Choosing Good Passwords

Notes on how to choose a strong password that you can still remember.

Introduction

Although it has known weaknesses, the username/password pair is still the most common authentication mechanism for modern computer-based services. Because anyone who has your authentication credentials will be treated as if they were you, it is important to keep your credentials private and to make them difficult to attack with brute-force methods.

Your username is often assigned to you and is often a semi-public or public piece of information, so it must be regarded as obtainable and does not contribute significantly to the security of your credentials. The strength and privacy of your password is the only real shield that you have against impersonation. Losing control of it constitutes a (usually relatively minor) form of identity theft. In the worst case, compromise of your username and password can be leveraged to gain access to more important identity information, such as financial data and the ability to perform financial transactions in your name. Even in the least damaging cases, the impostor can destroy files that may represent an enormous amount of work, or be of sentimental or even cash value.

Always choose a strong password.

Do not share your password. If you need to share resources, work with your system administrator to find a means other than sharing passwords.

What is a Strong Password?

Assuming that the technical security implementations are sound (frequently not a good assumption), a password is strong if it cannot be guessed in a reasonable amount of time by persons with modern hardware using brute-force methods.

The most common guessing method is to start with a dictionary of common words in common languages and then combine them with short sequences of numbers or common punctuation symbols. If your password contains only dictionary words, or is only slightly modified from dictionary words, then you have a weak password.

Example           | Strength       | Comments
abc123            | Extremely Weak | Short obvious sequence.
sandtruck32       | Weak           | Dictionary words. Insufficient variation.
chohMei6          | Strong         | Mixed set. No dictionary words. Semi-pronounceable. Difficult to remember.
EishieSh0SaNei9w  | Very Strong    | Long. Well mixed. Nearly impossible to remember.

Creating Strong Passwords

Basic Guidelines

Whichever method or methods you finally use, try to follow these guidelines:

  1. At least one character from each of the following categories:
    1. lower case alphabetic characters
    2. upper case alphabetic characters
    3. numeric characters
    4. punctuation and special characters
  2. avoid unmutated dictionary words
  3. at least 7 or 8 characters (longer is better when permitted)
  4. letter to symbol mappings should not all be of the obvious type (e.g. a -> @ or &, s -> 5, o -> 0)
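A small checker for the guidelines above, added here as an example and not part of the original page. The word list and the table of "obvious" substitutions are constructed for the demonstration; a real deployment would load a proper dictionary. Function names are assumptions.

```python
import string

# Constructed sample dictionary for the demo; use a real word list in practice.
DICTIONARY = {"sand", "truck", "wizard", "password", "secret", "letmein"}

# The obvious letter-to-symbol substitutions guideline 4 warns about,
# written as the reverse mapping so we can undo them (assumed table).
OBVIOUS_MAP = str.maketrans({"@": "a", "&": "a", "5": "s", "$": "s",
                             "0": "o", "1": "i", "3": "e", "!": "i"})


def has_all_classes(pw):
    """Guideline 1: at least one lower, upper, digit and punctuation character."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def dictionary_words_in(pw):
    """Guidelines 2 and 4: dictionary words that appear either verbatim or
    once the obvious symbol substitutions have been undone."""
    candidates = {pw.lower(), pw.lower().translate(OBVIOUS_MAP)}
    return {word for text in candidates for word in DICTIONARY if word in text}


def check_password(pw, min_len=8):
    """Return a list of guideline violations; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not has_all_classes(pw):
        problems.append("missing a character class")
    words = dictionary_words_in(pw)
    if words:
        problems.append("contains dictionary words: %s" % ", ".join(sorted(words)))
    return problems


if __name__ == "__main__":
    for candidate in ("abc123", "sandtruck32", "Pa55w0rd!", "A!Is5s!B!"):
        print(candidate, "->", check_password(candidate) or "passes")
```

Note that "Pa55w0rd!" satisfies the character-class rule yet is rejected, because undoing the obvious substitutions exposes the dictionary word behind it.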

Password Length

All things being equal, long passwords are better than short ones. However, the longer the passphrase, the more difficult it will be to remember, and so the more likely we are to use simple, guessable parts. In addition, many systems, including many Unix systems, have rather small upper limits on the length of a passphrase. Eight characters is common. If you are restricted to 8 characters or fewer, be sure to use all of them.

Creating Memorable Strong Passwords

There are a number of ways to create strong and memorable passwords. We will outline a few techniques here.

The Nth Letter Method

Choose a memorable phrase, whether it be cute, dramatic, funny or just particularly clear in your mind. You may then mutate it a bit, creatively adding punctuation and numbers. At that point choose a small number N (usually 1-3) and take the Nth letter from each word, plus all of the numbers and punctuation. To squeeze a long phrase into 8 characters, drop some definite and indefinite articles.

It is unfortunate, but this method really only works well when the letter chosen is the first, both because it takes too long for the human brain to determine letters 2 and 3, and because capitalization rules tend to affect only the first letter of a word. Even then, this method provides much stronger passwords than most people will normally select.

Phrase                                      | Mutated Phrase                                                   | Number | Passphrase
To boldly go where no man has gone before!  | To boldly pause! emphatically where no Shatner has gone before!  | 1      | Tbp!ewnShgb!
Oh where, oh where has my little lamb gone? | -                                                                | 2      | hh,hhayiao?
Ack! I shot 5 smurfs! Blam!                 | -                                                                | 1      | A!Is5s!B!
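The Nth Letter Method applied to the phrases in the table above, added here as an example that is not part of the original page. The article-dropping helper follows the "squeeze into 8 characters" advice; function names are assumptions.

```python
import string

ARTICLES = {"a", "an", "the"}


def drop_articles(phrase):
    """Remove definite and indefinite articles to shorten a long phrase."""
    return " ".join(w for w in phrase.split() if w.lower() not in ARTICLES)


def nth_letter_passphrase(phrase, n):
    """Take the n-th letter (1-based) of every word, keeping every digit and
    punctuation mark in the order it appears. A word with fewer than n
    letters contributes only its digits and punctuation."""
    out = []
    for word in phrase.split():
        letters_seen = 0
        for ch in word:
            if ch.isalpha():
                letters_seen += 1
                if letters_seen == n:
                    out.append(ch)
            elif ch.isdigit() or ch in string.punctuation:
                out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed demo inputs taken from the table above.
    rows = [
        ("To boldly pause! emphatically where no Shatner has gone before!", 1),
        ("Oh where, oh where has my little lamb gone?", 2),
        ("Ack! I shot 5 smurfs! Blam!", 1),
    ]
    for phrase, n in rows:
        print(n, repr(phrase), "->", nth_letter_passphrase(phrase, n))
    # Dropping articles shortens a phrase before extracting letters.
    long_phrase = "The quick fox, an owl & a cat!"
    print(nth_letter_passphrase(drop_articles(long_phrase), 1))
```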

Algorithmic Mutations

This method involves choosing a memorable password and then transforming it in a way that enhances its superficial randomness. While its real cryptographic strength is not really enhanced, it does provide an extra buffer against standard brute-force attacks, unless everyone adopts the same transformation, which then becomes part of the standard brute-force attack. (Even then, it may have value if the transformation is computationally costly, rendering the brute-force attack drastically less efficient.)

Some examples would be:

  • adding 1 to the ASCII sequence (a->b, b->c, c->d, etc.) WEAK!!
  • rotate the word by 1 character to the right, wrapping at the end ("wizard" -> "dwizar") WEAK!!
  • swap pair sequences ("wizard" -> "iwazdr") OK
  • convert the string to base64 ("wizard" -> "d2l6YXJk")

Sample Base64 Conversion One-Liner

bworth@darkstar$ python -c 'import base64; print(base64.b64encode(b"wizard").decode())'
d2l6YXJk

As long as you don't rely on these simple mutations for all of your security, they can add a useful dash of pseudo-randomness.

The Finger Shift

This technique involves choosing your password, say "wizard" for example, and then shifting each keystroke by one key in a selected direction. If this technique is chosen with a right shift, you will get "eoxstf".