger by adding another word with a number in between, "honeybee3tea".

If someone knew this system, they could devise a way to crack it via the dictionary file. They could try every word joined with every other word. If we assume that a dictionary file contains 100,000 words, to check two word combinations would be 100,000 x 100,000, which would be 10,000,000,000 or ten billion combinations. Adding any of 10 numbers in between would be 100,000,000,000 combinations.

This is hard on an attacker, but not impossible. With parallel and cloud computing getting easier and easier to access, attackers will be able to pull a lot of resources in to crack your password.

So what to do?

Add more words! "honeybee3tea9is&great" will be very hard to crack via the attack mentioned above, since it requires the ability to check over 100,000,000,000,000,000,000,000 combinations. This is outside of the realm of possibility, especially since there are so many easier passwords to crack these days. You can make it even harder by changing the case of the words: "HoneyBee3Tea9is&great".
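To make the arithmetic above concrete, here is an added Python example (not from the original post) that computes the keyspace an attacker who knows the scheme must search, reproducing the post's figures, and builds a password in the same style using a CSPRNG so that the words and separators are actually drawn from the whole keyspace. The eight-word list is constructed and stands in for the 100,000-word dictionary file the post assumes.

```python
import math
import secrets

# Constructed sample wordlist; a real dictionary file would hold ~100,000 entries.
SAMPLE_WORDS = ["honey", "bee", "tea", "is", "great", "clown", "river", "stone"]
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*"


def keyspace(n_words, dictionary_size=100_000, separators=10, case_variants=1):
    """Candidates an attacker who knows the scheme must try: every ordered
    choice of n words from the dictionary, joined by one of `separators`
    characters, with `case_variants` capitalization patterns per word."""
    if n_words < 1:
        raise ValueError("need at least one word")
    word_choices = dictionary_size ** n_words
    join_choices = separators ** (n_words - 1)
    return word_choices * join_choices * case_variants ** n_words


def entropy_bits(n_words, **kwargs):
    """Same keyspace expressed in bits, for comparison with random passwords."""
    return math.log2(keyspace(n_words, **kwargs))


def seconds_to_exhaust(n_words, guesses_per_second, **kwargs):
    """Worst-case time for an attacker to try the whole keyspace."""
    return keyspace(n_words, **kwargs) / guesses_per_second


def make_passphrase(n_words, words=SAMPLE_WORDS, separators=DIGITS + SYMBOLS,
                    capitalize=True):
    """Build a password like "HoneyBee3Tea9is&great": each word, separator and
    capitalization choice comes from the OS CSPRNG, not from the user's memory."""
    parts = []
    for i in range(n_words):
        word = secrets.choice(words)
        if capitalize and secrets.randbelow(2):
            word = word.capitalize()
        parts.append(word)
        if i < n_words - 1:
            parts.append(secrets.choice(separators))
    return "".join(parts)


if __name__ == "__main__":
    for n in (2, 3, 4):
        print(n, "words:", f"{keyspace(n):,}", f"({entropy_bits(n):.1f} bits)")
    print("sample:", make_passphrase(4))
```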

You're probably thinking that you don't want to type that much when picking a password, so I'll let you know that three words is probably enough. Sadly, password security is a little like outrunning a bear: you don't have to be the best, you just have to be better than the other guy. If a hacker can crack 10% of the passwords on a site, he'll have enough personal information to work with that he won't spend the extra time to get yours.

Other Methods

Before I get a lot of nasty emails, this is not the best way to choose a password, but is the first step in picking better passwords than most people out there use. I will have future posts about some other ways to pick passwords, including my favorite, Password Hashes. Most people don't know the danger of picking simple words by themselves. If you do use simple passwords now and start using the above technique instead, you'll be much better off.
