English Dept. IT Help Pages

Password Best Practices

How to create secure passwords

Introduction

Top 20 passwords found at Rockyou.com

Rank  Password    Frequency
   1  123456         290731
   2  12345           79078
   3  123456789       76790
   4  Password        61958
   5  iloveyou        51622
   6  princess        35231
   7  rockyou         22588
   8  1234567         21726
   9  12345678        20553
  10  abc123          17542
  11  Nicole          17168
  12  Daniel          16409
  13  babygirl        16094
  14  monkey          15294
  15  Jessica         15162
  16  Lovely          14950
  17  michael         14898
  18  Ashley          14329
  19  654321          13984
  20  Qwerty          13856
If you have one of these as your password, change it immediately!

A recent study by Imperva of 32 million compromised passwords for the site rockyou.com reports that an alarming number of people use easy-to-hack passwords. In light of their report, we wanted to inform the English Department community about the risks associated with insecure passwords and offer some tips for developing strong ones.

This page will discuss:

* Facts and recommendations on this site come from "Consumer Password Worst Practices," "How I'd Hack Your Weak Passwords," "Study: Hacking Passwords Easy As 123456," and "Geek to Live: Choose (and remember) great passwords"

Vulnerable Practices

A password is considered vulnerable if it is common, too short, has recognizable words or names in it, or uses only standard letters and numbers. Here's why:

According to the Imperva study, the 5,000 most frequently used passwords were shared by 20% of users. Armed with this list, a hacker could easily crack one account per second, or about 1,000 in 17 minutes.

The Brute Force Attack

The simplest way to crack passwords is what is called a "brute force attack," which essentially means using specially designed software (which is freely available, by the way) to guess combinations of characters until one works. Though this may sound like it would take forever (and it could), the brute force attack is made feasible by the common password practices of users.

Playing the Percentages

A brute force attack is not an attempt to crack every password, just some. Hackers don't have the time to try EVERY character combination, so they make educated guesses based on what will return the most unlocked passwords in the least amount of time. They typically prey on people who use either common passwords (12345, abc123, password, god, money and so on) or passwords simple enough that every combination can be guessed in a short period of time.

While the Imperva study found an alarming number of people using a short list of passwords, it also found that common practices tend to arbitrarily shrink the set of character combinations hackers need to try before getting a match and, consequently, cut down the amount of time they need to find matches:

About 30% of users chose passwords of six characters or fewer.
  It takes less than 6 minutes to try every combination of 6 or fewer characters.
Almost 60% of users chose their passwords from a limited set of alphanumeric characters.
  Checking all lowercase combinations of a 7-character password takes 2 days; checking all possible character combinations takes 2 centuries.
Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
  The OED reports fewer than 175,000 entries, which isn't that many passwords to try if you can make more than 110 guesses in a second.

These typical practices reduce the number of character combinations that a hacker needs to try before opening accounts. Hackers can target this limited list of possible passwords and thereby make fewer guesses while returning more cracked accounts in less time.

Secure passwords

Time to calculate all combinations of characters in a set.

Password Length   All Characters              Only Lowercase
3 characters      0.86 seconds                0.02 seconds
4 characters      1.36 minutes                0.046 seconds
5 characters      2.15 hours                  11.9 seconds
6 characters      8.51 days                   5.15 minutes
7 characters      2.21 years                  2.23 hours
8 characters      2.10 centuries              2.42 days
9 characters      20 millennia                2.07 months
10 characters     1,899 millennia             4.48 years
11 characters     180,365 millennia           1.16 centuries
12 characters     17,184,705 millennia        3.03 millennia
13 characters     1,627,797,068 millennia     78.7 millennia
14 characters     154,640,721,434 millennia   2,046 millennia

Notice how much less time is required when capital letters are arbitrarily eliminated from the pool of possible characters to check.

In short, make the field of potential character combinations in your password as broad as possible.
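The following checker, added here as an example and not part of the original help page, applies the four vulnerable practices described above (common, too short, recognizable words, limited character set) to a candidate password and estimates the exhaustive-search time behind the table. The guess rate, the minimum length, and the short common-password and dictionary lists are constructed assumptions, not figures from the Imperva study.

```python
import string

# Constructed sample lists: the page's top-10 RockYou entries plus a few words.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou",
                    "princess", "rockyou", "1234567", "12345678", "abc123"}
DICTIONARY_WORDS = {"monkey", "love", "baby", "girl", "summer", "dragon"}

# Character classes a brute-force search must cover if the password uses them.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
GUESSES_PER_SECOND = 1_000_000  # assumed attacker guess rate (constructed)
MIN_LENGTH = 8                  # policy floor (assumption)

def classes_used(password):
    """The character classes that actually appear in the password."""
    return [c for c in CLASSES if any(ch in c for ch in password)]

def charset_size(password):
    """Size of the pool an exhaustive search over those classes must cover."""
    return sum(len(c) for c in classes_used(password))

def search_time_seconds(password, rate=GUESSES_PER_SECOND):
    """Seconds to try every string of this length drawn from the same pool."""
    return charset_size(password) ** len(password) / rate

def humanize(seconds):
    """Render a duration the way the page's table does (largest unit first)."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.2f} {unit}"
    return f"{seconds:.2f} seconds"

def weaknesses(password):
    """Return which of the page's four vulnerable practices apply."""
    found, lowered = [], password.lower()
    if lowered in COMMON_PASSWORDS:
        found.append("common")
    if len(password) < MIN_LENGTH:
        found.append("too short")
    if any(word in lowered for word in DICTIONARY_WORDS):
        found.append("contains a recognizable word")
    if len(classes_used(password)) < 3:   # e.g. only letters and digits
        found.append("limited character set")
    return found

if __name__ == "__main__":
    for pw in ("123456", "monkey", "Tr0ub4dor&3x"):
        print(pw, weaknesses(pw) or "ok", humanize(search_time_seconds(pw)))
```

Adding a single capital letter to a seven-character lowercase password doubles the pool per position and multiplies the search space by 2^7 = 128, which is the effect the table above illustrates.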

The Imperva study recommends that every password you use:

Once you come up with a password you like that meets these criteria, you can check it against Microsoft's online password security tester.

In addition, each password should be unique to its context. The reason for this is that hackers assume, usually correctly, that people use the same password for everything. So rather than targeting a site they expect to have tight security, like a bank, they target websites that they expect to have weaker security, as happened to Twitter in the summer of 2009. Or, they will attempt to trick you into supplying your password in a context you think is secure, usually by impersonating a website you trust or think is innocuous. Once they have one password, they will see if it opens accounts on more secure, and more lucrative, sites. If you have a unique password for each context and one is cracked, at least only one, hopefully unimportant, site has been compromised.

Practical Security

All of this sounds great, but, as we all know, the core issue is that we want passwords we can remember easily. This is the main reason why people use simple (read: easy-to-hack) passwords on every website they use. Here are a couple of methods for keeping all your secure passwords under control.

Rule-based password systems

One option for dealing with this problem is to develop a rule set for generating passwords. That way you never have to remember individual passwords, just your rule set. Gina Trapani at Lifehacker suggests having a base password that you modify with letters from the name of the service the password is for. When using a rule set, one must be careful to select rules that generate passwords that meet the recommended criteria but are not too easy to decode. If the system is easy to decipher, a hacker can potentially figure it out and then open all your accounts.

Password Storage Software

Password storage software like KeePass, RoboForm, or, for Mac users, 1Password is free, ultra-secure, and will remember your passwords for you. These programs can also be set to autofill website forms for you. LastPass works in your browser to store passwords you enter, save your form data, and generate strong passwords for you, keeping all encrypted data on your local machine so you never have to remember another password again.

Summary

Though more and more often our personal business is conducted online, we typically do not take adequate measures to protect our private data. Often the only defense we have against intrusion and identity theft is our password. While having a secure password may be inconvenient, it is light years better than the consequences of having one's online accounts hacked with a brute force attack.

So, take a moment today to secure all your passwords.

Remember, to be secure against a brute force attack, a password should:

Good luck and Safe Surfing!