Built on Facts

Open Sesame

If you were to find the URL to the ScienceBlogs back end, you’d be presented with a logon prompt. Assuming you knew my username, and it wouldn’t be hard to guess, all that stands between you and a free ScienceBlogs platform to promote your favorite cause is a password. As such, a good password is pretty important, and people correspondingly use good ones. Right?

Well, as you probably guessed, the answer is no. Razib points out an article determining that the most common password is “123456”. Many systems won’t even let you pick a password that terrible, but very often the passwords people do choose, even with minimum requirements, are pretty awful.

But what makes a password good or bad? In short, the time it takes to guess. To pare things down to their binary essentials, let’s pretend passwords could only consist of the numbers 0 and 1. If you have a one-character password, there are only two possibilities. If you have a two-character password, there are four: 00, 01, 10, and 11. Each time you add another character the number of possibilities doubles. To be safe, you want to make sure there’s no reasonable way for a person to go through all of them by brute force.

So let’s set a safety threshold. Assume your attacker can guess 1000 passwords per second. This is pretty generous for most contexts, but it’s a good starting point. At that rate, in a year your attacker can guess about 32 billion passwords. If you’re picking your password randomly from a set larger than that, you’re probably safe. In our example of 1s and 0s, we know each additional character doubles the possibilities, so we need to invert that and find out how many characters we need to have at least 32 billion possibilities. In other words, 2^n = 32,000,000,000. The solution for n, given b^n = x, is just the base b logarithm of x. The base 2 logarithm of 32 billion is 34.9, so a random string of 35 1s and 0s will keep you safe. But that’s an impractically huge and difficult password, so we want something easier.

How about random letters and numbers? There are 36 choices, not including capitalization. Taking the base 36 logarithm of 32 billion, we find that it is 6.75, and thus we need just 7 random letter/number characters for a decent password. They do have to be random; picking from a non-random set like your family’s initials might not be so good. Still, such a password is not super easy, but doable.

How about random words? Your average desk dictionary might have 20,000 words or so, and repeating our procedure means we need a whopping three random words for the same level of security. Not bad at all, and that’s my suggestion. Three random dictionary words, with a digit included at the end if your program requires it.
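The calculation in the three paragraphs above, carried out as a function rather than by hand, as an added example that is not part of the original post. It assumes the post’s figures (1000 guesses per second, a one-year horizon, alphabets of 2, 36 and 20,000 symbols) and then goes one step further than the post: it also shows how the required length changes when the guessing rate is much higher, as it is when an attacker has a copy of the password hashes and is guessing offline. The rates for that case are assumptions chosen for illustration.

```python
import math

# Assumptions taken from the post: an online attacker guessing at a fixed rate
# for one year. The offline rate is an illustrative assumption, not a measurement.
ONLINE_GUESSES_PER_SECOND = 1_000
OFFLINE_GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Alphabet sizes discussed in the post.
ALPHABETS = {
    "binary digits": 2,
    "lowercase letters + digits": 36,
    "desk-dictionary words": 20_000,
}


def guesses_in(seconds, rate=ONLINE_GUESSES_PER_SECOND):
    """How many guesses an attacker can make in `seconds` at `rate` guesses/s."""
    return rate * seconds


def chars_needed(alphabet_size, guesses):
    """Return (exact, rounded_up) length n such that alphabet_size**n >= guesses.

    This is the post's inversion of b**n = x: n = log_b(x), rounded up to a
    whole number of characters.
    """
    exact = math.log(guesses, alphabet_size)
    return exact, math.ceil(exact)


def bits_of_entropy(alphabet_size, length):
    """Entropy in bits of `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size, length, rate):
    """Worst-case time to try every password of this shape at `rate` guesses/s."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


def required_lengths(rate=ONLINE_GUESSES_PER_SECOND, seconds=SECONDS_PER_YEAR):
    """Rounded-up length needed for each alphabet so the space exceeds the budget."""
    budget = guesses_in(seconds, rate)
    return {name: chars_needed(size, budget)[1] for name, size in ALPHABETS.items()}


if __name__ == "__main__":
    for label, rate in (("online", ONLINE_GUESSES_PER_SECOND),
                        ("offline", OFFLINE_GUESSES_PER_SECOND)):
        budget = guesses_in(SECONDS_PER_YEAR, rate)
        print(f"{label}: {budget:.3g} guesses per year")
        for name, size in ALPHABETS.items():
            exact, n = chars_needed(size, budget)
            print(f"  {name:28s} log_{size}(budget) = {exact:5.2f} -> {n} symbols, "
                  f"{bits_of_entropy(size, n):.1f} bits")
```

At the post’s online rate the function reproduces its answers (35 bits, 7 alphanumerics, 3 words). At the assumed offline rate the same budget needs roughly 58 bits, which is why a password that is fine for a rate-limited login form is not necessarily fine once the site’s password database leaks.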

Since the hard part of choosing a new password is remembering it at the beginning, write it down and keep it in your wallet for a while. Some people gasp at this, but if your password isn’t protecting anything more valuable than your financial identity, you aren’t adding much risk. If your password is really so valuable that it pales in comparison to your ID and credit cards, then you should consider being more cautious. But most passwords aren’t, and the risk of forgetting or simply being tempted to pick a bad password is more dangerous. Better yet, pick a good free password manager like KeePass and then you only have to remember one good password. The program will generate very strong passwords for the rest, and keep them safe and encrypted under your master password.

My password here? 12 random letter/number characters, generated and managed by KeePass. Good luck!


  1. #1 foole
    January 22, 2010

    My password here? 12 random letter/number characters, generated and managed by KeePass. Good luck!

    Are you sure about that? I have no doubts that KeePass generates a password that is 12 characters long, but are you sure that all of the sites it stores passwords for save at least 12 characters of the password?

    You might be surprised at the number of sites that truncate passwords. If ScienceBlogs truncates passwords at 8 characters then your password is not 12 characters long, it’s 8 characters long! So, if your password is ‘password1234’ then ‘password’ will work just as well.

    Although the problem is frequently presented as an issue of ‘user error’, I disagree. Users will choose poor passwords, but administrators commit far more grievous sins, in my opinion. As an example, why on earth were 32 million user passwords stored in plain text? There is no excuse for that at all. Passwords should always be stored as a hash (and SALTed for good measure).

    Passwords are an awful way of doing authentication. Remembering random letters and characters is hard (and becomes harder the more characters you have to remember). And users are frequently advised to use a different password for every site: this is highly impractical. Sure you can use a password manager, but can you really trust that the password manager doesn’t introduce other vulnerabilities?
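The two server-side points in the comment above, storing only a salted hash rather than plain text and not silently truncating what the user typed, as an added example that is not code from ScienceBlogs or from the commenter. It uses Python’s standard-library PBKDF2-HMAC; the iteration count, salt length and storage format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters: a fresh 16-byte random salt per password and a slow,
# iterated hash so that an attacker with a leaked database still has to spend
# ~ITERATIONS hash computations per guess per account.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable string: algorithm$iterations$salt_hex$digest_hex.

    The full password is hashed; nothing is cut off at 8 (or any other)
    characters, so 'password1234' and 'password' yield unrelated digests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def truncates_passwords(stored, password, length):
    """True if the stored record would accept the first `length` characters only.

    A properly hashed record returns False; this is the check the commenter is
    asking for, run against our own storage rather than a live site.
    """
    return verify_password(password[:length], stored)


if __name__ == "__main__":
    record = hash_password("password1234")   # constructed sample password
    print(record)
    print("full password accepted:", verify_password("password1234", record))
    print("8-char prefix accepted:", truncates_passwords(record, "password1234", 8))
```

Two records for the same password differ because each gets its own salt, so an attacker cannot precompute one table of hashes and look up every user at once; that is the "SALTed for good measure" part of the comment.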

  2. #2 Maniek
    January 22, 2010

    You can’t say which password is OK and which is bad. Why? Everything depends on the method chosen to break the password :) Even the scripts for checking password strength, such as http://www.goodpassword.info/password_strength_checker.php, use different methodologies :)

  3. #3 Steven N. Severinghaus
    January 22, 2010

    I’m a big fan of KeePass (and KeePassX for Linux). It’s wonderful as a password database, and it’s also very useful as a secure database of other semi-structured information: banking information, various ID numbers that come up periodically, and so on.

    I’ve found a number of bugs in the login systems on various websites due to the complex passwords that I use, including some of the variety that [foole] described. For example, I was locked out of Mint.com after they pushed some updates to the site and no longer accepted a double quote in a password. Really the only downside to using KeePass is that it highlights how bad password policy and code is at many websites.

  4. #4 TheAstronomist
    January 22, 2010

    The best passwords have a random assortment of letters, symbols, and numbers. The best passwords can easily be remembered and guessed by only yourself. An excellent source for personal passwords are phrases, quotes, or short poems you remember by heart. The more obscure the better. For example:
    1) Start with your phrase: ‘The quick brown fox jumps over the lazy dog’.
    2) Then use only the first (or last or second) letter of each word: ‘tqbfjotld’.
    3) Replace some of the letters with suggestive numbers or symbols (as done in leet speak): ‘4qbfj041d’

  5. #5 TBRP
    January 22, 2010

    I would add another step in TheAstronomist’s comment:
    4) Press shift on some of the numbers and letters to create more variety: $qbFJ)$1d
    It looks harder to remember, but you just remember “capital 4” rather than “$”, and it’s not that bad. Probably only important on more security intensive applications though. Adding a |, >, {, etc. to the end/beginning helps too (if they’re supported).

  6. #6 oooh, I got one
    January 22, 2010


  7. #7 Matt
    January 22, 2010

    Try out lastpass too, its a Firefox add on, and works on many devices.

  8. #8 Tacroy
    January 22, 2010

    What’s really horrible is that when I was setting up my online Wells Fargo account, they only accepted alphanumerics.

    This is a large bank, for crying out loud, and they restricted my character choices to a mere 36 glyphs!

    Anyway, a reasonably secure system will have some sort of failure lockout. For instance, GMail will give you a captcha to solve if you get your password wrong a few times, which makes brute-forcing a lot harder. GotoMyPC will lock the account for five minutes after three failed login attempts, which will make brute forcing take much longer.

    The real insecurity lies in those retarded wish-it-was two-factor security schemes, especially since most people don’t know any better than to answer them truthfully. Mother’s maiden name? Come on, that’s a search space of maybe ten thousand. Favorite color? Most people are going to pick one out of the rainbow + black and white. High school mascot? Do a bit of Facebook stalking, and that’s ridiculously easy.

    Remember when Sarah Palin’s webmail account was hacked? It wasn’t some uber-leet haxxor or anything; someone was bored on the Internet and did enough digging on to make an accurate guess at the answer to her secret password reset question.

  9. #9 2-D Man
    January 23, 2010

    Ooh, idea: why not include in a browser an item like an ad blocker, ’cept it overwrites the password prompt with some other piece of text? This way, when you change the password, it changes the prompt. This would help people remember their password when they first change it. Sure it wouldn’t work on other machines, but it would help them solidify the password in their memory for when they use other machines.

  10. #10 Miko
    January 23, 2010

    Putting a number at the end of your password is the most common place to put it. The number most used is 1. If a system requires you to place a number somewhere in your password and you place it at the end, you’ve done effectively nothing to increase the security. If you put it somewhere other than the end, then a potential attacker needs to try 36 possibilities for each character instead of 26 and since many will just try alphabetic characters with a number tacked on at the end, you’ll have foiled the vast majority of crackers.

    The real insecurity lies in those retarded wish-it-was two-factor security schemes, especially since most people don’t know any better than to answer them truthfully. Mother’s maiden name? Come on, that’s a search space of maybe ten thousand.

    Yes, but it doesn’t come up until you’ve already gotten the correct password. So they can make it three-tries-and-you’re-locked-out-until-go-to-the-bank-in-person-to-reset-it. A lock-out system on the password itself would be annoying since any casual attacker could lock-out your password. With the two-tier system, an attacker has to waste hours/days/weeks/etc. cracking your password, only to be presented with three tries to guess your challenge question. A search space of 10,000 isn’t so small when you’re limited to three tries. And with multiple challenge questions available, it becomes one try each at three different questions.

    Also, note that in practice, most attacks aren’t against specific individuals but against those with poor security. Rather than pick one user name and try every conceivable password, an attacker will pick one particularly common password and try every conceivable username. (This is another reason why password-based lock-out systems don’t work well.) This means that when they do get a hit, they’ll typically have no idea whose account they’re trying to get into, and as such it becomes much harder to defeat the challenge question via the “reasonable guess” method.
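The two kinds of brute force that comments #8 and #10 contrast, many guesses against one account versus one common password tried against many accounts, look different in a login log, and the second is exactly what a per-account lockout does not catch. The detection logic below is an added example, not code from any site mentioned here; the log format, the threshold values and the log lines themselves are constructed for illustration (the addresses are from the RFC 5737 documentation ranges).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real traffic). One source tries one
# guess each against six different accounts; another hammers a single account.
SAMPLE_LOG = """\
2010-01-23T10:00:01 FAIL user=alice ip=203.0.113.5
2010-01-23T10:00:02 FAIL user=bob ip=203.0.113.5
2010-01-23T10:00:02 FAIL user=carol ip=203.0.113.5
2010-01-23T10:00:03 FAIL user=dave ip=203.0.113.5
2010-01-23T10:00:04 FAIL user=erin ip=203.0.113.5
2010-01-23T10:00:05 FAIL user=frank ip=203.0.113.5
2010-01-23T10:01:10 FAIL user=alice ip=198.51.100.7
2010-01-23T10:01:15 FAIL user=alice ip=198.51.100.7
2010-01-23T10:01:21 FAIL user=alice ip=198.51.100.7
2010-01-23T10:01:30 OK user=alice ip=198.51.100.7
2010-01-23T10:02:00 FAIL user=dave ip=192.0.2.9
2010-01-23T10:02:09 OK user=dave ip=192.0.2.9
"""

# Assumed log line shape: timestamp, outcome, user=..., ip=...
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, outcome, user, ip) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def locked_accounts(events, threshold=3):
    """The classic per-account rule: accounts with `threshold` or more failures."""
    failures = defaultdict(int)
    for _, outcome, user, _ in events:
        if outcome == "FAIL":
            failures[user] += 1
    return {user for user, n in failures.items() if n >= threshold}


def spraying_sources(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Source IPs whose failures touch many distinct accounts inside one window.

    This is the pattern comment #10 describes: few failures per account, so
    per-account lockouts never fire, but one source spread across many users.
    Returns {ip: number_of_distinct_users} for each flagged source.
    """
    by_ip = defaultdict(list)
    for ts, outcome, user, ip in events:
        if outcome == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_distinct_users:
                flagged[ip] = len(users)
                break
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-account lockout would fire for:", sorted(locked_accounts(events)))
    print("sources spraying many accounts:", spraying_sources(events))
```

Run on the sample, the per-account rule fires only for alice (and, as comment #10 notes, that rule is also what lets a casual attacker lock a victim out on purpose), while the source-based rule flags 203.0.113.5 even though no single account it touched failed more than once. Counting distinct accounts per source, rather than failures per account, is the measure that makes the second pattern visible.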

  11. #11 Ian Kemmish
    January 24, 2010

    For people who don’t like writing down a password, like me, there’s a simple way to learn the new password safely: carry it around on a piece of paper until you have memorised it, then shred the piece of paper, and then – and only then! – start using it as a password.

  12. #12 Chris' Wills
    January 24, 2010

    So writing your password on a post it note and sticking that under the keyboard isn’t advised :o)

    One annoyance is being forced to change my password at work every month. I just about memorise the December one and I have to think of a new one for January.

    That is just IT being a pain.

  13. #13 Peter
    January 24, 2010

    The problem is memorizing truly random passwords. The approach suggested by The Astronomist at #4 beats this issue and makes passwords which are difficult to break by brute force – particularly since they can be longer yet it is still easy to generate them when needed. It is not too hard to come up with your own slightly different means of generating longer passwords based on similar principles. The trick is to break the direct link to the English words so word searches fail but you can pull out the significant characters easily.

    It made me laugh when my workplace IT forced everybody to use a new 6 digit password every month (no repeats allowed) – by the time most people coded the month in there some way, there was not much room for security!

  14. #14 Donna B.
    January 24, 2010

    #10 – isn’t that a good argument for random usernames too? I’ve always thought that my email as username was not a good idea.

  15. #15 William George
    January 25, 2010

    I always took a random sentence on a random page out of a random book. Over the years, I’ve whittled it down to a few sentences that I remember.

    I suppose some clever software can figure it out but…

  16. #16 Benjamin Geiger
    January 25, 2010

    I tend to use a variant of Diceware for my passwords. For systems that accept passphrases, I use Diceware as prescribed.

    For login passwords, I generate three (or four, depending on length) random words. I then generate a random number and a random punctuation character (to comply with my employer’s password policy) and concatenate them all, putting the number and the punctuation character between the words. I also choose one word to be in capitals.

    For instance:

    words: “round”, “vex”, “cosec” (not all ‘words’ in Diceware are English words)
    other symbols: “[”, “7”

    The resulting password would be something like “cosec[vex7ROUND”

    If I understand properly, even if someone knew the method I use, they would still need to brute-force (7776 * 2 * 7776 * 2 * 7776 * 2 * 10 * 26 = 9.77e14) possibilities… and even on a system that truncates to eight characters, it’d still be about (7776 * 2 * 7776 * 2 * 36 = 8.71e9) possibilities (assuming the first word, the first number or punctuation mark, and at least some of the second word ends up in the resulting password).

    Then again, that’s still a drop in the bucket compared to the 2.84e19 possibilities with a five-word passphrase… but it’s easier to remember than random characters. The five-word passphrase may be useful for KeePass/1Password, though.
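The scheme in the comment above, written out as a generator and a search-space calculation, as an added example that is not the commenter’s code. It draws words with the `secrets` module (a cryptographically secure source, which is the property Diceware gets from physical dice). The real Diceware list has 7776 entries and is not embedded here; the eight-word list below is a constructed stand-in, so the search-space function takes the list size as a parameter and defaults to 7776.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware list; a real one has 7776 entries.
DICEWARE_LIST_SIZE = 7776
SAMPLE_WORDS = ["round", "vex", "cosec", "abyss", "quill", "hinge", "molar", "tulip"]
DIGITS = string.digits                 # 10 choices
PUNCTUATION = string.punctuation       # 32 choices in Python's set


def generate_password(words=SAMPLE_WORDS, word_count=3):
    """Build word[sep]word[sep]word with one digit, one punctuation mark,
    and exactly one word in capitals, following the commenter's recipe."""
    chosen = [secrets.choice(words) for _ in range(word_count)]
    upper_index = secrets.randbelow(word_count)
    chosen[upper_index] = chosen[upper_index].upper()
    separators = [secrets.choice(DIGITS), secrets.choice(PUNCTUATION)]
    secrets.SystemRandom().shuffle(separators)      # digit-then-punct or punct-then-digit
    out = chosen[0]
    for i in range(1, word_count):
        # Only two separators are used; extra word gaps (if word_count > 3) join directly.
        sep = separators[i - 1] if i - 1 < len(separators) else ""
        out += sep + chosen[i]
    return out


def generate_passphrase(words=SAMPLE_WORDS, word_count=5):
    """Plain Diceware: independent random words joined by spaces."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def search_space(word_count=3, list_size=DICEWARE_LIST_SIZE, digit_choices=10,
                 punct_choices=26, case_choices=2):
    """Number of possibilities an attacker who knows the method must cover.

    With the commenter's figures this is 7776 * 2 * 7776 * 2 * 7776 * 2 * 10 * 26.
    The case factor of 2 per word is the commenter's counting; it is kept as given.
    """
    return (list_size * case_choices) ** word_count * digit_choices * punct_choices


def entropy_bits(possibilities):
    """Convert a search space to bits for comparison with other schemes."""
    return math.log2(possibilities)


if __name__ == "__main__":
    print("password:  ", generate_password())
    print("passphrase:", generate_passphrase())
    print(f"search space: {search_space():.3g} ({entropy_bits(search_space()):.1f} bits)")
    print(f"five-word passphrase: {DICEWARE_LIST_SIZE ** 5:.3g}")
```

The two numbers in the comment come straight out of `search_space()` with its defaults and `7776 ** 5`; note that the digit and punctuation positions are fixed by the recipe, so nothing is gained from them beyond the 10 * 26 factor, and almost all of the strength comes from the three word choices.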

  17. #17 William
    January 25, 2010

    This is such a simple aspect of a complex topic.

    Passwords, like door locks, are meant to keep honest people out. Your password will keep your snoopy friends, relatives etc., out of your business – but someone inclined to do it for personal gain and profit will have more effective methods than guessing. This applies to most people, where their password is protecting personal and financial data, and there is no James Bond villain targeting them, and only them.

    The layers of security on every piece of computer equipment that you ever enter your password on matter far more, where real world identity theft occurs. By this I mean virus protection, firewalls, etc.

    That said, I still wouldn’t pick “123456” as a password. Your nosy girlfriend might just be that clever.

  18. #18 Christopher
    February 6, 2010

    Keeping in mind this statement: “The human factor is truly security’s weakest link,” my recommendations would be to do the following:

    Now: Use a password managing service like LastPass [or KeePass for that matter]. Use one strong master password, use LastPass to generate site-specific strong passwords, and use it to store and manage them.

    Future: I would suggest that all browser companies agree to an open set of standards for universal password generation, use and storage [e.g. LastPass] and incorporate them into each and every browser and OS, making the process persistent and ubiquitous – independent of browser or operating system platform.

    Websites too would have to adopt a standard of accepting strong passwords – too many reject the characters used to create truly strong ones.