English Dept. IT Help Pages

Password Best Practices

How to create secure passwords

Introduction

Top 20 passwords found at Rockyou.com
Rank Password Frequency Rank Password Frequency
1 123456 290731 11 Nicole 17168
2 12345 79078 12 Daniel 16409
3 123456789 76790 13 babygirl 16094
4 Password 61958 14 monkey 15294
5 iloveyou 51622 15 Jessica 15162
6 princess 35231 16 Lovely 14950
7 rockyou 22588 17 michael 14898
8 1234567 21726 18 Ashley 14329
9 12345678 20553 19 654321 13984
10 abc123 17542 20 Qwerty 13856
If you have one of these as your password, change it immediately!

A recent study by Imperva of 32 million compromised passwords for the site rockyou.com reports that an alarming number of people use easy-to-hack passwords. According to the report, their findings demonstrate "that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data. Worse, as hackers continue to rapidly adopt smarter brute force password cracking software, consumers and companies will be at greater risk."

The surprising thing, here, is not just how many people are failing to protect their digital data, but that this these numbers are not surprising. These findings are similar to those made in a similar study done 20 years ago and to another done 10 years ago. That means that during a timeframe that includes the dotcom boom and its eventual bust, the majority of computer users continue to ignore the risks associated with insecure passwords even as computers and the internet have become central fixtures of everyday life.

With this in mind, we wanted to take this opportunity to inform the English Department community about the risks associated with insecure passwords and offers some tips for developing strong ones. These recommendations go not only for UW accounts or just your online bank accounts but wherever you are asked to provide a password, for sometimes the most innocuous-seeming sites can present the biggest risks.

This page will discuss:

* Facts and recommendations on this site come from "Consuper Password Worst Practices," "How I’d Hack Your Weak Passwords," "Study: Hacking Passwords Easy As 123456," and "Geek to Live: Choose (and remember) great passwords"

Vulnerable Practices

The 5,000 most frequently used passwords were shared by 20% of users. A hacker armed with this list of 5,000 passwords as a dictionary could successfully guess 1 out of 111 accounts making just one guess per account. With a moderately fast, DSL internet connection, this hacker could run 110 attempts per second, gaining access to a new account every second or about 1,000 accounts in 17 minutes.

Time to calculate all combinations of characters in a set.
Password Length All Characters Only Lowercase
3 characters 0.86 seconds 0.02 seconds
4 characters 1.36 minutes 0.046 seconds
5 characters 2.15 hours 11.9 seconds
6 characters 8.51 days 5.15 minutes
7 characters 2.21 years 2.23 hours
8 characters 2.10 centuries 2.42 days
9 characters 20 millennia 2.07 months
10 characters 1,899 millennia 4.48 years
11 characters 180,365 millennia 1.16 centuries
12 characters 17,184,705 millennia 3.03 millennia
13 characters 1,627,797,068 millennia 78.7 millennia
14 characters 154,640,721,434 millennia 2,046 millennia
Notice how much less time is required by arbitrarily eliminating capital letters from the pool of possible characters to check.

The Brute Force Attack

The simplest way to crack passwords is what is called a "brute force attack," which essentially means using specially designed software (which is freely available, by the way)guessing combinations of characters until one works. This sounds like it would take forever and it could. To try every combination of just eight characters on the keyboard would take an average computer on a decent internet connection 2.1 centuries. Move up to a nine character password and the computation time explodes to 20 millennia. How, then, is a brute force attack even feasible? In short, the password practices of typical users makes it possible by sticking to a relatively small range of character combinations.

How user practices help hackers

A brute force attack is not an attempt to crack every password, just some. Hackers, therefore, do not need to try every combination of characters, just the combinations that are likely to strike a match. Remember, as we saw above, 20% of user accounts at rockyou.com could be accessed with a list of just 5,000 terms. Setting aside a list of specific terms, the Imperva study demonstrates other ways in which users cut down the number of combinations that need to be checked to return matches.

All of these practices, using a common password, a password below six characters, created from only alpha-numeric characters, typically a name or word, narrow the field of character combinations a hacker has to try in a brute force attack in order to crack a password.

What do hackers do once they have a password?

Once a hacker has your password for one site, the next step is to use it to decipher your password pattern. Most people have one password or password system that they use on multiple sites. Based on this assumption, hackers will usually target sites they expect will not have the best security. Rather than attacking Bank of America directly, for example, they might try Twitter, as happened in the summer of 2009. Or, they might email you posing as a website you trust, asking you to sign in, handing your password right to them. Once a hacker has your password on one site, he will try to use it to unlock everything you have online. Again, typical hacker attacks don't necessarily decipher some encryption or break into an online database of passwords. Far easier is to narrow the field of possible passwords based on typical user behavior and try everything in the narrowed field until something works.

How can you protect yourself?

In short, make the field of potential character combinations in your password as broad as possible.

The Imperva study recommends that every password:

They also recommend the following password practices for users:

Once you come up with a password you like, that meets this criteria, you can check it against Microsoft's online password security tester.

Rule-based password systems

All of this sounds great, but, as we all know, the core issue is that want passwords we can remember easily. This is the main reason why people use simple, read "easy-to-hack," passwords on every website they use. One option for dealing with this problem is to develop a rule set for generating passwords. Gina Trapani at Lifehacker suggests having a base-password that you modify with letters from the name of the service you are trying to use:

"For example, you may use your base password with the first two consonants and the first two vowels of the service name. Say your base password is "asdf." (See how easy those keys are to type?). Then your password for Yahoo would be ASDFYHAO, and your password for eBay would be ASDFBYEA."
Of course, if you used this model, you would want to throw some special characters in there as well. With a system like Trapani's, you won't have to remember a unique password for every website; just the rule you used to generate the password. This will allow you to come up with non-dictionary terms, longer than 8 characters, including capital, non-capital, special characters, and numbers, that are unique to every website you visit. Alternatively to remembering a rule, one can use software to generate and store passwords.

Password Storage Software

Password storage software like KeePass, RoboForm, or, for Mac users, 1Password are free, ultra-secure, and will remember your passwords for you. These programs can also be set to even autofill website forms for you. Lastpass is works in your browser to store passwords you enter, save your form data, and generate strong passwords for you, keeping all encrypted on your local machine so you never have to remember another password again.

In sum

Though more and more often our personal business is conducted online, we typically do not take adequate measures to protect our private data. Often the only defense we have against intrusion and identity theft is our password. While having a secure password may be inconvenient, it is light years better than the consequences of having one's online accounts hacked with a brute force attack.

So, take a moment today to secure all your passwords.

Remember, to be secure against a brute force attack, a password should:

Good luck and Safe Surfing!