If you were to find the URL to the ScienceBlogs back end, you’d be presented with a logon prompt. Assuming you knew my username, and it wouldn’t be hard to guess, all that stands in between you and a free ScienceBlogs platform to promote your favorite cause is a password. As such a good password is pretty important, and people correspondingly use good ones. Right?
Well, as you probably guessed the answer is no. Razib points out an article determining that the most common password is “123456″. Many systems won’t even let you pick out a password that terrible, but very often the passwords people do chose even with minimum requirements are pretty awful.
But what makes a password good or bad? In short, the time it takes to guess. To pare things down to their binary essentials, let’s pretend passwords could only consist of the numbers 0 and 1. If you have a one character password, there’s only two possibilities. If you have a two-character password, there’s four: 00, 01, 10, and 11. Each time you add another character the number of possibilities doubles. To be safe, you want to make sure there’s no reasonable way for a person to go through all of them by brute force.
So let’s set a safety threshold. Assume your attacker can guess 1000 passwords per second. This is pretty generous for most contexts, but it’s a good starting point. At that rate in a year your attacker can guess about 32 billion passwords. If you’re picking your password randomly from a set larger than that, you’re probably safe. In our example of 1s and 0s, we know each additional character doubles the possibilities, so we need to invert that and find out how many characters we need to have at least 32 billion possibilities. In other words, 2^n = 32,000,000. The solution for n, given b^n = x is just the base b logarithm of x. The base 2 logarithm of 32 billion is 34.9, so a random string of 35 1s and 0s will keep you safe. But that’s an impractically huge and difficult password so we want something easier.
How about random letters and numbers? There’s 36 choices, not including capitalization. Taking the logarithm, we find that it is 6.75 and thus we need just 7 random letter/number characters for a decent password. They do have to be random, picking from a non-random set like your family’s initials might not be so good. Still, such a password is not super easy, but doable.
How about random words? Your average desk dictionary might have 20,000 words or so, and repeating our procedure means we need a whopping three random words for the same level of security. Not bad at all, and that’s my suggestion. Three random dictionary words, with a digit included at the end if your program requires it.
Since the hard part of choosing a new password is remembering it at the beginning, write it down and keep it in your wallet for a while. Some people gasp at this, but if your password isn’t protecting anything more valuable than your financial identity you aren’t adding much risk. If your password is really so valuable that it pales in comparison to your ID and credit cards, then you should consider being more cautious. But most passwords aren’t, and the risk of forgetting or simply being tempted to pick a bad password is more dangerous. Better yet, pick a good free password manager like KeyPass and then you only have to remember one good password. The program will generate very strong passwords for the rest, and keep them safe and encrypted under your master password.
My password here? 12 random letter/number characters, generated and managed by KeyPass. Good luck!